
Understanding FIFA 2022 World Cup Cybersecurity Framework

Published September 1, 2022 / Updated March 1, 2024
Author

Omer Imran Malik

Data Privacy Legal Manager, Securiti

FIP, CIPT, CIPM, CIPP/US

Qatar's upcoming 2022 FIFA World Cup represents an incredible economic, social, and PR opportunity for the Middle Eastern country. Hence, it is no surprise that the country has spent billions in ensuring every aspect of the event meets and, in some cases, exceeds modern global standards. Data privacy and security is one such area.

Naturally, with millions of football fans flocking to the country for the showpiece event, their data will be a vital asset they’ll be bringing along with them. While Qatar has its own data protection law (Personal Data Privacy Protection or “PDPPL”), the country has released a dedicated framework, aptly titled FIFA 2022 World Cup Cybersecurity Framework (Cybersecurity Framework), explicitly aimed at addressing the data-related issues posed by the World Cup.

This Cybersecurity Framework was released by the Supreme Committee for Delivery & Legacy (SCDL) in 2018, and it highlights the standard that all FIFA World Cup participants should adhere to. SCDL will oversee the Cybersecurity Framework implementation. Its additional responsibilities include delivering and maintaining the required digital infrastructure in support of the 2022 World Cup.

The Scope of the Cybersecurity Framework

The Cybersecurity Framework focuses on developing and integrating "must have" capabilities and competencies that are necessary across all organizations that are a part of the World Cup ecosystem. The 2022 FIFA World Cup Qatar ecosystem has been defined as:

  • Information assets hold valuable information which will be used and processed by World Cup services.
  • Services define the essential activities that will be performed and/or facilities provided to stakeholders.
  • Entities will contribute to the execution of services for the World Cup. These entities are categorized under critical sectors.
  • SCDL, in cooperation with the government, will organize the World Cup.

The Cybersecurity Framework presents a unified system of cybersecurity safeguards for the involved stakeholders. The entities providing services in the World Cup ecosystem should implement these cybersecurity safeguards to mitigate any risk. The fundamental pillars of this framework are prevention, detection, and response to data breaches and any other form of unauthorized access or use of data.

Also, the two most important capabilities from a data privacy compliance perspective (and discussed in detail later) are Data Protection and Data Privacy. The former refers to processes that ensure that the data is accurate, reliable, and accessible for those with authorized access (and cannot be accessed by unauthorized individuals). The latter refers to the appropriate use of personally identifiable information for the agreed purposes. Hence, to ensure data privacy, data protection is necessary.

What Organizations Need To Do

Entities are expected to contextually view the entire Cybersecurity Framework keeping in view the lessons learned from previous national events, Qatari National Cybersecurity strategy and standards, and risks prevalent in geographical regions. Subsequently, entities also need to follow industry-leading cybersecurity best practices whilst integrating and utilizing cutting-edge technologies.

After this, the entities should proceed with implementing cybersecurity governance programs. To implement the Cybersecurity Framework, entities need to undergo the following two steps:

  1. Entities should review the applicable Cybersecurity Framework's capabilities and map their services to those capabilities.
  2. Conduct a self-assessment for the implementation of these capabilities, and have a plan in place to mitigate any major implementation gaps.

The most important aspect for any entity providing World Cup services is to remain in compliance with the laws and regulations applicable to them. Implementing this Cybersecurity Framework, though not mandatory, would help entities ensure compliance with applicable laws.

Implementing Cybersecurity Governance Program

Cybersecurity Governance addresses the enterprise's reliance on cyberspace from a strategic perspective. It is a canopy for all capabilities defined within the Cybersecurity Framework. Following the structure and practices within the Cybersecurity Framework allows entities to smoothly implement and operationalize their cybersecurity capabilities. Three cybersecurity governance functions help achieve this:

  • Cybersecurity Risk Management - the goal is to guarantee that cybersecurity risks are properly identified and managed by the entity for each cybersecurity capability in relation to other business risks. Before launching Cybersecurity Risk Assessment, entities should determine the compliance requirements on a national level. This helps in determining the scope of risk management and building better resilience and compliance against security risks. After this, the following activities can be carried out:
    • Identify the entity’s critical business services, processes, and associated information assets.
    • Conduct Business Impact Analysis (BIA) and risk assessment
    • Map entity’s critical information assets with defined cybersecurity capabilities in the Cybersecurity Framework
    • Identify non-applicable or missing capabilities
    • Report to SCDL
    • Annual Risk Assessment by SCDL
  • Cybersecurity Internal Audit - the goal is to evaluate the entities' progress toward the World Cup Cybersecurity Framework's capabilities. Before conducting the internal audit, the compliance requirements on a national level should be assessed. Entities must also make sure that internal audit is conducted independently with integrity and due care. Once this is done, entities can:
    • Plan for the internal audit, its scope, and auditor’s qualifications
    • Determine the required capability and determine whether the entity’s design and current capabilities are enough to achieve the intended results
    • Evaluate the audit results in line with pertinent capabilities
    • Draft an internal report and action plans for remediation
    • Report to SCDL
    • Evaluate and improve based on any feedback from SCDL
  • Cybersecurity Training and Awareness - this aims to improve the learning and awareness regarding cybersecurity capabilities' current landscape and understand the importance of planning and assessment.
    • Develop a skill matrix for cybersecurity capabilities and determine the gaps in training
    • Determine the current cybersecurity awareness level to design activities accordingly
    • Report the awareness status to SCDL

Brief Understanding of Capabilities

The Cybersecurity Framework lays down cybersecurity capabilities based on operational layers. Each capability has certain prerequisites to fulfill before it is fully implemented. Moreover, to implement these capabilities, entities are advised to have qualified personnel with the relevant skills and certifications.

Following are the 14 capabilities defined in the Cybersecurity Framework.
Some of the important capabilities are discussed in detail below.

Data Protection

This capability is used to identify and stop the unauthorized use of confidential information before it leaves the entity's boundaries. This capability aims to build sustainable data protection programs by implementing technologies and processes aligned with the businesses and the most pertinent data protection matters with respect to the services provided by entities.

The Data Protection capability model breaks down basic cybersecurity operational activities into distinct layers. These layers include:

  • The Business Layer: This layer offers services to external stakeholders, which are realized in the organization by business processes performed by business actors and roles.
  • The Application Layer: This layer processes data from the technology layer and presents it in human-readable format with the preferred and customized reports.
  • The Technology Layer: In this layer, the hardware components interact with other components on the network.

Data protection service pertains to various activities to be conducted for the effective implementation of the Data Protection Capability. This service will apply to all data/information flow at every level (entity/sector/national). Before these activities are carried out, some prerequisites need to be completed as follows.

  • Identify security risks for the data that needs to be protected. Such data should be identified in all assets such as endpoint security, cloud security, application security, etc.
  • Use complementary information security processes and capabilities to support data confidentiality and integrity.
  • Enable appropriate logs on each asset for collection and analysis
  • Notify the IT team if there is any change in control management
  • Define dependencies
  • Implement physical security controls

Following this, data protection service activities can be carried out. These include:

  • Identify the scope and target of the data protection program
  • Establish policies and procedures
  • Define roles, responsibilities, acceptance standards, and acceptable service levels for remediation
  • Deploy appropriate solutions and train team members
  • Determine opportunities for automation
  • Improve with changing risk landscape
  • Data declassification/safe disposal

Data Privacy

This capability ensures adherence to binding international and Qatari privacy standards for the protection of personally identifiable information, including the EU General Data Privacy and Regulations (GDPR). It will help with implementing the processes and technologies required for a sustainable data privacy model that is aligned with business objectives as well as in compliance with General Data Privacy and Regulations.

As with the Data Protection capability, the Data Privacy capability has the following prerequisites to be fulfilled before further activities are carried out:

  • Document the personally identifiable information that needs to be protected and classify it for required security controls
  • The staff is aware of contractual and statutory regulations and implications for data breaches and has access to data privacy policies and practices that address their responsibility to maintain Data Privacy.
  • Have adequate resources to enforce the Data Privacy rules and regulations within the Entity.
  • Establish a process for collection, legal usage, disclosure/ transfer, retention, archival, and disposal of information or data based on the role of the organization (as a controller or processor)
  • Identify third parties that collect, store and process personal information on behalf of the entities.
  • Identify applicable regulations and contracts related to Data Privacy, protection, and cross-border transfer of personal information.
  • Have management support to oversee compliance with Data Privacy and have a competent department monitor, report, and manage non-compliance or breach
  • Define roles and responsibilities
  • Identify security risks for risk assessments

Once this is done, the same activities as for the Data Protection capability can be carried out. Like the Data Protection capability, the model for Data Privacy is divided into three distinct layers (Business, Application, and Technology).

Ensure Endpoint Security

Endpoints refer to the servers, desktops, laptops, wireless devices, mobile devices, and other OT/IoT devices connected to the Internet that may be subject to cyber threats. The Cybersecurity Framework obligates the entities to develop the capability to implement processes, controls, and technologies required to build a sustainable endpoint protection program.

Implement Application Security

Application security is another essential element of the Cybersecurity Framework as it involves the entities’ ability to prevent/detect/correct security weaknesses during the development, acquisition of applications, and using existing applications deployed during the World Cup.

Network Security

Network security is a critical aspect of the Cybersecurity Framework as it oversees the entire mechanism and practices in place to protect the infrastructure and the hardware being used across the network and devices connected to the network, both internally and externally. A reliable and robust network security program that implements the relevant processes, controls, and technologies while being aligned with the business needs of the system is pivotal to the smooth functioning of online services during the World Cup.

Have Recovery & Continuity Plans in Place

Expectedly, the Cybersecurity Framework places requirements on entities regarding having protocols that ensure adequate recovery and continuity in case any digital assets and services are the subject of an attack. It identifies all credible threats and the necessary recovery strategies the entities must have.

Implement Identity & Access Management

Identity & access management (IAM) ensures that only the relevant and appropriate individuals access critical resources at the right time. IAM fulfills the need to ensure that access to physical and logical assets and associated facilities is limited to authorized users, processes, and devices concerning the services provided. Entities should have mechanisms to implement IAM.

Ensure Cloud Security

With cloud computing becoming an increasingly important aspect of the modern Internet, entities need to have the relevant capabilities in place to ensure the cloud fabric is robust enough to deal with any potential threats as well as flexible enough to accommodate the model security architectures that need to be implemented as a result of the endpoint and other security related requirements.

Most entities involved in the World Cup will be using the Infrastructure-as-a-Service (IaaS) model to leverage the cloud capabilities as well as the virtual computing resources such as memory and storage allocation. Under the infrastructure cloud service model, entities must complete a data classification exercise, contract a cloud service provider and sign NDAs and an SLA, agree on roles, responsibilities, and processes, and finally test a DRP to accommodate cases where cloud-based services are not available.

How Can Securiti Help

Users are now more educated and aware of their digital rights. Owing to a plethora of regulations passed globally, organizations now have an obligation to provide adequate protection to their users online via a secure infrastructure and data privacy practices that ensure their data is adequately protected at all times.

However, that is easier said than done, owing to the sheer volume of data involved. This problem is further exacerbated when it comes to mega events such as the FIFA World Cup about to be held in Qatar in 2022. Users from across the world will be in Qatar for more than a month, requiring organizations to radically overhaul and transform their cybersecurity and data privacy infrastructure and capabilities.

Attempts to approach this challenge via the traditional methods will not only fail but leave organizations ruinously unprepared to meet their obligations towards their users. Naturally, organizations must consider radical solutions that promise more effective and efficient results.

This is where Securiti can help.

Securiti is a pioneer and market leader in providing enterprise solutions in data governance and compliance. Its slew of privacy-centric products ranges from third-party vendor risk assessment and data mapping to DSR automation and universal consent. Securiti can aid your compliance efforts regarding the Cybersecurity Framework.

Most importantly, Securiti can offer your organization access to its state-of-the-art Sensitive Data Intelligence (SDI) resource to help you secure and regulate all your collected data on both cloud and on-premises systems.

From discovering and cataloging all your sensitive and dark data across your storage to creating People Data Graphs that help you gain real-time insights into your obligations towards users at the individual level, SDI can significantly alleviate your data protection and privacy concerns.

Request a demo today to see how else Securiti can help you address your data obligations per the Cybersecurity Framework.


Key Takeaways:

  1. Qatar's Preparation for the 2022 FIFA World Cup: Qatar has heavily invested in various aspects of the 2022 FIFA World Cup to meet or exceed modern global standards, including data privacy and security. This preparation includes the implementation of a dedicated Cybersecurity Framework to address data-related issues posed by the World Cup.
  2. Cybersecurity Framework: Released by the Supreme Committee for Delivery & Legacy (SCDL) in 2018, the Cybersecurity Framework outlines standards for all participants of the FIFA World Cup. It focuses on developing "must have" cybersecurity capabilities across all organizations involved in the World Cup ecosystem, emphasizing prevention, detection, and response to data breaches and unauthorized data access or use.
  3. Data Protection and Privacy: The framework includes specific capabilities for Data Protection and Data Privacy, aiming to ensure data accuracy, reliability, and accessibility for authorized access while preventing unauthorized access. Data Privacy refers to the appropriate use of personally identifiable information for agreed purposes.
  4. Organizational Responsibilities: Entities involved in the World Cup services must integrate and utilize industry-leading cybersecurity best practices and cutting-edge technologies. They are expected to implement cybersecurity governance programs, review applicable capabilities of the Cybersecurity Framework, conduct self-assessments, and address major implementation gaps.
  5. Cybersecurity Governance Program: This program addresses strategic reliance on cyberspace, encompassing three main functions: Cybersecurity Risk Management, Cybersecurity Internal Audit, and Cybersecurity Training and Awareness. These functions aim to identify, manage, and mitigate cybersecurity risks effectively.
  6. Capabilities Defined in the Cybersecurity Framework: The framework outlines 14 specific cybersecurity capabilities across operational layers, including Data Protection, Data Privacy, Endpoint Security, Application Security, Network Security, Recovery & Continuity Plans, Identity & Access Management, and Cloud Security.
  7. Securiti’s Role in Compliance: Securiti provides enterprise solutions in data governance and compliance, leveraging artificial intelligence and machine learning to automate privacy impact assessments and identify gaps in data protection practices. Its Sensitive Data Intelligence (SDI) resource helps secure and regulate sensitive data across cloud and on-premises systems, aiding organizations in meeting their cybersecurity and data privacy obligations efficiently.
  8. The Importance of Cybersecurity and Data Privacy: With the influx of millions of football fans, Qatar emphasizes cybersecurity and data privacy to protect personal information adequately. The Cybersecurity Framework and Securiti’s solutions highlight Qatar’s commitment to ensuring a safe and secure digital environment for the 2022 FIFA World Cup attendees.
