PORTAL SOA PEMBUKTIAN DOKUMEN DAN FAIL...

PORTAL SOA

PEMBUKTIAN DOKUMEN

DAN FAIL ISMS

Disediakan oleh

Pasukan Sekretariat ISMS

Clause

No.Control Tiltle Control

Applicabili

ty

(Y/N)

Reasonforselection

Reference JustificationRR SR/BP RAR

A.5 Information security policies

A.5.1 Management direction for information security

Objective: To provide management direction and support for information security in accordance with business requirements and

relevant laws and regulations.

A.5.1.1

Policiesfor

information

security

Control

Aset of policies for

information security shall

be defined,approved by

management, published

and communicated to

employees and relevant

external parties.

Y / /

● Dasar Keselamatan ICT

MBPJ Versi 3.2 yang telah

diluluskan dalam Minit

Mesyuarat MKSP pada 30

Mei 2019

● Surat Akuan Pematuhan

Kakitangan Dasar

Keselamatan ICT Majlis

Bandaraya Petaling Jaya


Pihak Ketiga Dasar



● Taklimat Dasar

Keselamatan ICT Kepada

Kakitangan dan Pembekal

● Paparan pada portal

● Edaran Buletin IT

DKICT merupakan dasar

untuk memaklumkan

peraturan yang perlu

dipatuhi, tanggungjawab

warga kerja MBPJ ke atas

aset ICT yang perlu

dilindungi dan peraturan

ini juga perlu dipatuhi oleh

pihak ketiga bagi

mengurangkan risiko dan

ancaman.

Pengesahan dinyatakan

dalam dokumen Manual

ISMS

http://eps.mbpj.gov.my/dkictv3.2.pdf

http://mykms.mbpj.gov.my/attachments/article/482/Minit_MKSP BIL1-2019.pdf

http://mykms.mbpj.gov.my/attachments/article/85/Surat Akuan DKCIT MBPJ Lampiran 1 dan 2.pdf

http://mykms.mbpj.gov.my/attachments/article/85/Surat Akuan DKCIT MBPJ Lampiran 1 dan 2.pdf

Clause

ControlTiltle Control Applicabili

ty

Reasonforselectio

n

Reference Justification

A.5.1.2

Review of

the policies

for

information

security

Control

The policies for information

security shall be reviewed

at planned intervals or if

significant changes occur

to ensure their continuing

suitability, adequacy and

effectiveness.Y / /

● DKICT Versi 3.2

● DKICT 010103

Penyelenggaraan

Dasar

Dasar ini dikaji

semula sekurang-

kurangnya oleh

ICTSO sekali

setahun.

DKICT telah

dikemaskini kepada

versi 3.2 dan

diluluskan dalam

Mesyuarat Kajian

Semula Pengurusan

A.6 Organization of information security

A.6.1 Internal organization

Objective : To establish a management framework to initiate and control the implementation and operation of information security

within the organization.

A.6.1.1

Information

Security roles

and

responsibilities

Control

All information security

responsibilities shall be defined

and allocated.

Y /

● DKICT Perkara 02

Keselamatan Organisasi


Keselamatan Sumber

Manusia

● Mesyuarat

Jawatankuasa

Kemasyarakatan,

Perkhidmatan, Korporat

& Teknologi Maklumat

● CIO

● ICTSO

● Jawatankuasa Kerja

ISMS

● Fail Meja

● Nota Serah Tugas &

Surat (Tanggung Kerja)

Memastikan calon

atau pihak ketiga yang

dilantik mematuhi

peraturan keselamatan

aset ICT yang telah

ditetapkan sebelum,

semasa dan selepas

perkhidmatan.

Clause


ty

Reasonforselectio

n


• Fail Meja

• Nota Serah Tugas &

Surat

(TanggungKerja)

A.6.1.2Segregation

of duties

Control

Conflicting duties and

areas of responsibility shall

be segregated to reduce

opportunities for

unauthorized or

unintentional modification

or mis use of the

organization’s assets.

Y /

● DKICT 060104 –

Pengasingan Tugas Dan

Tanggungjawab

● Carta Organisasi, MPK

dan Fail Meja

Bagi mengurangkan risiko

penyalahgunaan kuasa

dan memudahkan

pembahagian tugasan.

A.6.1.3Contact with

authorities

Control

Appropriate contacts with

relevant authorities shall be

maintained.

Y /

● Senarai nama dan

nombor telefon yang

boleh dihubungi sekiranya

berlaku kecemasan di

Pusat Data

● Maklumat kontraktor

untuk dihubungi

sekiranya berlaku insiden

di Bilik Kawalan Pusat

Data.

Bagi memudahkan

pegawai terlibat

dihubungi sekiranya

berlaku kecemasan.

Clause


ty

Reasonforselectio

n


A.6.1.4

Contact with

special

interest

groups

Control

Appropriate contacts with

special interest groups or

other specialist security

forums and professional

associations shall be

maintained.

Y /

● Menyertai

Technology Update

(TU) bagi anti-virus.

● SUK

● Mesyuarat

Kemajuan PSICT

bersama PBT.

● Bengkel Kajian

Semula PSICT.

Untuk memastikan

pemahaman

tentang

persekitaran

keselamatan

maklumat terkini

dan lengkap.

Melaksanakan ISMS

dan PSICT bagi PBT.

Clause

ControlTiltle Control Applicabilit

y

Reasonforselectio

n


A.6.1.5

Information

security in

project

management

Control

Information security shall be

addressed in project

management, regardless of the

type of the project.

Y /

● Mesyuarat Jawatankuasa

Kecil ICT


Pihak Ketiga Dasar



● Akuan Keselamatan

Kontraktor (Lampiran A/B)

● Minit Mesyuarat Kick off

Bagi memastikan isu

keselamatan ICT

dikenalpasti dan

dimaklumkan kepada

pihak

pengurusan.

A.6.2 Mobile devices and teleworking

Objective:To ensure the security of teleworking and use of mobile devices.

A.6.2.1Mobile device

policy

Control

A policy and supporting security

measures shall be adopted to

manage the risks introduced by

using mobile devices.

Y /

● DKICT 070601 Peralatan

Mudah AlihKawalan ini memastikan

keselamatan ICT di MBPJ

berkenaan kemudahan ini.

A.6.2.2 Teleworking

Control

A policy and supporting security

measures shall be implemented

to protect information accessed,

processed or stored at

Y

/

● Permohonan Penggunaan

VPN (MBPJ-ISMS-P3-003)

Penggunaan FortiSSLVPN

Client untuk capaian Virtual

Private Network (VPN) bagi

rangkaian dalaman MBPJ.

Tergunapakai pada

kakitangan IT sahaja

berdasarkan skop.

Clause


y

Reasonforselection Reference Justification

A.6.2.2 Teleworking

Control

A policy and supporting

security measures shall be

implemented to protect

information accessed,

processed or stored at

teleworking sites.

Y

/

Permohonan

Penggunaan

VPN(MBPJ-ISMS-P3-003)

Penggunaan Forti SSL

VPN

Client untuk capaian

Virtual Private

Network (VPN) bagi

rangkaian dalaman

MBPJ.

Tergunapakai pada

kakitangan IT sahaja

berdasarkan skop.

Clause


ty

Reasonforselectio

n


A.7 Human resource security

A.7.1 Prior to employment

Objective : To ensure that employees and contractors understand their responsibilities and are suitable for the roles for which they

are considered.

A.7.1.1 Screening

Control

Background verification checks

on all candidates for employment

shall be carried out in accordance

with relevant laws, regulations

and ethics and shall be

proportional to the business

requirements, the classification of

the information to be accessed

and the perceived risks.

Y /

● Pekeliling Perkhidmatan

Bab ‘A’

● DKICT 020201 Keperluan

Keselamatan Kontrak

dengan Pihak Ketiga

● Surat Tawaran Pelantikan

● Akta Rahsia Rasmi 1972

(Perakuan Kakitangan)


Kakitangan Dasar




Pihak Ketiga Dasar



Pemeriksaan verifikasi

latar belakang semua

pekerja dan pihak ketiga

dalam melaksanakan

tanggungjawab serta

perkhidmatan di MBPJ.

Clause


ty

Reasonforselectio

n


A.7.1.2

Terms and

Conditions of

employment

Control

The contractual agreements

with employees and

contractors shall state their and

the organization’s

responsibilities for information

security.

Y /

● DKICT 040101

Tanggungjawab

Keselamatan Semasa

Dalam Perkhidmatan

● Surat Tawaran

Pelantikan

● Surat Akuan

Pematuhan Kakitangan

Dasar Keselamatan ICT

Majlis Bandaraya

Petaling Jaya

● Surat Akuan

Pematuhan Pihak

Ketiga Dasar


Bandaraya Petaling

Jaya


Kontraktor (Lampiran

A/B)

● Kontrak Perjanjian

Semua terma dan

syarat pelantikan

dipersetujui oleh

kakitangan dan pihak

ketiga.

Clause


y

Reasonforselectio

n


A.7.2 During employment

Objective : To ensure that employees and contractors are aware of and fulfil their information security responsibilities.

A.7.2.1

Management

responsibilities

Control Y /


Keselamatan Organisasi

● Taklimat kesedaran DKICT

kepada kakitangan/pihak

pembekal

● Mesyuarat Jawatankuasa

Kecil ICT


Kakitangan Dasar




Pihak Ketiga Dasar



● DKICT 040101

Tanggungjawab

Keselamatan Semasa

Dalam Perkhidmatan

Bagi memastikan arahan

keselamatan organisasi

dipatuhi seperti yang

telah ditetapkan.

Clause


ty

Reasonforselectio

n


A.7.2.2

Information

security

awareness,

educationan

d training

Control

All employees of the organization and,

where relevant, contractors shall receive

appropriate awareness education and

training and regular updates in

organizational policies and procedures,

as relevant for their job function.

Y /

● DKICT 040102 Terma &

Syarat Perkhidmatan

● DKICT 100105

Pelanggaran

Perundangan

● Pelan Latihan ICT

● Takwim Kursus Tahunan

MBPJ

● Kursus Suaikenal

● Taklimat Dasar

Keselamatan ICT

● Surat Tawaran

Pelantikan

● Transfer of Technology

(informal)

Untuk memastikan

kompetensi kakitangan

mencapai standard

kualiti dalam bidang

tugas dan dapat

mengurangkan risiko

keselamatan.

Clause


ty

Reasonforselectio

n


A.7.2.3Disciplinary

process

Control

There shall be a formal and

communicated disciplinary

process in place to take

action agains temployees

who have committed an

information security

breach.

Y /

● Warta Negeri

● Dasar Majlis

Perbandaran Petaling

Jaya

● Surat Peringatan

Memastikan hukuman

dikenakan keatas pihak

yang melanggar

peraturan.

A.7.3 Termination and change of employment

Objective : To protect the organization’s interests as part of the process of changing or

terminating employment.

A.7.3.1

Termination or change of employmentresponsibilities

Control

Information security

responsibilities and duties

that remain valid after

termination

Y /

● Warta Negeri

● Dasar Majlis Perbandaran

Petaling Jaya

● Surat Penamatan

Perkhidmatan

● Lembaga Tatatertib.

● Prosedur Pengurusan Kata

Nama Pengguna (User ID)

& Kata Laluan (Password)

(MBPJ-ISMS-P2-002)

Dasar diwujudkan bagi

mengurangkan risiko

pendedahan maklumat

setelah ditamatkan

perkhidmatan.

Clause


ty

Reasonforselectio

n


A.8 Asset management

A.8.1 Responsibility for assets

Objective:To identify organizational assets and define appropriate protection responsibilities.

A.8.1.1Inventory of

assets

Control

Assets associated with

information and

information processing

facilities shall be identified

and an inventory of these

assets shall be drawn up

and maintained.

Y / /

● DKICT 030101 Inventori

Aset

● Daftar Harta Modal

(KEW.PA-2)

● Laporan Penilaian Risiko

MyRAM Step 3 –

Identification of asset

Mengenalpasti semua

asset ICT, merekod

maklumat asset dalam

sistem pengurusan aset

dan sentiasa

dikemaskini.

A.8.1.2Ownership of

assets

Control

Assets maintained in the

inventory shall be owned.

Y / /


Kawalan dan

Pengelasan Aset

● Sistem MyAsset (Senarai

Daftar Harta Modal

(KEW.PA-4))

● Laporan MyRAM – List of

Assets

Semua aset ICT adalah

hak milik MBPJ.

Penerima aset

direkodkan dalam

Sistem MyAsset dan

setiap pengguna

adalah

bertanggunjawab ke

atas aset ICT tersebut.

Clause


ty

Reasonforselectio

n


A.8.1.3Acceptable

use of assets

Control

Rules for the acceptable

use of information and of

assets associated with

information and


facilities shall be identified,

documented and

implemented.

Y / /


Kawalan dan

Pengelasan Aset

● Prosedur Pinjaman

Peralatan Komputer

di MBPJ (MBPJ-ISMS-

P3-014)

● Borang Pinjaman

Peralatan Komputer

● Rekod Pengunaan

Peralatan

Mesyuarat

Pengguna

mengesahkan

penempatan asset

ICT yang

ditempatkan dan

bertanggungjawab

keatas semua asset

ICT dibawah

kawalannya.

A.8.1.4Returnof

assets

Control

Allemployeesandexternalp

arty usersshallreturnallofthe

organizationalassetsintheir

possessionupontermination

of

theiremployment,contract

or agreement.

Y / /

● Makluman

Kakitangan

Pelantikan Baru,

Peletakan Jawatan

Dan Bersara

● Surat Penamatan

Perkhidmatan

Memastikan semua

aset dipulangkan

selepas tamat

perkhidmatan.

Clause


ty

Reasonforselectio

n


A.8.2 Information classification

Objective: To ensure that information receives and appropriate level of protection inaccordance with it simportance to the

organization.

A.8.2.1

Classification

of

information

Control

Information shall be

classified in terms of legal

requirements, value, Y / /

● DKICT 030201

Pengelasan Maklumat

● DKICT 030202

Pengendalian

Maklumat

● Prosedur Klasifikasi dan

Pengendalian

Maklumat (MBPJ-ISMS-

P2-001)

● Lapoaran Penilaian

Risiko MyRAM –

Valuation of Assets

● Arahan Keselamatan

Memastikan maklumat

di kelaskan mengikut

tahap sensitivi

pendedahan dan

pengubahsuaian aset.

Clause


ty

Reasonforselectio

n


A.8.2.2Labelling of

information

Control

Anappropriate set of

procedures for information

labelling shall be

developed and

implemented in

accordance with their

information classification

scheme adopted by the

organization.

Y / /

● DKICT 030201

Pengelasan Maklumat

● DKICT 030202

Pengendalian

Maklumat


Pengendalian


P2-001)

● Prosedur Pengendalian

Media (MBPJ-ISMS-P2-

007)

Memastikan pegawai

yang mengendalikan

aset ICT mengetahui

tahap keselamatan

aset.

A.8.2.3Handling of

assets

Control

Procedures for handling assets shall be developed and implemented inaccordance withThe information

classification scheme

adopted by the

organization.

Y / /

● DKICT 030202 -

Pengendalian

Maklumat


Pengendalian


P2-001)



007)

Mengurangkan risiko

kebocoran maklumat

kepada pihak yang

tidak berkenaan.

Clause


y

Reasonforselectio

n


A.8.3 Media handling

Objective: To prevent unauthorized disclosure, modification,removal or destruction of information stored on media.

A.8.3.1

Management

of removable

media

Control

Procedures shall be

implemented for the

management of removable

media inaccordance with

the classification scheme

adopted by the

organization.

Y /

● DKICT 060602 Prosedur

Pengendalian Media



007)

Prosedur diwujudkan

untuk mengawal

maklumat yang

disimpan dalam hard

disk, thumb drives, cd’s

dan juga maklumat

berbentuk laporan.

A.8.3.2Disposalof

media

Control

Mediashallbedisposedof

securelywhennolongerrequi

red, usingformalprocedures.

Y /

● DKICT 060602 Prosedur

Pengendalian Media

● Satu Pekeliling

Perbendaharaan (1PP)

Memastikan risiko

kebocoran maklumat

dapat dikurangkan.

A.8.3.3

Physical

media

transfer

Control

Media containing

information shall be

protected against

unauthorized access,

misuseor corruption during

transportation.

Y

● Prosedur Pengurusan E-

mel bagi Data Cukai

Taksiran (MBPJ-ISMS-P2-

015)



007)

Clause


ty

Reasonforselectio

n


A.9 Access control

A.9.1 Business requirements of access control

Objective: To limit access to information and information processing facilities.

A.9.1.1Access

control policy

Control

An access control policy

shall be established,

documented and

reviewed based on

business and information

security requirements.

Y /


Kawalan Capaian

● Prosedur Kawalan

Keselamatan Log On

(MBPJ-ISMS-P2-018)

Kawalan dibuat untuk

menghalang dari

berlakunya

pendedahan dan

kebocoran maklumat.

A.9.1.2

Accessto

networksand

network

services

Control

Usersshallonlybeprovidedwi

th accesstothenetworkand

networkservicesthattheyha

ve

beenspecificallyauthorized

to use.

Y /

● DKICT 070301 Kawalan

Capaian Rangkaian


Pengurusan Operasi &

Komunikasi

060501 Kawalan

Infrastruktur Rangkaian

User ID & Password


menghalang capaian

yang tidak sah dan

tanpa kebenaran ke

atas maklumat.

A.9.2 Useraccessmanagement

Objective:Toensureauthorizeduseraccessandtopreventunauthorizedaccesstosyste

msandservices.

A.9.2.1

User

registrationan

d de-

registration

Control

A formal user registration and

de-registration process shall be

implemented to enable

assignment of access rights.

Y /

● DKICT 070201 Akaun

Pengguna

● e-Mel (Makluman

Pengaktifan Akses)


Keselamatan Log On

(MBPJ-ISMS-P2-018)

● Permohonan

penggunaan VPN (P3)

● Prosedur Pengurusan

Kata Nama Pengguna

dan Kata Laluan (MBPJ-

ISMS-P2-018)

● Mform – Borang

Permohonan

Penggunaan Sistem

dan Emel

● Borang Pembatalan

Penggunaan Sistem

(Nama Pengguna/

Katalaluan) (MBPJ-ISMS-

P2-002-B01)

Hanya pengguna yang

berdaftarkan sahaja

yang layak mengakses

sistem.

Clause


y


A.9.2.2User access

provisioning

Control

A formal user access

provisioning process shall be

implemented to assign or

revoke access rights for all

usertypes to all systems and

services.

Y /

● DKICT 070204 Hak Capaian

(Privilege)


Pengguna

● Prosedur Kawalan Keselamatan

Log On (MBPJ-ISMS-P2-018)


Kakitangan Dasar Keselamatan

ICT Majlis Bandaraya Petaling

Jaya

● Surat Akuan Pematuhan Pihak

Ketiga Dasar Keselamatan ICT

Majlis Bandaraya Petaling Jaya

● Akuan keselamatan Kontraktor

(Lampiran A/B)

● Email (Makluman Pengaktifan

Akses)

Setiap sistem

mempunyai

peringkat capaian

pengguna bagi

memastikan

keselamatan

maklumat.

Clause


y

Reasonforselectio

n


A.9.2.3

Managemen

t of

privileged

access rights

Control

The allocation and use of

privileged access rights

shall be restricted and

controlled.

Y /

● DKICT 070204 Hak Capaian

● Menggunakan unik ID dan

kata laluan

● Senarai akses pengguna

dan peringkat capaian

sistem

Setiap sistem mempunyai

peringkat capaian

pengguna bagi

memastikan keselamatan

maklumat.

A.9.2.4

Managemen

t of secret

authenticatio

n information

of users

Control

The allocation of secret

authentication information

shall be controlled through

a formal management

process.

Y

/ ● DKICT 070203 Pengurusan

Kata Laluan

● Borang Permohonan

Penggunaan Sistem

(Nama Pengguna/

Katalaluan) (MBPJ-ISMS-P2-

002-B01)

● Menggunakan Unik ID

Pengguna yang layak

akan dikenalpasti untuk

mengakses sistem.

Server aplikasi - Pegawai

aplikasi menggunakan

unik ID. Tetapi terdapat 2

aktiviti (compile source

log & restart application

services) perlu

mengunakan ID Admin.

Perkongsian bagi ID

Admin hanya dibenarkan

bagi 2 aktiviti tersebut

(diluar waktu bekerja).

Pegawai Infra akan

menukar kata laluan

tersebut setiap kali ID

Admin digunakan oleh

Pegawai Aplikasi

Clause


y

Reasonforselectio

n


A.9.2.5

Review of

user access

rights

Control

Asset owners shall review

users’Y /


Pengguna


Penggunaan Sistem

(Nama Pengguna/


P2-002-B01)

● Semakan kawalan

capaian - Security

Metrics

Kawalan dibuat supaya

pengguna yang

dibenarkan sahaja

untuk mengakses

sistem.

A.9.2.6

Removalor

adjustmentof

accessrights

Control

The access rights of

allemployees and external

party users to information

and information processing

facilities shall be removed

upon termination of their

employment, contractor

agreement ,or adjusted

upon change.

Y /

● DKICT 070204 Hak

Capaian

● Makluman Kakitangan

Pelantikan Baru,

Peletakan Jawatan Dan

Bersara (e-mel Bahagian

Sumber Manusia)


Penggunaan Sistem

(Nama Pengguna/


P2-002-B01)

Penamatan capaian

sistem dan kemudahan

perlatan ICT adalah

adalah mengikut

prosedur yang telah

ditetapkan.

Clause


y

Reasonforselectio

n


A.9.3 User responsibilities

Objective:To make users accountable for safe guarding their authentication

information.

A.9.3.1

Use of secret

authenticatio

n information

Control

Users shall be required to

follow the organization’s

practices in the use of

secret authentication

information.

Y /

● DKICT 070203

Pengurusan Kata Laluan


kata Nama Pengguna

dan Katalaluan (MBPJ-

ISMS-P2-002)

● Menggunakan unik ID

dan kata laluan patuh

kepada keperluan DKICT

MBPJ

Pengesahan

pengenalan maklumat

sulit dilakukan dengan

memerlukan kata

laluan bagi

mendapatkan

maklumat melalui emel

yang diberikan

gunapakai DKICT

070203 Pengurusan

Kata Laluan iaitu:-

Minimum 8 Aksara

Pertukaran kata

laluan maksimum

90 hari

Clause


y

Reasonforselectio

n


A.9.4 System and application access control

Objective:To prevent unauthorized access to systems and

applications.

A.9.4.1Information accessrestriction

Control

Access to information and

application system functions

shall be restricted

inaccordance with the

access control policy.

Y /

● DKICT 070501 Capaian

Aplikasi dan Maklumat


Firewall & IPS (MBPJ-ISMS-

P3-004)

● Senarai Akaun Pengguna

dan tahap capaian

● Encrypt password pada

Database (Sistem

ePenilaian, Sistem Kutipan,

Sistem eAduan)

● Senarai Akaun Pengguna

dan tahap capaian pada

Sistem ePenilaian

Firewall dan IPS digunakan

untuk memastikan

kawalan kepada capaian

ke sistem aplikasi dan

maklumat hanya

dibenarkan mengikut

A.9.4.2Secure log-on

procedures

Control

Where required by the

access control policy,

access to systems and

applications shall be

controlled by a secure log-

on procedure.

Y /

● DKICT 070401 Capaian

Sistem Pengoperasian

● Prosedur Keselamatan Log

On (MBPJ-ISMS-P2-018)

● Kawalan 3 kali cubaan

login sistem (Sistem

ePnilaian & Sistem eAduan)

Untuk memantau akses

yang tidak dibenarkan

kepada sistem dan

aplikasi

Clause


ty

Reasonforselectio

n


A.9.4.3

Password

managemen

t system

Control

Password management

systems shall be interactive

and shall ensure quality

passwords.

Y /

● DKICT 070203

Pengurusan Kata Laluan

● Kata laluan yang

ditetapkan minimum 8

aksara

Pertukaran kata laluan

90 hari sekali melalui

peringatan daripada

sistem dengan minimum

8 aksara.

A.9.4.4

Use of

Privileged

utility

programs

Control

The use of utility programs

that might be capable of

overriding system and

application controls shall

be restricted and tightly

controlled.

Y /

● 070401 Capaian Sistem

Pengoperasian

● Dibenarkan kepada

pentadbir sistem sahaja


memastikan

keselamatan fail sistem

terjamin.

A.9.4.5

Access

control to

program

source code

Control

Access to program source

code shall be restricted. Y

/● DKICT 070401 Capaian

Sistem Pengoperasian

● Dibenarkan kepada

pentadbir sistem sahaja

● Unik ID & Kata laluan

Pentadbir sistem sahaja

dibenarkan untuk

mengemaskini source

code

A.10 Cryptography

A.10.1Cryptographic controls

Objective:To ensure proper and effective use of cryptography to protect the confidentiality, authenticity and/orintegrity of information.

Clause

ControlTiltl

e

Control Applicabilit

y

Reasonforselectio

n


A.10.1.1

Policy on

the use of

cryptogra

phic

controls

Control

A policy on the use of

cryptographic controls for

protection of information

shall be developed and

implemented.

Y /

● DKICT 080201

Penyulitan

● Enkripsi kata laluan

Sistem Kutipan di

pangkalan data

pada Jun 2018

● SSL digunakan pada

Sistem eAduan

Melindungi

kerahsiaan, intergriti

dan kesahihan

maklumat

A.10.1.2

Key

managem

ent

Control

A policy on the use,

protection and lifetime of

cryptographic keys shall

be developed and

implemented through their

whole lifecycle.

Y

/

● DKICT 080202

Pengurusan Kunci

Meletakkan

password untuk

melindungi

kerahsiaan, intergriti

dan kesahihan

maklumat

A.11 Physical and environmental security

A.11.1Secure areas

Objective: To prevent unauthorized physical access, damage and interference to the organization’s information and information

processing facilities.

ClauseControl Tiltle


y

Reasonforselectio

n


A.11.1.1

Physical

security

perimeter

Control

Security perimeters shall be

defined and used to protect

areas that contain either

sensitive or critical information

and information processing

facilities.

Y /

● DKICT 05 Keselamatan

Fizikal

● Kaunter pengawal

● Buku log pelawat

● Buku Rekod

Keluar/Masuk Pelawat

Bahagian Teknologi

Maklumat MBPJ

● Buku log Pusat Data

● Pas pelawat/kad akses

pekerja

● Card Access Door

● Emergency alarm

● Thumbprint bagi Pusat

Data

● Kawalan CCTV

● Pemadam kebakaran

dalam Pusat Data

Kawasan larangan

mempunyai kawalan

keselamatan yang

diperlukan seperti yang

dinyatakan.

ClauseControl Tiltle


y

Reasonforselectio

n


A.11.1.2

Physical

entry

controls

Control

Secure areas shall be

protected by appropriate

entry controls to nsure that

only authorized personnel

are allowed access.

Y /

● DKICT 050102

Kawalan Masuk

Fizikal

● Pas Pelawat/Kad

Akses Pekerja


● Thumbprint bagi

Pusat Data

● Kawalan CCTV

● Buku Log Pusat Data

● Buku Rekod

Keluar/Masuk

Pelawat Bahagian

Teknologi Maklumat

MBPJ


● Buku Log Pelawat

Kawasan larangan

mempunyai

kawalan

keselamatan yang

diperlukan seperti

yang dinyatakan.

Clause

Control

Tiltle


y


A.11.1.3

Securing

offices, rooms

and facilities

Control

Physical security for offices, rooms and

facilities shall be designed and

applied.

Y /

● DKICT 050101 Perimeter

Keselamatan Fizikal

● Pas Pelawat/Kad Akses Pekerja

● Buku Log Pelawat

● Buku Rekod Keluar/Masuk

Pelawat Bahagian Teknologi

Maklumat MBPJ


● Bilik kawalan pusat data

● Kawalan buku log Pusat Data

● Pelan susunatur Pejabat

● Fail Kabinet berkunci

● Kawalan CCTV

Kawasan larangan

mempunyai kawalan

keselamatan yang

diperlukan seperti yang

dinyatakan.

A.11.1.4

Protecting

against

external and

environmental

threats

Control

Physical protection against natural

disasters, malicious attack or

accidents shall be designed and

applied.

Y /


Persekitaran

● Penyelenggaraan Bangunan

oleh Jabatan Kejuruteraan

● Laporan Penyelenggaraan

Peralatan Keselamatan (Fire

Fighting)

● Sprinkler

● Alat pemadam api

● Smoke Detector

● Genset

● UPS

● Emergency Alarm

● CCTV

● FM200

Penyelenggaraan

dilakukan oleh pihak

yang berkaitan bagi

memastikan risiko dalam

ancaman luaran dan

persekitaran dapat

diminima.

Clause


y

Reasonforselectio

n


A.11.1.5

Working in

secure

areas

Control

Procedures for working in

secure areas shall be

designed and applied.

Y /

● DKICT 050103

Kawasan Larangan

● Prosedur Kebenaran

Melakukan Kerja di

Pusat Data (MBPJ-

ISMS-P3-009)

● Pas pelawat/pas

pekerja


● Bilik kawalan pusat

data

● Keluar/masuk dan

diiringi Pegawai Data

Pusat (Pihak Ketiga)

Menyediakan bilik

kawalan pusat data

untuk pihak ketiga

membuat

penyelengaraan

dan menyediakan

pegawai pengiring

bagi kawasan

larangan.

Clause

Control

Tiltle


y

Reasonforselectio

n


A.11.1.6

Delivery

and

loading

areas

Control

Access points such as

delivery and loading areas

and other points where

unauthorized persons

could enter the premises

shall be controlled and, if

possible, isolated from


facilities to avoid

unauthorized access.

Y /


Masuk Fizikal

● Bilik kawalan pusat data

● Buku Rekod Pelawat Unit

Teknologi Maklumat

● Prosedur Pelawat Unit

Teknologi Maklumat (MBPJ-

ISMS-P3-017)

Kawasan penyerahan

dan penyediaan

peralatan ICT disediakan

bagi mengelakkan

sebarang ancaman

pencerobohan yang

berkemungkinan berlaku.

A.11.2 Equipment

Objective: To prevent loss, damage, theft or compromise of assets and interruption to the organization’s operations.

A.11.2.1

Equipment

siting and

protection

Control

Equipment shall be sited

and protected to reduce

the risks from

environmental threats and

hazards, and opportunities

for unauthorized access.

Y /

● Pelan Lantai Tingkat 3 Ibu

Pejabat MBPJ

● Pelan Lantai Jabatan

Penilaian & Pengurusan

Harta

● Pelan Lantai Jabatan

Perbendaharaan, Tingkat 1

Peralatan ICT diletakkan

di tempat terkawal bagi

mengurangkan risiko

ancaman daripada

ancaman persekitaran

dan peluang

pencerobohan yang

mungkin akan berlaku.

Clause


y

Reasonforselectio

n


A.11.2.2Supporting

utilities

Control

Equipment shall be

protected from power

failures and other

disruptions caused by

failures in supporting

utilities.

Y /

● Genset

● UPS

● Pelaksanaan

Redundancy Core Switch

(Supporting utilities bagi

risiko Hardware

Malfunction)

Utiliti disediakan bagi

memastikan

peralatan ICT tidak

terdedah dengan

kegagalan di dalam

menyediakan

perkhidmatan yang

diperlukan.

A.11.2.3Cabling

security

Control

Power and

telecommunications

cabling carrying data or

supporting information

services shall be protected

from interception,

interference or damage.

Y /

● DKICT 050204 Kabel

● Rak peralatan

Rangkaian Berpusat

● Trunking Cable/

Cable tie

● Raised floor di Pusat

Data

Peralatan yang

disediakan

melindungi kabel

yang ditempat

disetiap switch

Majlis.

Clause


y


A.11.2.4Equipment

maintenance

Control

Equipment shall be

correctly maintained to

ensure its continued

availability and integrity.

Y /

● DKICT 050205

Penyelenggaraan

● Laporan Penyelenggaraan

Berkala Peralatan ICT

● Perkhidmatan

penyelenggaraan

kerosakan (Corrective

Maintenance – adhoc

basis)

● Perkhidmatan

Penyelenggaraan dan

Bantuan Teknikal

Perkakasan, Perisian dan

Rangkaian dan Sokongan

Pusat Data oleh Venture

Nucleus (M) Sdn Bhd

● Corrective action done by

Pasukan Teknikal (LAN,

WAN, Komputer & Laptop))

● Penyelenggaraan berkala

dari pasukan teknikal

(Komputer & laptop)

● Fine tuning healthcheck -

setiap 6 bulan

● Preventive maintenance

setiap 3 bulan bagi Oracle

12c (Laporan

penyelenggaraan 4 kali

setahun)

● Penyelenggaraan oleh

Array Technologies (SUN

SPARC T702)

Fail penyelenggaraan

Pusat Data MBPJ

disediakan bagi

memastikan dalam

kebolehsediaan dan

integriti perkhidmatan.

Clause


y


A.11.2.4

● Sokongan Waranti dan

Penyelenggaraan oleh Unit

Teknikal (Laptop

● Penyelenggaraan oleh Pihak

Ketiga, Strategic Alliance –

Dell Storage, Internal Firewall

(Sangfor))

● Sokongan dan

Penyelenggaraan bagi

Antivirus Kyrol

● Preventive maintenance by

Centory Software (M) Sdn Bhd

(Sistem ePenilaian)

● Sokongan teknikal daripada

BKJ (UPS, Split Aircond, Alat

Pemadam Api & FM200)

● Penyelenggaraan CCTV

(Caliber Interconnects dan

Datasonic)

Clause ControlTiltle Control Applicability Reasonforselection Reference Justification

A.11.2.5Removal of

assets

Control

Equipment, information or

software shall not be taken off-

site without prior authorization.

Y /

● DKICT 050206

Peminjaman Perkakasan

Untuk Kegunaan Diluar

Pejabat


Peralatan Komputer di

MBPJ (MBPJ-ISMS-P3-014)

Melindungi dan

mengawal pergerakan

aset ICT dari berlakunya

kehilangan atau

dimanipulasikan oleh

pihak yang tidak

bertanggungjawab.

A.11.2.6

Security of

equipment and

assets off-

premises

Control

Security shall be applied to off-

site assets taking into account

the different risks of working

outside the organization’s

premises.

Y /

● DKICT 050207 Peralatan

di luar premis.


Peralatan Komputer di


Kawalan bagi peralatan

yang digunapakai di luar

premis.

A.11.2.7

Secure disposal

or reuse of

equipment

Control

All items of equipment

containing storage media shall

be verified to ensure that any

sensitive data and licensed

software has been removed or

securely overwritten prior to

disposal or re-use.

Y /

● DKICT 050208 Pelupusan

● Borang Perakuan

Pelupusan (PEP) (MBPJ-

ISMS-P1-007-L06)

● Satu Pekeliling

Perbendaharaan (1PP)

● Kemaskini KEW.PA-2,

KEW.PA-3, KEW.PA-16,

KEW.PA-17, KEW.PA-18

dan KEW.PA-19.

Kawalan digunakan

supaya tidak berlaku

pendedahan maklumat

selepas aset ICT

dilupuskan.

Clause


y


A.11.2.8

Unattended

user

equipment

Control

Users shall ensure that

unattended equipment has

appropriate protection.

Y /

● DKICT 050209 Clear

Desk dan Clear

Screen

● Screen saver with

password protected

Memastikan tiada

penyalahgunaan

dalam penggunaan

aset ICT.

Selepas dua (2) minit

screen saver

diaktifkan

A.11.2.9

Clear desk

and clear

screen policy

Control

A clear desk policy for

papers and removable

storage media and a clear

screen policy for


facilities shall be adopted.

Y /

● DKICT 050209 Clear

Desk dan Clear

Screen

● Screen saver with

password protected

Memastikan tiada

penyalahgunaan

dalam penggunaan

aset ICT.

Selepas dua (2) minit

screen saver

diaktifkan

Clause


y


A.12 Operations security

A.12.1 Operational procedures and responsibilities

Objective: To ensure correct and secure operations of information processing facilities.

A.12.1.1

Documente

d operating

procedures

Control

Operating procedures shall

be documented and

made available to all users

who need them.

Y /

● DKICT 060101 –

Pengendalian

Prosedur

● Dokumen P2

● Dokumen P3

● Proses Pengurusan

Aduan - penerimaan

dan pengesahan

aduan melalui Sistem

eAduan oleh Seksyen

Aduan Awam

Sebagai rujukan

bagi memastikan

pengendalian

prosedur dilakukan

dengan cekap


A.12.1.2Change

management

Control

Changes to the organization,

business processes, information

processing facilities and systems

that affect information security

shall be controlled.

Y /


Perubahan


Perubahan (MBPJ-ISMS-

P2-007)


Patch (MBPJ-ISMS-P2-010)

Perubahan kepada

organisasi, kemudahan

pemprosesan maklumat

dan sistem yang

menjejaskan

keselamatan maklumat

hendaklah dikawal.

A.12.1.3Capacity

management

Control

The use of resources shall be

monitored, tuned and

projections made of future

capacity requirements to

ensure the required system

performance.

Y /

● DKICT 060201

Perancangan kapasiti


Kapasiti Sumber (MBPJ-

ISMS-P2-019)

● Memastikan pelan

pengunjuran kapasiti

dilaksanakan sekurang-

kurangnya sekali

setahun.

Penggunaan sumber

harus dipantau

mengikut keperluan

kapasiti berdasarkan

kegunaan masa

hadapan untuk

memastikan prestasi

sistem yang diperlukan.

A.12.1.4

Separation of

development,

testing and

operational

environments

Control

Development, testing, and

operational environments shall

be separated to reduce the risks

of unauthorized access or

changes to the operational

environment.

Y /

● Network diagram MBPJ

o Dev Server

o Production Server

Pembangunan dan

ujian bagi persekitaran

operasi hendaklah

dipisahkan untuk

mengurangkan risiko

akses yang tidak

dibenarkan atau

perubahan kepada

persekitaran operasi.

Clause


y


A.12.2 Protection from malware

Objective: To ensure that information and information processing facilities are protected against malware.

A.12.2.

1

Controls

against

malware

Control

Detection, prevention and

recovery controls to

protect against malware

shall be implemented,

combined with appropriate

user awareness.

Y /

● DKICT 060302

Perlindungan dari

Mobile Code

● Anti-virus Kyrol bagi

server dan

laptop/notebook/

PC.

● Laporan anti-virus.

● Content/Web Filtering

– Web Marshal


Anti-virus dan

Perlindungan Kod

Perosak (MBPJ-ISMS-

P2-012)

Melaksanakan

kawalan ancaman

dari virus, malware,

trojan serta

cecacing.

A.12.3 Backup

Objective: To protect against loss of data.

Clause Control Tiltle Control Applicability Reasonforselection Reference Justification

A.12.3.1Information

backup

Control

Backup copies of information,

software and system images

shall be taken and tested

regularly in accordance with an

agreed backup policy.

Y /

● DKICT 060401 Backup

● Prosedur pengendalian

backup dan reload data

(MBPJ-ISMS-P3-001)

● Policy Backup Recovery

● Backup file di oracle

storage

● Aktiviti restore 2 kali

setahun

● Backup file ke NAS di

Menara MBPJ & Pusat

Komuniti MBPJ

Prosedur sokongan bagi

maklumat, perisian dan

sistem imej hendaklah

dilakukan dan diuji

secara teratur bagi

memastikan oparasi

dapat diteruskan

apabila berlakunya

bencana.

A.12.4 Logging and monitoring

Objective: To record events and generate evidence.

A.12.4.1 Event logging

Control

Event logs recording user

activities, exceptions, faults and

information security events shall

be produced, kept and

regularly reviewed.

Y /

● DKICT 061102 Sistem Log

● DKICT 061103

Pemantauan Log

● DKICT 070202 Jejak Audit.

● Prosedur Pemantauan

Penggunaan Sistem

(MBPJ-ISMS-P2-021)

Pemantauan bagi

rakaman aktiviti

pengguna dan peristiwa


hendaklah

dikemukakan, disimpan

dan sentiasa dikaji

semula.

Clause


y


● Terdapat audit trail

dalam Oracle bagi

aktiviti yang

dilaksanakan

berdasarkan IP dan

Computer Name

(Oracle 12c)

A.12.4.2

Protection of

log

information

Control

Logging facilities and log

information shall be

protected against

tampering and

unauthorized access.

Y /

● DKICT 061103

Pemantauan Log

● DKICT 070202 Jejak

Audit

● Prosedur

Pemantauan

Penggunaan Sistem

(MBPJ-ISMS-P2-021)

Kerja-kerja semasa

log maklumat

hendaklah dilindungi

daripada sebarang

gangguan

A.12.4.3

Administrator

and

operator logs

Control

System administrator and

system operator activities

shall be logged and the

logs protected and

regularly reviewed.

Y /

● DKICT 070202 Jejak

Audit

● DKICT 061103

Pemantauan Log

● Prosedur

Pemantauan

Penggunaan Sistem

(MBPJ-ISMS-P2-021)

● Log dalam

Pangkalan Data

Pentadbir sistem dan

aktiviti pengendali

sistem akan dilog

dan log dilindungi

dan sentiasa dikaji

semula.


A.12.4.4Clock

synchronisation

Control

The clocks of all relevant

information processing systems

within an organization or

security domain shall be

synchronised to a single

reference time source.

Y /

● DKICT 061103

Pemantauan Log

● Masa server ditetapkan

mengikut Network Time

Protocol (NTP) server

sistem pemprosesan

maklumat yang relevan

dalam sesuatu

organisasi atau domain

keselamatan akan

ditempatkan kepada

sumber rujukan masa

yang tunggal.

A.12.5 Control of operational software

Objective: To ensure the integrity of operational systems.

A.12.5.1

Installation of

software on

operational

systems

Control

Procedures shall be

implemented to control the

installation of software on

operational systems.

Y/


Fail Sistem


Perubahan





P2-006)


Penggunaan

Aplikasi/Perisian

Prosedur kawalan

hendaklah dilaksanakan

untuk mengawal

pemasangan perisian

pada sistem operasi.


A.12.6 Technical vulnerability management

Objective: To prevent exploitation of technical vulnerabilities

A.12.6.1

Management

of technical

vulnerabilities

Control

Information about technical

vulnerabilities of information

systems being used shall be

obtained in a timely fashion, the

organization’s exposure to such

vulnerabilities evaluated and

appropriate measures taken to

address the associated risk.

Y /


Dari Ancaman Teknikal



● Patches dilaksanakan

sewaktu Preventive

Maintenance

● Pelaksanaan Vulnerability

Assessment

Maklumat mengenai

kelemahan teknikal

sistem maklumat yang

digunakan hendaklah

diperolehi dengan cara

yang tepat.

A.12.6.2

Restrictions on

software

installation

Control

Rules governing the installation

of software by users shall be

established and implemented.

Y /


Fail Sistem


Fail Sistem

● Prosedur Pertukaran

Maklumat

● Prosedur Melindungi

Harta Intelek

Prosedur kawalan dan

peraturan yang

mengawal

pemasangan perisian

oleh pengguna

hendaklah dilaksanakan

bagi mengelakkan

pengguna melakukan

instalasi software yang

tidak dibenarkan oleh

Majlis.


A.12.7 Information systems audit considerations

Objective: To minimise the impact of audit activities on operational systems.

A.12.7.1

Information

systems audit

controls

Control

Audit requirements and

activities involving verification of

operational systems shall be

carefully planned and agreed

to minimise disruptions to

business processes.

Y /

● Prosedur Audit Dalam

ISMS (MBPJ-ISMS-P1-004)

Keperluan audit bagi

aktiviti-aktiviti yang

melibatkan pengesahan

sistem operasi

hendaklah dirancang

dengan teliti bagi

mengurangkan

gangguan pada

Business process

A.13 Communications security

A.13.1 Network security management

Objective: To ensure the protection of information in networks and its supporting information processing facilities.

A.13.1.1Network

controls

Control

Networks shall be managed

and controlled to protect

information in systems and

applications.

Y /

● DKICT 020106 Pentadbir

Rangkaian

● Firewall – Fortigate

● Intrusion Detection

System

● Virtual LAN

● Web Content Filtering

● Password Wifi

Sistem Rangkaian

hendaklah diuruskan

dan dikawal untuk

melindungi maklumat

dalam sistem dan

aplikasi.


A.13.1.2

Security of

network

services

Control

Security mechanisms, service

levels and management

requirements of all network

services shall be identified and

included in network services

agreements, whether these

services are provided in-house

or outsourced.

Y /




Kawalan/ prosedur

keselamatan dan

perkhidmatan untuk

keperluan pengurusan

bagi semua

perkhidmatan

rangkaian hendaklah

dikenal pasti dan

dimasukkan dalam

perjanjian perkhidmatan

rangkaian,

A.13.1.3Segregation in

networks

Control

Groups of information services,

users and information systems

shall be segregated on

networks.

Y /




Untuk melindungi

perkhidmatan

Rangkaian Majlis.

A.13.2 Information transfer

Objective: To maintain the security of information transferred within an organization and with any external entity.

Clause


y


A.13.2.

1

Information

transfer

policies and

procedures

Control

Formal transfer policies,

procedures and controls

shall be in place to protect

the transfer of information

through the use of all types

of communication facilities.

Y /

● Prosedur

Pengendalian Media

(MBPJ-ISMS-P2-007)


e-Mel bagi Data

Cukai Taksiran (MBPJ-

ISMS-P2-015)

● Pekeliling Kemajuan

Pentadbiran Awam

Bilangan 1 tahun

2003: Garis panduan

mengenai Tatacara

penggunaan internet

Dan mel elektronik Di

agensi-agensi

kerajaan

Prosedur dan

kawalan hendaklah

berada di lakukan

untuk melindungi

pemindahan

maklumat melalui

penggunaan semua

jenis kemudahan

komunikasi.

A.13.2.

2

Agreements

on

information

transfer

Control

Agreements shall address

the secure transfer of

business information

between the organization

and external parties.

Y

● Surat Akuan

Pematuhan Pihak

Ketiga Dasar

Keselamatan ICT

Majlis Bandaraya

Pelating Jaya.




A/B)

Kawalan bagi

memastikan

maklumat yang

diberikan kepada

pihak ketiga dijaga

dari segi kerahsiaan

dan integriti.


A.13.2.3Electronic

messaging

Control

Information involved in

electronic messaging shall be

appropriately protected.

Y /

● DKICT 060902 Pengurusan

Mel Elektronik (E-mail)

● Garis Panduan

Penggunaan dan

Pengurusan e-Mel Majlis


(http://eps.mbpj.gov.my/

emel.pdf)

● Prosedur Pengurusan e-

Mel bagi Data Cukai

Taksiran (MBPJ-ISMS-P2-

015)

● Anti-Spam – Mail Filtering

Prosedur diwujudkan

bagi memastikan

maklumat yang dihantar

melalui dilindungi.

A.13.2.4

Confidentiality

or

nondisclosure

agreements

Control

Requirements for confidentiality

or non-disclosure agreements

reflecting the organization’s

needs for the protection of

information shall be identified,

regularly reviewed and

documented.

Y /

● DKICT 020109 Pengguna


Keselamatan Kontrak

dengan Pihak Ketiga.


Pihak Ketiga Dasar


Bandaraya Pelating

Jaya.




A/B)

Syarat-syarat untuk

kerahsiaan atau

ketakdedahan

perjanjian

mencerminkan

keperluan organisasi

untuk melindungi

maklumat itu dikenal

pasti, sentiasa dikaji dan

didokumentasikan.

http://eps.mbpj.gov.my/emel.pdf


A.14 System acquisition, development and maintenance

A.14.1 Security requirements of information systems

Objective: To ensure that information security is an integral part of information systems across the entire lifecycle. This also includes the requirements for

information systems which provide services over public networks.

A.14.1.1

Information

security

requirements

analysis and

specification

Control

The information security related

requirements shall be included

in the requirements for new

information systems or

enhancements to existing

information systems.

Y /

● Waterfall methodology

● User Requirement

Specification (URS)


Pembangunan dan

Penyelenggaraan Sistem


Perubahan

● DKICT 080402

Pembangunan Perisian

Secara Outsource

● Contoh spesifikasi Tender

Keperluan berkaitan


akan dimasukkan dalam

keperluan untuk sistem

maklumat baru atau

penambahbaikan untuk

sistem maklumat yang

sedia ada.

A.14.1.2

Securing

application

services on

public networks

Control


application services passing

over public networks shall be

protected from fraudulent

activity, contract dispute and

unauthorized disclosure and

modification.

Y

Capaian rangkaian dalaman

atau VPN

Sebagai

penambahbaikan bagi

sistem yang terlibat di

dalam Skop ISMS


A.14.1.3

Protecting

application

services

transactions

Control


application service transactions

shall be protected to prevent

incomplete transmission, mis-

routing, unauthorized message

alteration, unauthorized

disclosure, unauthorized

message duplication or replay.

Y

Dedicated kaunter (user ID

dan mesin)

Transaksi maklumat perlu

dikawal daripada

transaksi yang tidak

lengkap, mis-routing,

pengubahan,

pendedahan dan

pertindihan maklumat

yang tidak sah.

A.14.2 Security in development and support processes

Objective: To ensure that information security is designed and implemented within the development lifecycle of information systems.

A.14.2.1

Secure

development

policy

Control

Rules for the development of

software and systems shall be

established and applied to

developments within the

organization.

Y /


Keselamatan Kiptografi


Fail Sistem


Perubahan

● DKICT 080402


Secara Outsource

Kawalan Peraturan

untuk pembangunan

perisian dan sistem

dilakukan bagi

memastikan setiap

perubahan tidak

menganggu perjalanan

sistem.

Clause


y


A.14.2.

2

System

change

control

procedures

Control

Changes to systems within

the development lifecycle

shall be controlled by the

use of formal change

control procedures.

Y /

● DKICT 080401

Kawalan Perubahan


Perubahan (MBPJ-

ISMS-P2-006)

Perubahan kepada

sistem dalam boleh

dikawal dengan

menggunakan

prosedur kawalan

perubahan.

A.14.2.

3

Technical

review of

applications

after

operating

platform

changes

Control

When operating platforms

are changed, business

critical applications shall be

reviewed and tested to

ensure there is no adverse

impact on organizational

operations or security.

Y /


Perubahan (MBPJ-

ISMS-P2-006)

● Borang

Penambahbaikan

Sistem (MBPJ-ISMS-P2-

006-B01)

Apabila platform

operasi diubah,

aplikasi bagi sistem

kritikal hendaklah

dikaji semula dan

diuji untuk

memastikan tiada

kesan buruk ke atas

operasi organisasi

atau keselamatan.

A.14.2.

4

Restrictions

on changes

to software

packages

Control

Modifications to software

packages shall be

discouraged, limited to

necessary changes and all

changes shall be strictly

controlled.

Y /


Perubahan (MBPJ-

ISMS-P2-006)

Sebarang

Perubahan pada

perisian akan

dikawal, terhad

kepada perubahan

yang diperlukan dan

semua perubahan

hendaklah dikawal

dengan ketat.


A.14.2.5

Secure system

engineering

principles

Control

Principles for engineering secure

systems shall be established,

documented, maintained and

applied to any information

system implementation efforts.

Y


Pengguna



P2-006)

Kawalan bagi capaian

untuk sistem hendaklah

ditubuhkan, di

dokumenkan,

dikekalkan dan

digunakan untuk

memastikan

keselamatan di dalam

prinsip kejuruteraan

sistem.

A.14.2.6

Secure

development

environment

Control

Organizations shall establish and

appropriately protect secure

development environments for

system development and

integration efforts that cover

the entire system development

lifecycle.

Y


Keselamatan Kiptografi


Fail Sistem


Penambahan/Pindaan

Pangkalan Data Oracle

● Borang Maklumbalas

Permohonan

Penambahan/Pindaan

Pangkalan Data Oracle

Prosedur dan dokumen

kawalan telah

diwujudkan bagi

memastikan

keselamatan di dalam

pembangunan sistem.

A.14.2.7Outsourced

development

Control

The organization shall supervise

and monitor the activity of

outsourced system

development.

Y

● DKICT 080402


Secara Outsource


Aktiviti pembangunan

sistem outsourcing

diselia dan dikawal.

Clause


y


Prosedur Pengurusan Pembekal Dan Pihak Ketiga (MBPJ-ISMS-P2-008)

Surat Tawaran Dan Surat Setujuterima

A.14.2.

8

System

security

testing

Control

Testing of security

functionality shall be

carried out during

development.

Y

● DKICT 080101

Keperluan

Keselamatan

Kiptografi


Perubahan (MBPJ-

ISMS-P2-006)

Ujian fungsi

keselamatan telah

dijalankan semasa

pembangunan.

A.14.2.

9

System

acceptance

testing

Control

Acceptance testing

programs and related

criteria shall be established

for new information

systems, upgrades and new

versions.

Y /

● DKICT 060202

Penerimaan Sistem

● Spesifikasi Keperluan

Sistem (URS)

● User Acceptance Test

(UAT)

● Final Acceptance

Test (FAT)

kriteria yang

berkaitan hendaklah

ditubuhkan bagi

sistem maklumat

dengan versi yang

baru.

Clause

No.ControlTiltle Control

Applicability

(Y/N)

Reasonforselection


A.14.3 Test data

Objective: To ensure the protection of data used for testing.

A.14.3.1 Protection of

test dataControl

Test data shall be selected

carefully, protected and

controlled.

Y /



P2-006)

● Prosedur Pemantauan

Penggunaan Sistem

(MBPJ-ISMS-P2-021)

Data ujian hendaklah

dipilih dengan berhati-

hati, dilindungi dan

dikawal.

A.15 Supplier relationships

A.15.1 Information security in supplier relationships

Objective: To ensure protection of the organization’s assets that is accessible by suppliers.

A.15.1.1

Information

security policy

for supplier

relationships

Control

Information security

requirements for mitigating the

risks associated with supplier’s

access to the organization’s

assets shall be agreed with the

supplier and documented.

Y /

● DKICT 060801

Perkhidmatan

Penyampaian


Pembekal dan Pihak

Ketiga (MBPJ-ISMS-P2-

008)


● Minit Mesyuarat Kick Off

● Dasar Keselamatan ICT

MBPJ

Keperluan keselamatan

maklumat untuk

mengurangkan risiko

yang berkaitan dengan

akses kepada

pembekal aset

hendaklah dipersetujui.

Pembekal

didokumenkan.

Clause


Applicability

(Y/N)

Reasonforselection


A.15.1.2

Addressing

security within

supplier

agreements

Control

All relevant information security

requirements shall be

established and agreed with

each supplier that may access,

process, store, communicate,

or provide IT infrastructure

components for, the

organization’s information.

Y /


Pihak Ketiga Dasar


Bandaraya Petaling

Jaya



A/B)


Penyelenggaraan

Semua keperluan


yang relevan

hendaklah ditubuhkan

dan dipersetujui

dengan setiap pihak

pembekal yang boleh

mengakses,

memproses,

menyimpan,

berkomunikasi, atau

menyediakan

komponen infrastruktur,

maklumat organisasi IT.

A.15.1.3

Information

and

communicatio

n technology

supply chain

Control

Agreements with suppliers shall

include requirements to

address the information

security risks associated with

information and

communications technology

services and product supply

chain.

Y /

● DKICT 060801

Perkhidmatan

Penyampaian


Pihak Ketiga Dasar


Bandaraya Petaling

Jaya



A/B)

Perjanjian dengan

pembekal hendaklah

termasuk keperluan

untuk menangani risiko


yang berkaitan dengan

teknologi komunikasi

maklumat dan

perkhidmatan dan

rangkaian bekalan

produk.

Clause


Applicabili

ty

(Y/N)

Reasonforselection


A.15.2 Supplier service delivery management

Objective: To maintain an agreed level of information security and service delivery in line with supplier agreements.

A.15.2.

1

Monitoring

and review

of supplier

services

Control

Organizations shall

regularly monitor, review

and audit supplier service

delivery.

Y /

● DKICT 060801

Perkhidmatan

Penyampaian


Penyelenggaraan

● Laporan

Penyelenggaraan

Pemantauan dan

kajian sentiasa

dilakukan dengan

pihak pembekal.

A.15.2.

2

Managing

changes to

supplier

services

Control

Changes to the provision

of services by suppliers,

including maintaining and

improving existing


policies, procedures and

controls, shall be

managed, taking account

of the criticality of business

information, systems and

processes involved and re-

assessment of risks.

Y /

● DKICT 060801

Perkhidmatan

Penyampaian

● Laporan

Penyelenggaraan

● Laporan Penilaian

Risiko (MyRAM)


Perubahan (MBPJ-

ISMS-P2-006)

Perubahan kepada

penyediaan

perkhidmatan oleh

pembekal, termasuk

mengekalkan dan

memperbaiki dasar

keselamatan

maklumat yang

sedia ada.

Clause


Applicability

(Y/N)

Reasonforselection


A.16 Information security incident management

A.16.1 Management of information security incidents and improvements

Objective: To ensure a consistent and effective approach to the management of information security incidents, including communication on security events

and weaknesses.

A.16.1.1

Responsibilities

and

procedures

Control

Management responsibilities

and procedures shall be

established to ensure a quick,

effective and orderly response

to information security

incidents.

Y /


Prosedur Pengurusan

Insiden


Pelaporan Insiden


Insiden Keselamatan ICT

(MBPJ-ISMS-P2-005)

● Pekeliling Am Bilangan 1

Tahun 2001 - Mekanisme

Pelaporan Insiden

Keselamatan Teknologi

Maklumat dan Komunikasi

● Surat Pekeliling Am

Bilangan 4 Tahun 2006 -

Pengurusan Pengendalian

Insiden Keselamatan

Teknologi Maklumat dan

Komunikasi Sektor Awam.

Tanggungjawab dan

prosedur pengurusan

hendaklah ditubuhkan

untuk memastikan

tindak balas yang

cepat, berkesan dan

teratur kepada insiden

keselamatan

maklumat.

Clause


Applicabili

ty

(Y/N)

Reasonforselection


A.16.1.2

Reporting

information

security

events

Control

Information security events

shall be reported through

appropriate management

channels as quickly as

possible.

Y /


Pelaporan Insiden

● Prosedur Pengurusan Insiden

Keselamatan ICT (MBPJ-ISMS-

P2-005)

● Pelaporan insiden ke

Mesyuarat Jawatankuasa

Kemasyarakatan

Perkhidmatan Dan Teknologi

Maklumat atau

Jawatankuasa Kecil ICT MBPJ

Insiden keselamatan

maklumat hendaklah

dilaporkan kepada pihak

pengurusan secepat yang

mungkin.

A.16.1.3

Reporting

information

security

weaknesses

Control

Employees and

contractors using the

organization’s information

systems and services shall

be required to note and

report any observed or

suspected information

security weaknesses in

systems or services.

Y /


Prosedur Pengurusan Insiden


Pelaporan Insiden

● Prosedur Pengurusan Insiden

Keselamatan ICT (MBPJ-ISMS-

P2-005)

● Senarai pegawai

Keselamatan ICT yang boleh

dihubungi di Pusat Data


Mesyuarat Jawatankuasa

Kemasyarakatan

Perkhidmatan Dan Teknologi

Maklumat atau

Jawatankuasa Kecil ICT MBPJ

Sebarang kelemahan di

dalam keselamatan

maklumat yang ditemui di

dalam sistem atau

perkhidmatan perlu

dilaporkan kepada pihak

yang bertanggungjwab

dengan segera.

Clause


Applicability

(Y/N)

Reasonforselection


A.16.1.4

Assessment of

and decision

on information

security events

Control

Information security events

shall be assessed and it shall be

decided if they are to be

classified as information

security incidents.

Y /


Prosedur Pengurusan

Insiden


Pelaporan Insiden



(MBPJ-ISMS-P2-005)


Tahun 2001 –Mekanisme

Pelaporan Insiden


Maklumat dan

Komunikasi



Pengurusan

Pengendalian Insiden


Maklumat dan

Komunikasi Sektor

Awam

Insiden keselamatan

maklumat hendaklah

dilaporkan kepada

pihak atasan dan

tindakan pemulihan

bencana perlu

dilakukan dengan

segera.

Clause


Applicability

(Y/N)

Reasonforselection


A.16.1.5

Response to

information

security

incidents

Control

Information security incidents

shall be responded to in

accordance with the

documented procedures.

Y /


Prosedur Pengurusan

Insiden


Pelaporan Insiden



(MBPJ-ISMS-P2-005)


Tahun 2001 - Mekanisme

Pelaporan Insiden


Maklumat dan

Komunikasi



Pengurusan



Maklumat dan

Komunikasi Sektor

Awam

Insiden keselamatan

maklumat akan

dikendalikan mengikut

SOP yang telah

diwujudkan.

Clause


Applicability

(Y/N)

Reasonforselection


A.16.1.6

Learning from

information

security

incidents

Control

Knowledge gained from

analysing and resolving

information security incidents

shall be used to reduce the

likelihood or impact of future

incidents.

Y /


Prosedur Pengurusan

Insiden



(MBPJ-ISMS-P2-005)


Pelaporan Insiden


Mesyuarat

Jawatankuasa

Kemasyarakatan

Perkhidmatan Dan

Teknologi Maklumat dan

Jawatankuasa Kecil ICT

MBPJ



Pengurusan



Maklumat dan

Komunikasi Sektor

Awam

Insiden dilaporkan

untuk menyelesaikan

isu-isu keselamatan

maklumat ICT supaya

insiden yang sama

tidak berulang lagi

atau dapat

dikurangkan.

Clause


Applicability

(Y/N)

ReasonforselectionReference Justification

RR SR/BP RAR

A.16.1.7Collection of

evidence

Control

The organization shall define

and apply procedures for the

identification, collection,

acquisition and preservation of

information, which can serve

as evidence.

Y /


Prosedur Pengurusan

Insiden



(MBPJ-ISMS-P2-005)



Pengurusan



Maklumat dan

Komunikasi Sektor

Awam


Mesyuarat

Jawatankuasa

Kemasyarakatan

Perkhidmatan Dan

Teknologi Maklumat

atau Jawatankuasa

Kecil ICT MBPJ

Bagi memantau dan

mengurangkan risiko

insiden keselamatan

dan menambahbaik

kawalan keselamatan

aset ICT.

A.17 Information security aspects of business continuity management

A.17.1 Information security continuity

Objective: Information security continuity shall be embedded in the organization’s business continuity management systems

Clause


Applicabili

ty

(Y/N)

Reasonforselection


A.17.1.1

Planning

information

security

continuity

Control

The organization shall

determine its requirements

for information security

and the continuity of


management in adverse

situations, e.g. during a

crisis or disaster.

Y /

● DKICT 090101 Pelan

Kesinambungan

Perkhidmatan

● BIA – Business Impact

Analysis (Report)

● Penyambungan

Perlaksanaan projek

DRC bagi Tahun 2017 -

2020

● Menyediakan bajet

DRC setiap tahun

Untuk memastikan

operasi sistem tidak

tergendala dan

menggangu

perkhidmatan

penyampaian Majlis.

A.17.1.2

Implementin

g

information

security

continuity

Control

The organization shall

establish, document,

implement and maintain

processes, procedures

and controls to ensure the

required level of continuity

for information security

during an adverse

situation.

Y /


Kesinambungan

Perkhidmatan


Pemulihan Bencana ICT

MBPJ (MBPJ-ISMS-P2-

016)

● Pelaksanaan

perkhidmatan Cloud

DRC

● Laporan Simulasi DRC

MBPJ


memastikan operasi

sistem tidak

tergendala.

Clause


Applicability

(Y/N)


RR SR/BP RAR

A.17.1.3

Verify, review

and evaluate

information

security

continuity

Control

The organization shall verify the

established and implemented

information security continuity

controls at regular intervals in

order to ensure that they are

valid and effective during

adverse situations.

Y /


Kesinambungan

Perkhidmatan

● Simulasi DRC telah

dilaksanakan semasa UAT

pada 10 April 2018 dan

FAT pada 11 Jun 2018

Memastikan maklumat

yang diberikan adalah

benar dan boleh

dipercayai.

A.17.2 Redundancies

Objective: To ensure availability of information processing facilities.

A.17.2.1

Availability of

information

processing

facilities

Control

Information processing facilities

shall be implemented with

redundancy sufficient to meet

availability requirements.

Y /


Kesinambungan

Perkhidmatan


Pemulihan Bencana ICT


● Redundancy core switch

● Simulasi DRC telah

dilaksanakan pada Jun

2018 dan Dec 2018

● Laporan Simulasi DRC

MBPJ

Sebagai panduan

sekiranya berlaku

gangguan atau

bencana bagi

memastikan

perkhidmatan

pengoperasian tidak

tergendala.

Clause


Applicability

(Y/N)


RR SR/BP RAR

A.18 Compliance

A.18.1 Compliance with legal and contractual requirements

Objective: To avoid breaches of legal, statutory, regulatory or contractual obligations related to information security and of any security requirements.

A.18.1.1

Identification

of applicable

legislation and

contractual

requirements

Control

All relevant legislative statutory,

regulatory, contractual

requirements and the

organization’s approach to

meet these requirements shall

be explicitly identified,

documented and kept up to

date for each information

system and the organization.

Y /


Pematuhan

Dasar dan polisi yang

dilaksanakan adalah

untuk menjamin

keselamatan aset ICT

MBPJ.

A.18.1.2Intellectual

property rights

Control

Appropriate procedures shall

be implemented to ensure

compliance with legislative,

regulatory and contractual

requirements related to

intellectual property rights and

use of proprietary software

products.

Y /


Pematuhan

● Prosedur Perlindungan

Harta Intelek (MBPJ-

ISMS-P2-020)

Mematuhi prosedur

yang telah ditetapkan

untuk melindungi aset

ICT

Clause


Applicability

(Y/N)


RR SR/BP RAR

A.18.1.3Protection of

records

Control

Records shall be protected

from loss, destruction,

falsification, unauthorized

access and unauthorized

release, in accordance with

legislatory, regulatory,

contractual and business

requirements.

Y /


● DKICT 050202 Dokumen


Dokumen ISMS (MBPJ-

ISMS-P1-002)


Rekod ISMS (MBPJ-ISMS-

P1-002)

● Simpan dalam kabinet

berkunci.

Untuk memastikan

keselamatan rekod

aset ICT.

A.18.1.4

Privacy and

protection of

personally

identifiable

information

Control

Privacy and protection of

personally identifiable

information shall be ensured as

required in relevant legislation

and regulation where

applicable.

Y /

● DKICT 070204 Hak

Capaian (Privilege)




Kakitangan Dasar


Bandaraya Petaling

Jaya


Pihak Ketiga Dasar


Bandaraya Petaling

Jaya

Kawalan bagi

melindungi maklumat

peribadi.

Clause


Applicability

(Y/N)


RR SR/BP RAR

A.18.1.5

Regulation of

cryptographic

controls

Control

Cryptographic controls shall be

used in compliance with all

relevant agreements,

legislation and regulations.

Y

/

● DKICT 080201 Penyulitan

● DKICT 080202

Pengurusan Kunci

Melindungi kerahsiaan,

integriti dan kesahihan

maklumat.

A.18.2 Information security reviews

Objective: To ensure that information security is implemented and operated in accordance with the organizational policies and procedures.

A.18.2.1

Independent

review of

information

security

Control

The organization’s approach to

managing information security

and its implementation (i.e.

control objectives, controls,

policies, processes and

procedures for information

security) shall be reviewed

independently at planned

intervals or when significant

changes occur.

Y /

● Pelaksanaan Audit

Dalam ISMS

● Pelaksanaan Audit ISMS

oleh Pihak SIRIM

● Panduan Mesyuarat

Kajian Semula ISMS

(MBPJ-ISMS-P1-011)

Pelaksanaan ISMS perlu

ada pengukuran bagi

memastikan

keberkesanan

terhadap keselamatan

aset ICT secara

berterusan.

Clause


Applicability

(Y/N)


RR SR/BP RAR

A.18.2.2

Compliance

with security

policies and

standards

Control

Managers shall regularly review

the compliance of information

processing and procedures

within their area of

responsibility with the

appropriate security policies,

standards and any other

security requirements.

Y /

● DKICT 100103

Pematuhan dengan

Dasar, Piawaian dan

Keperluan Teknikal

● Surat Akujanji

Perkhidmatan


Dalam ISMS

Pematuhan kepada

dasar yang telah

ditetapkan.

A.18.2.3

Technical

compliance

review

Control

Information systems shall be

regularly reviewed for

compliance with the

organization’s information

security policies and standards.

Y /

● Prosedur Pengukuran

Keberkesanan ISMS

(MBPJ-ISMS-P1-006)


Dalam ISMS

● Prosedur Pengukuran

Keberkesanan Kawalan

ISMS - Backup/Restore

Untuk mengukur

keberkesanan dan

pematuhan terhadap


aset ICT.

KEMASKINI SOA VERSI 5.0Revision No. Revision Date Page No. Description of Change

5.0 30/5/2019

5, 6, 8,19, 21, 22,

25, 27, 30, 31, 32,

34, 53, 56, 57 dan

58

Kemaskini pada kawalan berikut berdasarkan implementasi terkini di MBPJ:

A.5.1.1 Policies for information security

A.5.1.2 Review of the policies for information security

A.6.1.4 Contact with special interest groups

A.9.2.1 User registration and de-registration

A.9.2.4 Management of secret authentication information of users

A.9.2.5 Review of user access rights

A.9.2.6 Removal or adjustment of access rights

A.9.4.1 Information access restriction

A.9.4.2 Secure log-on procedures

A.10.1.1 Policy on the use of cryptographic controls

A.11.1.2 Physical entry controls

A.11.2.4 Equipment maintenance

A.12.1.1 Documented operating procedures

A.16.1.3 Reporting information security weaknesses

A.16.1.7 Collection of evidence

A.17.1.1 Planning information security continuity

A.17.1.2 Implementing information security continuity

A.17.1.3 Verify, review and evaluate information security continuity

A.17.2.1 Availability of information processing facilities

KEMASKINI SOA VERSI 5.1

Revision

No.

Revision

DatePage No. Description of Change

5.1 14/8/2019 15,23,27

Kemaskini pada kawalan berikut berdasarkan

pelaksanaan ISMS yang terkini di MBPJ:

A.8.1.4 Return of assets

A.9.4.2 Secure log-on procedures

A.11.1.4 Protecting against external and

environmental threats

REVISION RECORDS

Date post:	19-Jan-2020
Category:	Documents
Upload:	others
View:	1 times
Download:	0 times

PORTAL SOA PEMBUKTIAN DOKUMEN DAN FAIL...

Documents