CHAPTER 3 Security Management Practice in Malaysia
INSPIRING CREATIVE AND INNOVATIVE MINDS
SECURITY MANAGEMENT (MCSH4473)
by:
Dr. Siti Hajar Othman Senior Lecturer,
Department of Computer Science,
Faculty of Computing,
UTM Johor Bharu
TABLE OF CONTENTS
CHAPTER 3: Security Management Practice
SECURITY AUDIT & ASSESSMENT (MCSH2413)
• CyberSecurity Malaysia (National Cyber Security Agency): Cyber999, CyberSAFE, MyCERT, CyberGURU, MyCSC
• MAMPU (ISMS, Malaysia Public Sector ICT Strategic Plan)
• MyRAM (Public Sector Risk Management)
• Malaysia's National Cyber Security Policies
• Government Computer Emergency Response Team (GCERT)
CyberSecurity Malaysia (CSM)
• The national cyber security specialist centre under the
Ministry of Science, Technology and Innovation or
MOSTI (www.mosti.gov.my).
• The Malaysian Government has gazetted the role of
CyberSecurity Malaysia by Order of the Ministers of
Federal Government Vol.53, No.13, dated June 22,
2009 by identifying CyberSecurity Malaysia as an
agency that provides ICT security specialist
services and continuously monitors threats to the
national security.
CSM Services
• Cyber security emergency response, incident handling, and digital forensics.
• Cyber security quality management.
• Cyber security capability and capacity development.
• Cyber security outreach and acculturation.
• Cyber security research and risk assessment.
• Cyber security evaluation and certification.
Cyber Security Professional
Development
• Programmes offered by CyberSecurity Malaysia include:
– Business Continuity Management
– Common Criteria
– Digital Forensics
– Incident Response and Handling
– ISO 27001
– Mobile Banking
– Network Security
– Security Essential
– Security Policy Development
– Web Application Security
– Wireless Communication
– Wireless Security
• Information Sharing Programmes such as:
– Information Security Local Interest Group (INFOSECURITY.my).
– Information Security Special Interest Group (INFOSECURITY.my SIG).
Standards Malaysia's involvement in standardisation at regional and international level
• Member of ISO since 1969
• Member of IEC since 1991
• Pacific Area Standards Congress (PASC)
• ASEAN Consultative Committee on Standards & Quality (ACCSQ)
• APEC Sub-Committee on Standards and Conformance (APEC SCSC)
• Member of the World Trade Organisation (WTO) Technical Barriers to Trade (TBT) Agreement since 1995
• A standard is a document, established by consensus and approved by a recognised body, that provides, for common and repeated use, rules, guidelines or characteristics for products or related processes and production methods, including administrative provisions, compliance with which is not mandatory (voluntary). Source: WTO TBT Agreement & ISO/IEC Guide 2
Types of standard documents:
• Code of practice
• Recommendation
• Guideline
• Sampling
• Measurement
• Specification
How Malaysian standards are developed:
• Developed based on market needs: needs study, funding and prioritisation
• Developed by consensus and openness: involvement of interested parties (stakeholders)
• Transparency: work plan, public comment, publication and distribution
• Performance based, and adopting or aligning to international standards where appropriate
• Approved by the Minister of MOSTI
Benefits of standards:
• Health, safety and environmental sustainability: standards set quality requirements for products and services
• Increased competitiveness: standards provide solutions to recurring problems
• Effective resource management: standards contribute to efficiency and to reduced cost of operations and production processes
• Opening market access: standards are an important reference benchmark for trade
• Technology driver: a mechanism for technology transfer that saves the time, effort and money of investing in R&D; standards become a source or basis of the latest technology
• Legal responsibility: standards serve as a reference benchmark
[Diagram: Malaysia's standards and conformance infrastructure serving the company. Components: Standards Body (standards development); Accreditation Body (accreditation: assessment of laboratories, certification bodies and inspection bodies); Certification Body (certification of products, personnel or management systems: management system certification, product certification, personnel certification); Metrology (legal metrology, measurement science).]
ISC/G Member Organisations
• Association of Consulting Engineers Malaysia
• Association of the Computer and Multimedia Industry of Malaysia
• CyberSecurity Malaysia
• Department of Standards Malaysia
• Federation of Malaysian Manufacturers
• KETTHA
• Kementerian Sains, Teknologi dan Inovasi
• MIMOS Berhad
• Malaysian Administrative, Modernisation and Management Planning Unit (MAMPU)
• Malaysian Communications and Multimedia Commission
• Malaysian International Chamber of Commerce and Industry
• Malaysian National Computer Confederation
• Malaysian Technical Standards Forum Bhd
• Ministry of Communication & Multimedia
• Ministry of Domestic Trade, Co-operatives and Consumerism
• Ministry of International Trade and Industry
• Multimedia Development Corporation Sdn Bhd
• Multimedia University
• National Institute of Public Administration, Malaysia
• Prime Minister's Department
• Science and Technology Research Institute for Defence
• TM Applied Business Sdn Bhd
• The Institution of Engineers, Malaysia
• Universiti Teknologi Malaysia
Technical Committees Under ISC/G
• Multilingual Information Technology (TC/G/1)
• Geographic Information / Geomatics (TC/G/2)
• Intelligent Transportation System (TC/G/3)
• E-Commerce (TC/G/4)
• Information Security (TC/G/5)
• Computer Graphics and Multimedia (TC/G/6)
• Identification Cards and Related Devices (TC/G/9)
• Biometrics (TC/G/10)
• Software Engineering (TC/G/11)
• IT Interconnection, Communications and System Information (TC/G/12)
• Health Informatics Standards (TC/G/13)
• Automatic Identification and Data Capture Techniques (TC/G/14)
TC/G/5 Information Security – Scope
Standardisation in Information Security, which covers the development of standards for the protection of information and ICT. This includes generic methods, techniques and guidelines to address both security and privacy aspects, such as:
• Security requirements capture methodology;
• Management of information and ICT security, in particular information security management systems (ISMS), security processes, security controls and services;
• Cryptographic and other security mechanisms, including but not limited to mechanisms for protecting the accountability, availability, integrity and confidentiality of information;
• Security management support documentation, including terminology, guidelines and procedures for the registration of security components;
• Security aspects of identity management, biometrics and privacy;
• Conformance assessment, accreditation and auditing requirements in the area of information security;
• Security evaluation criteria and methodology.
TC/G/5 Information Security – Member Organisations
• Association of the Computer and Multimedia Industry of
Malaysia
• Central Bank of Malaysia
• Chief Government Security Office
• CyberSecurity Malaysia
• MIMOS Berhad
• Malaysian Communications and Multimedia Commission
• Malaysian National Computer Confederation
• Ministry of Science, Technology and Innovation
• Multimedia Development Corporation Sdn Bhd
• POS Malaysia Berhad
• PricewaterhouseCoopers Advisory Services Sdn Bhd
• TM Applied Business Sdn Bhd
• Teknimuda Sdn Bhd
TC/G/5 Information Security – Working Groups
• Information Security Management Systems (WG/G/5-1)
• Cryptography and Security Mechanisms (WG/G/5-2)
• Security Evaluation Criteria (WG/G/5-3)
• Security Controls and Services (WG/G/5-4)
• Identity Management and Privacy Technologies (WG/G/5-5)
• Security for Industry Automation and Control Systems (WG/G/5-7)
• Identity Proofing (WG/G/5-8)
Membership Profile and Other Information
• Representatives in ISC/G, TCs and WGs are a
mixture of technical experts, policy makers and
industry groups.
• Organisations can apply to join or can be invited to
join:
– ISC/G – Subject to approval by MyNSC
– TCs – Subject to approval by ISC/G
– WGs – Subject to approval by ISC/G
• Organisations in ISC/G usually have a representative in the TCs and/or WGs (though this is not always the case).
MyRAM
• MyRAM = Public Sector Information Security Risk Assessment (Penilaian Risiko Keselamatan Maklumat Sektor Awam)
• Its purpose is to enable the Public Sector to measure and analyse the level of risk to its information assets, and then to take action to plan for and control that risk.
• The Government issued General Circular Letter No. 6 of 2005 (Surat Pekeliling Am Bil. 6 Tahun 2005): Public Sector Information Security Risk Assessment Guidelines, to communicate the importance of information security risk assessment in the Public Sector and how to carry it out.
• These Guidelines provide the methods and techniques for the information risk assessment process so that the assessment can be carried out systematically and effectively.
Risk treatment options:
• Accept the risk, as long as it meets the criteria set by management;
• Reduce the risk by implementing appropriate controls;
• Transfer the risk to another entity, such as a supplier, consultant or other interested party; and
• Avoid or prevent the risk from occurring by taking action that stops it from happening.
MyRAM – Objectives