STATEMENT OF APPLICABILITY (SoA)


SUPPORT SERVICES OPERATIONS
PUSAT PEMBANGUNAN MAKLUMAT & KOMUNIKASI
Date: 05/06/2015

1.0 INTRODUCTION
This Statement of Applicability (SoA) document outlines the control objectives and controls in Annex A of the ISO/IEC 27001:2013 standard, in line with the requirements of the Information Security Management System at Universiti Putra Malaysia.

2.0 PURPOSE
This document sets out the process that must be followed in preparing the SoA.

3.0 STATEMENT OF APPLICABILITY (SoA) PROCESS

3.1 PREPARATION OF THE SoA
The process of preparing the SoA comprises:
a) Understanding the SoA requirements in the ISO/IEC 27001:2013 standard.
b) Preparing the SoA content, taking the following into account:
   i. Listing all control objectives and controls in Annex A of the ISO/IEC 27001:2013 standard;
   ii. Answering Yes, with a justification for selection, for control objectives and controls in line with the findings of the Risk Treatment Plan;
   iii. Answering Yes for control objectives and controls that are being implemented;
   iv. Answering Partial for controls that are still under development;
   v. Listing the names of the procedures / guidelines / documents referenced to support implementation of those control objectives and controls; and

   vi. Answering No for control objectives and controls that are not selected, with the reason for their exclusion.
c) Presenting the initial SoA proposal at the ISMS management meeting; and
d) Obtaining the approval and signature of the management responsible for the ISMS certification scope.

3.2 IMPLEMENTATION OF THE SoA
Implementation of the SoA shall take the following into account:
a) Informing all ISMS users of the enforcement of the SoA document;
b) Running awareness programmes on compliance with all ISMS Policy rules, in line with the SoA requirements;
c) Monitoring the level of compliance of control implementation in the SoA at least once a year; and
d) Reporting the findings from paragraph c) at the ISMS management meeting for consideration and approval.

3.3 UPDATING THE SoA
The SoA must be updated taking the following into account:
a) Findings of risk reassessment;
b) Changes to the justification for control selection;
c) Expansion of the ISMS scope;
d) Addition or exclusion of ISMS assets;
e) Changes to the organizational structure;
f) Improvements to the ISMS implementation;
g) Updates to reference documents; and
h) Changes arising from other requirements.

Any amendment to the SoA shall comply with what is stated in paragraph 3.1(c) above.

4.0 STATEMENT OF APPLICABILITY (SoA) TABLE
The SoA in APPENDIX A provides a summary of the decisions relating to risk treatment. Any control objectives and controls that are not selected are given a reason for their exclusion, to ensure that no control is inadvertently overlooked.

FLOW CHART
[Flow chart; boxes listed in reading order]
START
Prepare a draft SoA document in line with the requirements of the ISMS standard.
Prepare the contents of the ISMS SoA Table.
Make amendments
Obtain management approval (decision: Agree? No / Yes)
Announce the enforcement of the SoA document
Report on the implementation of the SoA document's controls at the relevant meeting and address any implementation issues, if any.
Obtain management approval for proposed amendments to the existing SoA document, if necessary (decision: Agree? Yes / No)
END

Table 1: SoA for the ISO/IEC 27001:2013 ISMS Certification of Universiti Putra Malaysia
Columns: Control; Applicable (Yes/No); Implemented (Yes/Partial/No); Justification (Business Requirement; Legal/Regulatory Requirement; Result of RA; ISMS Requirement; Not Applicable to the Business); Reference

A.5 INFORMATION SECURITY POLICY
A.5.1 Management Directions for Information security
Objective: To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.
A Policies for information security
A set of policies for information security shall be defined, approved by management, published and communicated to all employees and relevant external parties.
Kaedah-Kaedah Universiti Putra Malaysia (Teknologi Maklumat dan Komunikasi 2014)
Garis Panduan Keselamatan Teknologi Maklumat Dan Komunikasi

(GPKTMK) Isu 2.0 Semakan 00
A Review of the policies for information security
The policies for information security shall be reviewed at planned intervals or if significant changes occur to ensure its continuing suitability, adequacy, and effectiveness.
Garis Panduan Keselamatan Teknologi Maklumat Dan Komunikasi (GPKTMK) Isu 2.0 Semakan 00
GPKTMK 5.1 c) Penyelenggaraan Perkara iv

A.6 ORGANIZATION OF INFORMATION SECURITY
A.6.1 Internal organization
Objective: To establish a management framework to initiate and control the implementation of information security within the organization.
A Information security roles and responsibilities
All information security responsibilities shall be defined and allocated.
Manual Sistem Pengurusan Keselamatan Maklumat - Kod Dokumen : UPM/ISMS/PGR/MP (5.3 PERANAN

DAN TANGGUNGJAWAB)
A Segregation of duties
Conflicting duties and areas of responsibility shall be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization's assets.
A Contact with authorities
Appropriate contacts with relevant authorities shall be maintained.
A Contact with special interest groups
Appropriate contacts with special interest groups or other
GPKTMK (12.1 c) Pengasingan Tugas Dan Tanggungjawab)
PELAN PENGURUSAN BENCANA (Maklumat Agensi berkaitan - Jadual DMP 1 : Agensi Dihubungi apabila berlaku gangguan atau bencana
GCERT MAMPU
SIRIM

specialist security forums and professional associations shall be maintained.
A Information security in project management
Information security shall be addressed in project management, regardless of the type of the project.
Jawatankuasa ISMS Sektor Perkhidmatan Kerajaan
UPMCERT
CyberSecurity Malaysia (NISER)
GPKTMK (14.1 - Keselamatan dalam Pembangunan Sistem & Aplikasi)
GPKTMK (14.4 - Keselamatan dalam Pembangunan Infrastruktur ICT)

A.6.2 Mobile devices and teleworking
Objective: To ensure the security of teleworking and use of mobile devices.
A Mobile device policy
A policy and supporting security measures shall be adopted to manage the risks introduced by using mobile devices
GPKTMK (6.2 - a) Panduan Pengkomputeran Mudah Alih)
UPM/ISMS/SOK/GP05/PERALATAN MUDAH ALIH

Garis Panduan Keselamatan Peralatan Mudah Alih
A Teleworking
A policy and supporting security measures shall be implemented to protect information accessed, processed or stored at teleworking sites.
NO NO
System administrators are not permitted to access from outside UPMNET. Access is permitted only through the console room provided in the Data Centre.

A.7 HUMAN RESOURCE SECURITY
A.7.1 Prior to employment
Objective: To ensure that employees and contractors understand their responsibilities and are suitable for the roles for which they are considered.
A Screening
Background verification checks on all candidates for employment shall be carried out in accordance with relevant laws, regulations and ethics, and
Security screening for UPM Data Centre staff through the Pejabat Ketua Pegawai Keselamatan Kerajaan Malaysia,

proportional to the business requirements, the classification of the information to be accessed, and the perceived risks.
A Terms and conditions of employment
The contractual agreements with employees and contractors shall state their and the
Jabatan Perdana Menteri
GPKTMK Perkara 7.0 (a) : Sebelum Perkhidmatan
UPM/SOK/BUM/P001: Prosedur Pelantikan Staf Tetap Bagi Kumpulan Pengurusan dan Profesional (Bukan Akademik) dan Kumpulan Sokongan
UPM/ISMS/OPR/DC/BR04/PENDAFTARAN PEMBEKAL.
UPM/ISMS/OPR/DC/BR01/PENDAFTARAN PELAWAT.
Akta Rahsia Rasmi 1972
UPM/SOK/BUM/GP03/LAPOR DIRI : Garis Panduan Lapor Diri (Aku Janji Staf UPM)

organization's responsibilities for information security.
UPM/ISMS/OPR/DC/GP03/KAWALAN AKSES : Garis Panduan Kawalan Akses ke Pusat Data

A.7.2 During Employment
Objective: To ensure that employees and external party users are aware of, and fulfill, their information security responsibilities.
A Management responsibilities
Management shall require employees and contractors to apply information security in accordance with the established policies and procedures of the organization.
A Information security awareness, education and training
All employees of the organization and, where relevant, contractors shall receive appropriate awareness education and training and
Akta Rahsia Rasmi 1972
UPM/SOK/BUM/GP03/LAPOR DIRI : Garis Panduan Lapor Diri (Aku Janji Staf UPM)
UPM/ISMS/OPR/DC/GP03/KAWALAN AKSES : Garis Panduan Kawalan Akses ke Pusat Data
GPKTMK Perkara 7.0 (b) ii Dalam Perkhidmatan
ISMS implementation awareness programme

regular updates in organizational policies and procedures, as relevant for their job function.
A Disciplinary process
There shall be a formal and communicated disciplinary process in place to take action against employees who have committed an information security breach.
Kaedah-Kaedah Universiti Putra Malaysia (Teknologi Maklumat dan Komunikasi 2014)
GPKTMK Perkara 7.0 (b) iii Dalam Perkhidmatan

A.7.3 Termination and change of employment
Objective: To protect the organization's interests as part of the process of changing or terminating employment
A Termination or change of employment responsibilities
Information security responsibilities and duties that remain valid after termination or change of employment shall be defined, communicated to the employee or contractor and enforced.
GPKTMK Perkara 7.0 (c) Bertukar Atau Tamat Perkhidmatan
UPM/ISMS/OPR/DC/GP06/PEMANTAUAN CAPAIAN

A.8 ASSET MANAGEMENT
A.8.1 Responsibility for Assets
Objective: To identify organizational assets and appropriate protection responsibilities.
A Inventory of assets
Assets associated with information and information processing facilities shall be identified and an inventory of these assets shall be drawn up and maintained.
A Ownership of assets
Assets maintained in the inventory shall be owned.
A Acceptable use of assets
Rules for the acceptable use of information and of assets associated with information and
Kaedah-kaedah UPM (Teknologi maklumat dan Komunikasi) 2014 Bahagian D 8.0 (MS7)
GPKTMK 8.1a(i) (MS10)
UPM/SOK/KEW-AST/P012 : Prosedur Pengurusan Aset
GPKTMK 8.1a(ii) (MS10)
UPM/SOK/KEW-AST/P012 : Prosedur Pengurusan Aset
Pekeliling Bendahari Bil. 1 Tahun 2008 : Tatacara Pengurusan Aset

information processing facilities shall be identified, documented, and implemented.
Alih Universiti Putra Malaysia
Kaedah-kaedah UPM (Teknologi maklumat dan Komunikasi) 2013 Bahagian F 16 (MS12)
GPKTMK 8.1a(i) (MS13)
GPKTMK 8.1a(iv,v) (MS10) & 8.2b (MS11)
UPM/ISMS/SOK/GP03/Pengendalian Maklumat : Garis Panduan Pengendalian Maklumat
UPM/ISMS/SOK/GP05/PERALATAN MUDAH ALIH Garis Panduan Keselamatan Peralatan Mudah Alih

A Return of assets
All employees and external party users shall return all of the organizational assets in their possession upon termination of their employment, contract or agreement.
GPKTMK 7.0 : Keselamatan Sumber Manusia (MS 9)
UPM/SOK/KEW-AST/P012 : Prosedur Pengurusan Aset
SOK/ICT/GP02/Baik Pulih : Garis Panduan Baik Pulih ICT

A.8.2 Information classification
Objective: To ensure that information receives an appropriate level of protection in accordance with its importance to the organization.
A Classification of information
Information shall be classified in terms of legal requirements, value, criticality and sensitivity to unauthorized disclosure or modification.
Arahan Keselamatan Kerajaan Malaysia
Akta Arkib Negara 2003 (Akta 629)
GPKTMK 8.2a (MS10)
UPM/ISMS/SOK/GP03/PENGENDALIAN MAKLUMAT : Garis Panduan Pengendalian Maklumat

A Labeling of information
An appropriate set of procedures for information labelling shall be developed and implemented in accordance with the information classification scheme adopted by the organization.
A Handling of assets
Procedures for handling assets
Arahan Keselamatan Kerajaan Malaysia
Akta Arkib Negara 2003 (Akta 629) : (m/s : 28) Bahagian V: Pentadbiran Arkib - Pemprosesan dan pemeliharaan arkib awam.
GPKTMK 8.2a (MS10)
UPM/ISMS/SOK/GP03/Pengendalian Maklumat : Garis Panduan Pengendalian Maklumat
UPM/ISMS/OPR/PD/GP14/BACKUP : Garis Panduan Pengurusan Backup Pangkalan Data
GPKTMK 8.1a (iv) dan 8.2b (MS 10 & 11)

shall be developed and implemented in accordance with the information classification scheme adopted by the organization.
Pekeliling Bendahari Bil. 1 Tahun 2008 : Tatacara Pengurusan Aset Alih Universiti Putra Malaysia
UPM/ISMS/SOK/GP03/Pengendalian Maklumat : Garis Panduan Pengendalian Maklumat

A.8.3 Media Handling
Objective: To prevent unauthorized disclosure, modification, removal or destruction of information stored on media
A Management of removable media
Procedures shall be implemented for the management of removable media in accordance with the classification scheme adopted by the organization.
A Disposal of media
Media shall be disposed of securely when no longer required, using formal procedures.
A Physical media transfer
Media containing information shall be protected against unauthorized access, misuse or corruption during transportation.
GPKTMK 8.3 : Pengendalian media (MS11)
GPKTMK 8.2b(vi) & 8.3b(vi) (MS11)
UPM/ISMS/SOK/GP03/PENGENDALIAN MAKLUMAT : Garis Panduan Pengendalian Maklumat
UPM/SOK/KEW/GP020/AST: Garis Panduan pelupusan aset
Kaedah-kaedah UPM (Teknologi maklumat dan Komunikasi 2014) Bahagian F 16 (MS12)
GPKTMK 8.3 (MS11)
UPM/ISMS/SOK/GP03/PENGENDALIAN MAKLUMAT : Garis Panduan Pengendalian Maklumat

A.9 ACCESS CONTROL

A.9.1 Business requirement for access control
Objective: To limit access to information and information processing facilities.
A Access control policy
An access control policy shall be established, documented, and reviewed based on business and information security requirements.
A Access to networks and network services
GPKTMK Perkara 9.1 : Dasar Kawalan Capaian
UPM/ISMS/OPR/DC/P003: Prosedur Kawalan dan Pemantauan Capaian ke Sistem di Pusat Data
UPM/ISMS/OPR/DC/GP03/KAWALAN AKSES : Garis Panduan Kawalan Akses Ke Pusat Data
UPM/ISMS/OPR/DC/GP06/PEMANTAUAN CAPAIAN: Garis Panduan Pemantauan Capaian Ke Sistem Di Pusat Data
Kaedah-kaedah Universiti Putra Malaysia (Teknologi

Users shall only be provided with access to the network and network services that they have been specifically authorized to use.
Maklumat dan komunikasi 2014) Perkara 19
GPKTMK Perkara 13.2 : Kawalan Akses Rangkaian
UPM/ISMS/OPR/DC/GP03/KAWALAN AKSES : Garis Panduan Kawalan Akses Ke Pusat Data
UPM/ISMS/OPR/DC/GP06/PEMANTAUAN CAPAIAN: Garis Panduan Pemantauan Capaian Ke Sistem Di Pusat Data
UPM/ISMS/OPR/NET/GP13/AGIHAN RANGKAIAN: Garis Panduan Pengurusan Pengagihan Rangkaian

A.9.2 User access management
Objective: To ensure authorized user access and to prevent unauthorized access to systems and services.

A User registration and de-registration
A formal user registration and de-registration process shall be implemented to enable assignment of access rights.
A User access provisioning
A formal user access provisioning process shall be implemented to assign or revoke access rights for all user types to all systems and services.
GPKTMK Perkara 9.2 : Pengurusan Capaian Pengguna
UPM/ISMS/OPR/DC/P003: Prosedur Kawalan dan Pemantauan Capaian ke Sistem di Pusat Data
UPM/ISMS/OPR/DC/GP06/PEMANTAUAN CAPAIAN: Garis Panduan Pemantauan Capaian Ke Sistem Di Pusat Data
GPKTMK Perkara 9.2 : Pengurusan Capaian Pengguna
UPM/ISMS/OPR/DC/GP06/PEMANTAUAN CAPAIAN: Garis Panduan Pemantauan Capaian Ke Sistem Di Pusat Data

A Management of privileged access rights
The allocation and use of privileged access rights shall be restricted and controlled.
A Management of secret authentication information of users
The allocation of secret authentication information shall be controlled through a formal management process.
A Review of user access rights
Asset owners shall review users' access rights at regular intervals.
GPKTMK Perkara 9.2 : Pengurusan Capaian Pengguna
UPM/ISMS/OPR/DC/GP06/PEMANTAUAN CAPAIAN: Garis Panduan Pemantauan Capaian Ke Sistem Di Pusat Data
GPKTMK Perkara 10.0 : Kawalan Kriptografi
UPM/ISMS/OPR/PD/GP16UPM-ID : Garis Panduan Pengurusan UPM-ID
UPM/SOK/ICT/P001 : Prosedur Penyelenggaraan ICT
A Removal or adjustment of
GPKTMK Perkara 9.2

access rights
The access rights of all employees and external party users to information and information processing facilities shall be removed upon termination of their employment, contract or agreement, or adjusted upon change.
: Pengurusan Capaian Pengguna
UPM/ISMS/OPR/DC/P003: Prosedur Kawalan dan Pemantauan Capaian ke Sistem di Pusat Data
UPM/ISMS/OPR/DC/GP06/PEMANTAUAN CAPAIAN: Garis Panduan Pemantauan Capaian Ke Sistem Di Pusat Data

A.9.3 User responsibilities
Objective: To make users accountable for safeguarding their authentication information.
A Use of secret authentication information
Users shall be required to follow the organization's practices in the use of secret authentication information.
Yes
GPKTMK Perkara 10.0 : Kawalan Kriptografi
UPM/ISMS/SOK/GP07/IDENTITI : Garis Panduan Pengurusan Identiti

A.9.4 System and application access control
Objective: To prevent unauthorized access to systems and applications.
A Information access restriction
Access to information and application system functions shall be restricted in accordance with the access control policy.
GPKTMK Perkara 9.1 : Dasar Kawalan Capaian
UPM/ISMS/OPR/DC/P003: Prosedur Kawalan dan Pemantauan Capaian ke Sistem di Pusat Data
UPM/ISMS/OPR/DC/GP03/KAWALAN AKSES : Garis Panduan Kawalan Akses Ke Pusat Data
UPM/ISMS/OPR/DC/GP06/PEMANTAUAN CAPAIAN: Garis Panduan Pemantauan Capaian Ke Sistem Di Pusat Data
UPM/ISMS/SOK/GP03/PENGENDALIAN MAKLUMAT : Garis

Panduan Pengendalian Maklumat
A Secure log-on procedures
Where required by the access control policy, access to systems and applications shall be controlled by a secure log-on procedure.
GPKTMK Perkara 9.3 : Kawalan Akses Sistem Pengoperasian Server
UPM/ISMS/OPR/DC/P003: Prosedur Kawalan dan Pemantauan Capaian ke Sistem di Pusat Data
UPM/ISMS/SOK/GP07/IDENTITI : Garis Panduan Pengurusan Identiti
UPM/ISMS/OPR/DC/GP06/PEMANTAUAN CAPAIAN: Garis Panduan Pemantauan Capaian Ke Sistem Di Pusat Data

A Password management system
Password management systems shall be interactive and shall ensure quality passwords.
A Use of privileged utility program
The use of utility programs that might be capable of overriding systems and application controls shall be restricted and tightly controlled.
A Access control to program source code
Access to program source code shall be restricted
GPKTMK Perkara 9.2 : Pengurusan Capaian Pengguna
UPM/ISMS/SOK/GP07/IDENTITI : Garis Panduan Pengurusan Identiti
UPM/ISMS/OPR/DC/P003: Prosedur Kawalan dan Pemantauan Capaian ke Sistem di Pusat Data
UPM/ISMS/OPR/DC/GP06/PEMANTAUAN CAPAIAN: Garis Panduan Pemantauan Capaian Ke Sistem Di Pusat Data
GPKTMK 9.0 : Kawalan Akses

A.10 CRYPTOGRAPHY
A.10.1 Cryptographic controls
Objective: To ensure proper and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of information.
A Policy on the use of cryptographic control
A policy on the use of cryptographic controls for protection of information shall be developed and implemented.
A Key management
A policy on the use, protection and lifetime of cryptographic keys shall be developed and implemented through their whole lifecycle.
Kaedah-kaedah Universiti Putra Malaysia (Teknologi Maklumat dan komunikasi 2014) Bahagian kawalan Keselamatan TMK 21(a)
UPM/ISMS/SOK/GP03/PENGENDALIAN MAKLUMAT : Garis Panduan Pengendalian Maklumat
Kaedah-kaedah Universiti Putra Malaysia (Teknologi Maklumat dan komunikasi 2014) Bahagian kawalan Keselamatan TMK 21(c)

UPM/ISMS/SOK/GP03/PENGENDALIAN MAKLUMAT : Garis Panduan Pengendalian Maklumat

A.11 PHYSICAL AND ENVIRONMENTAL SECURITY
A.11.1 Secure areas
Objective: To prevent unauthorized physical access, damage and interference to the organization's information and information processing facilities.
A Physical security perimeter
Security perimeters shall be defined and used to protect areas that contain either sensitive or critical information and information processing facilities.
A Physical entry controls
Secure areas shall be protected by appropriate entry controls to
UPM/ISMS/PGR/MP : Manual Sistem Pengurusan Keselamatan Maklumat (ISMS) Lokasi Skop Pensijilan ISMS UPM, Pelan Lantai Bangunan Lokasi Utama (DC) dan Lokasi Kedua (DRC)
Kaedah-kaedah Universiti Putra Malaysia (Teknologi Maklumat dan komunikasi 2014)

ensure that only authorized personnel are allowed access.
A Securing offices, rooms and facilities
Physical security for offices, rooms, and facilities shall be designed and applied.
A Protecting against external and environmental threats
Bhgn D, 9 (b)
GPKTMK Perkara 11.1 : Persekitaran Selamat
UPM/ISMS/OPR/DC/GP03/KAWALAN AKSES : Garis Panduan Kawalan Akses ke Pusat Data
Kaedah-kaedah Universiti Putra Malaysia (Teknologi Maklumat dan komunikasi 2014) Bhgn D, 9 (b)
GPKTMK Perkara 11.1 : Persekitaran Selamat
Terma Rujukan JKK ICT
Terma Rujukan JK Kelulusan Kerja UPM (PPPA)
Kaedah-kaedah Universiti Putra Malaysia (Teknologi

Physical protection against natural disaster, malicious attack or accidents shall be designed and applied.
A Working in secure areas
Procedures for working in secure areas shall be designed and applied.
Maklumat dan komunikasi 2014) Bhgn D, 9 (b) dan Bhgn G, 20 (1)
GPKTMK Perkara 11.1 : Persekitaran Selamat
Akta Keselamatan dan Kesihatan Pekerjaan 1994 (AKTA 514)
UPM/ISMS/OPR/DC/P001: Prosedur Pengoperasian Pengurusan Pusat Data
Akta Keselamatan dan Kesihatan Pekerjaan 1994 (AKTA 514)
GPKTMK Perkara 7.0 : Keselamatan Sumber Manusia dan Perkara 11.1 : Persekitaran Selamat
UPM/ISMS/OPR/DC/

P001: Prosedur Pengoperasian Pengurusan Pusat Data
A Delivery and loading areas
Access points such as delivery and loading areas and other points where unauthorized persons could enter the premises shall be controlled and, if possible, isolated from information processing facilities to avoid unauthorized access.
Kaedah-kaedah Universiti Putra Malaysia (Teknologi Maklumat dan komunikasi 2014) Bhgn D, 9 (b) dan Bhgn G, 20 (1)
GPKTMK Perkara 11.1 : Persekitaran Selamat
UPM/OPR/BKU/P001 : Prosedur kawalan Akses

A.11.2 Equipment
Objective: To prevent loss, damage, theft or compromise of assets and interruption to the organization's operation.
A Equipment siting and protection
Equipment shall be sited or protected to reduce the risks from environmental threats and
Kaedah-kaedah Universiti Putra Malaysia (Teknologi Maklumat dan komunikasi 2014) Bhgn D, 9 (b) dan Bhgn G, 20 (1)

hazards, and opportunities for unauthorized access.
A Supporting utilities
Equipment shall be protected from power failures and other disruptions caused by failures in supporting utilities.
A Cabling security
Power and telecommunications cabling carrying data or supporting information services shall be protected from interception, interference or damage.
GPKTMK Perkara 11.3 : Keselamatan Peralatan
GPKTMK Perkara 11.1 (h) : Perkhidmatan Sokongan dan Perkara 17.1 (a)
UPM/ISMS/OPR/DC/P001: Prosedur Pengoperasian Pengurusan Pusat Data
Kaedah-kaedah Universiti Putra Malaysia (Teknologi Maklumat dan komunikasi 2014) Bhgn D, 11
GPKTMK Perkara 11.1 (i) : Keselamatan Kabel
UPM/ISMS/OPR/NET/GP12/PEMASANGAN KABEL : Garis Panduan Pengurusan

Sistem Pengkabelan
A Equipment maintenance
Equipment shall be correctly maintained to ensure its continued availability and integrity.
Kaedah-kaedah Universiti Putra Malaysia (Teknologi Maklumat dan komunikasi 2014) Bhgn D, 10
GPKTMK Perkara 11.3 (e) : Penyelenggaraan Peralatan
UPM/SOK/ICT/P001 : Prosedur Penyelenggaraan ICT
UPM/SOK/ICT/P002 : Prosedur Baik Pulih ICT
UPM/SOK/PYG/GP02 : GP Penyelenggaraan Berkala (PPPA)
UPM/SOK/PYG/P001 : Prosedur Penyelenggaraan Baik Pulih (PPPA)

A Removal of asset
Equipment, information or software shall not be taken offsite without prior authorization.
A Security of equipment and asset off-premises
Security shall be applied to offsite asset taking into account the different risks of working
Kaedah-kaedah Universiti Putra Malaysia (Teknologi Maklumat dan komunikasi 2014) Bhgn D, 9 (a)
GPKTMK Perkara 11.3 (a) : Peralatan ICT
UPM/SOK/KEW-AST/P012 : Prosedur Pengurusan Aset
UPM/SOK/ICT/P002 : Prosedur Baik Pulih ICT
UPM/SOK/PYG/P001 : Prosedur Penyelenggaraan Baik Pulih (PPPA)
UPM/SOK/KEW-AST/P012 : Prosedur Pengurusan Aset
GPKTMK Perkara 11.3 (f) : Peralatan Di Luar Premis

outside the organization's premises
A Secure disposal or re-use of equipment
All items of equipment containing storage media shall be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use
A Unattended user equipment
Users shall ensure that unattended equipment has appropriate protection.
A Clear desk and clear screen policy
A clear desk policy for papers and removable storage media and a clear screen policy for
Pekeliling perbendaharaan Bil 5/2007 : Bab E : Pelupusan (m/s : 36)
GPKTMK Perkara 13 (g) : Pelupusan Peralatan
UPM/SOK/KEW-AST/P012 : Prosedur Pengurusan Aset
GPKTMK Perkara 11.3 (h) : Peralatan Ditinggalkan Pengguna
GPKTMK Perkara 11.3 (i) : Panduan Clear Desk dan Clear Screen

information processing facilities shall be adopted

A.12 OPERATION SECURITY
A.12.1 Operational procedures and responsibility
Objective: To ensure correct and secure operations of processing facilities.
A Documented operating procedures
Operating procedures shall be documented and made available to all users who need them.
A Change management
Changes to the organizations, business processes, information processing facilities and systems that affect information security shall be controlled.
Website: e-iso my
GPKTMK Perkara 7.0 : Keselamatan Sumber Manusia / JK Mesyuarat Teknikal Operasi (MOT)
UPM/OPR/IDEC/P002 : Prosedur Perkhidmatan Sokongan ICT

A Capacity management
The use of resources shall be monitored, tuned and projections made of future capacity requirements to ensure the required system performance.
A Separation of development, testing and operational environments
Development, testing and operational environments shall be separated to reduce the risks of unauthorized access or
UPM/OPR/IDEC/P001 : Prosedur Pembangunan ICT
UPM/SOK/ICT/P001: Prosedur Penyelenggaraan ICT
GPKTMK Perkara 15.3 (a) : Perancangan Kapasiti (Keupayaan)
UPM/ISMS/OPR/P002 : Prosedur Pemantauan Operasi Pusat Data UPM
UPM/SOK/ICT/P001 : Prosedur Penyelenggaraan ICT
GPKTMK Perkara 14.0 : Perolehan, pembangunan dan penyelenggaraan sistem maklumat

changes to the operational environment.

A.12.2 Protection from malware
Objective: To ensure that information and information processing facilities are protected against
A Controls against malware
Detection, prevention and recovery controls to protect against malware shall be implemented, combined with appropriate user awareness.
GPKTMK Perkara 12.2 (a) : Perlindungan daripada Perisian Berbahaya

A.12.3 Backup
Objective: To protect against loss of data
A Information backup
Backup copies of information, software and system images shall be taken and tested regularly in accordance with an agreed backup policy.
GPKTMK Perkara 12.3 (a) : Backup
UPM/ISMS/OPR/PD/GP14/BACKUP : Garis Panduan Pengurusan Backup Pangkalan Data
UPM/ISMS/OPR/PD/GP15/DATA PENGUJIAN : Garis Panduan

Penggunaan Pengujian Data

A.12.4 Logging and monitoring
Objective: To record events and generate evidence.
A Event logging
Event logs recording user activities, exceptions, faults and information security events shall be produced, kept and regularly reviewed
A Protection of log information
Logging facilities and log information shall be protected against tampering and unauthorized access.
A Administrator and operator logs
GPKTMK Perkara 12.4: Logging dan Pemantauan
GPKTMK Perkara 12.4 (b): Perlindungan Maklumat Log
UPM/ISMS/OPR/DC/GP08/MAKLUMAT LOG : Garis Panduan Perlindungan Maklumat Log Server
GPKTMK Perkara 12.4 (c): Pentadbir dan Operator Log

System administrator and system operator activities shall be logged and the logs protected and regularly reviewed.
A Clock synchronization
The clocks of all relevant information processing systems within an organization or security domain shall be synchronized to a single reference time source.
UPM/ISMS/OPR/DC/P003: Prosedur Kawalan dan Pemantauan Capaian ke Sistem di Pusat Data
GPKTMK Perkara 12.4(d): Pelarasan Masa
Network Time Protocol (time.upm.edu.my)

A.12.5 Control of operational software
Objective: To ensure the integrity of operational system
A Installation of software on operational systems
Procedures shall be implemented to control the installation of software on operational systems.
GPKTMK Perkara 12.5: Kawalan Ke atas Perisian Pengoperasian
UPM/ISMS/OPR/DC/GP02/PENYEDIAAN SERVER DAN STORAN : Garis Panduan Penyediaan Server di

Pusat Data
UPM/OPR/IDEC/P002 : Prosedur Perkhidmatan Sokongan ICT

A.12.6 Technical vulnerability management
Objective: To prevent exploitation of technical vulnerabilities.
A Management of technical vulnerabilities
Information about technical vulnerabilities of information systems being used shall be obtained in a timely fashion, the organization's exposure to such vulnerabilities evaluated and appropriate measures taken to address the associated risk.
GPKTMK Perkara 12.6: Pengurusan Kerentanan Teknikal
UPM/ISMS/OPR/KES/GP09/TAHAP KESELAMATAN : Garis Panduan Penilaian Tahap Keselamatan
A Restrictions on software installation
Rules governing the installation
GPKTMK Perkara 12.6 (b): Menghadkan Instalasi Perisian
UPM/ISMS/SOKGP06

of software by users shall be established and implemented
/INSTALASI PERISIAN : Garis Panduan Kawalan Instalasi Perisian

A.12.7 Information systems audit considerations
Objective: To minimise the impact of audit activities on operational systems.
A Information systems audit controls
Audit requirements and activities involving verification of operational systems shall be carefully planned and agreed to minimise disruptions to business processes.
GPKTMK Perkara 12.7(a) : Kawalan Audit Sistem Maklumat
UPM/ISMS/OPR/KES/GP09/TAHAP KESELAMATAN: Garis Panduan Penilaian Tahap Keselamatan ICT
UPM/SOK/ICT/P001: Prosedur Penyelenggaraan ICT

A.13 COMMUNICATION SECURITY
A.13.1 Network security management
Objective: To ensure the protection of information in networks and its supporting information processing facilities.

A Network controls
Networks shall be managed and controlled to protect information in systems and application.
Kaedah-kaedah Universiti Putra Malaysia (Teknologi Maklumat dan komunikasi 2014) Perkara 19
GPKTMK Perkara 13.2 : Kawalan Akses Rangkaian
UPM/ISMS/SOK/GP03/PENGENDALIAN MAKLUMAT : Garis Panduan Pengendalian Maklumat
UPM/ISMS/OPR/NET/GP13/AGIHAN RANGKAIAN: Garis Panduan Pengurusan Pengagihan Rangkaian
UPM/SOK/ICT/P001 : Prosedur Penyelenggaraan ICT

A Security of network services
Security mechanisms, service levels, and management requirements of all network services shall be identified and included in network services agreements, whether these services are provided in-house or outsourced.
Kaedah-kaedah Universiti Putra Malaysia (Teknologi Maklumat dan komunikasi 2014) Perkara 11
GPKTMK Perkara 13.1 : Pengurusan Keselamatan Rangkaian
UPM/ISMS/SOK/GP03/PENGENDALIAN MAKLUMAT : Garis Panduan Pengendalian Maklumat
A Segregation in networks
Groups of information services, users, and information systems shall be segregated on networks.
UPM/ISMS/OPR/NET/GP13/AGIHAN RANGKAIAN : Garis Panduan Pengurusan Pengagihan Rangkaian

A.13.2 Information transfer
Objective: To maintain the security of information transferred within an organization and with any external entity.
A Information transfer policies and procedures
Formal transfer policies, procedures and controls shall be in place to protect the transfer of information through the use of all types of communication facilities.
A Agreements on information transfer
Agreements shall address the secure transfer of business information between the organization and external parties.
GPKTMK Perkara 13.3 : Pengurusan Pertukaran Maklumat
UPM/ISMS/SOK/GP03/PENGENDALIAN MAKLUMAT : Garis Panduan Pengendalian Maklumat
UPM/ISMS/SOK/P002 : Prosedur Pertukaran Maklumat.
GPKTMK Perkara 13.3(a) : Pertukaran Maklumat
UPM/ISMS/SOK/P002 : Prosedur Pertukaran Maklumat.

A Electronic messaging
Information involved in electronic messaging shall be appropriately protected.
GPKTMK Perkara 13.3 (b): Pengurusan Mel Elektronik
A Confidentiality or nondisclosure agreements
GPKTMK Perkara 15.1 : Pihak Ketiga
Requirements for confidentiality or nondisclosure agreements reflecting the organization's needs for the protection of information shall be identified, regularly reviewed and documented.
A.14 SYSTEM ACQUISITION, DEVELOPMENT AND MAINTENANCE
A.14.1 Security requirements of information systems
Objective: To ensure that information security is an integral part of information systems across the entire lifecycle. This also includes the requirements for information systems which provide services over public networks.

A Information security requirements analysis and specification
The information security related requirements shall be included in the requirements for new information systems or enhancements to existing information systems.
A Securing application services on public networks
Information involved in application services passing over public networks shall be protected from fraudulent activity, contract dispute and unauthorized disclosure and modification.
GPKTMK Perkara 14.1 (a(vi)) : Keselamatan dalam Pembangunan Sistem dan Aplikasi
Kaedah-kaedah Universiti Putra Malaysia (Teknologi Maklumat dan komunikasi 2014) Bahagian F Pengurusan Data dan Maklumat : Transaksi Dalam Talian 19(1)
GPKTMK Perkara 14.2 (b) : Pemantauan Perkhidmatan Sistem Maklumat

A Protecting application services transactions
Information involved in application services transactions shall be protected to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay.
A.14.2 Security in development and support processes
A Secure development policy
Rules for the development of software and systems shall be established and applied to
(C) Transaksi dalam talian
Kaedah-kaedah Universiti Putra Malaysia (Teknologi Maklumat dan komunikasi 2014) Bahagian F Pengurusan Data dan Maklumat : Transaksi Dalam Talian 19(3)
GPKTMK Perkara 14.1 (b) : Kesahihan Data Input dan Output
Objective: To ensure that information security is designed and implemented within the development lifecycle of information systems.
Kaedah-kaedah Universiti Putra Malaysia (Teknologi Maklumat dan komunikasi 2014) Bahagian G Kawalan Keselamatan

developments within the organization.
A System change control procedures
Changes to systems within the development lifecycle shall be controlled by the use of formal change control procedures.
A Technical review of applications after operating platform changes
Teknologi Maklumat : Proses Pembangunan Perisian Atau Aplikasi 23(1)
GPKTMK Perkara 14.1 (a) : Keperluan Keselamatan Sistem Maklumat
GPKTMK Perkara 14.2 (a) : Prosedur Kawalan Perubahan
UPM/OPR/iDEC/P001 Prosedur Pembangunan ICT
GPKTMK Perkara 14.2 (a) : Prosedur Kawalan Perubahan
When operating platforms are changed, business critical applications shall be reviewed and tested to ensure there is no

adverse impact on organizational operations or security.
A Restriction on changes to software packages
Modifications to software packages shall be discouraged, limited to necessary changes and all changes shall be strictly controlled.
A Secure system engineering principles
GPKTMK Perkara 14.2 (a) : Prosedur Kawalan Perubahan
The scope of UPM's ISMS certification does not cover application development systems.
Principles for engineering secure systems shall be established, documented, maintained and applied to any information system implementation efforts.
A Secure development environment
NO NO
Kaedah-kaedah Universiti Putra Malaysia (Teknologi Maklumat dan

Organizations shall establish and appropriately protect secure development environments for system development and integration efforts that cover the entire system development lifecycle.
A Outsourced development
The organization shall supervise and monitor the activity of outsourced system development.
komunikasi 2014) Bahagian G Kawalan Keselamatan Teknologi Maklumat : Proses Pembangunan Perisian Atau Aplikasi 23(1)
GPKTMK Perkara 14.3 (a) : Prosedur Kawalan Persekitaran Selamat
Kaedah-kaedah Universiti Putra Malaysia (Teknologi Maklumat dan komunikasi 2014) Bahagian G Kawalan Keselamatan Teknologi Maklumat : Proses Pembangunan Perisian Atau Aplikasi 23(3)
GPKTMK Perkara

A System security testing
Testing of security functionality shall be carried out during development.
A System acceptance testing
Acceptance testing programs and related criteria shall be established for new information systems, upgrades and new versions.
A.14.3 Test data
Objective: To ensure the protection of data used for testing.
(c) : Pembangunan Sistem Aplikasi oleh pihak Ketiga
GPKTMK Perkara 14.3 (b) : Pengujian Pembangunan atau Penaiktarafan Sistem
GPKTMK Perkara 15.3 (b) : Penerimaan Sistem
UPM/OPR/iDEC/P001 : Prosedur Pembangunan ICT
A Protection of test data
Test data shall be selected carefully, protected and controlled.
GPKTMK Perkara 14.3 (b) : Pengujian Pembangunan atau Penaiktarafan Sistem
UPM/ISMS/SOK/GP

A.15 SUPPLIER RELATIONSHIP
15/DATA PENGUJIAN : Garis Panduan Penggunaan Data Pengujian
A.15.1 Information security in supplier relationship
A Information security policy for supplier relationship
Information security requirements for mitigating the risks associated with supplier's access to the organization's assets shall be agreed with the supplier and documented.
Objective: To ensure protection of the organization's assets that is accessible by suppliers.
A Addressing security within supplier agreements
Kaedah-kaedah Universiti Putra Malaysia (Teknologi Maklumat dan komunikasi 2014) Bhgn F, 16 (c)
GPKTMK Perkara 15.1 : Pihak Ketiga
UPM/ISMS/OPR/DC/P001 : Prosedur Pengoperasian Pengurusan Pusat Data
Kaedah-kaedah Universiti Putra Malaysia (Teknologi

All relevant information security requirements shall be established and agreed with each supplier that may access, process, store, communicate, or provide IT infrastructure components for the organization's information.
A Information and communication technology supply chain
Agreements with suppliers shall include requirements to address the information security risks associated with information and communications technology services and product supply chain.
A.15.2 Supplier service delivery management
Maklumat dan komunikasi 2014) Bhgn F, 16 (c)
GPKTMK Perkara 15.1 : Pihak Ketiga
UPM/ISMS/OPR/DC/P001 : Prosedur Pengoperasian Pengurusan Pusat Data
GPKTMK Perkara 15.1 : Pihak Ketiga
UPM/SOK/KEW- BUY/P005 : Prosedur Sebut Harga Universiti
UPM/SOK/KEW- BUY/P006 : Prosedur Tender
Objective: To maintain an agreed level of information security and service delivery in line with supplier agreements.

A Monitoring and review of supplier services
Organizations shall regularly monitor, review and audit supplier service delivery.
A Managing changes to supplier services
Changes to the provision of services by suppliers, including maintaining and improving existing information security policies, procedures and controls, shall be managed, taking account of the criticality of business information, systems and processes involved and reassessment of risks.
A.16 INFORMATION SECURITY INCIDENT MANAGEMENT
GPKTMK Perkara 15.2 : Pengurusan Penyampaian Perkhidmatan Pihak Ketiga
UPM/SOK/KEW/AK002/BUY : Arahan Kerja Penilaian Prestasi Syarikat
GPKTMK Perkara 15.2 : Pengurusan Penyampaian Perkhidmatan Pihak Ketiga

A.16.1 Management of information security incidents and improvements
A Responsibilities and procedures 1
Management responsibilities and procedures shall be established to ensure a quick, effective, and orderly response to information security incidents.
A Reporting information security events
Information security events
Objective: To ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses.
Kaedah-kaedah Universiti Putra Malaysia (Teknologi Maklumat dan komunikasi 2014) Bahagian (H) : Pengurusan Insiden Keselamatan Teknologi Maklumat
GPKTMK Perkara 16.2 (a) : Pengurusan Maklumat Insiden Keselamatan ICT
UPM/ISMS/OPR/KES/P004 : Prosedur Pengendalian Insiden ICT
Kaedah-kaedah Universiti Putra Malaysia (Teknologi Maklumat dan komunikasi 2014)

shall be reported through appropriate management channels as quickly as possible.
A Reporting security weaknesses
Employees and contractors using the organization's information systems and services shall be required to note and report any observed or suspected security weaknesses in systems or services.
Bahagian (H) : Pengurusan Insiden Keselamatan Teknologi Maklumat
GPKTMK Perkara 16.1 (a) : Mekanisme Pelaporan Insiden Keselamatan ICT
UPM/ISMS/OPR/KES/P004 : Prosedur Pengendalian Insiden ICT
Kaedah-kaedah Universiti Putra Malaysia (Teknologi Maklumat dan komunikasi 2014) Bahagian (H) : Pengurusan Insiden Keselamatan Teknologi Maklumat
GPKTMK Perkara 16.1 (a) : Mekanisme Pelaporan Insiden

A Assessment of and decision on information security events
Information security events shall be assessed and it shall be decided if they are to be classified as information security incidents.
A Response to information security incidents
Information security incidents shall be responded to in
Keselamatan ICT
UPM/ISMS/OPR/KES/P004 : Prosedur Pengendalian Insiden ICT
Kaedah-kaedah Universiti Putra Malaysia (Teknologi Maklumat dan komunikasi 2014) Bahagian (H) : Pengurusan Insiden Keselamatan Teknologi Maklumat
Pasukan UPMCERT
UPM/ISMS/OPR/KES/P004 : Prosedur Pengendalian Insiden ICT
Kaedah-kaedah Universiti Putra Malaysia (Teknologi Maklumat dan komunikasi 2014) Bahagian (H) : Pengurusan Insiden

accordance with the documented procedures.
A Learning from information security incidents
Knowledge gained from analysing and resolving information security incidents shall be used to reduce the likelihood or impact of future incidents.
A Collection of evidence
The organization shall define and apply procedures for the
Keselamatan Teknologi Maklumat
Pasukan UPMCERT
UPM/ISMS/OPR/KES/P004 : Prosedur Pengendalian Insiden ICT
Kaedah-kaedah Universiti Putra Malaysia (Teknologi Maklumat dan komunikasi 2014) Bahagian (H) : Pengurusan Insiden Keselamatan Teknologi Maklumat
Pasukan UPMCERT
UPM/ISMS/OPR/KES/P004 : Prosedur Pengendalian Insiden ICT
Kaedah-kaedah Universiti Putra Malaysia (Teknologi Maklumat dan komunikasi 2014)

identification, collection, acquisition and preservation of information, which can serve as evidence.
A.17 INFORMATION SECURITY ASPECTS OF BUSINESS CONTINUITY MANAGEMENT
Bahagian (H) : Pengurusan Insiden Keselamatan Teknologi Maklumat
Pasukan UPMCERT
UPM/ISMS/OPR/KES/P004 : Prosedur Pengendalian Insiden ICT
A.17.1 Information security continuity
Objective: Information security continuity shall be embedded
A Planning information security continuity
The organization shall determine its requirements for information security and the continuity of information security management in adverse situations, e.g. during a crisis or disaster.
GPKTMK 17.0 (MS33) Pelan Kesinambungan Perkhidmatan (ICT)

A Implementing information security continuity
The organization shall establish, document, implement and maintain processes, procedures and controls to ensure the required level of continuity for information security during an adverse situation.
A Verify, review and evaluate information security continuity
The organization shall verify the established and implemented information security continuity controls at regular intervals in order to ensure that they are valid and effective during adverse situations.
A.17.2 Redundancies
Objective: To ensure availability of information processing facilities.
GPKTMK 17.0 (MS33) Pelan Kesinambungan Perkhidmatan (ICT)
GPKTMK 17.0 (MS33) Pelan Kesinambungan Perkhidmatan (ICT)
Laporan Pengujian Simulasi DRP ICT UPM

A Availability of information processing facilities
Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements.
A.18 COMPLIANCE
Pelan Kesinambungan Perkhidmatan Universiti Pelan Pemulihan Bencana ICT
A Compliance with legal and contractual requirements
A Identification of applicable legislation and contractual requirements
Objective: To avoid breaches of legal, statutory, regulatory or contractual obligations related to information security and of any security requirements.
GPKTMK Perkara 18.1 (d) : Keperluan Perundangan
All relevant legislative statutory, regulatory, contractual requirements and the organization's approach to meet these requirements shall be explicitly identified, documented, and kept up to date for each information

system and the organization.
A Intellectual property rights
Appropriate procedures shall be implemented to ensure compliance with legislative, regulatory, and contractual requirements related to intellectual property rights and use of proprietary software products.
A Protection of records
Records shall be protected from loss, destruction and falsification, unauthorized access and unauthorized release, in accordance with legislatory, regulatory, contractual, and business requirements.
Kaedah-kaedah Universiti Putra Malaysia (Teknologi Maklumat dan komunikasi 2014) Perkara 12 : Perlindungan Hak Cipta Dan Pelesenan
GPKTMK Perkara 8.3 (c) : Keselamatan Dokumen
UPM/PGR/P001 : Prosedur Kawalan Dokumen dan Rekod ISO
Akta Arkib Negara 2003 (Akta 629)

A Privacy and protection of personally identifiable information
Privacy and protection of personally identifiable information shall be assured as required in relevant legislation and regulation where applicable.
A Regulation of cryptographic controls
Cryptographic controls shall be used in compliance with all relevant agreements, legislation and regulations.
GPKTMK Perkara 13.3 : Pengurusan Pertukaran Maklumat
UPM/ISMS/SOK/P002 : Prosedur Pertukaran Maklumat
UPM/PGR/P001 : Prosedur Kawalan Dokumen dan Rekod ISO
Kaedah-kaedah Universiti Putra Malaysia (Teknologi Maklumat dan komunikasi 2014) Perkara 21 : Kawalan Kriptografi
GPKTMK Perkara 10.0 : Kawalan Kriptografi
UPM/ISMS/SOK/GP03/PENGENDALIAN MAKLUMAT : Garis Panduan

Pengendalian Maklumat
A.18.2 Information security reviews
Objective: To ensure that information security is implemented and operated in accordance with the organizational policies and procedures.
A Independent review of information security
The organization's approach to managing information security and its implementation (i.e. control objectives, controls, policies, processes and procedures for information security) shall be reviewed independently at planned intervals or when significant changes occur.
A Compliance with security policies and standards
Managers shall regularly review the compliance of information processing and procedures
Mesyuarat Pengurusan ISMS
Mesyuarat Keberkesanan Semakan Pengurusan ISMS (MKSP)
Audit Dalaman ISMS
Mesyuarat Pengurusan ISMS
Mesyuarat Keberkesanan Semakan Pengurusan ISMS (MKSP)

within their area of responsibility with the appropriate security policies, standards and any other security requirements.
A Technical compliance review
Information systems shall be regularly reviewed for compliance with the organization's information security policies and standards.
Audit Dalaman ISMS
Mesyuarat Pengurusan ISMS
Audit Dalaman ISMS


More information

Version 1/2018. GDPR Processor Security Controls

Version 1/2018. GDPR Processor Security Controls Version 1/2018 GDPR Processor Security Controls Guidance Purpose of this document This document describes the information security controls that are in place by an organisation acting as a processor in

More information

PANDUAN PENGGUNA (SUPPLIER) e-purchase ORDER FOR SERVICES

PANDUAN PENGGUNA (SUPPLIER) e-purchase ORDER FOR SERVICES PANDUAN PENGGUNA (SUPPLIER) e-purchase ORDER FOR SERVICES SUPPLIER RELATIONSHIP MANAGEMENT SUPPLY CHAIN MANAGEMENT SYSTEM (SCMS) DISEDIAKAN OLEH: UNIT SUPPLY CHAIN MANAGEMENT (SCM) JABATAN SOURCING CONTROLLER

More information

INSTRUCTION: This section consists of TWO (2) structured questions. Answer ALL questions.

INSTRUCTION: This section consists of TWO (2) structured questions. Answer ALL questions. SECTION B : 50 MARKS BAHAGIAN B : 50 MARKAH INSTRUCTION: This section consists of TWO (2) structured questions. Answer ALL questions. ARAHAN: Bahagian ini mengandungi DUA (2) soalan berstruktur. Jawab

More information

ISO/IEC INTERNATIONAL STANDARD. Information technology Code of practice for information security management

ISO/IEC INTERNATIONAL STANDARD. Information technology Code of practice for information security management INTERNATIONAL STANDARD ISO/IEC 17799 First edition 2000-12-01 Information technology Code of practice for information security management Technologies de l'information Code de pratique pour la gestion

More information

Apex Information Security Policy

Apex Information Security Policy Apex Information Security Policy Table of Contents Sr.No Contents Page No 1. Objective 4 2. Policy 4 3. Scope 4 4. Approval Authority 5 5. Purpose 5 6. General Guidelines 7 7. Sub policies exist for 8

More information

UNIVERSITI SAINS MALAYSIA. CST333 Distributed & Grid Computing [Perkomputeran Teragih & Grid]

UNIVERSITI SAINS MALAYSIA. CST333 Distributed & Grid Computing [Perkomputeran Teragih & Grid] UNIVERSITI SAINS MALAYSIA First Semester Examination 2014/2015 Academic Session December 2014/January 2015 CST333 Distributed & Grid Computing [Perkomputeran Teragih & Grid] Duration : 2 hours [Masa :

More information

TAKLIMAT MODEL BAHARU SISTEM PEMANTAUAN LAMAN WEB DAN PERKHIDMATAN DALAM TALIAN KERAJAAN BAHAGIAN KERAJAAN DIGITAL, BKD 11 APRIL 2018

TAKLIMAT MODEL BAHARU SISTEM PEMANTAUAN LAMAN WEB DAN PERKHIDMATAN DALAM TALIAN KERAJAAN BAHAGIAN KERAJAAN DIGITAL, BKD 11 APRIL 2018 TAKLIMAT MODEL BAHARU SISTEM PEMANTAUAN LAMAN WEB DAN PERKHIDMATAN DALAM TALIAN KERAJAAN BAHAGIAN KERAJAAN DIGITAL, BKD 11 APRIL 2018 UN-EGDI KPI 2014-2020 Ringkasan Sistem Pemantauan Senibina Sistem Pemantauan

More information

ISO/IEC TR TECHNICAL REPORT

ISO/IEC TR TECHNICAL REPORT TECHNICAL REPORT ISO/IEC TR 27019 First edition 2013-07-15 Information technology Security techniques Information security management guidelines based on ISO/IEC 27002 for process control systems specific

More information

HERMAN. A thesis submitted in fulfilment of the requirements for the award of the degree of Doctor of Philosophy (Computer Science)

HERMAN. A thesis submitted in fulfilment of the requirements for the award of the degree of Doctor of Philosophy (Computer Science) i SERVICE QUALITY OPTIMISATION SCHEME OF MOBILE VIDEO STREAM SERVICE HERMAN A thesis submitted in fulfilment of the requirements for the award of the degree of Doctor of Philosophy (Computer Science) Faculty

More information

KELULUSAN CADANGAN PINDAAN/TAMBAHAN DOKUMEN (CPD)

KELULUSAN CADANGAN PINDAAN/TAMBAHAN DOKUMEN (CPD) KELULUSAN CADANAN INDAAN/TAMAHAN DOKUMEN (CD) Mencadangkan orang ermohonan Cadangan/Tambahan Dokumen (CD) untuk mendapatkan kelulusan pada Mesyuarat Semakan keberkesanan Sistem pengurusan Kualiti erkhidmatan

More information

Security Policies and Procedures Principles and Practices

Security Policies and Procedures Principles and Practices Security Policies and Procedures Principles and Practices by Sari Stern Greene Chapter 3: Information Security Framework Objectives Plan the protection of the confidentiality, integrity and availability

More information

GDPR Processor Security Controls. GDPR Toolkit Version 1 Datagator Ltd

GDPR Processor Security Controls. GDPR Toolkit Version 1 Datagator Ltd GDPR Processor Security Controls GDPR Toolkit Version 1 Datagator Ltd Implementation Guidance (The header page and this section must be removed from final version of the document) Purpose of this document

More information

UNIVERSITI MALAYA. UNIT PENGURUSAN PENJAMINAN KUALITI MAKLUMAT SEMASA KURSUS

UNIVERSITI MALAYA. UNIT PENGURUSAN PENJAMINAN KUALITI MAKLUMAT SEMASA KURSUS Peringatan: Kandungan Maklumat Semasa Kursus ini tidak boleh diubah tanpa kelulusan jabatan / bahagian berkenaan. Tahun Akademik: Semester: Kod Kursus : Tajuk Kursus : Jam Kredit : Prasyarat / Keperluan

More information

INSTRUCTION: This section consists of TEN (10) structured questions. Answer ALL questions.

INSTRUCTION: This section consists of TEN (10) structured questions. Answer ALL questions. SECTION B : 30 MARKS BAHAGIAN B : 30 MARKAH INSTRUCTION: This section consists of TEN (10) structured questions. Answer ALL questions. ARAHAN: Bahagian ini mengandungi SEPULUH (10) soalan berstruktur.

More information

PERKHIDMATAN KREDIT DAN PERBANKAN PROSEDUR UNIT KOMPUTER. Proses Backup ( Windows) BPKP/KlOK-118 Bilangan Semakan : Q Tarikh :

PERKHIDMATAN KREDIT DAN PERBANKAN PROSEDUR UNIT KOMPUTER. Proses Backup ( Windows) BPKP/KlOK-118 Bilangan Semakan : Q Tarikh : PERKHDMATAN KREDT DAN PERBANKAN PROSEDUR UNT KOMPUTER Proses Backup ( Windows) BPKP/KlOK-118 Bilangan Semakan : Q Tarikh : 30.09.13 Disediakan oleh :- Disahkan oleh :- Pengurus P PERU BAHAN Ubahan Muka

More information

PIAGAM AUDIT UNIVERSITI TUN HUSSEIN ONN MALAYSIA

PIAGAM AUDIT UNIVERSITI TUN HUSSEIN ONN MALAYSIA 1. PENDAHULUAN Unit Audit Dalam Universiti Tun Hussein Onn Malaysia (UAD) ditubuhkan sebagai badan bebas yang memberi perlindungan terhadap kepentingan UTHM melalui aktiviti pengauditan dan rundingan bagi

More information

ISO & ISO & ISO Cloud Documentation Toolkit

ISO & ISO & ISO Cloud Documentation Toolkit ISO & ISO 27017 & ISO 27018 Cloud ation Toolkit Note: The documentation should preferably be implemented order in which it is listed here. The order of implementation of documentation related to Annex

More information

DASAR KESELAMATAN ICT V1.0 UNIVERSITI TEKNOLOGI MARA

DASAR KESELAMATAN ICT V1.0 UNIVERSITI TEKNOLOGI MARA DASAR KESELAMATAN ICT V1.0 UNIVERSITI TEKNOLOGI MARA si Kandungan Muka surat 1.0 PRINSIP DASAR KESELAMATAN ICT 3 2.0 DEFINISI DASAR 11 3.0 PENILAIAN RISIKO KESELAMATAN ICT 12 4.0 AKAUNTABILITI DAN INTEGRITI

More information

MEETING ISO STANDARDS

MEETING ISO STANDARDS WHITE PAPER MEETING ISO 27002 STANDARDS September 2018 SECURITY GUIDELINE COMPLIANCE Organizations have seen a rapid increase in malicious insider threats, sensitive data exfiltration, and other advanced

More information

ADIENT VENDOR SECURITY STANDARD

ADIENT VENDOR SECURITY STANDARD Contents 1. Scope and General Considerations... 1 2. Definitions... 1 3. Governance... 2 3.1 Personnel... 2 3.2 Sub-Contractors... 2 3.3. Development of Applications... 2 4. Technical and Organizational

More information

ISO/IEC FDIS INTERNATIONAL STANDARD FINAL DRAFT. Information technology Security techniques Information security management systems Requirements

ISO/IEC FDIS INTERNATIONAL STANDARD FINAL DRAFT. Information technology Security techniques Information security management systems Requirements FINAL DRAFT INTERNATIONAL STANDARD ISO/IEC FDIS 27001 ISO/IEC JTC 1 Secretariat: DIN Voting begins on: 2005-06-30 Voting terminates on: 2005-08-30 Information technology Security techniques Information

More information

Checklist: Credit Union Information Security and Privacy Policies

Checklist: Credit Union Information Security and Privacy Policies Checklist: Credit Union Information Security and Privacy Policies Acceptable Use Access Control and Password Management Background Check Backup and Recovery Bank Secrecy Act/Anti-Money Laundering/OFAC

More information

AN IMPROVED PACKET FORWARDING APPROACH FOR SOURCE LOCATION PRIVACY IN WIRELESS SENSORS NETWORK MOHAMMAD ALI NASSIRI ABRISHAMCHI

AN IMPROVED PACKET FORWARDING APPROACH FOR SOURCE LOCATION PRIVACY IN WIRELESS SENSORS NETWORK MOHAMMAD ALI NASSIRI ABRISHAMCHI AN IMPROVED PACKET FORWARDING APPROACH FOR SOURCE LOCATION PRIVACY IN WIRELESS SENSORS NETWORK MOHAMMAD ALI NASSIRI ABRISHAMCHI A thesis submitted in partial fulfillment of the requirements for the award

More information

SEBUTHARGA PENYELENGGARAAN PORTAL RASMI MAKTAB KOPERASI MALAYSIA MENGUNAKAN PERISIAN "JOOMLA"

SEBUTHARGA PENYELENGGARAAN PORTAL RASMI MAKTAB KOPERASI MALAYSIA MENGUNAKAN PERISIAN JOOMLA SEBUTHARGA PENYELENGGARAAN PORTAL RASI AKTAB KOPERASI ALAYSIA ENGUNAKAN PERISIAN "JOOLA" SEBUTHARGA PENYELENGGARAAN PORTAL RASI AKTAB KOPERASI ALAYSIA ENGGUNAKAN PERISIAN SUBER TERBUKA "JOOLA" 1. TUJUAN

More information

Bidang tugas JLICT yang telah ditetapkan ialah: Senarai keahlian JLICT yang telah ditetapkan sebagaimana pekeliling tersebut adalah seperti berikut:

Bidang tugas JLICT yang telah ditetapkan ialah: Senarai keahlian JLICT yang telah ditetapkan sebagaimana pekeliling tersebut adalah seperti berikut: PELAN STRATEGIK LATIHAN ICT SEKTOR AWAM 2011-2015 JAWATANKUASA LATIHAN ICT SEKTOR AWAM (JLICT) PERANAN DAN TERMA RUJUKAN JLICT Bidang tugas JLICT yang telah ditetapkan ialah: Pekeliling Am Bilangan 2 Tahun

More information

PENGURUSAN DAN PEMELIHARAAN REKOD DALAM PERSEKITARAN ELEKTRONIK

PENGURUSAN DAN PEMELIHARAAN REKOD DALAM PERSEKITARAN ELEKTRONIK PENGURUSAN DAN PEMELIHARAAN REKOD DALAM PERSEKITARAN ELEKTRONIK AZIMAH MOHD ALI PENGARAH BAHAGIAN PERANCANGAN DAN PENYELARASAN ARKIB NEGARA MALAYSIA LATARBELAKANG Pada 1 November 1995, Koridor Raya Multimedia

More information

Corporate Information Security Policy

Corporate Information Security Policy Overview Sets out the high-level controls that the BBC will put in place to protect BBC staff, audiences and information. Audience Anyone who has access to BBC Information Systems however they are employed

More information

PHYSICAL AND ENVIRONMENTAL SECURITY

PHYSICAL AND ENVIRONMENTAL SECURITY PHYSICAL AND ENVIRONMENTAL SECURITY 1.0 STANDARD FOR PHYSICAL AND ENVIRONMENTAL SECURITY - EQUIPMENT 1.1 PURPOSE The purpose of this standard is to establish baseline controls to prevent loss, damage,

More information

ABSTRACT This project has analysed the requirements and needs, as well as proposed a few solution models for implementing a wireless local area network (WLAN) infrastructure for network and Internet access

More information

First edition Reference number ISO/IEC 27018:2014(E) ISO/IEC 2014

First edition Reference number ISO/IEC 27018:2014(E) ISO/IEC 2014 INTERNATIONAL STANDARD ISO/IEC 27018 First edition 2014-08-01 Information technology Security techniques Code of practice for protection of personally identifiable information (PII) in public clouds acting

More information

KAEDAH PENYUSUNAN PORTFOLIO

KAEDAH PENYUSUNAN PORTFOLIO KAEDAH PENYUSUNAN PORTFOLIO Borang Permohonan Pensijilan [(JPK/PPT/6/6-2014)] 2 Salinan Salinan Kad Pengenalan Notis Pendaftaran Calon dan Penugasan PP-PPT Surat Akuan Pengesahan Calon (Calon & PP-PPT)

More information

BAGI PEREKA GRED B41/42

BAGI PEREKA GRED B41/42 BAGI PEREKA GRED B41/42 1 1. Matlamat Sukatan Peperiksaan Tahap Kecekapan 2 (TK 2) Pada TK 2; pegawai i. Berupaya memahami dan berkebolehan mengaplikasikan elemen/asas senilukis dan prinsip rekabentuk

More information

DOKUMEN TIDAK TERKAWAL

DOKUMEN TIDAK TERKAWAL Halaman: 1/12 1.0 TUJUAN Prosedur ini disediakan untuk menerangkan tatacara pinjaman/pembiayaan kenderaan dan komputer bagi staf UPM. 2.0 SKOP Merangkumi semua jenis pembayaran pinjaman/pembiayaan kenderaan

More information

SECURITY & PRIVACY DOCUMENTATION

SECURITY & PRIVACY DOCUMENTATION Okta s Commitment to Security & Privacy SECURITY & PRIVACY DOCUMENTATION (last updated September 15, 2017) Okta is committed to achieving and preserving the trust of our customers, by providing a comprehensive

More information

INSTRUCTION: This section consists of TWO (2)short answers and TWO (2) structured essays. Answer ALL questions.

INSTRUCTION: This section consists of TWO (2)short answers and TWO (2) structured essays. Answer ALL questions. SECTION B : 70 MARKS BAHAGIAN B :70 MARKAH INSTRUCTION: This section consists of TWO (2)short answers and TWO (2) structured essays. Answer ALL questions. ARAHAN: Bahagian ini mengandungi DUA(2) soalan

More information

Mapping between the requirements of ISO/IEC 27001:2005 and ISO/IEC 27001:2013

Mapping between the requirements of ISO/IEC 27001:2005 and ISO/IEC 27001:2013 ISO/IEC 27001 Mapping guide Mapping between the requirements of ISO/IEC 27001:2005 and ISO/IEC 27001:2013 Introduction This document presents a mapping between the requirements of ISO/IEC 27001:2005 and

More information

Table of Contents 1. INTRODUCTION CONCEPT ORGANISATIONAL AND MANAGEMENT CONTROLS...7

Table of Contents 1. INTRODUCTION CONCEPT ORGANISATIONAL AND MANAGEMENT CONTROLS...7 Department of Commerce Guidelines Information Security Guideline for NSW Government Part 3 Information Security Baseline Controls Issue No: 3.0 First Published: Sept 1997 Current Version: June 2003 Table

More information

Workshop on Certification Schemes for Cloud Computing

Workshop on Certification Schemes for Cloud Computing WE CAN DO SO MUCH TOGETHER Workshop on Certification Schemes for Cloud Computing What should a EU-wide cloud security certification scheme cover? Conchi Cortés TECNALIA December 11 th, 2017 SMART 2016

More information

DETECTION OF WORMHOLE ATTACK IN MOBILE AD-HOC NETWORKS MOJTABA GHANAATPISHEH SANAEI

DETECTION OF WORMHOLE ATTACK IN MOBILE AD-HOC NETWORKS MOJTABA GHANAATPISHEH SANAEI ii DETECTION OF WORMHOLE ATTACK IN MOBILE AD-HOC NETWORKS MOJTABA GHANAATPISHEH SANAEI A project report submitted in partial fulfillment of the requirements for the award of the degree of Master of Computer

More information

Information technology Security techniques Information security controls for the energy utility industry

Information technology Security techniques Information security controls for the energy utility industry INTERNATIONAL STANDARD ISO/IEC 27019 First edition 2017-10 Information technology Security techniques Information security controls for the energy utility industry Technologies de l'information Techniques

More information

SECURITY MANAGEMENT (MCSH4473)

SECURITY MANAGEMENT (MCSH4473) SECURITY MANAGEMENT (MCSH4473) CHAPTER 3 Security Management Practice in Malaysia by: Dr. Siti Hajar Othman Senior Lecturer, Department of Computer Science, Faculty of Computing, UTM Johor Bharu INSPIRING

More information

ISO/IEC Information technology Security techniques Code of practice for information security controls

ISO/IEC Information technology Security techniques Code of practice for information security controls INTERNATIONAL STANDARD ISO/IEC 27002 Second edition 2013-10-01 Information technology Security techniques Code of practice for information security controls Technologies de l information Techniques de

More information

Trust Services Principles and Criteria

Trust Services Principles and Criteria Trust Services Principles and Criteria Security Principle and Criteria The security principle refers to the protection of the system from unauthorized access, both logical and physical. Limiting access

More information

PENGELUARAN PERAKUAN KEKOMPETENAN DAN PERAKUAN KECEKAPAN BARU MENGIKUT STCW 1978, SEPERTI PINDAAN

PENGELUARAN PERAKUAN KEKOMPETENAN DAN PERAKUAN KECEKAPAN BARU MENGIKUT STCW 1978, SEPERTI PINDAAN NOTIS PERKAPALAN MALAYSIA MALAYSIA SHIPPING NOTICE JABATAN LAUT MALAYSIA Marine Department of Malaysia Ibu Pejabat Laut, Peti Surat 12, 42007 Pelabuhan Klang. Tel: 03-33467777 Fax: 03-3168 5289, 3165 2882

More information

OPERASI PERKHIDMATAN SOKONGAN. PEJABAT BURSAR Kod Dokumen: UPM/OPR/BEN-BYR/P004 PROSEDUR PEMBAYARAN PINJAMAN / PEMBIAYAAN KENDERAAN DAN KOMPUTER

OPERASI PERKHIDMATAN SOKONGAN. PEJABAT BURSAR Kod Dokumen: UPM/OPR/BEN-BYR/P004 PROSEDUR PEMBAYARAN PINJAMAN / PEMBIAYAAN KENDERAAN DAN KOMPUTER 1.0 TUJUAN Prosedur ini disediakan untuk menerangkan tatacara pinjaman/pembiayaan kenderaan dan komputer bagi staf UPM. 2.0 SKOP Merangkumi semua jenis pembayaran pinjaman/pembiayaan kenderaan dan komputer

More information

M2U MANUAL PENGGUNA USER MANUAL M2UNHJ. 0 P a g e BAHAGIAN SIMPANAN DAN PENGELUARAN JABATAN KHIDMAT PENDEPOSIT DAN OPERASI LEMBAGA TABUNG HAJI

M2U MANUAL PENGGUNA USER MANUAL M2UNHJ. 0 P a g e BAHAGIAN SIMPANAN DAN PENGELUARAN JABATAN KHIDMAT PENDEPOSIT DAN OPERASI LEMBAGA TABUNG HAJI M2U MANUAL PENGGUNA USER MANUAL M2UNHJ 0 P a g e BAHAGIAN SIMPANAN DAN PENGELUARAN JABATAN KHIDMAT PENDEPOSIT DAN OPERASI LEMBAGA TABUNG HAJI KANDUNGAN (TABLE OF CONTENTS) BIL PERKARA HALAMAN 1 TERMA DAN

More information

JABATAN PERKHIDMATAN AWAM MALAYSIA

JABATAN PERKHIDMATAN AWAM MALAYSIA LAMPIRAN B SUKATAN UJIAN KEMAHIRAN TAHAP PERTENGAHAN PEMPROSESAN PERKATAAN, LEMBARAN KERJA DAN PERSEMBAHAN BAGI KENAIKAN PANGKAT PEMBANTU SETIAUSAHA PEJABAT GRED N17 DAN GRED N22 KE SETIAUSAHA PEJABAT

More information

ssk 2023 asas komunikasi dan rangkaian TOPIK 4.0 PENGALAMATAN RANGKAIAN Minggu 11

ssk 2023 asas komunikasi dan rangkaian TOPIK 4.0 PENGALAMATAN RANGKAIAN Minggu 11 ssk 2023 asas komunikasi dan rangkaian TOPIK 4.0 PENGALAMATAN RANGKAIAN Minggu 11 PENILAIAN & KULIAH Kuliah Tugasan Ujian Teori Ujian Amali Isi kandungan 4.8 Menunjukkan asas pengiraan o Subnet Mask o

More information

ISO based Written Information Security Program (WISP) (a)(1)(i) & (a)(3)(i) & (ii) & (A) (A)(5)(ii) & (ii)(a)

ISO based Written Information Security Program (WISP) (a)(1)(i) & (a)(3)(i) & (ii) & (A) (A)(5)(ii) & (ii)(a) 1 Information Security Program Policy 1.2 Management Direction for Information Security 5.1 1.2.8 1.2.1.1 Publishing An Information Security Policy 5.1.1 500.03 1.1.0 2.1.0-2.2.3 3.1.0-3.1.2 4.1.0-4.2.4

More information

HARI KEDUA DAN KETIGA PUSAT JAMINAN KUALITI (CQA) UNIVERSITI PUTRA MALAYSIA

HARI KEDUA DAN KETIGA PUSAT JAMINAN KUALITI (CQA) UNIVERSITI PUTRA MALAYSIA 2016 MAKLUMAT AUDIT HARI KEDUA DAN KETIGA PUSAT JAMINAN KUALITI (CQA) UNIVERSITI PUTRA MALAYSIA 1 AUDIT PEMANTAUAN SEMAKAN 1 SISTEM PENGURUSAN KESELAMATAN MAKLUMAT (ISMS) ISO/IEC 27001:2013 UNIVERSITI

More information

EXHIBIT A. - HIPAA Security Assessment Template -

EXHIBIT A. - HIPAA Security Assessment Template - Department/Unit: Date: Person(s) Conducting Assessment: Title: 1. Administrative Safeguards: The HIPAA Security Rule defines administrative safeguards as, administrative actions, and policies and procedures,

More information

PRA BENGKEL WEBOMETRICS

PRA BENGKEL WEBOMETRICS PRA BENGKEL WEBOMETRICS UNIVERSITI MALAYSIA PAHANG 2016 Prepared by Pusat Teknologi Maklumat & Komunikasi (PTMK) WEBOMETRICS METHODOLOGY CRITERIA FOR 2016 & MTUN DATA RANK Visibility 50% Total backlink

More information

University of Pittsburgh Security Assessment Questionnaire (v1.7)

University of Pittsburgh Security Assessment Questionnaire (v1.7) Technology Help Desk 412 624-HELP [4357] technology.pitt.edu University of Pittsburgh Security Assessment Questionnaire (v1.7) Directions and Instructions for completing this assessment The answers provided

More information

TRUSTED CLOUD COMPUTING FRAMEWORK IN CRITICAL INDUSTRIAL APPLICATION MERVAT ADIB BAMIAH UNIVERSITI TEKNOLOGI MALAYSIA

TRUSTED CLOUD COMPUTING FRAMEWORK IN CRITICAL INDUSTRIAL APPLICATION MERVAT ADIB BAMIAH UNIVERSITI TEKNOLOGI MALAYSIA i TRUSTED CLOUD COMPUTING FRAMEWORK IN CRITICAL INDUSTRIAL APPLICATION MERVAT ADIB BAMIAH UNIVERSITI TEKNOLOGI MALAYSIA i TRUSTED CLOUD COMPUTING FRAMEWORK IN CRITICAL INDUSTRIAL APPLICATION MERVAT ADIB

More information