NATIONAL STRATEGY:- MALAYSIAN EXPERIENCE

Transcription

1 NATIONAL STRATEGY:- MALAYSIAN EXPERIENCE Devi Annamalai Security, Trust and Governance MCMC 28th August 2007 Hanoi. Vietnam

2 BACKGROUND MCMC is a statutory body established under the Malaysian Communications and Multimedia Commission Act 1998 to regulate and nurture the communications and multimedia industry in Malaysia. The 10 th National Policy Objective requires the Commission to ensure information security and the integrity and reliability of the network for the country.

3 NATIONAL STRATEGY Comprehensive law and policies Effective monitoring tools Awareness and Education Capacity Building International collaboration

4 LAWS AND POLICIES

5 Public Private Presently, matters relating to information and network security in the public sector is under the administration of the Malaysian Administrative Modernization and Management Planning Unit (MAMPU) Within MAMPU, there is the ICT Security Division. They recently launched the Malaysian Public Sector Management of Information & Communications Technology Security Handbook (MyMIS) They also operate The G-CERT. However, MAMPU does not have any enforcement powers. MCMC CMA The Police CCA CMA The National IT Council gave birth to NISER (now known as Cyber Security Malaysia to address e-security issues of the nation and as to act as Malaysia s CERT. NISER offers research in vulnerability detection, intrusion detection and computer forensic technology They offer their services to private and public entities. Like MAMPU s ICT Security Division, they do not have any enforcement powers

6 Acts Under MCMC The Telemedicine Act 1997 The Computer Crimes Act 1997 The Communication and Multimedia Act (1998) The Copyright (Amendment) Act 1997 MALAYSIAN CYBERLAWS The Digital Signature Act 1997 Personal Data Protection The Electronic Government/ Transaction Activities (EGA) The Malaysian Communications and Multimedia Commission Act (1998)

7 Cyber Crime Related Sections Under CMA Offence if use apparatus or device without authority Fraudulent use of network facilities, network service etc Improper use of network facilities or network service Uses any apparatus or device With intent to obtain information, content, sender or addressee Without an approval from SIRIM Dishonestly transmit or receive Any communication or obtains service With intent to avoid payment Fraudulent use of service or facility makes, creates, solicits, initiates transmission of comment, request, other communication With intent to annoy, abuse, threaten or harass another person Includes any obscene communication

8 Interception & disclosure of communicati ons prohibited Damage to network facilities etc Fraud and related activity in connection with access devices without lawful authority intercepts, discloses, uses (or attempts to) knowing that such is in contravention of sec 234 such interception is done in connection of a case By any willful, dishonest, negligent act or omission tampers with, adjusts, alters, destroys or damages Any network facility or any part of them Knowingly or with intent to defraud Produces, sells, imports, uses etc Any equipment, devices that has been modified Any hardware, software used for altering or modifying any equipment etc To obtain unauthorized use of any network service etc

9 OTHER RELEVANT PROVISIONS IN CMA Section General duty of licensees Section Network interception capability Section Special powers in emergency Section Disaster Plan Section Persons not liable for act done in good faith (saving provision for operators)

10 OTHER INSTRUMENTS Mandatory Standards to ensure that all communications service provider maintain an acceptable level of network integrity Individual license applicants under the CMA is required to provide a disaster recovery plan and details of measures undertaken to ensure network and data security when submitting application for license.

11 MAMPU All matters relating to information network security in the public sector is under the administration of MAMPU Within MAMPU, there is the ICT Security Division Malaysian Public Sector Management of Information & Communications Technology Security Handbook (MyMis) Operates G-Cert

12 CYBER SECURITY MALAYSIA Offers research in vulnerability detection, intrusion detection and computer forensic technology Offer service to private and public sector Operates MyCert

13 POLICE Provide assistance in enforcement activities (CMA) Have jurisdiction over Computer Crimes Act acts such as unauthorized access to computer material and with intent to commit or facilitate commission of further offence, unauthorized modifications of contents of any computer and wrongful communications.

14 INS POLICY The security policy will address the role and responsibilities of licensees under the CMA to ensure information security and the integrity and reliability of the network. It will also act as a guide for other parties relevant to the communications and multimedia industry Audits in the future will be based on the policies.

15 REGULATING SPAM The MCMC have developed an action plan in 2003 to address the problem that Spam poses. The action plans are multi-prong, which includes raising awareness, management by the ISPs, promoting technological solutions and would require the cooperation of all major stakeholders namely, the industry, consumers, service providers, the regulators and the international community.

16 REGULATING SPAM On 25 th June 2007, MCMC issued a Tender for the Provision of Consultancy Service for Strategic Study and Drafting of Anti-Spam Legislation for Malaysia. The study will review the current state of regulatory framework on Spam in Malaysia and recommend forward looking policy and strategy and propose necessary regulatory changes including drafting of relevant legislation.

17 MONITORING TOOLS

18 NETWORK SECURITY CENTRE

19 Security, Trust and Governance Security Network Security Centre Network Monitoring Vulnerability Management Warning, Response & Forensic Information and Network Security Portal

20 MAIN FOCUS OF THE NSC The NSC will coordinate 3 main activities: a) Network Threat Monitoring and Management; b) Vulnerability Management; and c) Incident Management, Network Forensic, Recovery and Advisory To be operational by end of 2007 hopefully

21 Objectives, Benefits & Deliverables Objective Benefits Deliverables Threat Monitoring & Early Warning Generating early warning of massive attacks or malicious propagation through threat monitoring Enable the IASPs to take measures against attacks before they do the actual damage Early warning on new attacks Response action for new attacks Monthly Statistics Monthly Advisories Annual status and benchmarking report to be shared with IASP and MCMC Vulnerability Management Periodic identification and mitigation of vulnerabilities in cost effective manner Periodic testing helps in identifying vulnerabilities at the earliest so that remedial measures can be undertaken. This in fact aids in ensuring continued security and reliability of ICT infrastructure. Quarterly internal and external automated and remote penetration testing of each IASP location Report listing vulnerabilities, risk level and recommended mitigation steps after each test

22 Objectives, Benefits & Deliverables Objective Benefits Deliverables Incident Management and Forensics Provide timely and efficient information and recommendatios to manage security incidents to contain the damage and conduct forensics activities The rapid response team with tools and processes to investigate reported incidents, take remedial action enables to manage incidents effectively to contain the damage Investigation of reported incidents, timely remediation Advisory services on recent events how to take action on recommendations Monthly reports on how to secure against latest threats/ vulnerabilities, international trends

23 INFORMATION NETWORK SECURITY PORTAL

24 What is INS Portal? It is a website that host multiple portal which will serve as a focal point and a one stop information centre on information and network security for the communications and multimedia industry.

25 What are the portal available in the enterprise? Name of Portal General Information and Network Security Portal Network Abuse Reporting Portal Objectives To house information concerning Information & Network security on various issues To function as centralized repository Network Reporting Portal Information Sharing Forum (group) A portal that specifically designed for the industry in concert with the NRC Information sharing, cooperation and coordination with IASPs and government agencies

26 INS Portal Design

27 SECURITY AUDITS

28 AUDITS The MCMC also undertakes to conduct Information and Network Security Audits on CMA licensees. The audits are based on internationally accepted information and network security standards and best practices.

29 INFORMATION SHARING FORUM

30 ISF On June 22, 2004, the MCMC formed the ISF Total of 60 individual members in the ISF Share information on security incidents, vulnerabilities, best practices etc

31 AWARENESS AND EDUCATION

32 Awareness and Education Consistent and Repeatable Processes Technology People Products, tools, and automation Skills, roles, and responsibilities

33 AWARENESS PROGRAMS Organize industry talks Collaborate with other agencies Issue related publications, brochures and pamphlets

34 TARGET AUDIENCE Businesses/Organizations Students Government Consumers

35 CAPACITY BUILDING

36 Focus on licensees CAPACITY BUILDING In partnership with information and network security industry Workshops and training for targeted groups Industry Talks

37 INTERNATIONAL COLLABORATION

38 International Collaborative Work Lead ATRC s action-plan against Spam; Signatory of Seoul-Melbourne MOU and endorsed the London Action Plan against Spam APEC TEL s E-Security and Prosperity Steering Group

39 THANK YOU Devi Annamalai Deputy Director Security Trust and Governance Malaysian Communications and Multimedia Commission MALAYSIA