SECURITY MANAGEMENT (MCSH4473) CHAPTER 3 Security Management Practice in Malaysia by: Dr. Siti Hajar Othman Senior Lecturer, Department of Computer Science, Faculty of Computing, UTM Johor Bharu INSPIRING CREATIVE AND INNOVATIVE MINDS
TABLE OF CONTENTS
CHAPTER 3: Security Management Practice
- CyberSecurity Malaysia (National Cyber Security Agency): Cyber999, CyberSAFE, MyCERT, CyberGURU, MyCSC
- MAMPU (ISMS, Malaysia Public Sector ICT Strategic Plan)
- MyRAM (Public Sector Risk Management)
- Malaysia's National Cyber Security Policies
- Government Computer Emergency Response Team (GCERT)
SECURITY AUDIT & ASSESSMENT (MCSH2413)
CyberSecurity Malaysia (CSM)
The national cyber security specialist centre under the Ministry of Science, Technology and Innovation, or MOSTI (www.mosti.gov.my). The Malaysian Government gazetted the role of CyberSecurity Malaysia by Order of the Ministers of Federal Government Vol. 53, No. 13, dated June 22, 2009, identifying CyberSecurity Malaysia as the agency that provides ICT security specialist services and continuously monitors threats to national security.
CSM Services
- Cyber security emergency response, incident handling, and digital forensics
- Cyber security quality management
- Cyber security capability and capacity development
- Cyber security outreach and acculturation
- Cyber security research and risk assessment
- Cyber security evaluation and certification
CSM HISTORY
CyberSecurity Malaysia
MyCERT
Security Incident Reported LIVE (MyCERT incident statistics charts for 2018, 2017 and 2016)
CyberSAFE
Cyber Threats CLASSIFICATIONS
National Cyber Security Policy CNII SECTORS
National Cyber Security Policy POLICY THRUST
Cyber Security Professional Development
The list of PROGRAMMES OFFERED by CyberSecurity Malaysia includes:
- Business Continuity Management
- Common Criteria
- Digital Forensics
- Incident Response and Handling
- ISO 27001
- Mobile Banking
- Network Security
- Security Essentials
- Security Policy Development
- Web Application Security
- Wireless Communication
- Wireless Security
Information Sharing Programmes such as:
- Information Security Local Interest Group (INFOSECURITY.my)
- Information Security Special Interest Group (INFOSECURITY.my SIG)
Effective Governance NATIONAL COORDINATION COMMITTEE
Legislative & Regulatory Framework CYBER LAWS OF MALAYSIA
Infosec Pro Development
Training Course
The steps towards achieving ISO/IEC 27001 certification
SIRIM ISO27K Certification
Involvement of Standards Malaysia in standardisation at the regional and international level
- ISO member since 1969
- IEC member since 1991
- Member of the World Trade Organisation (WTO) Technical Barriers to Trade (TBT) since 1995
- APEC Sub-Committee on Standards and Conformance (APEC SCSC)
- ASEAN Consultative Committee on Standards & Quality (ACCSQ)
- Pacific Area Standards Congress (PASC)
What is a standard? Types of standards documents: Code of Practice, Specification, Recommendation, Sampling, Guideline, Measurement.
A standard is a document, established by consensus and approved by a recognised body, that provides (for common and repeated use) rules, guidelines or characteristics for products or related processes and production methods, including administrative provisions, with which compliance is not mandatory (voluntary).
Source: WTO TBT Agreement & ISO/IEC Guide 2
How Malaysian Standards are developed
- Developed based on market needs: needs study, funding and prioritisation
- Developed by consensus and openness: involvement of interested parties
- Transparency: work plan, public comment, publication and distribution
- Performance based, adopting or aligning with International Standards where appropriate
- Approved by the Minister of MOSTI
Benefits of standards
- Health, safety and environmental sustainability: standards set quality requirements for products and services
- Opening market access: standards are an important reference point for trade
- Increased competitiveness: standards provide solutions to recurring problems
- Legal responsibility: standards serve as the reference benchmark
- Effective resource management: standards contribute to efficiency and to reducing operational and process costs
- Driver of production technology: a mechanism for technology transfer that saves the time, effort and money invested in R&D; standards become a source or basis for the latest technology
National quality infrastructure
- Metrology: legal metrology; measurement science
- Standards Body: standards development
- Accreditation Body: accreditation, i.e. assessment of laboratories, certification bodies and inspection bodies
- Certification Body: certification of products, personnel or management systems (personnel certification, company/management system certification, product certification)
ICT STANDARDS DEVELOPMENT AND ADOPTION IN MALAYSIA Copyright 2014 CyberSecurity Malaysia
ISC/G Member Organisations
- Association of Consulting Engineers Malaysia
- Association of the Computer and Multimedia Industry of Malaysia
- CyberSecurity Malaysia
- Department of Standards Malaysia
- Federation of Malaysian Manufacturers
- KETTHA
- Kementerian Sains, Teknologi dan Inovasi
- MIMOS Berhad
- Malaysian Administrative, Modernisation and Management Planning Unit (MAMPU)
- Malaysian Communications and Multimedia Commission
- Malaysian International Chamber of Commerce and Industry
- Malaysian National Computer Confederation
- Malaysian Technical Standards Forum Bhd
- Ministry of Communication & Multimedia
- Ministry of Domestic Trade, Co-operatives and Consumerism
- Ministry of International Trade and Industry
- Multimedia Development Corporation Sdn Bhd
- Multimedia University
- National Institute of Public Administration, Malaysia
- Prime Minister's Department
- Science and Technology Research Institute for Defence
- TM Applied Business Sdn Bhd
- The Institution of Engineers, Malaysia
- Universiti Teknologi Malaysia
Technical Committees Under ISC/G
- Multilingual Information Technology (TC/G/1)
- Geographic Information / Geomatics (TC/G/2)
- Intelligent Transportation System (TC/G/3)
- E-Commerce (TC/G/4)
- Information Security (TC/G/5)
- Computer Graphics and Multimedia (TC/G/6)
- Identification Cards and Related Devices (TC/G/9)
- Biometrics (TC/G/10)
- Software Engineering (TC/G/11)
- IT Interconnection, Communications and System Information (TC/G/12)
- Health Informatics Standards (TC/G/13)
- Automatic Identification and Data Capture Techniques (TC/G/14)
TC/G/5 Information Security - Scope
Standardisation in Information Security, which covers the development of standards for the protection of information and ICT. This includes generic methods, techniques and guidelines to address both security and privacy aspects, such as:
- Security requirements capture methodology;
- Management of information and ICT security; in particular information security management systems (ISMS), security processes, security controls and services;
- Cryptographic and other security mechanisms, including but not limited to mechanisms for protecting the accountability, availability, integrity and confidentiality of information;
- Security management support documentation including terminology, guidelines as well as procedures for the registration of security components;
- Security aspects of identity management, biometrics and privacy;
- Conformance assessment, accreditation and auditing requirements in the area of information security;
- Security evaluation criteria and methodology.
TC/G/5 Information Security Member Organisations
- Association of the Computer and Multimedia Industry of Malaysia
- Central Bank of Malaysia
- Chief Government Security Office
- CyberSecurity Malaysia
- MIMOS Berhad
- Malaysian Communications and Multimedia Commission
- Malaysian National Computer Confederation
- Ministry of Science, Technology and Innovation
- Multimedia Development Corporation Sdn Bhd
- POS Malaysia Berhad
- PricewaterhouseCoopers Advisory Services Sdn Bhd
- TM Applied Business Sdn Bhd
- Teknimuda Sdn Bhd
TC/G/5 Information Security Working Groups
- Information Security Management Systems (WG/G/5-1)
- Cryptography and Security Mechanisms (WG/G/5-2)
- Security Evaluation Criteria (WG/G/5-3)
- Security Controls and Services (WG/G/5-4)
- Identity Management and Privacy Technologies (WG/G/5-5)
- Security for Industry Automation and Control Systems (WG/G/5-7)
- Identity Proofing (WG/G/5-8)
Membership Profile and Other Information
Representatives in ISC/G, TCs and WGs are a mixture of technical experts, policy makers and industry groups. Organisations can apply to join or can be invited to join:
- ISC/G: subject to approval by MyNSC
- TCs: subject to approval by ISC/G
- WGs: subject to approval by ISC/G
Organisations in ISC/G usually have a representative in the TCs and/or WGs (though this is not always the case).
Malaysian Public Sector Information Security Risk Assessment Methodology (MyRAM)
MyRAM
MyRAM = Public Sector Information Security Risk Assessment (Penilaian Risiko Keselamatan Maklumat Sektor Awam).
Purpose: to enable the Public Sector to measure and analyse the risk level of its information assets, and then to take action to plan for and control those risks.
The Government issued General Circular Letter No. 6 of 2005 (Surat Pekeliling Am Bil. 6 Tahun 2005): Public Sector Information Security Risk Assessment Guidelines (Garis Panduan Penilaian Risiko Keselamatan Maklumat Sektor Awam), to communicate the importance of information security risk assessment in the Public Sector and how it is to be carried out.
These Guidelines provide the methods and techniques for the information risk assessment process so that the assessment can be carried out systematically and effectively.
MyRAM - Objectives
- Accept the risk, as long as it meets the criteria set by management;
- Reduce the risk by implementing appropriate controls;
- Transfer the risk to another entity such as a supplier, a consultant or another interested party; and
- Avoid or prevent the risk from occurring by taking action that stops the risk from happening.
The 10 main steps in MyRAM