SlideShare une entreprise Scribd logo

Chapter1

T
tammy1124

“Public Sector ICT Security

Technologie
1  sur  5
Télécharger pour lire hors ligne
MyMIS Chapter 1 INTRODUCTION 1.1 General Definition “Public Sector ICT Security can be defined as the process of ensuring business continuity and services provision free from unacceptable risk. It also seek to minimize disruptions or damage by preventing and minimizing security incidents” – Public Sector ICT Security Policy (Appendix A). Security of information The security of information within the Government of Malaysia’s Information within the government’s and Communications Technology (ICT) system is a subject of major concern. ICT system is a major concern Threats such as impersonation, malicious code, misuse of data, easily available penetration tools, powerful analytical techniques contribute in whole or in part to the necessity of providing adequate protection to public sector ICT assets. These threats if left unchecked, will result in painful explaination at the very minimum or untold damage to the country. Apart from incurring financial losses, both in terms of resources and unavailable services, these threats severely jeopardises the confidentiality, integrity and availability of official government information and in the end may be of detriment to the country. The hardest thing to comprehend is that an attack can be easily mounted by anyone from anywhere courtesy of the information superhighway and the misused concept of global instantaneous information sharing. Some examples of common threats are listed in Appendix B. Need for effective Public Over the years, government agencies have been religiously collecting vast Sector ICT Security amount of information. It is in the early 70’s that these information have management been deposited into digital format and since then, these repositories have unknowingly become exposed because of the invaluable information they keep and now in a format easily manipulated without stringent audit trail. The government realises this and that the government is also aware that there is an urgent need to secure the vast information resource through effective management of the security of ICT systems. In this regard, efforts are being made to ensure Public Sector ICT Security management achieve and maintain a high level of confidentiality, integrity and availability. A comprehensive A comprehensive approach is required in planning, developing, operating approach to ICT Security and maintaining the government’s ICT security processes. The ICT security processes is required measures need to be incorporated early, in the requirement specification and design of the ICT system, before the implementation stage to ensure a cost-effective and comprehensive system. The main steps include: (a) assessing the current security strengths and vulnerabilities; (b) developing ICT security policies, standards and processes; (c) designing and developing a customised security architecture; and (d) evaluating and selecting the best security system for the organisation. Copyright MAMPU Chapter 1 - 1
MyMIS The ICT security process The ICT security process must cover all aspects of operation, including must cover various mechanisms used by hardware and software systems, networks, databases aspects in achieving a secure enviroment and other related systems and facilities. The goal is to achieve a secure working environment for employees and other persons working at or visiting the government’s facilities as well as to help establish processes to ensure the protection of information. ICT security processes The ICT security process should mirror the management’s direction in should mirror relation to: management’s direction (a) overall organisational policy; (b) organisational roles and responsibilities; (c) personnel; (d) government’s asset classification and control; (e) physical security; (f) system access controls; (g) network and computer management; (h) application development and maintenance; (i) business continuity; (j) compliance to standards as well as legal and statutory requirements; (k) classification and protection of information media; (l) employee awareness programmes; and (m) incident reporting and response. 1.2 Standards Framework This handbook provides This handbook provides essential guidelines to government employees on guidelines on ICT the ICT security process in the public sector. It is based mainly on two security based on international standards standards i.e. the MS ISO/IEC 13335 (Part 1 - 3) and the BS 7799 (Part 1 and 2). It also makes references to the Canadian Handbook on Information Technology Security, German IT Baseline Protection Manual and other related ISO standards. Various levels of details of standards can be viewed in the model depicted in Figure 1.1. In comparison to other standards and documents of ICT security management particularly to their level of detail, this handbook can be positioned along with the BS 7799, the Canadian MG-9 and the American National Institute of Science and Technology (NIST). This is warranted by the fact that this handbook is jurisdictional and specific to the Malaysian public sector. Description of model In the model, the areas and level of details of these standards varies between (Figure 1.1) each standard. Level 1, 2, 3 and 4 represent the Guidelines for the Management of IT Security (GMITS) or ISO/IEC 13335. It indicates the depth of knowledge required to understand the respective level. As an example, a Level 1 document needs no prior knowledge on ICT security management while a Level 2 document needs at least some understanding of the previous level. Level 1 to level 4 of the The model progresses from Level 1 ‘Concepts and Models’ to Level 2 ‘Managing model and Planning IT’, Level 3 ‘Techniques for the Management of IT’ before detailing ‘Selection of Safeguards, Management Guidance on Network and Guidelines for the Management of Trusted Third Parties’ in Level 4. Copyright MAMPU Chapter 1 - 2
MyMIS Levels of details Level 1 ISO/IEC 13335-1 GMITS: Concepts and Models Level 2 ISO/IEC 13335-2 GMITS: Managing and Planning IT World/Global Level 3 ISO/IEC 13335-3 GMITS: Techniques for the Management of IT Level 4 • ISO/IEC 13335-4 GMITS: Selection of Safeguards • ISO/IEC 13335-5 GMITS: Management Guidance on Network • ISO/IEC 14516: Guidelines for the Management of Trusted Third Parties Level 5 Jurisdiction and culture-specific documents (National IT Security guidance documents) • BS 7799 • Canadian Handbook on Information Technology (MG-9) Nation/Organization • The NIST Handbook • MyMIS Level 6 Domain and application specific documents, Industry guides • German IT Baseline Protection Manual • IETF RFC 2196 Site Security Handbook • ISO/TR 13569 Banking and Related Financial Services-Information Security Guidelines Site/Domain • CEN/ENV 12924 Medical Informations & Security Categorisation and Protection for Healthcare systems • ISO/IEC 15947 IT Intrusion Detection Framework w Figure 1.1: Various Levels of Details of Standards and Documents Level 5 of the model Level 5 represents the three standards referred, i.e. BS 7799, the Canadian Handbook of Information Technology and the NIST. Documents under this group are categorised as jurisdictional and culture-specific. The MyMIS handbook is represented at this level. Level 6 of the model The standards within Level 6 are domain and application specific. Examples of such standards are the German IT Baseline Protection document, the IETF RFC 2196 Site Security Handbook, the ISO/TR 13569 on Banking and Related Financial Services, the CEN ENV 12924 on Medical Informatics: Security Categorisation and Protection Healthcare Systems and the ISO/IEC 15947 on IT Intrusion Detection Framework. 1.3 Handbook Coverage This handbook describes This handbook provides the necessary guidelines on ICT security management safeguards, operational safeguards to enable implementation of minimal security measures. It discusses and technical issues and legal implications elements of management safeguard, common operational and technical issues, and legal implications. The appendices at the end of the handbook may be of use to users with templates on security policies, adherence compliance plan, strategic plan, incident reporting mechanism, checklists and procedures. Its capacity is advisory and where the information contained is superceded (changes in technology, processes, legal requirements, public expectation) the reader is advised to refer to current adopted best practices. Copyright MAMPU Chapter 1 - 3
MyMIS ICT security management The ICT security management safeguard identify five (5) major elements safeguards that should be considered by all public sector ministries, departments and agencies to protect their ICT systems. These elements are the ICT security policy, ICT security management programme, ICT security risk management, planning and incorporation of ICT security into the ICT systems life cycle and establishing ICT security assurance. The handbook further explains some fundamental operational components of ICT security that is best recognised by public sector employees. Technical details of ICT Technical security involves the use of safeguards incorporated into computer security and communications hardware and software, operations systems or applications software and other related devices. This chapter explains the technical level of ICT security in greater detail. Legal implications The last chapter of this handbook briefly explains legal matters with respect to Malaysian law. It highlights Malaysian cyber laws and the various aspects of criminal investigations. The appendices of this handbook provide some samples of framework, plan, checklist and forms useful in the ICT security management process. 1.4 Audience Main objective is to The main objective of this handbook is to provide guidance to employees provide guidance to all within government agencies on the essential components of ICT security. government employees It is intended to be the primary reference book used by all government employees in safeguarding the government’s ICT assets. The handbook is for ALL Various categories of government employees will benefit from the handbook government employees as it covers a wide range of topics. Nevertheless this handbook is also useful to anyone wishing to learn about the application of ICT security. Organisation of the The handbook is presented in five (5) chapters that can be divided into three content of the handbook (3) different levels; Essential, Intermediate and Advanced (Figure 1.2). The Essential level, which comprises of Chapter 1, Chapter 2 and Chapter 5, provides fundamental knowledge on ICT security and is suitable for chief executives and managers in the public sector. The Intermediate i.e. Chapter 3 is intended for general ICT users of the public sector. The description and explanation will provide guidance to users on the basic operational security safeguard to be implemented and maintained by them. The Advanced stage i.e. Chapter 4 is proposed for the more experienced ICT administrators and managers. The descriptions on technical details of ICT security should provide guidance and direction on steps that need to be taken to ensure the confidentiality, integrity and availability of public sector ICT systems. Copyright MAMPU Chapter 1 - 4
MyMIS Chapter 1 Chapter 2 Introduction Management Safeguards Chapter 3 Basic Operation Chapter 4 Technical Operation Chapter 5 Legal Matters ESSENTIAL INTERMEDIATE ADVANCED Figure 1.2: Malaysian Public Sector Management of ICT Security Handbook (MyMIS) Roadmap Copyright MAMPU Chapter 1 - 5

Recommandé

I0516064
I0516064I0516064
I0516064
IOSR Journals
 
It Security Awareness Overview
It Security Awareness OverviewIt Security Awareness Overview
It Security Awareness Overview
Nicholas Davis
 
60304756 whitman-ch01-1
60304756 whitman-ch01-160304756 whitman-ch01-1
60304756 whitman-ch01-1
UDCNTT
 
Introduction to information security
Introduction to information securityIntroduction to information security
Introduction to information security
Elumalai Vasan
 
Fundamental Areas of Cyber Security on Latest Technology
Fundamental Areas of Cyber Security on Latest TechnologyFundamental Areas of Cyber Security on Latest Technology
Fundamental Areas of Cyber Security on Latest Technology
ijtsrd
 
Paper Florencio Cano - Patient data security in a wireless and mobile world
Paper Florencio Cano - Patient data security in a wireless and mobile worldPaper Florencio Cano - Patient data security in a wireless and mobile world
Paper Florencio Cano - Patient data security in a wireless and mobile world
WTHS
 
Cyber Security Intelligence
Cyber Security IntelligenceCyber Security Intelligence
Cyber Security Intelligence
ijtsrd
 
internet security and cyber lawUnit1
internet security and cyber lawUnit1internet security and cyber lawUnit1
internet security and cyber lawUnit1
Royalzig Luxury Furniture
 

Recommandé

I0516064
I0516064I0516064
I0516064
IOSR Journals
 
It Security Awareness Overview
It Security Awareness OverviewIt Security Awareness Overview
It Security Awareness Overview
Nicholas Davis
 
60304756 whitman-ch01-1
60304756 whitman-ch01-160304756 whitman-ch01-1
60304756 whitman-ch01-1
UDCNTT
 
Introduction to information security
Introduction to information securityIntroduction to information security
Introduction to information security
Elumalai Vasan
 
Fundamental Areas of Cyber Security on Latest Technology
Fundamental Areas of Cyber Security on Latest TechnologyFundamental Areas of Cyber Security on Latest Technology
Fundamental Areas of Cyber Security on Latest Technology
ijtsrd
 
Paper Florencio Cano - Patient data security in a wireless and mobile world
Paper Florencio Cano - Patient data security in a wireless and mobile worldPaper Florencio Cano - Patient data security in a wireless and mobile world
Paper Florencio Cano - Patient data security in a wireless and mobile world
WTHS
 
Cyber Security Intelligence
Cyber Security IntelligenceCyber Security Intelligence
Cyber Security Intelligence
ijtsrd
 
internet security and cyber lawUnit1
internet security and cyber lawUnit1internet security and cyber lawUnit1
internet security and cyber lawUnit1
Royalzig Luxury Furniture
 
Ijcatr04061002
Ijcatr04061002Ijcatr04061002
Ijcatr04061002
Editor IJCATR
 
20111010 The National Security Framework of Spain for Guide Share Europe, in ...
20111010 The National Security Framework of Spain for Guide Share Europe, in ...20111010 The National Security Framework of Spain for Guide Share Europe, in ...
20111010 The National Security Framework of Spain for Guide Share Europe, in ...
Miguel A. Amutio
 
IT Security and Management - Prelim Lessons by Mark John Lado
IT Security and Management - Prelim Lessons by Mark John LadoIT Security and Management - Prelim Lessons by Mark John Lado
IT Security and Management - Prelim Lessons by Mark John Lado
Mark John Lado, MIT
 
IT Security and Management - Security Policies
IT Security and Management - Security PoliciesIT Security and Management - Security Policies
IT Security and Management - Security Policies
Mark John Lado, MIT
 
Institutional Cybersecurity from Military Perspective
Institutional Cybersecurity from Military PerspectiveInstitutional Cybersecurity from Military Perspective
Institutional Cybersecurity from Military Perspective
Government
 
113505 6969-ijecs-ijens
113505 6969-ijecs-ijens113505 6969-ijecs-ijens
113505 6969-ijecs-ijens
geekmodeboy
 
Describing The Challenges Of Securing Information
Describing The Challenges Of Securing InformationDescribing The Challenges Of Securing Information
Describing The Challenges Of Securing Information
Nicholas Davis
 
Outlook emerging security_technology_trends
Outlook emerging security_technology_trendsOutlook emerging security_technology_trends
Outlook emerging security_technology_trends
wardell henley
 
Information Risk Security model and metrics
Information Risk Security model and metricsInformation Risk Security model and metrics
Information Risk Security model and metrics
Vladimir Jirasek
 
Cyber Security
Cyber SecurityCyber Security
Cyber Security
IRJET Journal
 
Introduction to information security
Introduction to information securityIntroduction to information security
Introduction to information security
Dhani Ahmad
 
International Journal of Engineering Research and Development
International Journal of Engineering Research and DevelopmentInternational Journal of Engineering Research and Development
International Journal of Engineering Research and Development
IJERD Editor
 
EMERGENCY RESPONSE COMMUNICATIONS AND ASSOCIATED SECURITY CHALLENGES
EMERGENCY RESPONSE COMMUNICATIONS AND ASSOCIATED SECURITY CHALLENGESEMERGENCY RESPONSE COMMUNICATIONS AND ASSOCIATED SECURITY CHALLENGES
EMERGENCY RESPONSE COMMUNICATIONS AND ASSOCIATED SECURITY CHALLENGES
IJNSA Journal
 
Paper Titled Information Security in an organization
Paper Titled Information Security in an organizationPaper Titled Information Security in an organization
Paper Titled Information Security in an organization
Mohammed Mahfouz Alhassan
 
Maloney slides
Maloney slidesMaloney slides
Maloney slides
Onkar Sule
 
Paper id 25201417
Paper id 25201417Paper id 25201417
Paper id 25201417
IJRAT
 
Cyber defence sebagai garda terdepan ketahanan nasional
Cyber defence sebagai garda terdepan ketahanan nasionalCyber defence sebagai garda terdepan ketahanan nasional
Cyber defence sebagai garda terdepan ketahanan nasional
Edi Suryadi
 
Keamanan informasi
Keamanan informasiKeamanan informasi
Keamanan informasi
Nova Novelia
 
Conference Paper at International Conference on Enterprise Information System...
Conference Paper at International Conference on Enterprise Information System...Conference Paper at International Conference on Enterprise Information System...
Conference Paper at International Conference on Enterprise Information System...
Malaysia University of Science and Technology (MUST)
 
ITU Security in Telecommunications & Information Technology
ITU Security in Telecommunications & Information TechnologyITU Security in Telecommunications & Information Technology
ITU Security in Telecommunications & Information Technology
ITU
 
Revolution Or Evolution Exec Summary
Revolution Or Evolution Exec SummaryRevolution Or Evolution Exec Summary
Revolution Or Evolution Exec Summary
William Beer
 
IT8073 _Information Security _UNIT I Full notes
IT8073 _Information Security _UNIT I Full notesIT8073 _Information Security _UNIT I Full notes
IT8073 _Information Security _UNIT I Full notes
Asst.prof M.Gokilavani
 

Contenu connexe

Tendances

Ijcatr04061002
Ijcatr04061002Ijcatr04061002
Ijcatr04061002
Editor IJCATR
 
20111010 The National Security Framework of Spain for Guide Share Europe, in ...
20111010 The National Security Framework of Spain for Guide Share Europe, in ...20111010 The National Security Framework of Spain for Guide Share Europe, in ...
20111010 The National Security Framework of Spain for Guide Share Europe, in ...
Miguel A. Amutio
 
IT Security and Management - Prelim Lessons by Mark John Lado
IT Security and Management - Prelim Lessons by Mark John LadoIT Security and Management - Prelim Lessons by Mark John Lado
IT Security and Management - Prelim Lessons by Mark John Lado
Mark John Lado, MIT
 
Institutional Cybersecurity from Military Perspective
Institutional Cybersecurity from Military PerspectiveInstitutional Cybersecurity from Military Perspective
Institutional Cybersecurity from Military Perspective
Government
 
113505 6969-ijecs-ijens
113505 6969-ijecs-ijens113505 6969-ijecs-ijens
113505 6969-ijecs-ijens
geekmodeboy
 
Describing The Challenges Of Securing Information
Describing The Challenges Of Securing InformationDescribing The Challenges Of Securing Information
Describing The Challenges Of Securing Information
Nicholas Davis
 
Information Risk Security model and metrics
Information Risk Security model and metricsInformation Risk Security model and metrics
Information Risk Security model and metrics
Vladimir Jirasek
 
EMERGENCY RESPONSE COMMUNICATIONS AND ASSOCIATED SECURITY CHALLENGES
EMERGENCY RESPONSE COMMUNICATIONS AND ASSOCIATED SECURITY CHALLENGESEMERGENCY RESPONSE COMMUNICATIONS AND ASSOCIATED SECURITY CHALLENGES
EMERGENCY RESPONSE COMMUNICATIONS AND ASSOCIATED SECURITY CHALLENGES
IJNSA Journal
 
Maloney slides
Maloney slidesMaloney slides
Maloney slides
Onkar Sule
 
Paper id 25201417
Paper id 25201417Paper id 25201417
Paper id 25201417
IJRAT
 
Cyber defence sebagai garda terdepan ketahanan nasional
Cyber defence sebagai garda terdepan ketahanan nasionalCyber defence sebagai garda terdepan ketahanan nasional
Cyber defence sebagai garda terdepan ketahanan nasional
Edi Suryadi
 
Keamanan informasi
Keamanan informasiKeamanan informasi
Keamanan informasi
Nova Novelia
 

Tendances (18)

Ijcatr04061002
Ijcatr04061002Ijcatr04061002
Ijcatr04061002
 
20111010 The National Security Framework of Spain for Guide Share Europe, in ...
20111010 The National Security Framework of Spain for Guide Share Europe, in ...20111010 The National Security Framework of Spain for Guide Share Europe, in ...
20111010 The National Security Framework of Spain for Guide Share Europe, in ...
 
IT Security and Management - Prelim Lessons by Mark John Lado
IT Security and Management - Prelim Lessons by Mark John LadoIT Security and Management - Prelim Lessons by Mark John Lado
IT Security and Management - Prelim Lessons by Mark John Lado
 
IT Security and Management - Security Policies
IT Security and Management - Security PoliciesIT Security and Management - Security Policies
IT Security and Management - Security Policies
 
Institutional Cybersecurity from Military Perspective
Institutional Cybersecurity from Military PerspectiveInstitutional Cybersecurity from Military Perspective
Institutional Cybersecurity from Military Perspective
 
113505 6969-ijecs-ijens
113505 6969-ijecs-ijens113505 6969-ijecs-ijens
113505 6969-ijecs-ijens
 
Describing The Challenges Of Securing Information
Describing The Challenges Of Securing InformationDescribing The Challenges Of Securing Information
Describing The Challenges Of Securing Information
 
Outlook emerging security_technology_trends
Outlook emerging security_technology_trendsOutlook emerging security_technology_trends
Outlook emerging security_technology_trends
 
Information Risk Security model and metrics
Information Risk Security model and metricsInformation Risk Security model and metrics
Information Risk Security model and metrics
 
Cyber Security
Cyber SecurityCyber Security
Cyber Security
 
Introduction to information security
Introduction to information securityIntroduction to information security
Introduction to information security
 
International Journal of Engineering Research and Development
International Journal of Engineering Research and DevelopmentInternational Journal of Engineering Research and Development
International Journal of Engineering Research and Development
 
EMERGENCY RESPONSE COMMUNICATIONS AND ASSOCIATED SECURITY CHALLENGES
EMERGENCY RESPONSE COMMUNICATIONS AND ASSOCIATED SECURITY CHALLENGESEMERGENCY RESPONSE COMMUNICATIONS AND ASSOCIATED SECURITY CHALLENGES
EMERGENCY RESPONSE COMMUNICATIONS AND ASSOCIATED SECURITY CHALLENGES
 
Paper Titled Information Security in an organization
Paper Titled Information Security in an organizationPaper Titled Information Security in an organization
Paper Titled Information Security in an organization
 
Maloney slides
Maloney slidesMaloney slides
Maloney slides
 
Paper id 25201417
Paper id 25201417Paper id 25201417
Paper id 25201417
 
Cyber defence sebagai garda terdepan ketahanan nasional
Cyber defence sebagai garda terdepan ketahanan nasionalCyber defence sebagai garda terdepan ketahanan nasional
Cyber defence sebagai garda terdepan ketahanan nasional
 
Keamanan informasi
Keamanan informasiKeamanan informasi
Keamanan informasi
 

Similaire à Chapter1

Conference Paper at International Conference on Enterprise Information System...
Conference Paper at International Conference on Enterprise Information System...Conference Paper at International Conference on Enterprise Information System...
Conference Paper at International Conference on Enterprise Information System...
Malaysia University of Science and Technology (MUST)
 
ITU Security in Telecommunications & Information Technology
ITU Security in Telecommunications & Information TechnologyITU Security in Telecommunications & Information Technology
ITU Security in Telecommunications & Information Technology
ITU
 
Cryptography and Network Security Principles and PracticeEigh
Cryptography and Network Security Principles and PracticeEighCryptography and Network Security Principles and PracticeEigh
Cryptography and Network Security Principles and PracticeEigh
MargenePurnell14
 
INFORMATION AND COMMUNICATIONS TECHNOLOGY PROGRAM
INFORMATION AND COMMUNICATIONS TECHNOLOGY PROGRAMINFORMATION AND COMMUNICATIONS TECHNOLOGY PROGRAM
INFORMATION AND COMMUNICATIONS TECHNOLOGY PROGRAM
Christopher Nanchengwa
 
Top Cyber News Magazine Daniel Ehrenreich
Top Cyber News Magazine Daniel Ehrenreich Top Cyber News Magazine Daniel Ehrenreich
Top Cyber News Magazine Daniel Ehrenreich
TopCyberNewsMAGAZINE
 
ISS COMPLIANCE .docx
ISS COMPLIANCE .docx ISS COMPLIANCE .docx
ISS COMPLIANCE .docx
MARRY7
 

Similaire à Chapter1 (20)

Conference Paper at International Conference on Enterprise Information System...
Conference Paper at International Conference on Enterprise Information System...Conference Paper at International Conference on Enterprise Information System...
Conference Paper at International Conference on Enterprise Information System...
 
ITU Security in Telecommunications & Information Technology
ITU Security in Telecommunications & Information TechnologyITU Security in Telecommunications & Information Technology
ITU Security in Telecommunications & Information Technology
 
Revolution Or Evolution Exec Summary
Revolution Or Evolution Exec SummaryRevolution Or Evolution Exec Summary
Revolution Or Evolution Exec Summary
 
IT8073 _Information Security _UNIT I Full notes
IT8073 _Information Security _UNIT I Full notesIT8073 _Information Security _UNIT I Full notes
IT8073 _Information Security _UNIT I Full notes
 
IT8073_Information Security_UNIT I _.pdf
IT8073_Information Security_UNIT I _.pdfIT8073_Information Security_UNIT I _.pdf
IT8073_Information Security_UNIT I _.pdf
 
Research Agenda in Security Research
Research Agenda in Security ResearchResearch Agenda in Security Research
Research Agenda in Security Research
 
Cryptography and Network Security Principles and PracticeEigh
Cryptography and Network Security Principles and PracticeEighCryptography and Network Security Principles and PracticeEigh
Cryptography and Network Security Principles and PracticeEigh
 
Ict security essay
Ict security essay Ict security essay
Ict security essay
 
Security in the Internet of Things
Security in the Internet of ThingsSecurity in the Internet of Things
Security in the Internet of Things
 
IT Security - Guidelines
IT Security - GuidelinesIT Security - Guidelines
IT Security - Guidelines
 
820 1961-1-pb
820 1961-1-pb820 1961-1-pb
820 1961-1-pb
 
Cybersecurity and continuous intelligence
Cybersecurity and continuous intelligenceCybersecurity and continuous intelligence
Cybersecurity and continuous intelligence
 
Cyber Security.pptx
Cyber Security.pptxCyber Security.pptx
Cyber Security.pptx
 
Management Structures for IT Security
Management Structures for IT SecurityManagement Structures for IT Security
Management Structures for IT Security
 
INFORMATION AND COMMUNICATIONS TECHNOLOGY PROGRAM
INFORMATION AND COMMUNICATIONS TECHNOLOGY PROGRAMINFORMATION AND COMMUNICATIONS TECHNOLOGY PROGRAM
INFORMATION AND COMMUNICATIONS TECHNOLOGY PROGRAM
 
A Review of Information Security Issues and Techniques.pdf
A Review of Information Security Issues and Techniques.pdfA Review of Information Security Issues and Techniques.pdf
A Review of Information Security Issues and Techniques.pdf
 
Whitepaper Pro-active Security Management 2006.pdf
Whitepaper Pro-active Security Management 2006.pdfWhitepaper Pro-active Security Management 2006.pdf
Whitepaper Pro-active Security Management 2006.pdf
 
Top Cyber News Magazine Daniel Ehrenreich
Top Cyber News Magazine Daniel Ehrenreich Top Cyber News Magazine Daniel Ehrenreich
Top Cyber News Magazine Daniel Ehrenreich
 
Case Study.pdf
Case Study.pdfCase Study.pdf
Case Study.pdf
 
ISS COMPLIANCE .docx
ISS COMPLIANCE .docx ISS COMPLIANCE .docx
ISS COMPLIANCE .docx
 

Dernier

08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
Delhi Call girls
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
Enterprise Knowledge
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
Enterprise Knowledge
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
UK Journal
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
Enterprise Knowledge
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
Principled Technologies
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc
 

Dernier (20)

08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 

Chapter1

  • 1. MyMIS Chapter 1 INTRODUCTION 1.1 General Definition “Public Sector ICT Security can be defined as the process of ensuring business continuity and services provision free from unacceptable risk. It also seek to minimize disruptions or damage by preventing and minimizing security incidents” – Public Sector ICT Security Policy (Appendix A). Security of information The security of information within the Government of Malaysia’s Information within the government’s and Communications Technology (ICT) system is a subject of major concern. ICT system is a major concern Threats such as impersonation, malicious code, misuse of data, easily available penetration tools, powerful analytical techniques contribute in whole or in part to the necessity of providing adequate protection to public sector ICT assets. These threats if left unchecked, will result in painful explaination at the very minimum or untold damage to the country. Apart from incurring financial losses, both in terms of resources and unavailable services, these threats severely jeopardises the confidentiality, integrity and availability of official government information and in the end may be of detriment to the country. The hardest thing to comprehend is that an attack can be easily mounted by anyone from anywhere courtesy of the information superhighway and the misused concept of global instantaneous information sharing. Some examples of common threats are listed in Appendix B. Need for effective Public Over the years, government agencies have been religiously collecting vast Sector ICT Security amount of information. It is in the early 70’s that these information have management been deposited into digital format and since then, these repositories have unknowingly become exposed because of the invaluable information they keep and now in a format easily manipulated without stringent audit trail. The government realises this and that the government is also aware that there is an urgent need to secure the vast information resource through effective management of the security of ICT systems. In this regard, efforts are being made to ensure Public Sector ICT Security management achieve and maintain a high level of confidentiality, integrity and availability. A comprehensive A comprehensive approach is required in planning, developing, operating approach to ICT Security and maintaining the government’s ICT security processes. The ICT security processes is required measures need to be incorporated early, in the requirement specification and design of the ICT system, before the implementation stage to ensure a cost-effective and comprehensive system. The main steps include: (a) assessing the current security strengths and vulnerabilities; (b) developing ICT security policies, standards and processes; (c) designing and developing a customised security architecture; and (d) evaluating and selecting the best security system for the organisation. Copyright MAMPU Chapter 1 - 1
  • 2. MyMIS The ICT security process The ICT security process must cover all aspects of operation, including must cover various mechanisms used by hardware and software systems, networks, databases aspects in achieving a secure enviroment and other related systems and facilities. The goal is to achieve a secure working environment for employees and other persons working at or visiting the government’s facilities as well as to help establish processes to ensure the protection of information. ICT security processes The ICT security process should mirror the management’s direction in should mirror relation to: management’s direction (a) overall organisational policy; (b) organisational roles and responsibilities; (c) personnel; (d) government’s asset classification and control; (e) physical security; (f) system access controls; (g) network and computer management; (h) application development and maintenance; (i) business continuity; (j) compliance to standards as well as legal and statutory requirements; (k) classification and protection of information media; (l) employee awareness programmes; and (m) incident reporting and response. 1.2 Standards Framework This handbook provides This handbook provides essential guidelines to government employees on guidelines on ICT the ICT security process in the public sector. It is based mainly on two security based on international standards standards i.e. the MS ISO/IEC 13335 (Part 1 - 3) and the BS 7799 (Part 1 and 2). It also makes references to the Canadian Handbook on Information Technology Security, German IT Baseline Protection Manual and other related ISO standards. Various levels of details of standards can be viewed in the model depicted in Figure 1.1. In comparison to other standards and documents of ICT security management particularly to their level of detail, this handbook can be positioned along with the BS 7799, the Canadian MG-9 and the American National Institute of Science and Technology (NIST). This is warranted by the fact that this handbook is jurisdictional and specific to the Malaysian public sector. Description of model In the model, the areas and level of details of these standards varies between (Figure 1.1) each standard. Level 1, 2, 3 and 4 represent the Guidelines for the Management of IT Security (GMITS) or ISO/IEC 13335. It indicates the depth of knowledge required to understand the respective level. As an example, a Level 1 document needs no prior knowledge on ICT security management while a Level 2 document needs at least some understanding of the previous level. Level 1 to level 4 of the The model progresses from Level 1 ‘Concepts and Models’ to Level 2 ‘Managing model and Planning IT’, Level 3 ‘Techniques for the Management of IT’ before detailing ‘Selection of Safeguards, Management Guidance on Network and Guidelines for the Management of Trusted Third Parties’ in Level 4. Copyright MAMPU Chapter 1 - 2
  • 3. MyMIS Levels of details Level 1 ISO/IEC 13335-1 GMITS: Concepts and Models Level 2 ISO/IEC 13335-2 GMITS: Managing and Planning IT World/Global Level 3 ISO/IEC 13335-3 GMITS: Techniques for the Management of IT Level 4 • ISO/IEC 13335-4 GMITS: Selection of Safeguards • ISO/IEC 13335-5 GMITS: Management Guidance on Network • ISO/IEC 14516: Guidelines for the Management of Trusted Third Parties Level 5 Jurisdiction and culture-specific documents (National IT Security guidance documents) • BS 7799 • Canadian Handbook on Information Technology (MG-9) Nation/Organization • The NIST Handbook • MyMIS Level 6 Domain and application specific documents, Industry guides • German IT Baseline Protection Manual • IETF RFC 2196 Site Security Handbook • ISO/TR 13569 Banking and Related Financial Services-Information Security Guidelines Site/Domain • CEN/ENV 12924 Medical Informations & Security Categorisation and Protection for Healthcare systems • ISO/IEC 15947 IT Intrusion Detection Framework w Figure 1.1: Various Levels of Details of Standards and Documents Level 5 of the model Level 5 represents the three standards referred, i.e. BS 7799, the Canadian Handbook of Information Technology and the NIST. Documents under this group are categorised as jurisdictional and culture-specific. The MyMIS handbook is represented at this level. Level 6 of the model The standards within Level 6 are domain and application specific. Examples of such standards are the German IT Baseline Protection document, the IETF RFC 2196 Site Security Handbook, the ISO/TR 13569 on Banking and Related Financial Services, the CEN ENV 12924 on Medical Informatics: Security Categorisation and Protection Healthcare Systems and the ISO/IEC 15947 on IT Intrusion Detection Framework. 1.3 Handbook Coverage This handbook describes This handbook provides the necessary guidelines on ICT security management safeguards, operational safeguards to enable implementation of minimal security measures. It discusses and technical issues and legal implications elements of management safeguard, common operational and technical issues, and legal implications. The appendices at the end of the handbook may be of use to users with templates on security policies, adherence compliance plan, strategic plan, incident reporting mechanism, checklists and procedures. Its capacity is advisory and where the information contained is superceded (changes in technology, processes, legal requirements, public expectation) the reader is advised to refer to current adopted best practices. Copyright MAMPU Chapter 1 - 3
  • 4. MyMIS ICT security management The ICT security management safeguard identify five (5) major elements safeguards that should be considered by all public sector ministries, departments and agencies to protect their ICT systems. These elements are the ICT security policy, ICT security management programme, ICT security risk management, planning and incorporation of ICT security into the ICT systems life cycle and establishing ICT security assurance. The handbook further explains some fundamental operational components of ICT security that is best recognised by public sector employees. Technical details of ICT Technical security involves the use of safeguards incorporated into computer security and communications hardware and software, operations systems or applications software and other related devices. This chapter explains the technical level of ICT security in greater detail. Legal implications The last chapter of this handbook briefly explains legal matters with respect to Malaysian law. It highlights Malaysian cyber laws and the various aspects of criminal investigations. The appendices of this handbook provide some samples of framework, plan, checklist and forms useful in the ICT security management process. 1.4 Audience Main objective is to The main objective of this handbook is to provide guidance to employees provide guidance to all within government agencies on the essential components of ICT security. government employees It is intended to be the primary reference book used by all government employees in safeguarding the government’s ICT assets. The handbook is for ALL Various categories of government employees will benefit from the handbook government employees as it covers a wide range of topics. Nevertheless this handbook is also useful to anyone wishing to learn about the application of ICT security. Organisation of the The handbook is presented in five (5) chapters that can be divided into three content of the handbook (3) different levels; Essential, Intermediate and Advanced (Figure 1.2). The Essential level, which comprises of Chapter 1, Chapter 2 and Chapter 5, provides fundamental knowledge on ICT security and is suitable for chief executives and managers in the public sector. The Intermediate i.e. Chapter 3 is intended for general ICT users of the public sector. The description and explanation will provide guidance to users on the basic operational security safeguard to be implemented and maintained by them. The Advanced stage i.e. Chapter 4 is proposed for the more experienced ICT administrators and managers. The descriptions on technical details of ICT security should provide guidance and direction on steps that need to be taken to ensure the confidentiality, integrity and availability of public sector ICT systems. Copyright MAMPU Chapter 1 - 4
  • 5. MyMIS Chapter 1 Chapter 2 Introduction Management Safeguards Chapter 3 Basic Operation Chapter 4 Technical Operation Chapter 5 Legal Matters ESSENTIAL INTERMEDIATE ADVANCED Figure 1.2: Malaysian Public Sector Management of ICT Security Handbook (MyMIS) Roadmap Copyright MAMPU Chapter 1 - 5