Bersama Melaksana Transformasi

Capacity Development Workshop on Public Information Management
Date: 28-30 November 2011
Venue: Suntec City, Singapore


Page 1: Capacity Development Workshop on Public Information ...unpan1.un.org/intradoc/groups/public/documents/... · Bersama Melaksana Transformasi 1 Capacity Development Workshop on Public


Page 2

ICT Security in the Public Sector
Role of MAMPU in Public Sector Security
Malaysian Government Initiatives

Page 3

ICT SECURITY IN PUBLIC SECTOR

To ensure continuity of business or services AND to minimise damage by keeping the effects of security incidents to a minimum.

Page 4

Confidentiality: prevents unauthorised disclosure of systems and information.
Integrity: prevents unauthorised modification of systems and information.
Availability: prevents disruption of service and productivity.

Page 5

"Agency entrusted for Public Sector ICT Security is MAMPU, Prime Minister's Department"

Abstract from paragraph 32 of "Rangka Dasar Keselamatan Teknologi Maklumat dan Komunikasi Kerajaan" (Government ICT Security Policy Framework)
- Pekeliling Am Bil. 3 Tahun 2000 (General Circular No. 3 of 2000)

Page 6

ICT SECURITY – ROLE OF MAMPU

- To act as the pinnacle referral centre for Public Sector ICT security
- Custodian of Public Sector ICT security
- To coordinate Public Sector ICT security efforts
- To plan and implement specific activities to enhance and protect Public Sector ICT security

Page 7

POLICY DIRECTION

ALL PUBLIC SECTOR ICT ASSETS MUST BE PROTECTED
SHARED RESPONSIBILITY OF ALL PUBLIC SECTOR EMPLOYEES

Page 8

ICT SECURITY

PROACTIVE
1. Standard, Policy & Guideline
   a. Policy Framework (PA 3/2000)
   b. Incident Handling Mechanism (PA 1/2001)
   c. Malaysian Public Sector Management of ICT Security Handbook (MyMIS)
   d. Internet and Email Ethics
   e. Malaysian Public Sector Management of ICT Security Risk Assessment Methodology (MyRAM)
2. Security Posture Assessment
3. Risk Assessment
4. Audit
5. Accreditation / Certification

CONTINUOUS
1. System & Network Monitoring
2. Awareness, Training & Acculturation
3. ICT Security Officer Network
4. Inter Agency Coordination
5. Information Dissemination

REACTIVE
1. Government Computer Emergency Response Team (GCERT)
2. Business Continuity Management

Page 9

Government Initiatives:
- ICT Security Policy
- Malaysian Public Sector ICT Security Monitoring (PRISMA)
- Government Computer Emergency Response Team (GCERT)
- ICT Security Compliance Scorecard (ISCS)
- Information Security Management System (ISMS)
- The Malaysian Public Sector Information Security High-Level Risk Assessment (HiLRA)


Page 11

PEKELILING AM BIL. 3 TAHUN 2000 (General Circular No. 3 of 2000)

Paragraph 32 of this circular states that the central agency responsible for ICT security of the Government is MAMPU, Prime Minister's Department.


Page 13

PRISMA – Centre for the Monitoring of ICT Security for the Public Sector, with the objective of protecting government ICT assets
- Staff strength of 40+ ICT and security professionals (Government and Private Sector) with 24x7 operations
- Monitors over 500 sensors in 177 sites (covering ministries, state agencies and statutory bodies)
- Provides threat and vulnerability management, penetration testing as well as training services

Page 14

Why the need for PRISMA?
- Delivery of secured EG applications
- Tremendous increase in cyber threats threatens government investments
- Centralised monitoring allows agencies to concentrate on core business
- Huge investment in ICT infrastructure requires protection from external and internal threats

Page 15

- To continuously, proactively & reactively protect public sector ICT infrastructure
- To enhance knowledge and awareness of ICT security
- To equip the Government with defensive and counter-attack capabilities
- To be a one-stop ICT security reference centre for the public sector


Page 17

PEKELILING AM BIL. 1 TAHUN 2001 (General Circular No. 1 of 2001)

Paragraph 5 of this circular states that all ICT security incidents detected in Public Sector agencies must be reported to GCERT, MAMPU.


Page 19

SURAT PEKELILING AM BIL. 4 TAHUN 2006 (General Circular Letter No. 4 of 2006)

Paragraph 4 of this circular states:
- All agencies with ICT infrastructure supporting government functions and providing service delivery systems are required to form incident response handling teams (CERTs)
- These teams act as first level support to GCERT MAMPU for ICT security incidents in agencies under their purview

Page 20

OBJECTIVES OF AGENCY CERTs
- To strengthen the responsibility of the ministry or agency in incident response handling management for agencies under its purview
- To develop human resource capacity, in particular those in incident response handling management

Page 21

AGENCY CERTs

CERT SABAH, CERT KPKK, CERT KKM, CERT KPKT, CERT KeTTHA, NRE CERT, CERT KKR, CERT KSM, QCERT, CERT PP, JPA CERT, CERT KPWKM, CERT MOA, CERT KWP, CERT MOSTI, CERT KLN, CERT KPM, CERT JOHOR, CERT MELAKA, CERT PAHANG, CERT KPDNKK, CERT MOTOUR, CERT TRG, CERT UKM, UTeMCERT, CERT SELANGOR, CERT MPSP, CERT KELANTAN, CERT PERLIS, CERT MPPP, PDC CERT, CERT MOT, CERT KEDAH, CERT KPT, CERT KDN, CERT NS, CERT MOF, CERT KBS, CERT KKLW, CERT MITI, CERT SUK PERAK, CERT PAJPM, CERT BPA

Page 22

ROLE OF GCERT MAMPU
- Coordinates ICT security incident response handling management at agency level
- Undertakes both proactive and reactive action
- Provides advisories to agency CERTs
- Coordinates information sharing and exchange programs
- Responsible for smaller agencies in the following:
  - Receives and detects ICT security incidents, assesses the level and type of incident
  - Provides ICT security incident response and recommendations for minimal recovery

Page 23

ROLE OF AGENCIES

HEAD OF DEPARTMENT
- Ensure agencies and agencies under purview comply with all regulations related to ICT security incident response handling management
- Increase compliance with the requirements of acts, instructions, regulations and procedures related to ICT security

AGENCY CERTs
- Receive or detect ICT security incidents, assess the severity level and type of incident
- Record and conduct initial investigation of the incident
- Provide ICT security incident response and undertake to provide assistance for minimal recovery
- Contact and report incident to GCERT MAMPU
- Advise agencies under purview to undertake control and recovery measures
- Disseminate incident related information to agencies under purview
- Conduct assessment to gauge the level of ICT security

Page 24

SOURCES OF INCIDENT REPORTS

GCERT provides incident response handling services to Public Sector agencies with domain .gov.my

Sources of incident report include:
- PRISMA
- Public Sector Agencies
- Malaysian Communications and Multimedia Commission
- MyCERT
- Media
- GCERT detects vulnerabilities at agencies
- Members of the public


Page 26

ISCS

ICT Security Compliance Scorecard (ISCS) is a system to assist MAMPU and agencies to measure and monitor compliance in accordance with security best practices and the MS ISO/IEC 27001:2007 standard.

Page 27

Objectives
- To measure ICT compliance level in accordance with MS ISO/IEC 27001:2007
- To identify non-compliance gaps in ICT security implementation
- To compare past and present ICT security compliance
- To improve Government ICT security compliance
- To gain the trust of clients and stakeholders in the delivery of government services


Page 29

Introduction

ISO/IEC 27001 certificates by country:

Country          Total
Japan             3862
India              526
China              492
UK                 477
Taiwan             431
Germany            174
Korea              106
Czech Republic     103
USA                101
Spain               75
Hungary             68
Italy               68
Poland              58
Malaysia            55

Source: www.iso27001certificates.com

Page 30

Objective

To protect critical infrastructure and to avoid or reduce relevant risk to Government agencies.

Page 31

Target Agencies by 2013

Agency type                 Number
Ministry                        11
State Government                13
Federal Government Agency       28
University                      16
City Council                    11


Page 33

Introduction

HiLRA is a risk assessment process which comprises a series of questionnaires designed along the eleven (11) basic information security domains derived from ISO/IEC 27001 Information Security Management Systems (ISMS).

Page 34

Objectives
- To determine whether a government agency has met the minimum standard security requirements of the public sector.
- To enable the management to make a quality and timely decision about the organisation's information security risk rating, current safeguard measures and best practice compliance.

Page 35

Implementation

All government agencies need to perform HiLRA on a regular basis or when there are changes affecting the information system.

Implementation status from 2005 - 2011

AGENCIES                    NO. OF AGENCIES
Federal Public Service                  106
State Public Service                     13
Federal Statutory Bodies                 40
Local Authorities                        10
TOTAL                                   169

Page 36

Thank You

[email protected]