Capacity Development Workshop on Public Information Management
TRANSCRIPT
Date: 28-30 November 2011
Venue: Suntec City, Singapore
Bersama Melaksana Transformasi
ICT Security in the Public Sector
Role of MAMPU in Public Sector Security
Malaysian Government Initiatives
ICT SECURITY IN PUBLIC SECTOR
To ensure continuity of business or services AND to minimise damage by keeping the effects of security incidents to a minimum.
Confidentiality: prevents unauthorised disclosure of systems and information.
Integrity: prevents unauthorised modification of systems and information.
Availability: prevents disruption of service and productivity.
"Agency entrusted for Public Sector ICT Security is MAMPU, Prime Minister's Department"
Extract from paragraph 32 of "Rangka Dasar Keselamatan Teknologi Maklumat dan Komunikasi Kerajaan" - Pekeliling Am Bil. 3 Tahun 2000
ICT SECURITY – ROLE OF MAMPU
To act as the pinnacle referral centre for Public Sector ICT security
Custodian of Public Sector ICT security
To coordinate Public Sector ICT security efforts
To plan and implement specific activities to enhance and protect Public Sector ICT security
POLICY DIRECTION
ALL PUBLIC SECTOR ICT ASSETS MUST BE PROTECTED
SHARED RESPONSIBILITY OF ALL PUBLIC SECTOR EMPLOYEES
ICT SECURITY
PROACTIVE
1. Standard, Policy & Guideline
   a. Policy Framework (PA 3/2000)
   b. Incident Handling Mechanism (PA 1/2001)
   c. Malaysian Public Sector Management of ICT Security Handbook (MyMIS)
   d. Internet and Email Ethics
   e. Malaysian Public Sector Management of ICT Security Risk Assessment Methodology (MyRAM)
2. Security Posture Assessment
3. Risk Assessment
4. Audit
5. Accreditation / Certification
CONTINUOUS
1. System & Network Monitoring
2. Awareness, Training & Acculturation
3. ICT Security Officer Network
4. Inter-Agency Coordination
5. Information Dissemination
REACTIVE
1. Government Computer Emergency Response Team (GCERT)
2. Business Continuity Management
Government Initiatives:
ICT Security Policy
Malaysian Public Sector ICT Security Monitoring (PRISMA)
Government Computer Emergency Response Team (GCERT)
ICT Security Compliance Scorecard (ISCS)
Information Security Management System (ISMS)
The Malaysian Public Sector Information Security High-Level Risk Assessment (HiLRA)
PEKELILING AM BIL. 3 TAHUN 2000
Paragraph 32 of this circular states that the central agency responsible for ICT security of the Government is MAMPU, Prime Minister's Department.
PRISMA – Centre for the Monitoring of ICT Security for the Public Sector, with the objective of protecting government ICT assets
Staff strength of 40+ ICT and security professionals (Government and Private Sector) with 24x7 operations
Monitors over 500 sensors in 177 sites (covering ministries, state agencies and statutory bodies)
Provides threat and vulnerability management and penetration testing, as well as training services
Why the need for PRISMA?
Delivery of secure EG applications
A tremendous increase in cyber threats threatens government investments
Centralised monitoring allows agencies to concentrate on their core business
Huge investment in ICT infrastructure requires protection from external and internal threats
To continuously, proactively and reactively protect public sector ICT infrastructure
To enhance knowledge and awareness of ICT security
To equip the Government with defensive and counter-attack capabilities
To be a one-stop ICT security reference centre for the public sector
PEKELILING AM BIL. 1 TAHUN 2001
Paragraph 5 of this circular states that all ICT security incidents detected in Public Sector agencies must be reported to GCERT, MAMPU.
SURAT PEKELILING AM
BIL. 4 TAHUN 2006
Paragraph 4 of this circular states:
All agencies with ICT infrastructure supporting government functions and providing service delivery systems are required to form incident response handling teams (CERTs).
These teams act as first-level support to GCERT MAMPU for ICT security incidents in agencies under their purview.
OBJECTIVES OF AGENCY CERTs
To strengthen the responsibility of the ministry or agency in incident response handling management for agencies under its purview
To develop human resource capacity, in particular those in incident response handling management
AGENCY CERTs
CERT SABAH
CERT KPKK
CERT KKM
CERT KPKT
CERT KeTTHA
NRE CERT
CERT KKR
CERT KSM
QCERT
CERT PP
JPA CERT
CERT KPWKM
CERT MOA
CERT KWP
CERT MOSTI
CERT KLN
CERT KPM
CERT JOHOR
CERT MELAKA
CERT PAHANG
CERT KPDNKK
CERT MOTOUR
CERT TRG
CERT UKM
UTeMCERT
CERT SELANGOR
CERT MPSP
CERT KELANTAN
CERT PERLIS
CERT MPPP
PDC CERT
CERT MOT
CERT KEDAH
CERT KPT
CERT KDN
CERT NS
CERT MOF
CERT KBS
CERT KKLW
CERT MITI
CERT SUK PERAK
CERT PAJPM
CERT BPA
ROLE OF GCERT MAMPU
Coordinates ICT security incident response handling management at agency level
Undertakes both proactive and reactive action
Provides advisories to agency CERTs
Coordinates information sharing and exchange programmes
Responsible for smaller agencies in the following:
Receives and detects ICT security incidents, and assesses the level and type of incident
Provides ICT security incident response and recommendations for minimal recovery
ROLE OF AGENCIES
HEAD OF DEPARTMENT
Ensure that the agency and the agencies under its purview comply with all regulations related to ICT security incident response handling management
Increase compliance with the requirements of acts, instructions, regulations and procedures related to ICT security
AGENCY CERTs
Receive or detect ICT security incidents, and assess the severity level and type of incident
Record and conduct an initial investigation of the incident
Provide ICT security incident response and undertake to provide assistance for minimal recovery
Contact and report the incident to GCERT MAMPU
Advise agencies under purview to undertake control and recovery measures
Disseminate incident-related information to agencies under purview
Conduct assessments to gauge the level of ICT security
SOURCES OF INCIDENT REPORTS
GCERT provides incident response handling services to Public Sector agencies with the domain .gov.my
Sources of incident reports include:
PRISMA
Public Sector Agencies
Malaysian Communications and Multimedia Commission
MyCERT
Media
GCERT detects vulnerabilities at agencies
Members of the public
ISCS
The ICT Security Compliance Scorecard (ISCS) is a system to assist MAMPU and agencies to measure and monitor compliance in accordance with security best practices and the MS ISO/IEC 27001:2007 standard.
Objectives
To measure the ICT compliance level in accordance with MS ISO/IEC 27001:2007
To identify non-compliance gaps in ICT security implementation
To compare past and present ICT security compliance
To improve Government ICT security compliance
To gain the trust of clients and stakeholders in the delivery of government services
Introduction
Country            Total
Japan               3862
India                526
China                492
UK                   477
Taiwan               431
Germany              174
Korea                106
Czech Republic       103
USA                  101
Spain                 75
Hungary               68
Italy                 68
Poland                58
Malaysia              55
Source: www.iso27001certificates.com
Objective
To protect critical infrastructure and to avoid or reduce relevant risk to Government agencies.
Target Agencies by 2013
Agency type                 Number
Ministry                        11
State Government                13
Federal Government Agency       28
University                      16
City Council                    11
Introduction
HiLRA is a risk assessment process which comprises a series of questionnaires designed along the eleven (11) basic information security domains derived from the ISO/IEC 27001 Information Security Management Systems (ISMS) standard.
Objectives
To determine whether a government agency has met the minimum standard security requirements of the public sector.
To enable management to make quality and timely decisions about the organisation's information security risk rating, current safeguard measures and best practice compliance.
Implementation
All government agencies need to perform HiLRA on a regular basis or when there are changes affecting the information system.
Implementation status from 2005 - 2011
Agencies                    No. of agencies
Federal Public Service                  106
State Public Service                     13
Federal Statutory Bodies                 40
Local Authorities                        10
TOTAL                                   169