PUBLIC SECTOR ICT SECURITY INITIATIVES Osman Bin Abd Aziz, Deputy Director, ICT Security Division, Malaysian Administrative Modernisation and Management Planning Unit, Prime Minister’s Department. obaa@mampu.gov.my. Sabah CIO Conference, 22 June 2004.
Contents • Introduction • Scope and ownership of ICT Security • Communications & Multimedia Act 1998 • Administrative Authority on Public Sector ICT Security • Definition • Government Initiatives • Standards & Guidelines • Security Posture Assessment • Lack of ICT Security - Implications • Conclusion • Summary
INTRODUCTION • Increased dependence on ICT • Incidence trends on the increase • Urgent need to upgrade security • Role for everyone
INTRODUCTION • CARDINAL ICT SECURITY PRINCIPLES • Confidentiality • Integrity • Availability • Authenticity • Non-repudiation • Single Objective - To protect ICT assets
SCOPE • Communications & Multimedia Act 1998 (Act 588) Part I Clause 3 (2) (j) • “to ensure information security and network reliability and integrity”. The Act states that Information Security is under the purview of the CMC.
SCOPE • Administrative Authority Public Sector ICT Security • Formation of ICT Security Division MAMPU • GITIC • PANEL • JKTT • Public Services Department • In short: • MAMPU is the reference agency on all ICT Security matters within the Public Sector
‘Agency entrusted for Public Sector ICT Security is MAMPU, Prime Minister’s Department’ Extract from paragraph 32: “Rangka Dasar Keselamatan Teknologi Maklumat dan Komunikasi Kerajaan” - Pekeliling Am Bil. 3 Tahun 2000
DEFINITION Being secure means: • Free from risk, unacceptable threats and vulnerabilities • State of having no doubt, fear or anxiety • State of being assured of something. “Security is about risk reduction, not threat avoidance.” “Security is not a destination, it is a journey.” Bruce Schneier, Founder and CTO, Counterpane Internet Security, Inc.
DEFINITION: ICT SECURITY IN PUBLIC SECTOR • To ensure business or services continuity and to minimize damage by keeping the effects of security incidents to a minimum • Relates to the protection of both information and physical assets, i.e. information and ICT assets are an integral part of Governmental business
ICT SECURITY DIVISION, MAMPU Pinnacle Referral Centre for ICT Security in the Public Sector Vision To Protect Government of Malaysia ICT Assets Mission • To plan and implement specific activities to enhance and protect Public Sector ICT security • To act as the pinnacle Public Sector ICT security referral centre • To act as the keeper of Public Sector ICT Security • To coordinate Public Sector ICT security efforts Objectives
GOVERNMENT INITIATIVES Three (3) government initiatives towards protection of Public Sector assets: • STRATEGIC • TACTICAL • OPERATIONS
STRATEGIC: PROTECT ICT ASSETS. PREVENTIVE • MANAGEMENT: ICT security policies, standards, guidelines and risk management • INFRASTRUCTURE: Network, Operating systems, Applications, Databases • KNOWLEDGE/SKILLS: Basic knowledge, ICT security issues, Implementation/operation, Legal issues
STRATEGIC PROTECT ICT ASSETS PROACTIVE Guidelines Security Posture Assessment Audit Review Methodology (*MyRAM) Accreditation Scheme RECOVERY GCERT TEAM Business Resumption Incident response Information Dissemination Advisory CIO/ ICTSO Network Inter Agency Coordination Policy Framework Incident Handling Mechanism Malaysian Public Sector Management of ICT Security Handbook (MyMIS) CONTINUOUS System & Network Monitoring (PRISMA) Awareness & Acculturation
TACTICAL Appointment of CIO & ICTSO Awareness & Acculturation Accreditation Methodology To create professional ICTSO New initiatives. Draft accepted Latest updates Patches Early warning Define roles & responsibilities Seminars Training programs Conferences (CIO & ICTSO) Communication program Advisories Knowledge Based Reference Centre Planning stage Accessible to all ICTSO’s, Sys admin, ICT managers ICT incidences within the public sector Mitigation efforts
OPERATION Audit Reviews (MyRAM) Recovery GCERT Team Emergency response centre Advisory Inter agency coordination Information dissemination Objective to minimise impact Assist in recovery & evidence preservation Business resumption Security review methodology Security review Measured against standard To determine risk grouping To determine level of risk (low, medium, high) Recommendations to reduce vulnerabilities New initiatives. Draft accepted
OPERATION Government Security Operation Centre (PRISMA) Security Posture Assessment Cyber Attack Monitoring System (CAMS) Defence System (DS) Gov Security Web Portal (GSWP) Automatic Web Page Recovery System (AWRS) Periodic Vulnerability Scanning System (PVSS) PKI Thorough exercise to determine vulnerabilities Internal & external penetration test Report with recommendations Initially selected sites monitored Online monitoring of security breaches
MALAYSIAN PUBLIC SECTOR MANAGEMENT OF ICT SECURITY HANDBOOK (MyMIS)
SECURITY IS A MAJOR CONCERN The Security of Information Within the Government of Malaysia’s ICT Systems is a Subject of Major Concern • The increasing incidence of hacking, virus attacks and other forms of electronic trespass • ICT Security is critical to the objective of implementing Electronic Government • Electronic connectivity in the work place has meant that security of ICT assets cannot be provided through conventional means. The Rationale For ICT Security • Expanded use of ICT in the delivery of Government services • The public sector is not insulated from prevailing threats • Enhancement of the internal operations of public sector agencies
Major Elements of Management Safeguards MANAGEMENT SAFEGUARDS • Public Sector ICT Security Policy • Public Sector ICT Security Risk Management • Public Sector ICT Security Programme Management • Public Sector ICT Security Assurance • Incorporating Public Sector ICT Security Into ICT System’s Life Cycle
OBJECTIVES OF PRISMA Strategically, PRISMA will provide the Malaysian Government with: • Ability to proactively & reactively protect public sector information assets • Enhanced knowledge and awareness of ICT security
INTERNET AND ELECTRONIC MAIL Garis Panduan Mengenai Tatacara Penggunaan Internet dan Mel Elektronik di Agensi-agensi Kerajaan PKPA 1/2003 • circular issued • Internet and Electronic Mail Ethics • List of “do’s” and “don’ts” Examples: • don’t post anonymous or forged messages • no violating the privacy of other users • don’t send email using other users’ accounts • no illegal activities, e.g. gambling
RISK ASSESSMENT METHODOLOGY Malaysian Government Risk Assessment Methodology (MyRAM) To allow the Public Sector to identify: • ICT related assets to organisations • ICT related vulnerabilities to the associated assets • ICT related threats to the identified assets • Existing controls (safeguards) for the identified assets • The risks associated with the identified assets
SECURITY POSTURE ASSESSMENT Objective of the SPA: “To establish the current baseline security of the network and systems by discovering known vulnerabilities and weaknesses, with the intention of providing incremental improvements to tighten the security of the network and systems”
SECURITY POSTURE ASSESSMENT SPA SCOPE OF WORK • Policy review • Physical security review • Network design & configuration assessment • External penetration test • Internal penetration test • Vulnerability assessment • Host assessment
ICT SECURITY INCIDENT GCERT MAMPU, 18 Jun 2004
PROFESSIONAL COMMITMENTS Some To Do List:
ROLES AND RESPONSIBILITIES CHIEF INFORMATION OFFICER (CIO) • Support the Head of Department in discharging ICT Security responsibilities; • Transform the responsibilities above into an effective action plan; and • Incorporate ICT Security requirements into existing CIO functions. Example: preparing the IT strategic Plan.
IMPLICATIONS FROM LACK OF SECURITY • Public embarrassment / image • Compromised confidential information • Compromised integrity of information • Privacy and other legal considerations • Fraud by spoofing identities • System / Network outages and Business disruption • Lack of trust • Additional Expenses • Theft of Information / Communications / other services • Disclosure / tampering of proprietary data • Damage through manipulation
CONCLUSION Security problem is worsening
SUMMARY GOM ICT SECURITY INITIATIVES • Public Sector ICT Security Framework • Cooperation with Standards Department & SIRIM on ICT Security Standards • Malaysian Public Sector Management of Information & Communications Technology Security Handbook (MyMIS) • ICT Security Incident Reporting Mechanism • GCERT • MS 17799 Part 1 • MS ISO 13335 Part 1, 2 & 3
SUMMARY GOM ICT SECURITY INITIATIVES ….. (cont) • CIO • ICTSO • Communications Network CIO/ICTSO/Sys Admin/CERTS • ICT Audit Methodology • PRISMA • Acculturation programs • ICTSO Accreditation Scheme