PUBLIC SECTOR ICT SECURITY INITIATIVES

Osman Bin Abd Aziz, Deputy Director, ICT Security Division, Malaysian Administrative Modernisation and Management Planning Unit (MAMPU), Prime Minister’s Department, obaa@mampu.gov.my. Sabah CIO Conference, 22 June 2004.

Presentation Transcript


  1. PUBLIC SECTOR ICT SECURITY INITIATIVES Osman Bin Abd Aziz Deputy Director ICT Security Division Malaysian Administrative Modernisation and Management Planning Unit Prime Minister’s Department obaa@mampu.gov.my Sabah CIO Conference 22 June 2004

  2. Contents
     • Introduction
     • Scope and ownership of ICT Security
     • Communications & Multimedia Act 1998
     • Administrative Authority on Public Sector ICT Security
     • Definition
     • Government Initiatives
     • Standards & Guidelines
     • Security Posture Assessment
     • Lack of ICT Security - Implications
     • Conclusion
     • Summary

  4. INTRODUCTION
     • Increased dependence on ICT
     • Incident trends: on the increase
     • Urgent need to upgrade security
     • A role for everyone

  5. INTRODUCTION: CARDINAL ICT SECURITY PRINCIPLES
     • Confidentiality
     • Integrity
     • Availability
     • Authenticity
     • Non-repudiation
     Single objective: to protect ICT assets

  7. SCOPE
     Communications & Multimedia Act 1998 (Act 588), Part I, Clause 3 (2) (j): “to ensure information security and network reliability and integrity”. The Act states that Information Security is under the purview of the CMC.

  8. SCOPE: Administrative Authority for Public Sector ICT Security
     • Formation of the ICT Security Division, MAMPU
     • GITIC
     • PANEL
     • JKTT
     • Public Services Department
     In short: MAMPU is the reference agency on all ICT Security matters within the Public Sector.

  9. ‘Agency entrusted for Public Sector ICT Security is MAMPU, Prime Minister’s Department’
     Extract from paragraph 32 of “Rangka Dasar Keselamatan Teknologi Maklumat dan Komunikasi Kerajaan” (Government ICT Security Policy Framework), Pekeliling Am Bil. 3 Tahun 2000 (General Circular No. 3 of 2000).

  11. DEFINITION
     Being secure means:
     • Free from risk, unacceptable threats and vulnerabilities
     • State of having no doubt, fear or anxiety
     • State of being assured of something
     “Security is about risk reduction, not threat avoidance.”
     “Security is not a destination, it is a journey.”
     Bruce Schneier, Founder and CTO, Counterpane Internet Security, Inc.

  12. DEFINITION: ICT SECURITY IN THE PUBLIC SECTOR
     • To ensure business or service continuity and to minimise damage by keeping the effects of security incidents to a minimum
     • Relates to the protection of both information and physical assets, i.e. information and ICT assets are an integral part of Government business

  13. ICT SECURITY DIVISION, MAMPU: Pinnacle Referral Centre for ICT Security in the Public Sector
     Vision: To protect Government of Malaysia ICT assets
     Mission and objectives:
     • To plan and implement specific activities to enhance and protect Public Sector ICT security
     • To act as the pinnacle Public Sector ICT security referral centre
     • To act as the keeper of Public Sector ICT Security
     • To coordinate Public Sector ICT security efforts

  14. Security is not about products, it’s a process !!!

  16. GOVERNMENT INITIATIVES
     Three (3) government initiatives towards protection of Public Sector assets:
     • Strategic
     • Tactical
     • Operations

  17. STRATEGIC: PROTECT ICT ASSETS (PREVENTIVE)
     • Management: ICT security policies, standards, guidelines and risk management
     • Infrastructure: network, operating systems, applications, databases
     • Knowledge/skills: basic knowledge, ICT security issues, implementation/operation, legal issues

  18. STRATEGIC: PROTECT ICT ASSETS
     Proactive:
     • Guidelines
     • Security Posture Assessment
     • Audit Review Methodology (*MyRAM)
     • Accreditation Scheme
     Recovery:
     • GCERT Team: business resumption, incident response, information dissemination, advisory, CIO/ICTSO network, inter-agency coordination
     • Policy Framework
     • Incident Handling Mechanism
     • Malaysian Public Sector Management of ICT Security Handbook (MyMIS)
     Continuous:
     • System & Network Monitoring (PRISMA)
     • Awareness & Acculturation

  19. TACTICAL
     • Appointment of CIO & ICTSO: define roles & responsibilities
     • Awareness & Acculturation: seminars, training programs, conferences (CIO & ICTSO), communication program
     • Accreditation Methodology: to create professional ICTSOs; new initiative, draft accepted
     • Advisories: latest updates, patches, early warning
     • Knowledge Based Reference Centre (planning stage): accessible to all ICTSOs, sys admins and ICT managers; ICT incidents within the public sector; mitigation efforts

  20. OPERATION
     Audit Reviews (MyRAM): security review methodology; new initiative, draft accepted
     • Security review measured against a standard
     • To determine risk grouping
     • To determine level of risk (low, medium, high)
     • Recommendations to reduce vulnerabilities
     Recovery (GCERT Team): emergency response centre
     • Advisory
     • Inter-agency coordination
     • Information dissemination
     • Objective: to minimise impact
     • Assist in recovery & evidence preservation
     • Business resumption

  21. OPERATION
     Government Security Operation Centre (PRISMA):
     • Cyber Attack Monitoring System (CAMS)
     • Defence System (DS)
     • Gov Security Web Portal (GSWP)
     • Automatic Web Page Recovery System (AWRS)
     • Periodic Vulnerability Scanning System (PVSS)
     • PKI
     • Initially selected sites monitored; online monitoring of security breaches
     Security Posture Assessment:
     • Thorough exercise to determine vulnerabilities
     • Internal & external penetration test
     • Report with recommendations

  22. MALAYSIAN PUBLIC SECTOR MANAGEMENT OF ICT SECURITY HANDBOOK (MyMIS)

  23. SECURITY IS A MAJOR CONCERN
     The security of information within the Government of Malaysia’s ICT systems is a subject of major concern:
     • The increasing incidence of hacking, virus attacks and other forms of electronic trespass
     • ICT Security is critical to the objective of implementing Electronic Government
     • Electronic connectivity in the workplace has meant that security of ICT assets cannot be provided through conventional means
     The rationale for ICT Security:
     • Expanded use of ICT in the delivery of Government services
     • The public sector is not insulated from prevailing threats
     • Enhancement of the internal operations of public sector agencies

  24. Major Elements of Management Safeguards
     • Public Sector ICT Security Policy
     • Public Sector ICT Security Risk Management
     • Public Sector ICT Security Programme Management
     • Public Sector ICT Security Assurance
     • Incorporating Public Sector ICT Security into the ICT System’s Life Cycle

  25. OBJECTIVES OF PRISMA
     Strategically, PRISMA will provide the Malaysian Government with:
     • The ability to proactively & reactively protect public sector information assets
     • Enhanced knowledge and awareness of ICT security

  27. STANDARDS & GUIDELINES

  28. INTERNET AND ELECTRONIC MAIL
     Garis Panduan Mengenai Tatacara Penggunaan Internet dan Mel Elektronik di Agensi-agensi Kerajaan (Guidelines on Procedures for the Use of the Internet and Electronic Mail in Government Agencies), PKPA 1/2003
     • Circular issued
     • Internet and Electronic Mail Ethics
     • List of “do’s” and “don’ts”. Examples:
       • Don’t post anonymous or forged messages
       • No violating the privacy of other users
       • Don’t send email using other users’ accounts
       • No illegal activities, e.g. gambling

  29. RISK ASSESSMENT METHODOLOGY
     Malaysian Government Risk Assessment Methodology (MyRAM) allows the Public Sector to identify:
     • ICT-related assets of organisations
     • ICT-related vulnerabilities of the associated assets
     • ICT-related threats to the identified assets
     • Existing controls (safeguards) for the identified assets
     • The risks associated with the identified assets
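A worked illustration of the five MyRAM steps listed on this slide (assets, vulnerabilities, threats, existing controls, risks) and of the low/medium/high risk grouping named under OPERATION on slide 20. This is an added example, not MAMPU's MyRAM tool or any material from the deck: the 1-5 scales, the likelihood x impact scoring, the per-control "reduction" values, the banding thresholds and the sample register are all assumptions of the example.

```python
"""Minimal risk register in the shape of the MyRAM steps: asset -> vulnerability
-> threat -> existing controls -> residual risk. Illustrative only; scales and
thresholds are assumed, not taken from MyRAM."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Asset:
    name: str
    impact: int  # assumed 1-5 scale: consequence of losing the asset's C/I/A


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: int  # assumed 1-5 scale, with no controls in place


@dataclass(frozen=True)
class Control:
    name: str
    reduction: int  # assumed: likelihood points this safeguard removes


@dataclass
class RiskItem:
    asset: Asset
    vulnerability: str  # the weakness the threat would exploit
    threat: Threat
    controls: list[Control] = field(default_factory=list)


def residual_likelihood(item: RiskItem) -> int:
    """Likelihood after existing controls, clamped to 1..5 (no control is perfect)."""
    reduced = item.threat.likelihood - sum(c.reduction for c in item.controls)
    return max(1, min(5, reduced))


def risk_score(item: RiskItem) -> int:
    """Assumed scoring: residual likelihood x impact, giving 1..25."""
    return residual_likelihood(item) * item.asset.impact


def risk_level(score: int) -> str:
    """Assumed banding of the 1..25 score into the three groups the deck names."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def assess(register: list[RiskItem]) -> list[dict]:
    """Rate every register entry and return rows ordered highest risk first."""
    rows = []
    for item in register:
        score = risk_score(item)
        level = risk_level(score)
        rows.append({
            "asset": item.asset.name,
            "vulnerability": item.vulnerability,
            "threat": item.threat.name,
            "controls": [c.name for c in item.controls],
            "residual_likelihood": residual_likelihood(item),
            "score": score,
            "level": level,
            # Only low risks are accepted as-is; the rest need a treatment recommendation.
            "action": "accept" if level == "low" else f"treat: reduce '{item.vulnerability}'",
        })
    return sorted(rows, key=lambda r: r["score"], reverse=True)


# Constructed sample register (not real agency data).
SAMPLE_REGISTER = [
    RiskItem(Asset("Citizen records database", impact=5), "unpatched database server",
             Threat("network worm", likelihood=4), [Control("perimeter firewall", 1)]),
    RiskItem(Asset("Agency public web site", impact=3), "default administrator password",
             Threat("web page defacement", likelihood=4)),
    RiskItem(Asset("Internal file share", impact=2), "no off-site backup",
             Threat("disk failure", likelihood=3), [Control("daily backup", 2)]),
]

if __name__ == "__main__":
    for row in assess(SAMPLE_REGISTER):
        print(f"{row['level']:6} {row['score']:2}  {row['asset']}: "
              f"{row['threat']} via {row['vulnerability']} -> {row['action']}")
```

Running the block prints the register ordered by score: the database entry lands in the high band because a single firewall only lowers the worm's likelihood by one point against a maximum-impact asset, while the backed-up file share drops to low. The point of the structure is that controls are recorded against the asset they protect, so the residual figure, not the raw threat rating, is what drives the recommendation.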

  31. SECURITY POSTURE ASSESSMENT: Objective of the SPA
     “To establish the current baseline security of the network and systems by discovering known vulnerabilities and weaknesses, with the intention of providing incremental improvements to tighten the security of the network and systems”

  32. SECURITY POSTURE ASSESSMENT: SPA Scope of Work
     • Policy review
     • Physical security review
     • Network design & configuration assessment
     • External penetration test
     • Internal penetration test
     • Vulnerability assessment
     • Host assessment

  33. ICT SECURITY INCIDENT GCERT MAMPU, 18 Jun 2004

  35. PROFESSIONAL COMMITMENTS: Some to-do items

  38. ROLES AND RESPONSIBILITIES: CHIEF INFORMATION OFFICER (CIO)
     • Support the Head of Department in discharging ICT Security responsibilities;
     • Transform the responsibilities above into an effective action plan; and
     • Incorporate ICT Security requirements into existing CIO functions. Example: preparing the IT Strategic Plan.

  40. IMPLICATIONS FROM LACK OF SECURITY
     • Public embarrassment / image
     • Compromised confidential information
     • Compromised integrity of information
     • Privacy and other legal considerations
     • Fraud by spoofing identities
     • System / network outages and business disruption
     • Lack of trust
     • Additional expenses
     • Theft of information / communications / other services
     • Disclosure / tampering of proprietary data
     • Damage through manipulation

  42. CONCLUSION: The security problem is worsening

  44. SUMMARY: GOM ICT SECURITY INITIATIVES
     • Public Sector ICT Security Framework
     • Cooperation with the Standards Department & SIRIM on ICT Security Standards
     • Malaysian Public Sector Management of Information & Communications Technology Security Handbook (MyMIS)
     • ICT Security Incident Reporting Mechanism
     • GCERT
     • MS 17799 Part 1
     • MS ISO 13335 Part 1, 2 & 3

  45. SUMMARY: GOM ICT SECURITY INITIATIVES (cont.)
     • CIO
     • ICTSO
     • Communications Network: CIO/ICTSO/Sys Admin/CERTs
     • ICT Audit Methodology
     • PRISMA
     • Acculturation programs
     • ICTSO Accreditation Scheme

  46. Thank You