PUBLIC SECTOR ICT SECURITY INITIATIVES Osman Bin Abd Aziz Deputy Director ICT Security Division

Presentation Transcript
slide1

PUBLIC SECTOR

ICT SECURITY INITIATIVES

Osman Bin Abd Aziz

Deputy Director

ICT Security Division

Malaysian Administrative Modernisation and Management Planning Unit

Prime Minister’s Department

obaa@mampu.gov.my

Sabah CIO Conference 22 June 2004

slide2

Contents

  • Introduction
  • Scope and ownership of ICT Security
    • Communications & Multimedia Act 1998
    • Administrative Authority on Public Sector ICT Security
  • Definition
  • Government Initiatives
  • Standards & Guidelines
  • Security Posture Assessment
  • Lack of ICT Security - Implications
  • Conclusion
  • Summary
slide4

INTRODUCTION

  • ICT increased dependencies
  • Incidence trends: on the increase
  • Urgent need to upgrade security
  • Role for everyone
slide5

INTRODUCTION

  • CARDINAL ICT SECURITY PRINCIPLES
    • Confidentiality
    • Integrity
    • Availability
    • Authenticity
    • Non-repudiation
  • Single Objective - To protect ICT assets
slide7

SCOPE

  • Communications & Multimedia Act 1998 (Act 588) Part I Clause 3 (2) (j)
    • “to ensure information security and network reliability and integrity”.

The Act states that Information Security is under the purview of the CMC.

slide8

SCOPE

  • Administrative Authority Public Sector ICT Security
    • Formation of ICT Security Division MAMPU
      • GITIC
      • PANEL
      • JKTT
      • Public Services Department
  • In short:
    • MAMPU is the reference agency on all ICT Security matters within the Public Sector
slide9

‘Agency entrusted for Public Sector ICT Security is MAMPU, Prime Minister’s Department’

Extract from paragraph 32 of:

“Rangka Dasar Keselamatan Teknologi Maklumat dan Komunikasi Kerajaan” (Government ICT Security Policy Framework)

- Pekeliling Am Bil. 3 Tahun 2000 (General Circular No. 3 of 2000)

slide11

DEFINITION

Being secure means:

Free from risk, unacceptable threats and vulnerabilities.

State of having no doubt, fear or anxiety

State of being assured of something

  • Security is about risk reduction, not threat avoidance
  • Security is not a destination, it is a journey

Bruce Schneier - Founder and CTO Counterpane Internet Security, Inc.

slide12

DEFINITION

ICT SECURITY IN PUBLIC SECTOR

To ensure business or service continuity and to minimize damage by keeping the effects of security incidents to a minimum.

Relates to the protection of both information and physical assets, i.e. information and ICT assets are an integral part of Government business.

slide13

ICT SECURITY DIVISION, MAMPU

Pinnacle Referral Centre for ICT Security in the Public Sector

Vision

To Protect Government of Malaysia ICT Assets

Mission

  • To plan and implement specific activities to enhance and protect Public Sector ICT security
  • To act as the pinnacle Public Sector ICT security referral centre
  • To act as the keeper of Public Sector ICT Security
  • To coordinate Public Sector ICT security efforts

Objectives

slide16

GOVERNMENT INITIATIVES

Three (3) government initiatives towards protection of Public Sector assets:

  • STRATEGIC
  • TACTICAL
  • OPERATIONS

slide17

STRATEGIC

PROTECT ICT ASSETS

  • PREVENTIVE MANAGEMENT
    • ICT security policies, standards, guidelines and risk management
  • INFRASTRUCTURE
    • Network
    • Operating systems
    • Applications
    • Databases
  • KNOWLEDGE/ SKILLS
    • Basic Knowledge
    • ICT security issues
    • Implementation/ operation
    • Legal issues

slide18

STRATEGIC

PROTECT ICT ASSETS

  • PROACTIVE
    • Guidelines
    • Security Posture Assessment
    • Audit Review Methodology (*MyRAM)
    • Accreditation Scheme
  • RECOVERY
    • GCERT TEAM
      • Business Resumption
      • Incident response
      • Information Dissemination
      • Advisory
      • CIO/ ICTSO Network
      • Inter Agency Coordination
    • Policy Framework
    • Incident Handling Mechanism
    • Malaysian Public Sector Management of ICT Security Handbook (MyMIS)
  • CONTINUOUS
    • System & Network Monitoring (PRISMA)
    • Awareness & Acculturation

slide19

TACTICAL

  • Appointment of CIO & ICTSO
    • Define roles & responsibilities
  • Awareness & Acculturation
    • Seminars
    • Training programs
    • Conferences (CIO & ICTSO)
    • Communication program
    • Advisories
  • Accreditation Methodology
    • To create professional ICTSO
    • New initiative; draft accepted
  • Latest updates
    • Patches
    • Early warning
  • Knowledge Based Reference Centre
    • Planning stage
    • Accessible to all ICTSOs, sys admins and ICT managers
    • ICT incidents within the public sector
    • Mitigation efforts

slide20

OPERATION

  • Audit Reviews (MyRAM)
    • Security review methodology
    • Security review measured against a standard
    • To determine risk grouping
    • To determine level of risk (low, medium, high)
    • Recommendations to reduce vulnerabilities
    • New initiative; draft accepted
  • Recovery
    • GCERT Team
      • Emergency response centre
      • Advisory
      • Inter agency coordination
      • Information dissemination
      • Objective to minimise impact
      • Assist in recovery & evidence preservation
      • Business resumption

slide21

OPERATION

  • Government Security Operation Centre (PRISMA)
    • Cyber Attack Monitoring System (CAMS)
    • Defence System (DS)
    • Gov Security Web Portal (GSWP)
    • Automatic Web Page Recovery System (AWRS)
    • Periodic Vulnerability Scanning System (PVSS)
    • PKI
    • Initially selected sites monitored
    • Online monitoring of security breaches
  • Security Posture Assessment
    • Thorough exercise to determine vulnerabilities
    • Internal & external penetration test
    • Report with recommendations

slide23

SECURITY IS A MAJOR CONCERN

The Security of Information Within the Government of Malaysia’s ICT Systems is a Subject of Major Concern

The increasing incidence of hacking, virus attacks and other forms of electronic trespass

ICT Security is critical to the objective of implementing Electronic Government

Electronic connectivity in the work place has meant that security of ICT assets cannot be provided through conventional means

The Rationale For ICT Security

Expanded use of ICT in the delivery of Government services

The public sector is not insulated from prevailing threats

Enhancement of the internal operations of public sector agencies

slide24

Major Elements of Management Safeguards

MANAGEMENT SAFEGUARDS

  • Public Sector ICT Security Policy
  • Public Sector ICT Security Risk Management
  • Public Sector ICT Security Programme Management
  • Public Sector ICT Security Assurance
  • Incorporating Public Sector ICT Security Into ICT System’s Life Cycle

objectives of prisma

OBJECTIVES OF PRISMA

Strategically, PRISMA will provide the Malaysian Government with:

  • Ability to proactively & reactively protect public sector information assets
  • Enhanced knowledge and awareness of ICT security
slide28

INTERNET AND ELECTRONIC MAIL

Garis Panduan Mengenai Tatacara Penggunaan Internet dan Mel Elektronik di Agensi-agensi Kerajaan, PKPA 1/2003 (Guidelines on Procedures for the Use of the Internet and Electronic Mail in Government Agencies)

  • Circular issued
  • Internet and Electronic Mail Ethics
  • List of “do’s” and “don’ts”

Examples:

  • Don’t post anonymous or forged messages
  • Don’t violate the privacy of other users
  • Don’t send email using other users’ accounts
  • No illegal activities, e.g. gambling
risk assessment methodology
RISK ASSESSMENT METHODOLOGY

Malaysian Government Risk Assessment Methodology (MyRAM)

To allow the Public Sector to identify:

  • ICT-related assets of organisations
  • ICT-related vulnerabilities of the associated assets
  • ICT-related threats to the identified assets
  • Existing controls (safeguards) for the identified assets
  • The risks associated with the identified assets

objective of the spa

SECURITY POSTURE ASSESSMENT

Objective of the SPA

“To establish the current baseline security of the network and systems by discovering known vulnerabilities and weaknesses, with the intention of providing incremental improvements to tighten the security of the network and systems”
slide32

SECURITY POSTURE ASSESSMENT

SPA SCOPE OF WORK

  • Policy review
  • Physical security review
  • Network design & configuration assessment
  • External penetration test
  • Internal penetration test
  • Vulnerability assessment
  • Host assessment

slide33

ICT SECURITY INCIDENT

GCERT MAMPU, 18 Jun 2004

slide34

ICT SECURITY INCIDENT

GCERT MAMPU, 18 Jun 2004

slide35

PROFESSIONAL COMMITMENTS

Some To Do List:

slide38

ROLES AND RESPONSIBILITIES

CHIEF INFORMATION OFFICER (CIO)

  • Support the Head of Department in discharging ICT Security responsibilities;
  • Transform the responsibilities above into an effective action plan; and
  • Incorporate ICT Security requirements into existing CIO functions. Example: preparing the IT strategic Plan.
slide40

IMPLICATIONS FROM LACK OF SECURITY

  • Public embarrassment / image
  • Compromised confidential information
  • Compromised integrity of information
  • Privacy and other legal considerations
  • Fraud by spoofing identities
  • System / Network outages and business disruption
  • Lack of trust
  • Additional expenses
  • Theft of information / communications / other services
  • Disclosure / tampering of proprietary data
  • Damage through manipulation

slide42

CONCLUSION

The security problem is worsening.

slide44

SUMMARY

GOM ICT SECURITY INITIATIVES

  • Public Sector ICT Security Framework
  • Cooperation with Standards Department & SIRIM on ICT Security Standards
  • Malaysian Public Sector Management of Information & Communications Technology Security Handbook (MyMIS)
  • ICT Security Incident Reporting Mechanism
  • GCERT
  • MS 17799 Part 1
  • MS ISO 13335 Part 1, 2 & 3
slide45

SUMMARY

GOM ICT SECURITY INITIATIVES

(cont.)

  • CIO
  • ICTSO
  • Communications Network CIO/ICTSO/Sys Admin/CERTS
  • ICT Audit Methodology
  • PRISMA
  • Acculturation programs
  • ICTSO Accreditation Scheme