Safeguard against tech security threats
31st January 2002

THE Government's move to provide information and communications technology (ICT) security guidelines for its agencies is a step in the right direction to prevent leaks and safeguard confidential data.

According to industry observers, the guidelines outlined in the Malaysian Public Sector Management of ICT Security Handbook (MyMIS) are an important element in putting effective tech security checks in place in the public sector.

PriceWaterhouseCoopers Malaysia's executive director of operational and systems risk management Ong Ai Lin said the handbook is a necessary step in establishing ICT security as it provides members of the sector with guidelines to benchmark their ICT security level.

She said the move will complement previous initiatives by bodies such as Sirim's technical committee on The International Organisation for Standardisation (ISO) standards for information security in Malaysia, and the task force led by the Energy, Communications and Multimedia Ministry for the National Security Framework for Information Security.

Ong stressed that enforcement of compliance would be important to ensure the success of the guidelines, and there is a need to create the proper procedures for follow-ups.

She said chief information officers/ICT security officers (CIOs/ICTSOs) have a vital role in ensuring compliance with both the spirit and the letter of the handbook.

"Other than enforcement, there must be greater awareness among Government servants on what the implications are if ICT security is breached."

National ICT Security and Emergency Response Centre (Niser)'s director Major Husin Jazri said although the provision of the guidelines by the Government is commendable, it is just an initial step.

"It is hoped that with this initiative, all Government agencies would take precautions on information security threats continuously. However, more needs to be done as threats are evolving daily."

Husin said among the additional measures that the Government needs to look into in the near future is giving authority to CIOs and ICTSOs to enforce the information security policy. This empowerment is important as Government staff work through clear instructions and seniority.

MyMIS, he added, should be transformed from voluntary guidelines to mandatory compliance.

A proper post for the ICTSO should be formalised, rather than being just "another" job in addition to existing functions. Clear career paths should be outlined so that information security professionals in the Government can remain focused.

"A proper certification programme should be formulated to ensure that all CIOs and ICTSOs receive a systematic educational programme. Preferably, ICTSOs should hold some kind of information security certification such as the Certified Information Systems Security Professional, before being allowed to enforce policies and perform auditing tasks," Husin said.

Another effort suggested is re-engineering the security of digital-based documents so that they conform to a standard equivalent to or better than that of traditional documents.

"It is hard to tell whether adequate steps have been taken against all ICT security threats. The information security domain is wide, covering more than 10 areas, each of which can be a specialised field on its own. The only way to know is to engage an independent risk assessment and audit service, preferably by a trusted third-party auditor/consultant," Husin said.

At the launch of MyMIS on Monday, Malaysian Administrative Modernisation and Management Planning Unit (Mampu)'s director-general Datuk Dr Muhammad Rais Abdul Karim said Government departments and agencies must make ICT security a priority so as to fend off hacking and other security breaches at all levels.

While the Government and its agencies have developed various defence mechanisms, attacks and threats still persist, as evident in the statistics - there were 36 cases of intrusion or defacement of Web sites in the public sector in 1999, 21 in 2000, 79 last year and three cases so far this year.

Muhammad Rais said these threats and attacks are to be minimised with the availability of MyMIS, which outlines the ICT security guidelines. The handbook forms the basis of voluntary "health" checks on the security level of Government departments and agencies, and will complement other undertakings such as the appointment of CIOs/ICTSOs in all 25 Ministries and 700 Government agencies.