Guide for ICT security
By Rozana Sani
24th July 2003 (Computimes)

THE Malaysian Administrative Modernisation and Management Planning Unit (Mampu) is in the process of developing a risk assessment methodology for the public sector.

Known as the Malaysian Public Sector ICT Risk Assessment Methodology (MyRAM), the initiative is a step towards providing a proactive and guided approach to managing information and communications technology (ICT) security in the civil service.

The move seeks to ensure the integrity and confidentiality of data, which is crucial given the wide range of online services that will be offered to the public through the electronic government effort, said Mampu's ICT security division director Mohd Adzman Musa.

According to him, MyRAM is currently in the design phase, following the completion of the requirements study.

The methodology itself should be ready by early next year. This will be followed by a pilot in a selected government agency, and an eventual roll-out to the entire public sector, he told Computimes last week.

Although the project was initiated by Mampu, the development of MyRAM is a collaborative effort among representatives from key agencies with experience in risk management, including universities, the public sector, and the banking and private sectors.

"Risk assessment is concerned with gathering information about exposure to risks so that an organisation can make appropriate decisions on counter-measures to be undertaken in order to minimise or manage the risks properly," Mohd Adzman said. "Management of risk involves having processes in place to monitor risks, access to reliable and up-to-date information about risks, the right balance of control in place to deal with the risks and decision-making processes supported by a framework of risk analysis and evaluation."

As the co-ordinator of ICT in the public sector, Mampu has also looked into the development of an audit review methodology and accreditation scheme.

Completed but yet to be implemented, the project is a collaboration among representatives from key government agencies, universities and Sirim Berhad.

According to Mohd Adzman, the audit review methodology comprises guidelines that detail the steps for performing ICT security reviews in the public sector.

He added that the ICT security audit generally tests whether an organisation complies with various ICT security standards and guidelines while the ICT security review is more of a business-driven security examination.

"During the review, the security reviewer will examine security standards, guidelines, policies and procedures, review the business applications and platforms, and determine whether or not any security risks or exposures are present," he said.

"One of the most important outcomes of the ICT security review is the formal risk assessment, which highlights the level of risk to the business systems while taking into account the requirements of the business."

The audit review methodology is supported by the Malaysian Public Sector Management of ICT Security Handbook (MyMIS) and MS-ISO17799, both of which should be referred to during the information security review.

"The guidelines are intended to be the reference document used by all government employees. Various categories of government employees will benefit from the document as it covers a wide range of topics. Nevertheless, this document is also useful to anyone wishing to learn about the ICT security review," Mohd Adzman said.

He stressed that security is a dynamic process that requires commitment from everybody in the organisation and needs to be ingrained in all of the organisation's business processes. This includes the need for a departmental security policy, secure operating procedures, ICT infrastructure, application systems and, most important of all, enforcement.

To complement the proactive and reactive initiatives mentioned, Mohd Adzman said Mampu also performs continuous network monitoring of selected government agencies and co-ordinates ICT security training, awareness and acculturation programmes for public sector agencies.