Security policy for private sector
6th May 2004 (Computimes)
By Shyla Sangaran

LOCAL businesses can safeguard their information networks if a policy on information and communications technology (ICT) security for the private sector is put in place.

PricewaterhouseCoopers LLP's global leader for technology and data services, Joseph W. Duffy, said such a policy or standard is now much needed as more businesses are dependent on ICT in their operational and strategic functions.

"It is time for the private sector and Government to be serious about this. On average, companies spend three to four per cent of their ICT budget on security and most of the time the money spent is wasted. This is because they do not have proper solutions and policy in place."

Speaking at PricewaterhouseCoopers' briefing, Information Security in These Challenging Times, in Kuala Lumpur recently, Duffy said that if a company does not have a policy or standard in place, it is difficult for it to maintain even basic oversight of its security.

"By using a defined model based on value production, an organisation can clearly identify job roles, processes or technology which may not be adequately defined," he added.

In establishing the policy, Duffy said it is important to have a public-private partnership to create a better opportunity for the private sector to take the ICT security issue seriously.

Duffy suggested that regulators like Bank Negara and Bursa Malaysia Berhad take the lead in the area as it is important to have a rating mechanism or standard to comply with in order to demonstrate whether an organisation is a low-risk one.

"Policies or standards need to be lightweight and not too technical, and an enforcement mechanism is needed to make sure the policy is in practice. Awareness and some form of training programme are needed for implementation purposes," he said.

PricewaterhouseCoopers' executive director Ong Ai Lin said many local companies have shown interest in the ISO17799 standard and followed this standard as a guideline.

Ong said companies have to be better equipped with Internet security standards for them to compete at a global level.

"Most local companies have some kind of Internet security policy or standard in place. However, companies must be able to comply with it, and it takes time as they need to buy the right hardware and software to remedy it."

She added that the authorities in Malaysia are working towards a standard similar to ISO17799 for local organisations to follow.

Director of the National ICT Security and Emergency Response Centre (Niser), Husin Jazri, said in Malaysia, there is no single standard or policy in place at present for the private sector to follow.

"The reason why we still do not have a standard in place is because here we have the 'wait-and-see' attitude," he said, adding that Niser is currently working closely with Sirim Bhd to promote the ISO17799 among players in the private sector.

"Action has been taken to mitigate the ICT security breaches and we are following what is happening globally. Malaysian businesses must come forward to share any ICT security threats with the Malaysian Computer Emergency Response Team (MyCERT) to impress upon the policy makers how serious the threats are," Husin said.

"Until and unless the private sector comes forward to share with MyCERT, the policy makers will not be impressed or take serious note of the ICT security issues," he said, adding that substantial data should be there to enable such decisions to be made.