Cohesive approach to info-security
17th February 2005 (Computimes)

A more cohesive approach is needed to better harness information security in the public and private sectors in the country.

This is in view of the increasing availability and accessibility of critical information and confidential data on information systems and networks, which of late have become prime targets for abuse and criminal activities, according to info-security experts.

While efforts have been made in the form of various guidelines and security tools to safeguard information, security breaches persist through technology and human means - suggesting that there is still plenty to be done in the area, said National Information and Communication Technology Security and Emergency Response Centre (Niser)'s director Lt Col Husin Jazri.

According to him, a more cohesive approach should range from validation of info-security at the organisation level, through regular updates and monitoring of the implementation of relevant guidelines and tools, to the training of pertinent personnel.

Guidelines such as the Malaysian Public Sector Management of ICT Security Handbook (MyMIS) and others will only be effective if they are properly converted into working policies that must be adhered to as a security baseline, he added.

"Or else as in many cases, it will remain as a reference book with no guarantee of its implementation. I believe the Government is working towards it through Malaysian Administrative Modernisation and Management Planning Unit (Mampu) for enhanced info-security in the public sector," he told CompuTimes on Monday.

For better info-security for critical national info-structure, be it within the public or private sector, Husin suggests there be a formal validation/audit by a trusted agency in order to better gain the trust of the public and investors.

"In some countries, independent information assurance centres are being set up to provide trusted reports on info-security implementation level for critical services in order to minimise serious risks before it is too late. I would say this practice is yet to become a norm in Malaysia," he said.

Wordware Malaysia Sdn Bhd's managing director Wilson Wong meanwhile says, for security incidents that do not involve programming errors, hacking or Trojans, it would be better to have in place many layers of approvals and detailed processing, where approvals are not determined by any single officer but a network of officers.

"There will always be attempts to breach the security of Government departments like the police, National Registration Department or Customs as well as private corporations, colleges and even associations. Motivations differ. Some like the challenge, some are criminals and others want to have some fun. With such a procedure in place, there is joint responsibility. It's like having many firewalls to minimise or eradicate security breaches," he said.

Wong said while it is good to have guidelines and tools, whether they are adequate to safeguard confidential data and critical information depends on several factors.

One of the more important factors is whether these guidelines and tools are updated and upgraded constantly.

"Guidelines and security tools are only as good as their last update. They must keep abreast with changing technology and developments so that they can prevent possible breaches or theft or at least, detect and avert possible attacks. The situation is very dynamic as new viruses and hacking devices are available on the Net continuously. Relevant IT staff must be adequately trained to understand and put in place the necessary security tools. The identified staff must have the required security clearance. Security is such a wide area, and finding holes is easier than finding patches. The best way is to stay abreast with changes and ensure upgrades and updates constantly," he elaborated.