
System ICT Security Policy and the Implementation by Local Authorities in Malaysia

A Case Study

Research Paper (postgraduate) 2015 9 Pages

Information Management

Excerpt

Table of Contents

1 Introduction
1.1 Problem Statement

2 Project Goals
2.1 Project Objectives
2.2 Project Scope

3 Literature review
3.1 Issues Raised

4 Methodology

5 System Design
5.1 Database Design
5.2 Program Code

6 Benefits of the System
6.1 General Benefits of MDM and Local Authorities

7 Conclusion

References

Abstract. ICT Security Policy is a common topic of discussion in the public sector, because security incidents happen to organizations that offer online services to the public. These problems or incidents also affect the IT Department (BTM) at Marang District Council (MDM), as we also provide computer and internet facilities to our users. Based on the research findings, including inputs gathered from the respondents from Marang District Council, these problems can be reduced by providing a computerized ICT Policy document guideline, creating user awareness programs and enforcing these ICT Policies [5],[6],[7]. The purpose of this project is to investigate and resolve problems related to the implementation of the security policy in Marang District Council. Furthermore, the ICT Security Policy System is to be designed and developed in order to assist the Information Technology Department (BTM). In addition, these documents must be compliant with the ISO 27001 standard and the Information Technology Security and Communication Policies for the Public Sector, which were developed by MAMPU [9],[12],[13]. The ICT Security Policy System is a web-based system. All results will be presented and discussed.

Keywords: organisations, ICT security policy, implementation, system

1 Introduction

The rapid development of Information Technology in this country shows how fortunate our generation is. As a result, we have a world without boundaries. Information, Communication and Technology (ICT) does not only serve as a communication agent; it also acts as a bridge from which users benefit as part of the routine and the necessities of life.

The security of ICT is closely related to the protection of ICT assets and information [11],[8]. This is because the hardware equipment and software components that are part of the ICT assets in government organisations are large investments and need to be protected [1],[14]. In addition, the information stored in the ICT system is valuable because a lot of resources are required to produce it and the information would be difficult to regenerate in a short period of time.

Furthermore, certain information that has been processed by the ICT system is deemed to be sensitive and classified. Unauthorized disclosure or information leakage could harm the national interest. Any usage of the government’s ICT assets apart from the outlined purpose and intention is considered misuse of the government’s resources. An ISMS survey conducted by CyberSecurity Malaysia in October 2011 on 100 organizations revealed that the common attacks are viruses (87%) and mail spamming (83%). In addition, more than 68% of the organizations have little knowledge of ISMS. Moreover, 37% of the organizations do not have any security policy at all [10].

From time to time, in order to address these risks, the Government’s ICT Security Policy will be consistently defined through ICT Security Standards, which cover guidelines and ICT security measures [4]. The usage of all these documents as an integrated whole is recommended. This is because the formulation of policies, standards, rules, outlines and security measures is oriented towards protecting the confidentiality of data, information and the conclusions that can be drawn from them.

1.1 Problem Statement

It is difficult to fulfill ICT security requirements due to the complexity of ICT systems, which can be exposed to vulnerabilities, threats and risks. ICT systems and their components communicate with and depend on each other, which often produces various kinds of weaknesses.

However, these risks should be identified and dealt with appropriately. To ensure that the ICT system is secure at all times, the ICT Security Policy must cover the safety of all forms of information that is entered, produced, destroyed, kept, generated, printed, made, distributed, in delivery, or held as backup copies, in all ICT assets [15].

2 Project Goals

i) The main goal of the project is to implement a system that will help MDM to comply with ICT Security Policy based on ISO 27001 standards, circular and guidelines from MAMPU.
ii) The system, once set up, will help MDM to implement ICT Security Policy.

2.1 Project Objectives

The objectives of this project are as below:

i) To conduct a research and build a prototype based on existing ICT Security standards, following the guidelines provided by MAMPU and ISO 27001.
ii) To obtain information and suggestions on ICT Security Policy from the system and officers involved in the management of ICT MDM.
iii) To create and produce documents on ICT Security Policy. These will be used generally for the Information Technology Department and specifically for MDM, using the developed ICT Security Policy system.

2.2 Project Scope

i) To analyze and review the ISO 27001 security standards, the Information Technology Security and Communication Policy for the Public Sector, and the circular issued by MAMPU.
ii) The research will be carried out at MDM’s Information Technology Division, which acts as MDM’s ICT security secretariat.
iii) The ICT Security Policy system will be implemented to assist MDM’s Information Technology Division in preparing ICT Security Policy documents. PHP and MySQL will be used to develop the system and its database.
iv) The following are the users of the system, who will be directly involved in implementing ICT Security Policy:

a) IT Manager (Information Technology Division)
b) MDM’s IT Officer (Management Division, Information Technology Division and Finance Division).

3 Literature review

3.1 Issues Raised

MDM is aware of the importance of ICT security. However, information and enforcement have remained at a low level. Based on the survey conducted in October 2003 by CyberSecurity Malaysia in collaboration with AC Nielsen, covering 100 organizations in Malaysia, 76% acknowledged the need for ICT security. (The breakdown shows that 43% are at a beginner level, 27% at an intermediate level and 6% at an advanced level.)

illustration not visible in this excerpt

Fig. 1. ISMS level of awareness among organizations

Source: CyberSecurity Malaysia. Malaysia ISMS Survey, 2003, slide 12. http://www.cybersecurity.my/data/content_files/19/124.pdf?.diff=1177114006

Most of the organizations surveyed have security policies to prevent ICT security issues when needed. Figure 2 below shows that 63% of the organizations already have a Security Policy and more than 37% have conducted security awareness training [10].

illustration not visible in this excerpt

Fig. 2. Organizations and their understanding on security

Source: CyberSecurity Malaysia. Malaysia ISMS Survey, 2003, slide 19. http://www.cybersecurity.my/data/content_files/19/124.pdf?.diff=1177114006

Most of the organizations have also realized the need to supervise and protect their ICT assets and properties from damage and natural disasters. How and when this is done depends on the resources and the decision-making ability in ICT security. Each organization needs to understand the basic elements of risk handling, such as asset-management threats, damage to and security of assets, and the impact on the organization. The discipline of dealing with these elements is also known as risk management.

4 Methodology

The development of the application system will be based on the Rapid Application Development (RAD) strategy. Studies on the needs of Information Technology, MDM and users have been conducted to improve the quality of services provided. The basic idea of this strategy is to involve the system’s users in the process of analysis, design and implementation of the system.

The RAD method is simple and focuses on specific activities in system development that involve users, analysts, designers and system developers [3]. It can also expedite the requirements analysis and design phases. Furthermore, by using this method, the system’s implementation time will be reduced. Figure 3 below illustrates how the rapid application development strategy can be used in the development of this system.

illustration not visible in this excerpt

Fig. 3. Rapid application development strategy

[...]

Details

Pages: 9
Year: 2015
ISBN (eBook): 9783668117426
ISBN (Book): 9783668117433
File size: 846 KB
Language: English
Catalog Number: v312614
Grade: A
Tags: system security policy implementation local authorities malaysia case study
