CyberSecurity Malaysia
Transcript of CyberSecurity Malaysia
Copyright © 2016 CyberSecurity Malaysia 1
Anwer Yusoff
Head, Industry & Business Development Department
CyberSecurity Malaysia
23rd September 2016
CYBER SECURITY RISK MANAGEMENT
&
PERSONAL DATA PROTECTION
Program Agenda
9:30 – 10:30 Session 1 – Cyber Security Fundamentals & Overview
10:30 – 11:00 Session 2 – Data Leakage Prevention • Mr Jimmy Liew, MD Evault Technologies Sdn Bhd (CCP-Technical)
11:00 – 11:15 Bio-Break
11:15 – 12:00 Session 3 – IT Security Demonstration • Mr Clement Arul, CEO Kaapagam Technologies Sdn Bhd (CCP-Technical)
12:00 – 12:30 Session 4 – Introduction to Internet of Things • Mr Saurabh Sarawat, CEO Across Verticals Sdn Bhd (CCP-Technical)
12:30 – 1:00 Re-cap & Questions
Suspicion in Iran that Stuxnet caused Revolutionary Guards base explosions
debkafile's military and Iranian sources disclose three pieces of information coming out of
the early IRGC probe:
1. Maj. Gen. Moghaddam had gathered Iran's top missile experts around the Sejil 2 to
show them a new type of warhead which could also carry a nuclear payload. No
experiment was planned. The experts were shown the new device and asked for their
comments.
2. Moghaddam presented the new warhead through a computer simulation attached to
the missile. His presentation was watched on a big screen. The missile exploded upon an
order from the computer.
3. The warhead blew first; the solid fuel in its engines next, so explaining the two
consecutive bangs across Tehran and the early impression of two explosions, the first
more powerful than the second, occurring at the huge 52 sq. kilometer complex of
Alghadir.
DEBKAfile Exclusive Report November 18, 2011, 2:29 PM (GMT+02:00)
Is the Stuxnet computer malworm back on the warpath in Iran?
Exhaustive investigations into the deadly explosion last Saturday, Nov. 12 of the
Sejil-2 ballistic missile at the Revolutionary Guards (IRGC) Alghadir base point
increasingly to a technical fault originating in the computer system controlling the
missile and not the missile itself. The head of Iran's ballistic missile program Maj.
Gen. Hassan Moghaddam was among the 36 officers killed in the blast which
rocked Tehran 46 kilometers away.
(Tehran reported 17 deaths although 36 funerals took place.)
Iran's Sejil 2 ballistic missile.
Photograph: AP
Iran Nearly Finished Decoding U.S. Drone, Tehran Claims. Published December 12, 2011 | Associated Press
Read more: http://www.foxnews.com/world/2011/12/12/iran-nearly-finished-decoding-us-drone/#ixzz1rkIgb1le
About me… Anwer Yusoff
Naval Air Station Cecil Field, Jacksonville, Florida, December 1982 (1982; freshie, 18+)
About me… 1172 Anwer
Where it all started….
Busy media… cyber headlines every day
• Consumers are bombarded with media reports narrating the dangers of the online world
– Identity theft
– Embezzlement and fraud
– Credit card theft
– Corporate loss
• Just "fear mongering"?
Cybersecurity… what is that?
• Lock the doors and windows and you are secure
– NOT
• Call the police when you feel insecure
– Really?
• Computers are powerful, programmable machines
– Whoever programs them controls them (and not you)
• Networks are ubiquitous
– They carry genuine as well as malicious traffic
End result: complete computer security is unattainable; it is a cat and mouse game, similar to crime vs. law enforcement.
Definition of cybersecurity (referring to ITU-T X.1205 - Overview of cybersecurity)
Cybersecurity is the collection of tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices, assurance and technologies that can be used to protect the cyber environment and organization and user's assets.
Organization and user's assets include connected computing devices, personnel, infrastructure, applications, services, telecommunications systems, and the totality of transmitted and/or stored information in the cyber environment. Cybersecurity strives to ensure the attainment and maintenance of the security properties of the organization and user's assets against relevant security risks in the cyber environment.
The general security objectives comprise the following:
• Availability
• Integrity, which may include authenticity and non-repudiation
• Confidentiality
Cybersecurity issues overview….
• Computer security
The protection of assets from unauthorized access, use, alteration, or
destruction
• Physical security
Includes tangible protection devices
• Logical security
Protection of assets using nonphysical means
• Threat
Any act or object that poses a danger to computer assets
Internet use in Malaysia
Source: Internet World Stats (30 June 2015)
MALAYSIA: population 30,513,848 (2015); country area 329,758 sq km; capital city Kuala Lumpur, population 1,627,172 (2011)
20,596,847 Internet users as of June 2015, 67.5% penetration, per ITU.
13,589,520 Facebook subscribers on 31 Dec 2012.
ISSUES & CHALLENGES – Malaysia Ranked 9th In Malware Attacks
[Chart: Top 15 countries with the highest numbers of users attacked between April 2013 and July 2014. Malaysia: 1.97% of 3,408,112 malware attacks.]
Source: Mobile Cyber Threats. Kaspersky Lab & INTERPOL Joint Report, October 2014
ISSUES & CHALLENGES – Online Banking Malware Attacks
Source: TREND MICRO – TrendLabs 2Q 2014 Security Roundup
TREND OF MALAYSIA CYBER SECURITY THREATS IN 2015 (CYBER SPACE)
889,469 reported cases of malware & botnet drone infections
9,915 reported cases under the general incident classification
156,357 reported spam emails
Cyber harassment; fraud
Info: www.mycert.my
CYBER INCIDENTS REFERRED TO CYBERSECURITY MALAYSIA: 5,802 as of 31st Aug 2016
Internet use in Malaysia
Source: The Nielsen Company (April 2011)
The highest usage was recorded among people aged 20-24: almost 6 in 10 (57%) regularly use the internet.
Malaysian internet users (aged 20-24) spend an average of 22.3 hours online per week.
87.9% of Malaysians on the internet access Facebook.
Once online, Malaysians' top 3 activities are: 1. social networking sites, 2. instant messaging, 3. reading local news.
The cybercrime situation in Malaysia
HIGH LEVEL USAGE = HIGH RISK
RM 1.6 billion lost to scams in 18,386 cases in 2012
Source: Federal commercial crime investigation department (CCID)
Which are more common: malicious attacks or accidental breaches?
We believe malicious attacks are more common in Malaysia.
Our Honeynet project detected millions of malware samples in 2009, 2010 and 2011, during the height of the Conficker worm outbreak.
According to the Sophos Security Threat Report 2013, Malaysia is the 6th riskiest country, with a Threat Exposure Rate (TER) of 17.44%. (TER is measured as the percentage of PCs that experienced a malware attack, whether successful or failed, over a three-month period.) For comparison: Norway 1.81% TER; Indonesia 23.54% TER.
The world is becoming more digitized and interconnected, opening the door to emerging threats and leaks…
EVERYTHING IS EVERYWHERE: Organizations continue to move to new platforms including cloud, virtualization, mobile, social business and more.
CONSUMERIZATION OF IT: With the advent of Enterprise 2.0 and social business, the line between personal and professional hours, devices and data has disappeared.
DATA EXPLOSION: The age of Big Data, the explosion of digital information, has arrived and is facilitated by the pervasiveness of applications accessed from everywhere.
ATTACK SOPHISTICATION: The speed and dexterity of attacks has increased, coupled with new actors with new motivations, from cyber crime to terrorism to state-sponsored intrusions.
The Cost of a Breach (and Other Cyber Events)
Direct Costs
• Discovery/Data forensics.
• Notification costs.
• Identity monitoring costs.
• Real-time crisis management costs.
• Additional security measures, remediation.
• Lawsuits.
• Regulatory fines.
Indirect Costs
• Loss of customer confidence.
• Executive management distraction from core business objectives.
• Loss of employee productivity.
• Lost sales.
• Higher customer acquisition costs.
• Lower stock price.
• Loss to reputation/brand.
Similar costs for other cyber events = reputational risk
Key Takeaways….
Issue of data breach businesses face is not if, but when
Businesses need to minimize exposure; create systems
to protect data; respond appropriately and use
insurance to cover response costs
Human beings are inventive; despite the best policies,
non-compliance and resulting breaches will occur
Your crisis management skills will serve you well when
paired with subject matter experts
The issue is not if….but when, how often and how bad will it be?
In Conclusion…
• What can I do?
– Focus on data leakage protection: apply the appropriate data classifications to such information and secure it accordingly.
– Understand not only your weaknesses, but also those of your partners. Your network is only as secure as your outsourced service provider; apply policies to their access as stringent as those you apply to your own employees.
– Pen-tests: have a third party regularly assess your networks and systems using "real world" methods.
– Treat incident detection and response as a consistent business process, not just something you do reactively.
– Understand the threat landscape:
• Advanced attackers are no longer relying solely on vulnerable web applications and phishing emails to gain access to targeted companies.
• They are targeting individuals, conducting reconnaissance, and are willing to lie in wait while a user acts to compromise themselves.
– Build intel into your operation: ensure that security operations incorporate data from intelligence services to identify when domains are compromised.
– Awareness is key: train employees (e.g. no USB sticks!).
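The "build intel into your operation" point above, as an added example that is not part of the original deck or of CyberSecurity Malaysia's own tooling: a small Python script that loads a threat-intelligence domain list and scans resolver query logs for lookups of listed domains or their subdomains. The feed contents, the BIND-style query-log layout and the log lines themselves are constructed assumptions; substitute your own feed and adjust the regex to your resolver's format.

```python
"""Match resolver query logs against a threat-intelligence domain list.

Feed domains are normalised, then every query name in a DNS log is
checked against them with parent-domain (suffix) matching done on label
boundaries. Feed layout and log layout are assumptions for this example.
"""
import re

# Constructed threat feed (hypothetical indicators, not real IOCs).
# Assumed CSV layout: domain,source,first_seen with '#' comment lines.
THREAT_FEED = """\
# domain,source,first_seen
bad-updates.example,constructed-feed,2016-09-01
Malicious.Example.,constructed-feed,2016-09-10
"""

# Constructed resolver log lines in a BIND-style query-log layout
# (assumed; adjust LOG_LINE to match your own resolver's format).
DNS_LOG = """\
12-Sep-2016 09:14:02.117 queries: info: client 10.0.5.23#51234: query: www.legit.example IN A + (10.0.0.2)
12-Sep-2016 09:14:05.902 queries: info: client 10.0.5.23#51234: query: BAD-UPDATES.example. IN A + (10.0.0.2)
12-Sep-2016 09:15:17.003 queries: info: client 10.0.7.9#40011: query: a1.cdn.malicious.example IN TXT + (10.0.0.2)
12-Sep-2016 09:16:00.500 queries: info: client 10.0.7.9#40012: query: notmalicious.example IN A + (10.0.0.2)
"""

# Timestamp, client address, optional "(name)" some BIND versions add, query name, type.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+ \S+) queries: info: client (?P<client>[^#\s]+)#\d+"
    r"(?: \([^)]*\))?: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def normalize(name):
    """Lower-case a DNS name and drop the trailing dot so feed and log agree."""
    return name.strip().lower().rstrip(".")


def parse_feed(text):
    """Return the set of normalised indicator domains from the feed text."""
    indicators = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        domain = line.split(",", 1)[0]
        if domain:
            indicators.add(normalize(domain))
    return indicators


def matching_indicator(qname, indicators):
    """Return the indicator that qname equals or is a subdomain of, else None.

    Matching walks the labels from the left, so 'a1.cdn.malicious.example'
    matches 'malicious.example' while 'notmalicious.example' does not.
    """
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in indicators:
            return candidate
    return None


def scan(log_text, indicators):
    """Parse each log line and return a list of hits against the indicators."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # unparseable line: skip rather than abort the scan
        indicator = matching_indicator(m.group("qname"), indicators)
        if indicator is None:
            continue
        hits.append({
            "time": m.group("ts"),
            "client": m.group("client"),
            "qname": normalize(m.group("qname")),
            "qtype": m.group("qtype"),
            "indicator": indicator,
        })
    return hits


if __name__ == "__main__":
    feed = parse_feed(THREAT_FEED)
    for hit in scan(DNS_LOG, feed):
        print("{time} {client} queried {qname} ({qtype}) -> matches {indicator}".format(**hit))
```

Matching on label boundaries is the detail worth keeping: a naive substring or `endswith` check would flag notmalicious.example against the indicator malicious.example, and false positives of that kind are what make analysts stop trusting a feed.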
…questions… coffee/bio break?
What steps are taken by the Malaysian Government to keep cyber threats under control?
One of the most important steps was creating the National Cyber Security Policy (NCSP) and establishing CyberSecurity Malaysia to implement the NCSP.
Threats to Critical National Information Infrastructures (CNII)
Pervasive and sustained cyber threats can pose a potentially devastating impact.
Interdependencies: The high degree of interdependency between our critical infrastructure sectors means failures in one sector can propagate into others.
[Figure: interdependency map of sectors/services, including electricity and utilities]
The National Cyber Security Policy
The National Cyber Security Policy was formulated by MOSTI.
Objectives:
• Address the risks to the Critical National Information Infrastructure
• Ensure that critical infrastructure is protected to a level that is commensurate with the risks
• Develop and establish a comprehensive program and a series of frameworks
NCSP Adoption and Implementation: The policy recognises the critical and highly interdependent nature of the CNII and aims to develop and establish a comprehensive programme and a series of frameworks that will ensure the effectiveness of cyber security controls over vital assets.
NATIONAL CYBER SECURITY POLICY
VISION: Malaysia's Critical National Information Infrastructure shall be secure, resilient and self-reliant. Infused with a culture of security, it will promote stability, social well being and wealth creation.
CNII SECTORS: Defence & Security | Transportation | Banking & Finance | Government | Information & Communications | Energy | Emergency Services | Water | Food & Agriculture | Health Services
NCSP THRUSTS (lead agency | thrust | expected outcome):
T1 NSC | Effective Governance | Establishment of a national info security coordination centre, effective institutional arrangements & public–private cooperation
T2 AGC | Legislation & Regulatory Framework | Reduction of cybercrime & increased success in the prosecution of cybercrime
T3 MOSTI | Cyber Security Technology Framework | Expansion of national certification scheme for InfoSec management & assurance
T4 MOSTI | Culture Of Security & Capacity Building | Reduced no. of InfoSec incidents through improved awareness & skill level
T5 MOSTI | R & D Towards Self Reliance | Acceptance & utilization of locally developed info security products
T6 MICC | Compliance & Enforcement | Strengthen or include infosec enforcement role in all CNII regulators
T7 NSC | Cyber Security Emergency Readiness | CNII resilience against cyber crime, terrorism, info warfare
T8 MICC | International Cooperation | International cooperation & branding on CNII protection with improved awareness & skill level
CNII: Assets (real & virtual), systems and functions that are so vital to the nation that their incapacity or destruction would have a devastating impact on: National Defense & Security | National Economic Strength | National Image | Government capability to function | Public Health & Safety
Governance
NATIONAL CRYPTOGRAPHY POLICY (DASAR KRIPTOGRAFI NEGARA)
• Approved by the Government on 14 Jan 2013
• To support the Government's aspiration in information security: to create trust in inter-communication and interaction among users in the nation's cyber space
• To ensure security in e-commerce activities and to support the national digital transformation agenda
[Diagram: Plaintext → Encryption (encrypting key KE) → Ciphertext → Decryption (decrypting key) → Plaintext]
Source: Majlis Keselamatan Negara (National Security Council)
NATIONAL CRYPTOGRAPHY FRAMEWORK
Part 1: Definitions
Part 2: Introduction
Part 3: Policy Statement
Part 4: Policy Objectives
Part 5: Policy Scope
Part 6: Policy Rationale
Part 7: Policy Implementation
Part 8: Policy Application
Part 9: Closing
POLICY STATEMENT
"The nation holds that the field of cryptography is important for realising the Government's aspirations in the area of national electronic information security. Competence and self-reliance in the field of cryptography are among the principal requirements for achieving economic prosperity, the well-being of the people and national security."
POLICY OBJECTIVES
• Protect the confidentiality, integrity, authenticity and non-repudiation of the information of the Government and of CNII agencies/organisations;
• Increase the use of Trusted Cryptographic Products among CNII agencies/organisations;
• Enhance national self-reliance through the development of a local cryptography industry; and
• Encourage human-capital capacity building in the field of cryptography.
POLICY IMPLEMENTATION (PELAKSANAAN DASAR): 7 STRATEGIC APPROACHES
• Cryptography Research and Development (R&D)
• Acculturation of Cryptography Use
• Development of Local Cryptography Industry Capacity
• Development and Implementation of the Evaluation and Certification Panel for Trusted Cryptographic Products
• Strengthening the Management of Cryptography Technology
• Strengthening Legal and Regulatory Aspects
• Establishment of a Governance Mechanism (Effective Governance)
POLICY APPLICATION
• The use of Trusted Cryptographic Products is mandatory for matters involving Official Secrets;
• The use of Trusted Cryptographic Products, or cryptographic products accepted by industry, is encouraged for public-service matters involving Official Information; and
• The use of Trusted Cryptographic Products, or cryptographic products accepted by industry, is mandatory for matters involving the Confidential Information of non-Government CNII agencies/organisations.
The ISMS standard has been mandated by Cabinet for CNII organizations
On 24 February 2010, the Cabinet agreed that CNIIs should implement and undergo certification for MS ISO/IEC 27001:2007 Information Security Management System (ISMS) within 3 years.
OVERVIEW OF THE PUBLIC SECTOR CYBER SECURITY FRAMEWORK (2016 – 2020) (RAKKSSA 2016-2020)
The objective of RAKKSSA 2016-2020 is to ensure the security of Public Sector service delivery and thereby raise the level of confidence of stakeholders (Government agencies, industry and the general public). The strategic partners developing RAKKSSA 2016-2020 are MAMPU, CGSO, CSM and MIMOS.
LEGISLATIVE & REGULATORY FRAMEWORK: Cyber Laws – Malaysia
• Digital Signature Act 1997
• Copyright Act (Amendments) 1997
• Computer Crimes Act 1997
• Personal Data Protection Act 2010
• Evidence (Amendment) (No. 2) Act 2012
• Telemedicine Act 1997
• The Communications and Multimedia Act 1998
• Chapter VIA, Offences Relating to Terrorism, Penal Code (Amendment) Act 2007
The legal challenges in the borderless world will far outpace the existing legal models. Thus, on-going work to identify and recommend changes to current laws needs to be carried out.
Malaysia is heading in the right direction concerning cyber laws…
The existing Penal Code (Act 574) can serve as a general law on criminal offences in Malaysia, because most cybercrimes are traditional by nature; ICT is merely the medium used to commit them.
Other laws that, while not exactly cyber laws, are in fact indirectly applicable to cyberspace as well include:
a. Security Offences (Special Measures) Act,
b. Defamation Act,
c. Sedition Act,
d. Section 114A of the Evidence Act.
To minimise risks, the BoD should encourage compliance with international standards:
1. ISMS certification – to preserve the confidentiality, integrity and availability of information assets
2. Malaysia Trustmark – for secure e-Business websites
3. ICT product evaluation and certification under the Common Criteria, ISO/IEC 15408
To minimise risks, the BoD should also encourage the organisation to:
1. Rethink its approach to IT security
• Proactive approach to threats (rather than responsive)
• IT security = business enabler, not infrastructure cost
• Align IT security strategy to corporate risk management objectives
2. Update security policies
• Organisations need to handle new trends like BYOD, big data, IoT and cloud
3. Adopt intelligent multi-layer defence
• Application security is important in a Web-centric world
4. Maintain up-to-date systems (e.g. patches and regular security audits)
5. Educate users and implement security best practices
Protection of Personal Data
Jabatan Perlindungan Data Peribadi Malaysia (JPDP)
Jabatan Perlindungan Data Peribadi Malaysia (JPDP), the Personal Data Protection Department of Malaysia, is an agency under the Ministry of Communications and Multimedia (KKMM) whose role is to ensure compliance with the Act through awareness-raising and promotion, good-practice advice, general advice and guidance, and enforcement. Its main responsibility is to regulate the processing of individuals' personal data in commercial transactions by data users, and to enforce the Act in order to combat the misuse of personal data.
Protection of Personal Data
Jabatan Perlindungan Data Peribadi Malaysia (JPDP)
GENERAL OBJECTIVE
The main focus of JPDP is to regulate the processing of an individual's personal data by data users so that the data is used with full integrity, securely and without misuse.
JPDP OPERATIONAL OBJECTIVE
Specifically, JPDP is responsible for ensuring that all users of personal data in commercial transactions comply with personal data protection law, by carrying out the enforcement needed to prevent the misuse of personal data.
Protection of Personal Data
Jabatan Perlindungan Data Peribadi Malaysia (JPDP)
The 7 Personal Data Protection Principles that must be complied with under s. 5(1) of the Act, in order to safeguard the integrity of personal data:
1. General Principle: a data user is not permitted to process another person's personal data without that person's consent. "Processing" here is to be understood as handling data by automated or computerised means or by any other process.
2. Notice and Choice Principle: the data subject concerned must be informed of the processing and its purposes in advance.
3. Disclosure Principle: the purposes for which a data subject's personal data is to be disclosed must be identified.
4. Security Principle: when processing any data subject's personal data, take steps to keep that data secure and to ensure it is not altered, misused or given to parties that have no business with it.
5. Retention Principle: personal data may not be kept in any processing operation for longer than the period required.
6. Data Integrity Principle: every item of personal data must be accurate, complete, not misleading and up to date for the purpose for which it is stored and processed.
7. Access Principle: a person must be given the right to access their personal data held by a data user, and also to correct that data so that it is up to date.
Protection of Personal Data
Jabatan Perlindungan Data Peribadi Malaysia (JPDP)
Malaysians in particular therefore need to be aware of their rights under the principles set out in this Act. Members of the public may lodge any complaint relating to the PDPA 2010 (Act 709) if they feel that an organisation or a person has breached one of the 7 Personal Data Protection Principles. The recommended practice for a complainant, now that the Act is in force, is: i) the complainant should first lodge a complaint with, and request an explanation from, the organisation concerned; ii) if the complainant is still dissatisfied with the organisation's response and the action it has taken, the complainant may lodge a complaint directly with JPDP at the complaints address provided, so that an investigation can be conducted; iii) if the complainant is still aggrieved by the Commissioner's decision on the matter, they may appeal to the Appeal Tribunal by filing a notice of appeal with the Appeal Tribunal.
Protection of Personal Data
Jabatan Perlindungan Data Peribadi Malaysia (JPDP)
Details required when making a complaint: you need only write a letter or send an e-mail to the Personal Data Protection Department explaining your case. In your letter or e-mail, you should state: i) the name of the organisation or person you are complaining about; ii) an explanation of your concern; iii) details of any response you have received from the organisation suspected to be the source of the information leak; iv) copies of any letters or e-mails concerning your discussions with the organisation or individual concerned.
Any public complaints and enquiries should be submitted to: Director General, Jabatan Perlindungan Data Peribadi Malaysia, Aras 6, Kompleks Kementerian Komunikasi dan Multimedia, Lot 4G9, Persiaran Perdana, Presint 4, Pusat Pentadbiran Kerajaan Persekutuan, 62100 Putrajaya. Tel: 03 8911 5000/7927/7906/7965 Fax: 03 8911 7959
Management should be asking these questions on cyber security…
• Is there someone on the board who serves as an IT expert and understands cyber risks, and what is the role of board oversight in cybersecurity?
• Who is in charge of your cybersecurity plan and which parts of your company are involved?
• Is there a committee assigned to address cybersecurity?
• Does the company have a chief security officer who reports outside of the IT organization?
• Is social media a concern to your company?
• Does your company have cyber insurance?
• Do the outsourced providers and contractors have controls and policies in place, and do they align with your company's expectations?
• Is there an annual company-wide education or awareness campaign established around cybersecurity?
• Who are your likely adversaries (state sponsored, competitive, criminal, etc.) and what crown jewels do you most need to protect from them?
• Do you have an incident response plan? Have you done a tabletop exercise?
• What does your network map look like (physical assets, cloud resources, physical and digital security tools and protocols, etc.)?
• Who has access to sensitive data, and what is the risk of an insider event?
• What are your physical and digital security protocols following employee termination?
• How do you interconnect with and share data with your supply chain and other business partners, and does your company have a vendor risk management program?
• Does your company receive and share information about cybersecurity threats?
Bottom Line…… PPT
P = People, P = Process, T = Technology
Human Factor: the weakest link is… PEOPLE
New Board Risks and Challenges: Cyber Risk
Are we building a Maginot line.......
1 : a line of defensive fortifications built before World War II to protect the
eastern border of France but easily outflanked by German invaders
2 : a defensive barrier or strategy that inspires a false sense of security
What's in this for us……
More than 2 billion people are connected to the Internet. Cellular phone subscriptions passed the 5 billion mark at the end of 2010. More than 50 billion objects are expected to be digitally connected by 2020, including cars, appliances and cameras. The amount of digital information created and replicated in the world will grow to a staggering 35 trillion gigabytes by 2020.
About USD 8 trillion was traded through e-commerce last year.
What's in this for us……
https://www.siliconrepublic.com/companies/2015/11/25/digital-disruption-changed-8-industries-forever
Takeaways
Businesses need to minimize exposure; create systems to protect data; respond appropriately and use insurance to cover response costs.
Human beings are inventive; despite the best policies, non-compliance and resulting breaches will occur.
Your crisis management skills will serve you well when paired with subject matter experts.
Issues of cyber risk and data breach that businesses
face is not if….but when.
About us… CyberSecurity Malaysia
[Timeline figure: 1997; 1998 - 2005]
March 2006:
• NITC Meeting on 7 Apr 2006 agreed to implement NCSP and the establishment of the Malaysia Cyber Security Centre to administer NCSP.
• NCSP was endorsed by the Cabinet in May 2006.
• NISER was tasked to be the Malaysia Cyber Security Centre.
30 Mar '07: NISER officially registered as
20 Aug 2007: CyberSecurity Malaysia was launched by the Prime Minister of Malaysia.
Find out More
www.cybersecurity.my
www.mycert.org.my
Personal
mobile: +6012-2499476