© 2007 Malaysian Communications and Multimedia Commission
NATIONAL STRATEGY: MALAYSIAN EXPERIENCE
Devi Annamalai
Security, Trust and Governance, MCMC
28th August 2007
Hanoi, Vietnam
BACKGROUND
• MCMC is a statutory body established under the Malaysian Communications and Multimedia Commission Act 1998 to regulate and nurture the communications and multimedia industry in Malaysia.
• The 10th National Policy Objective requires the Commission to ensure information security and the integrity and reliability of the network for the country.
NATIONAL STRATEGY
• Comprehensive law and policies
• Effective monitoring tools
• Awareness and Education
• Capacity Building
• International collaboration
LAWS AND POLICIES
Public
Presently, matters relating to information and network security in the public sector are under the administration of the Malaysian Administrative Modernization and Management Planning Unit (MAMPU). Within MAMPU, there is the ICT Security Division. They recently launched the Malaysian Public Sector Management of Information & Communications Technology Security Handbook (MyMIS). They also operate the G-CERT. However, MAMPU does not have any enforcement powers.

Private
The National IT Council gave birth to NISER (now known as Cyber Security Malaysia) to address e-security issues of the nation and to act as Malaysia's CERT. NISER offers research in vulnerability detection, intrusion detection and computer forensic technology. They offer their services to private and public entities. Like MAMPU's ICT Security Division, they do not have any enforcement powers.

MCMC: CMA
The Police: CCA, CMA
MALAYSIAN CYBERLAWS
• The Computer Crimes Act 1997
• The Communication and Multimedia Act (1998)
• The Copyright (Amendment) Act 1997
• The Telemedicine Act 1997
• The Digital Signature Act 1997
• Personal Data Protection
• The Electronic Government/Transaction Activities (EGA)
• The Malaysian Communications and Multimedia Commission Act (1998)
Acts Under MCMC
Cyber Crime Related Sections Under CMA 1998
Section 231 - Offence if use apparatus or device without authority
• Uses any apparatus or device
• With intent to obtain information, content, sender or addressee
• Without an approval from SIRIM

Section 232 - Fraudulent use of network facilities, network service etc
• Dishonestly transmit or receive
• Any communication or obtains service
• With intent to avoid payment
• Fraudulent use of service or facility

Section 233 - Improper use of network facilities or network service
• makes, creates, solicits, initiates transmission of comment, request, other communication
• With intent to annoy, abuse, threaten or harass another person
• Includes any obscene communication
Section 234 - Interception & disclosure of communications prohibited
• without lawful authority
• intercepts, discloses, uses (or attempts to)
• knowing that such is in contravention of sec 234
• such interception is done in connection of a case

Section 235 - Damage to network facilities etc
• By any willful, dishonest, negligent act or omission
• tampers with, adjusts, alters, destroys or damages
• Any network facility or any part of them

Section 236 - Fraud and related activity in connection with access devices
• Knowingly or with intent to defraud
• Produces, sells, imports, uses etc
• Any equipment, devices that has been modified
• Any hardware, software used for altering or modifying any equipment etc
• To obtain unauthorized use of any network service etc
OTHER RELEVANT PROVISIONS IN CMA
• Section 263 - General duty of licensees
• Section 265 - Network interception capability
• Section 266 - Special powers in emergency
• Section 267 - Disaster Plan
• Section 264 - Persons not liable for act done in good faith (saving provision for operators)
OTHER INSTRUMENTS
• Mandatory Standards to ensure that all communications service providers maintain an acceptable level of network integrity
• Individual license applicants under the CMA are required to provide a disaster recovery plan and details of measures undertaken to ensure network and data security when submitting an application for a license.
MAMPU
• All matters relating to information network security in the public sector are under the administration of MAMPU
• Within MAMPU, there is the ICT Security Division
• Malaysian Public Sector Management of Information & Communications Technology Security Handbook (MyMis)
• Operates G-Cert
CYBER SECURITY MALAYSIA
• Offers research in vulnerability detection, intrusion detection and computer forensic technology
• Offers services to the private and public sectors
• Operates MyCert
POLICE
• Provide assistance in enforcement activities (CMA)
• Have jurisdiction over the Computer Crimes Act: acts such as unauthorized access to computer material, unauthorized access with intent to commit or facilitate commission of further offence, unauthorized modification of the contents of any computer, and wrongful communications.
INS POLICY
• The security policy will address the roles and responsibilities of licensees under the CMA to ensure information security and the integrity and reliability of the network. It will also act as a guide for other parties relevant to the communications and multimedia industry.
• Audits in the future will be based on the policies.
REGULATING SPAM
• The MCMC developed an action plan in 2003 to address the problem that spam poses.
• The action plan is multi-pronged: it includes raising awareness, management by the ISPs and promoting technological solutions, and requires the cooperation of all major stakeholders, namely the industry, consumers, service providers, the regulators and the international community.
• On 25th June 2007, MCMC issued a Tender for the Provision of Consultancy Service for Strategic Study and Drafting of Anti-Spam Legislation for Malaysia.
• The study will review the current state of the regulatory framework on spam in Malaysia, recommend forward-looking policy and strategy, and propose necessary regulatory changes, including drafting of relevant legislation.
MONITORING TOOLS
NETWORK SECURITY CENTRE
[Diagram: Security, Trust and Governance; Security; Warning, Response & Forensic; Network Monitoring; Vulnerability Management; Network Security Centre; Information and Network Security Portal]
MAIN FOCUS OF THE NSC
The NSC will coordinate 3 main activities:
a) Network Threat Monitoring and Management;
b) Vulnerability Management; and
c) Incident Management, Network Forensic, Recovery and Advisory
To be operational by end of 2007 – hopefully ☺
Objectives, Benefits & Deliverables

Vulnerability Management
Objective: Periodic identification and mitigation of vulnerabilities in a cost-effective manner
Benefits: Periodic testing helps in identifying vulnerabilities as early as possible so that remedial measures can be undertaken. This aids in ensuring continued security and reliability of ICT infrastructure.
Deliverables:
• Quarterly internal and external automated and remote penetration testing of each IASP location
• Report listing vulnerabilities, risk level and recommended mitigation steps after each test

Threat Monitoring & Early Warning
Objective: Generating early warning of massive attacks or malicious propagation through threat monitoring
Benefits: Enable the IASPs to take measures against attacks before they do the actual damage
Deliverables:
• Early warning on new attacks
• Response action for new attacks
• Monthly Statistics
• Monthly Advisories
• Annual status and benchmarking report to be shared with IASP and MCMC

Incident Management and Forensics
Objective: Provide timely and efficient information and recommendations to manage security incidents, to contain the damage and conduct forensics activities
Benefits: The 'rapid response' team, with tools and processes to investigate reported incidents and take remedial action, enables incidents to be managed effectively to contain the damage
Deliverables:
• Investigation of reported incidents, timely remediation
• Advisory services on recent events and how to take action on recommendations
• Monthly reports on how to secure against latest threats/vulnerabilities, international trends
INFORMATION NETWORK SECURITY PORTAL
What is INS Portal?
It is a website that hosts multiple portals, which will serve as a focal point and a one-stop information centre on information and network security for the communications and multimedia industry.
What are the portals available in the enterprise?

Name of Portal: Objectives
• General Information and Network Security Portal: To house information concerning Information & Network security on various issues
• Network Abuse Reporting Portal: To function as centralized repository
• Network Reporting Portal: A portal that is specifically designed for the industry in concert with the NRC
• Information Sharing Forum (group): Information sharing, cooperation and coordination with IASPs and government agencies
INS Portal Design
SECURITY AUDITS
AUDITS
• The MCMC also undertakes to conduct Information and Network Security Audits on CMA licensees.
• The audits are based on internationally accepted information and network security standards and best practices.
INFORMATION SHARING FORUM
ISF
• On June 22, 2004, the MCMC formed the ISF
• Total of 60 individual members in the ISF
• Share information on security incidents, vulnerabilities, best practices etc
AWARENESS AND EDUCATION
[Diagram: People (skills, roles, and responsibilities); Processes (consistent and repeatable); Technology (products, tools, and automation)]
AWARENESS PROGRAMS
• Organize industry talks
• Collaborate with other agencies
• Issue related publications, brochures and pamphlets
TARGET AUDIENCE
Businesses/Organizations
Government
Students
Consumers
CAPACITY BUILDING
• Focus on licensees
• In partnership with information and network security industry
• Workshops and training for targeted groups
• Industry Talks
INTERNATIONAL COLLABORATION
International Collaborative Work
• Lead ATRC’s action-plan against Spam;
• Signatory of Seoul-Melbourne MOU and endorsed the London Action Plan against Spam
• APEC TEL’s E-Security and Prosperity Steering Group
THANK YOU
Devi Annamalai
Deputy Director
Security Trust and Governance
Malaysian Communications and Multimedia Commission