Malaysian public sector management of information & communication technology security handbook / [Jawatankuasa Standard Keselamatan IT Kerajaan].

MANAGEMENT SAFEGUARDS. Public Sector ICT Security Policy. Central Level. Ministry/State Level. Departmental Level. Public Sector ICT Security Programme Management. Central Public Sector ICT Security Programme Management. Operating Level Public Sector ICT Security Programme Management. Public Sector ICT Security Risk Management. Formation of Risk Management Committee. Identification of Risks and Threats. Evaluation of Risks and Threats. Identification of Necessary Safeguards. Managing Residual Risks. Implementing Safeguards and Monitoring Effectiveness. Uncertainty Analysis. Incorporating Public Sector ICT Security into the System Life Cycle. Benefits of Integrating Public Sector ICT Security in the System Life Cycle. The ICT System Life Cycle Phases. Public Sector ICT Security Assurance. Design and Implementation Assurance. Testing and Certification. Conformance Testing. Use of Reliable Architectures. Ease of Safe Use. Evaluation and Reviews. Assurance Documentation. Certification of Product to Operate in Similar Situation. Self- Certification. Warranties and Liabilities. Distribution Assurance. Operational Assurance. Audit Methods and Tools. Monitoring Methods and Tools. Operational Assurance Issues. BASIC OPERATIONS. Information Classification. Roles and Responsibilities. Head of Department. Chief Information Officer. Computer Manager. ICT Security Officer. System Administrators. Help Desk. Users. Vendors, Contractors and External Service Providers. Human Factors. Personnel Security. Confidentiality Agreement. Personnel Screening. Awareness. Problem Employees. Former Employees. Electronic Facilities. Telecommuting. Voice, Telephone and Related Equipment. Access to Voice Mail system. Private Branch Exchange. Spoken Word. Intercept. Casual Viewing. Output Distribution Schemes. Destruction. Clock Synchronization. Facsimile. Modification. Transmission. Acknowledgement. Misdirection of Messages. Disclosure. Unsolicited Messages. Retention of Documents. Electronic Mail. Authorised Users. Physical Protection. Logical Protection. Integrity of Content. Disclosure. Message Retention. Message Reception. Protection against Malicious Code. Security Labelling. Mass Storage Media. Protection of Information in Storage Media. Environmental Considerations. Disposal of Storage Media. Non-Current Storage Media. Intellectual Property Rights. Vendors, Contractors, External Service Providers, Third Party Access. Business Resumption. Risk Analysis. Disaster Recovery/Contingency Plan. Public Sector ICT Security Incident Handling. Causes of Security Incidents. Handling Security Incidents. Developing Security Incidents Handling Capability. Issues to Consider When Setting an Incident Handling Capability. Public Sector ICT Security Awareness, Training, Acculturation And Education. Benefits of Public Sector ICT Security Awareness, Training, Acculturation and Education. Public Sector ICT Security Awareness. Techniques. Public Sector ICT Security Training & Acculturation. General Users. Specialised or Advanced Skills Users. Public Sector ICT Security education. Implementation. Understand the Core Business of the Organisation. Identify Gaps in Public Sector ICT Security Knowledge. Align Skill Gaps to Support the Organisation's Core Business. Identify Suitable Staffs. Allocate Financial Resources and Identify Training Location. Execute, Maintain and Evaluate Programme Effectiveness. Physical and Environmental ICT Security. Physical Security Perimeter. Physical Entry Controls. Secure Area. Working in a Secure Area. Site Protection for Data Centre and Computer Room. Equipment Protection. Hardware Protection. Storage Media Protection. Documentation Protection. Cabling Protection. Environmental Security. Environmental . Control. Power Supply. Emergency Procedures. Cryptography. Symmetric (or Secret) Key Systems. Asymmetric (or Public) Key Systems. Key Management Issues. Disaster Cryptography and Cryptographic Disasters. Disaster Cryptography. Cryptographic Disasters. What to do in the event of a Cryptographic Disaster. Public Key Infrastructure (PKI). Trusted Third Parties (TTP). Assurance. Services of a TTP. Legal issues. TECHNICAL OPERATIONS. Computer Systems. Change Control. Equipment Maintenance. Disposal of Equipment. Operating Systems. Proprietary Issues. Shareware and Freeware Operating System Issues. Logical Access Control. Identification of Users. Authentication of Users. Limiting log-on Attempts. Unattended Terminals. arning Messages. Audit Trails. Back-up. Maintenance. Patches and Vulnerabilities. Upgrades. Application System. Application Software. Databases. Systems which Employ Artificial Intelligence. Application Testing. Defective and Malicious Software. Change of Versions. Availability of Source Code. Unlicensed Software. Intellectual Property Rights. Malicious Code. Unauthorised Memory Resident Programs. Software Provided to External Parties. Software from External Sources. Network System. Securing a Network. Design of a Secure Network. Network Security Controls. Security of Network Equipment. Installation Security. Physical Security. Physical Access. Logical Access. Unauthorised Use of Equipment. Equipment Configuration. Equipment Maintenance. Disposal of Equipment. Securing Different Modes of Communications. Wired Network. Wireless Communication. Microwave Communication. Satellite. User Accessibility. Local Area Network. Remote Access. Dial-up Access. Virtual Private Networks. Connection with other Networks. Integrity of Connections. Firewalls. Public Users. Distributed Network Access. Protection during Transmission. Uploading & Downloading within Intranet. Uploading & Downloading to/from the Internet. Network Monitoring. Problems to be Monitored. How to Overcome Insider Attacks and Hackers. Monitoring Tools. Security Posture Assessment of ICT. LEGAL MATTERS. Cyber Laws and Legal Implications. Digital Signature Act 1997. Computer Crime Act 1997. Telemedicine Act 1997. Copyright (Amendment) Act 1997. Communications and Multimedia Act 1998. Malaysian Communications & Multimedia Commission Act 1998. Crime Investigation. Definition of Computer Crime. Examples of Computer Essentials. Examples of Computer Non-Essentials. Evidence. Types of Evidence. Conducting Computer Crime Investigation. Detection and Containment. Report to Management. The Preliminary Investigation. Determine if Disclosure is Required. Investigation Considerations. Who should Conduct the Investigation.

eng/may