State Government ICT Security

1
State Government ICT Security
Sabah State Government CIO Conference 2004

• Presented by
• Dr Mingu Jumaan
• Director
• Jabatan Perkhidmatan Komputer Negeri

22 June 2004
2
Background

• Recognised ICT as a strategic tool
• Established SITC on 23 July 1996
• to spearhead ICT deployment and development in
  the State
• Modelled along the NITC

3
Background
Sabah IT Council (SITC)
Chairman
Chief Minister
Deputy Chairman
Minister of Resource Development and IT
Secretariat
State IT Unit
Members
Public, Private and Third sectors
4
Functions of SITC
Background

• Formulates policies
• Monitors ICT projects
• Advises State Government
• Liases with Federal Government
• Promotes use of ICT
• Strategies ICT development

5
Background

• Launched Electronic Government and SabahNet on
  23rd September 1997.
• One of the desired features of an electronic
  government is to guarantee that
• confidential data held in the system is fully
  protected.
• network be protected from unauthorized access,
  malicious attack and loss of data integrity
• External and internal threats on ICT security
• Poor ICT Security can leads to inability to
  function and lose of data, incur more cost to fix
  and recover data, disruption to government
  operation, and damage reputation.

6
Background

• Security policy needs to be defined to protect
  the government ICT assets as well as to provide
  better and faster response to security incidents.
• SITC endorsed the formation of a Working
  Committee on State Government ICT Security on
  29th May 2002.

7
State Government ICT Security Working Committee

• State Chief Information Officer (CIO) - Chairman
• State Chief Security Officer (CSO) - Head of
  secretariat
• Setiausaha Tetap Kementerian Kewangan - member
• Pengarah Jabatan Perkhidmatan Awam Negeri
  member
• Pengarah Unit Kemajuan IT - member 
• Pegawai Keselamatan Malaysia, Negeri Sabah -
  member
• Setiausaha Hal Ehwal Dalam Negeri dan
  Penyelidikan -member

8
Terms of Reference
State Government ICT Security Working Committee

• To recommend specific measures in addressing ICT
  security issues to SITC
• Prepare reports and present findings for the
  deliberation of SITC

9
Objectives of Working Committee
State Government ICT Security Working Committee

• To minimize the adverse effect of security
  incidents
• To educate users of ICT assets security measures
• To provide a mechanism for reporting of security
  incidents so that remedy / action can be taken
  quickly
• To ensure that ICT security measures/guidelines
  are adhered to by users

10
Functions of Working Committee
State Government ICT Security Working Committee

• To formulate and review policies, goals,
  strategies, standard and operational guidelines
  pertaining to ICT security of the state
  government
• To advise the state government on the development
  of human resources to ensure successful
  implementation of ICT security measures
• To liaise with the federal government on national
  ICT security policies and plans

11
Functions (cont)
State Government ICT Security Working Committee

• To monitor, review and co-ordinate the
  implementation of state ICT security measures
  among state public agencies
• To establish standard in the application of ICT
  security measures
• To carry out auditing on state ICT assets so that
  security measures/guidelines are adhered to
• To carry out research and development on ICT
  security technologies

12
Secretariat of Working Committee
State Government ICT Security Working Committee

• Secretariat - JPKN
• Chairman of the secretariat - Director of JPKN
• Members - JPKN, UKIT and KKIPC
• Terms of reference of the secretariat shall be
  to provide secretarial, organizational and
  administrative services to the ICT security
  working committee

13
State ICT Security Teams

• Under the State Government ICT Security Working
  Committee, five teams were formed to look after
  specific areas of State ICT security matters

14
State ICT Security Teams
sgCERT
Audit
Monitoring
State ICT Security Working Committee
Secretariat (JPKN)
HRD
RD
15
Incident Response Forensic (sgCERT)
State ICT Security Teams

• Membership
• Core Technical Members
• Members from State Government ICT Security Team
• Remote Agents
• Selected personnel at each major remote sites
• Functions
• To formulate / review procedures in responding to
  incidents
• To report ICT security Incidents

16
State ICT Security Teams

• sgCERT (Cont)
• To respond to report of ICT Security incidents
• To identify and inform relevant personnel on
  incidents based on need to know basis
• To collect and analyse forensic evidence
• To write reports on incidents and propose the
  next course of action
• Lodge police report for legal action
• Patch systems and fix vulnerability

17
Audit and Assessment
State ICT Security Teams

• Membership
• Core Technical Members
• Members from State Government ICT Security Team
• Remote Agents
• Selected personnel at each major remote sites
• Independent Auditors
• To compare the actual ICT security level and with
  the perceived ICT security baseline

18
Audit and Assessment (Cont)
State ICT Security Teams

• Functions
• To formulate and review ICT security auditing and
  assessment procedures
• To take pre-emptive actions to remove possible
  source of vulnerabilities based on security
  advisories received
• To plan for security enhancement
• To register all ICT equipment /facilities
  /services
• To periodically audit and assess the ICT security
  and update the ICT security baseline.

19
Education and Awareness (HRD)
State ICT Security Teams

• Membership
• Members from State Government ICT Security Team
• INSAN
• Functions
• To formulate and review training curriculum on
  ICT security
• To plan, conduct and review ICT security
  awareness activities
• To conduct regular ICT security training

20
Security Monitoring
State ICT Security Teams

• Membership
• Core members
• Members of the State Government ICT Security Team
• Sabah.Net Secure Network Operating Center
• Remote agents
• Selected personnel at each major remote sites
• Functions
• To formulate and review ICT Security Monitoring
  procedures
• To monitor and ensure Security Policy Compliance
• To monitor and create Security Advisory
• To report suspicious activities
• To monitor daily security logs

21
Research Development
State ICT Security Teams

• Membership
• Members from State Government ICT Security Team
• Functions
• To evaluate security tools and propose
  recommendation
• To study Systems / Network / Application Security
  improvement propose recommendation
• To create customised tools / scripts to improve
  ICT securities
• To create commercial ICT security products
• To report new vulnerabilities found to vendors

22
Future Activities

• Policy formulation
• Awareness training
• Security forums
• Security auditing

23
Challenges

• Attitude and mindset of the users Not bother
  and not sensitive
• Lack of staff with time and skills devoted to
  security
• Local security training available insufficient

24
Closing Remarks
ICT security is important ..
The most critical security hole not lie with the
system, but the people operating the systems.
Need to treat ICT security seriously. ICT
security matters are everyone responsibility.
Secured ICT
The only truly secured ICT is where the computer
is buried in concrete, with the power turned off
and the network cable cut.
25
Thank You