
INFORMATION SECURITY STANDARDS DEVELOPMENT IN MALAYSIA

By THAIB MUSTAFA, CHAIRMAN TECHNICAL COMMITTEE FOR INFORMATION SECURITY (TC/G/5) INDUSTRY STANDARDS COMMITTEE FOR INFORMATION TECHNOLOGY, COMMUNICATION AND MULTIMEDIA (ISC G)
23RD MAY 2012

Presentation Agenda

1. INTRODUCTION
2. ACTIVITIES
3. ACHIEVEMENTS
4. CHALLENGES
5. MOVING FORWARD
6. CONCLUSION

TC5 Information Security 2012 All Rights Reserved

INTRODUCTION: Technical Committee for Information Security (TC/G/5)

Non-profit, appointed group of volunteer members:
- Information security professionals
- Risk and compliance professionals
- Auditors and assurance professionals
- Governance and management professionals

Lead Agency: Standards Malaysia, MOSTI
Support Agency: SIRIM, MOSTI
Representative organisations: ICT, security, banking/financial services, government, public/private sectors, regulatory, technology, utilities, consulting, universities, etc.
Mission: Trusted to develop, prepare and review Information Security and related standards for Malaysia

BACKGROUND

- In 1966, the Institute of Standards Malaysia (ISM) was established in Malaysia, later becoming Standards Malaysia
- In 1969, Malaysia became a member of ISO
- In 1975, SIRIM was established
- In 1996, SIRIM was appointed as the National Standards Development Agency in Malaysia
- SIRIM established Industry Standards Committees (ISC) to undertake standards development activities
- In 2001, the Industry Standards Committee responsible for IT, Telecommunications and Multimedia (ISC G) established TC/G/5, the Technical Committee responsible for Information Security

Standards Malaysia, SIRIM, ISC G, TC/G/5 and ISO/IEC JTC 1/SC 27

[Organisation chart] The Technical Committee on Information Security (TC/G/5) is a member of the Industry Standards Committee for Information Technology, Communication & Multimedia (ISC G). The working groups of TC/G/5 (WG1, WG2, WG3, WG4, WG5) mirror the working groups of ISO/IEC JTC 1/SC 27, Security Techniques (WG1, WG2, WG3, WG4, WG5, WG7).

MEMBERS OF Technical Committee on Information Security (TC/G/5)

CHAIRMAN: Mr Thaib Mustafa, Telekom Malaysia Berhad

Member organisations:
- Telekom Malaysia Berhad
- Bank Negara Malaysia
- Association of the Computer and Multimedia Industry of Malaysia
- CyberSecurity Malaysia
- Chief Government Security Office
- Malaysian Communications and Multimedia Commission
- Malaysian Administrative Modernisation and Management Planning Unit (MAMPU)
- Malaysian National Computer Confederation
- Ministry of Information, Communication and Culture
- Ministry of Science, Technology and Innovation
- Multimedia Development Corporation Sdn Bhd
- PricewaterhouseCoopers Advisory Services Sdn Bhd
- Teknimuda Sdn Bhd
- SIRIM QAS International Sdn Bhd
- Tenaga Nasional Berhad

Representatives:
- Dr Solahuddin Shamsuddin
- Mr Zainal Abidin Ma'arif / Ms Nor Asma Ghazali
- Ms Julaila Engan
- Dr Dzaharudin Mansor
- Mr Muhammad bin Ali
- Ms Roshda Md Yunan / Mr Ruzamri Ruwandi
- Ms Foo Mei Ling
- Mr Tan Chuan On / Mr Gan Kim Sai
- Ms Ong Ai Lin
- Mr Mohd Zahari Zakaria
- Mr Tan Tze Meng
- Ms Haliza Ibrahim
- Mr Mohd Mohd Ismail Ahmad

List of Working Groups (WG) under Information Security

TC/G/5 Technical Committee on Information Security
  SCOPE: Standardisation in Information Security
  Participation (P) Member to ISO/IEC JTC 1/SC 27
  Chairman: Mr Thaib Mustafa, TELEKOM Malaysia

WG/G/5-1 Working Group on Information Security Management Systems
  SCOPE: Standardisation on Information Security Management Systems

WG/G/5-2 Working Group on Cryptography & Security Mechanisms
  SCOPE: Standardisation on Cryptography & Security Mechanisms

WG/G/5-3 Working Group on Information Security Evaluation Criteria
  SCOPE: Standardisation on Security Evaluation Criteria

WG/G/5-4 Working Group on Security Controls & Services
  SCOPE: Standardisation on BCM Framework for all sectors & supplementary BCM Framework for specific sectors

WG/G/5-5 Working Group on Identity Management & Privacy Technologies
  SCOPE: Standardisation on Identity Management & Privacy Technologies

WG/G/5-7 Working Group on Industry Automation & Control Systems
  SCOPE: Standardisation of the information or cyber security aspects of Supervisory Control and Data Acquisition (SCADA) systems

Persons named on the chart (with organisation): Ms Raja Azrina Raja Othman (JARING Communications Sdn Bhd), Dr Jamalul-lail Ab Manan (MIMOS Berhad), Mr Wan Roshaimi Wan Abdullah (Stratsec.net Sdn Bhd), Lt Col Asmuni Yusof (CyberSecurity Malaysia), Mr Badlissah Adnan (PETRONAS), Mr Ng Kang Siong (MIMOS Berhad)

Accountabilities & Responsibilities: Technical Committee on Information Security (TC/G/5)

1. Responsible for developing, preparing and reviewing Malaysian Standards.
2. Approve the release of draft Malaysian Standards within its purview for the purpose of soliciting public comments.
3. Responsible for reviewing comments and making the necessary revisions to draft Malaysian Standards in light of comments received.
4. Submit draft standards developed under its direction to the ISC for approval as final draft Malaysian Standards.
5. Responsible for supporting the work of its parent ISC in international standardisation by:
   a) studying and assessing the relevant international standards and formulating national views and comments on issues related to the scope of the TC/SC;
   b) studying and commenting on and/or voting on draft international standards in related areas; and
   c) recommending the adoption of International Standards as Malaysian Standards where appropriate.
6. Support the ISC in co-ordinating participation in international/regional standardisation.
7. Establish Working Groups (WG) in accordance with the Terms of Reference of WGs for the purpose of undertaking specific tasks.

ISO/IEC 27001 Information Security Management System

- Specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an Information Security Management System (ISMS)
- Conformance to this standard means an organization has a management system that ensures the confidentiality, integrity and accessibility of its information
- Information generated, received, retained or transmitted, manually or electronically, is controlled and managed based on the level of risk to the information
- An ISMS is an assurance to customers and stakeholders that their information is protected and secured from damage, loss and misuse

ACTIVITIES - TC/G/5

- Identify standards that meet national objectives and industry needs
- Information security standard preparation, development and review
- Endorse release of draft Malaysian Standards (MS) after public comments and ensure they meet national and industry needs
- Review and adopt (with certain criteria) International Standards as Malaysian Standards
- Recommend approval of standards and report activities to ISC G
- Develop indigenous standards if required and when no international standards are available
- Support standardization activities at WG, national, regional and international level
- Review and participate in ISO/IEC JTC 1/SC 27 projects and meetings
- Participate in regional meetings (e.g. RAISE) and provide liaison with other TCs

ACTIVITIES - WGs

Working Groups in TC 5 mirroring JTC 1/SC 27 WGs:
- WG 1 - Information Security Management Systems
- WG 2 - Cryptography and Security Mechanisms
- WG 3 - Information Security Evaluation Criteria
- WG 4 - Security Controls and Services
- WG 5 - Identity Management and Privacy Technologies
- WG 7 - Industry Automation and Control Systems

- Meet regularly to review standardization projects and related documentation, and specific projects specified by TC/G/5
- Develop indigenous standardization projects as approved by TC/G/5
- Participate in meetings, talks, workshops and seminars at national, regional and international level
- Perform liaison with other related standards committees (e.g. biometrics and telecommunications) as required by TC/G/5

ACHIEVEMENTS 1/2

More than 30 Standards approved and published, including:
- Information Security Management Systems Requirements (MS ISO/IEC 27001:2006)
- Code of practice for Information Security Management (MS ISO/IEC 27002:2005)
- Methodology for IT Security Evaluation (MS ISO/IEC 18045:2005)
- Evaluation criteria for IT security - Part 3: Security assurance requirements (First revision) (MS ISO/IEC 15408-3:2005)
- ISMS Implementation Guidance (27003)
- Information Security Risk Management (27005)
- Information Security Management Guidelines for Telecommunication Organizations (27011)

To date, 22 new SC 27 publications approved since 2011

ACHIEVEMENTS 2/2

- Editorship for the WG4 Guidelines on Identification, Collection, Acquisition and Preservation of Digital Evidence (ISO/IEC 27037), currently being approved for publication in Dec 2012
- In Nov 2005, hosted the ISO/IEC JTC 1/SC 27 WGs Meeting in KL
- In Apr 2010, hosted the ISO/IEC JTC 1/SC 27 WGs & HoD Meeting in Melaka
- Participated in international ISO/IEC and regional standards development meetings
- Organized/participated in Information Security Workshops and Seminars promoting awareness and gathering comments and public reviews

Programme of Works - WG1

NEW PUBLICATIONS (WG 1)
- ISO/IEC 27005:2011-06-01 (2nd ed.), Information security risk management
- ISO/IEC 27006:2011-12-01 (2nd ed.), Requirements for bodies providing audit and certification of information security management systems
- ISO/IEC 27007:2011-11-15 (1st ed.), Guidelines for information security management systems auditing
- ISO/IEC TR 27008:2011-10-15 (1st ed.), Guidelines for auditors on information security controls
- ISO/IEC 27010:2012-04-01 (1st ed.), Information security management for inter-sector and inter-organisational communications

Programme of Works - WG2

NEW PUBLICATIONS (WG 2)
- ISO/IEC 9797-2:2011-06-15 (2nd ed.), Message Authentication Codes (MACs) - Part 2: Mechanisms using a dedicated hash-function
- ISO/IEC 9797-3:2011-11-15 (1st ed.), Message authentication codes (MACs) - Part 3: Mechanisms using a universal hash-function
- ISO/IEC 11770-5:2011-12-15 (1st ed.), Key management - Part 5: Group key management
- ISO/IEC 18031:2011-11-15 (2nd ed.), Random bit generation
- ISO/IEC 18033-4:2011-12-15 (2nd ed.), Encryption algorithms - Part 4: Stream ciphers
- ISO/IEC 29150:2011-12-15 (1st ed.), Signcryption
- ISO/IEC 29192-2:2012-01-15 (1st ed.), Lightweight cryptography - Part 2: Block ciphers

Programme of Works - WG3

NEW PUBLICATIONS (WG 3)
- ISO/IEC 15408-2:2008-08-15 (3rd ed.), corrected and reprinted 2011-06-01, Evaluation criteria for IT security - Part 2: Security functional components
- ISO/IEC 15408-3:2008-08-15 (3rd ed.), corrected and reprinted 2011-06-01, Evaluation criteria for IT security - Part 3: Security assurance components
- ISO/IEC 18045:2008-08-15 (2nd ed.), corrected and reprinted 2011-06-01, Methodology for IT security evaluation
- ISO/IEC 29128:2011-12-15 (1st ed.), Verification of cryptographic protocols

Programme of Works - WG4&5

NEW PUBLICATIONS (WG 4)
- ISO/IEC 27034-1:2011-11-15 (1st ed.), Application security - Part 1: Overview and concepts
- ISO/IEC 27035:2011-09-01 (1st ed.), Information security incident management
- ISO/IEC TR 29149:2012-03-15 (1st ed.), Best practices for the provision and use of time-stamping services

NEW PUBLICATIONS (WG 5)
- ISO/IEC 24745:2011-06-15 (1st ed.), Biometric information protection
- ISO/IEC 24760-1:2011-12-15 (1st ed.), A framework for identity management - Part 1: Terminology and concepts
- ISO/IEC 29100:2011-12-15 (1st ed.), Privacy framework

CHALLENGES

- Inconsistent participation in projects/activities (assignments are on a volunteer basis, with frequent changes to membership)
- Shortage of subject matter experts from relevant industries and academia to contribute to WGs (WG 2, WG 3, WG 5 and WG 7)
- Lack of commitment from industries, government departments/agencies and GLCs to provide resources and budget for standards development activities
- Very limited funding available to sponsor editorships and secretariat participation at regional and international level
- Lack of recognition and incentives for standards development work

To achieve the aspiration of IS standards development transformation, we need to understand the current issues and challenges and introduce standards as creative business solutions:

1. Understanding the issues and the business needs
2. Business Demand
3. Market Reach: reach out, establish the network and support the market
4. Deliver Value: provide business value and clear benefits

Industry Experience

Creating business drivers and industry eco-systems

MOVING FORWARD: Information Security Standard Development Master Plan 2012-2015

- 2012 - Discovery: Establish the Baseline
- 2013 - Transformation: Capability Building
- 2014-2015 - Recognition: ISMS as a Service

Strategies: Key Programs (industry survey, roadshows, etc.), 3-5 year transformation roadmap, critical milestones, challenges, KPIs

CONCLUSION

1. Information Security is a Business Issue
2. Information Security Management is part of Corporate Governance
3. ISMS 27001 is a mandatory baseline standard for Information Security Management for any organization
4. Compliance, Compliance & Compliance
5. Certify as security professionals
6. Certify all critical infrastructure
7. Join us at TC5 and participate as WG members

THANK YOU
thaibmus@tm.com.my

For further information please contact the TC/G/5 Secretariat:
Wan Rosmawarni Wan Sulaiman, mawar@sirim.my, 0355446353