isms_tc5
INFORMATION SECURITY STANDARDS DEVELOPMENT IN MALAYSIA
By THAIB MUSTAFA, CHAIRMAN
TECHNICAL COMMITTEE FOR INFORMATION SECURITY (TC/G/5)
INDUSTRY STANDARDS COMMITTEE FOR INFORMATION TECHNOLOGY, COMMUNICATION AND MULTIMEDIA (ISC G)
23RD MAY 2012
Presentation Agenda
1. INTRODUCTION
2. ACTIVITIES
3. ACHIEVEMENTS
4. CHALLENGES
5. MOVING FORWARD
6. CONCLUSION
TC5 Information Security 2012 All Rights Reserved 2
INTRODUCTION: Technical Committee for Information Security (TC/G/5)
Non-profit, appointed group of volunteer members:
• Information security professionals
• Risk and compliance professionals
• Auditors and assurance professionals
• Governance and management professionals
Lead Agency: Standards Malaysia, MOSTI
Support Agency: SIRIM, MOSTI
Represented organisations: ICT, security, banking/financial services, government, public/private sectors, regulatory, technology, utilities, consulting, universities, etc.
Mission: Trusted to develop, prepare and review information security and related standards for Malaysia
BACKGROUND
In 1966, Institutes of Standards Malaysia (ISM) was established in Malaysia and later Standards Malaysia
In 1969, Malaysia became a member of ISO
In 1975, SIRIM was established
In 1996, SIRIM was appointed as National Standard Development Agency in Malaysia
SIRIM established Industry Standards Committees (ISC) to undertake standards development activities
In 2001, Industry Standards Committees (ISC) responsible for IT, Telecommunications and Multimedia (ISC G) established TC/G/5, the Technical Committee responsible for Information Security
Standards Malaysia, SIRIM, ISC G, TC/G/5 and ISO/IEC JTC 1/SC 27
(Organisation chart on the slide, reconstructed as text)
ISO/IEC JTC 1/SC 27 Security Techniques: WG1, WG2, WG3, WG4, WG5
Industry Standards Committee for Information Technology, Communication & Multimedia (ISC G)
• Members of: Technical Committee on Information Security (TC/G/5)
• Members of: WG1, WG2, WG3, WG4, WG5, WG7
MEMBERS OF the Technical Committee on Information Security (TC/G/5)
Member organisations:
• Telekom Malaysia Berhad (CHAIRMAN: Mr Thaib Mustafa)
• Association of the Computer and Multimedia Industry of Malaysia
• Bank Negara Malaysia
• Chief Government Security Office
• CyberSecurity Malaysia
• Malaysian Communications and Multimedia Commission
• Malaysian National Computer Confederation
• Ministry of Information, Communication and Culture
• Ministry of Science, Technology and Innovation
• SIRIM QAS International Sdn Bhd
• Malaysian Administrative Modernisation and Management Planning Unit (MAMPU)
• PricewaterhouseCoopers Advisory Services Sdn Bhd
• Multimedia Development Corporation Sdn Bhd
• Teknimuda Sdn Bhd (Mr Mohd Zahari Zakaria)
• Tenaga Nasional Berhad (Mr Mohd Mohd Ismail Ahmad)
Other representatives listed on the slide:
Dr Dzaharudin Mansor; Dr Solahuddin Shamsuddin; Mr Muhammad bin Ali; Mr Tan Tze Meng; Ms Haliza Ibrahim; Ms Ong Ai Lin; Ms Julaila Engan; Mr Zainal Abidin Ma'arif / Ms Nor Asma Ghazali; Ms Foo Mei Ling; Mr Ruzamri Ruwandi; Ms Roshda Md Yunan; Mr Tan Chuan On / Mr Gan Kim Sai
List of Working Groups (WG) under Information Security
Technical Committee on Information Security (TC/G/5). SCOPE: Standardisation in Information Security. Participation (P) Member to ISO/IEC JTC1/SC27.
• WG/G/5-1 Working Group on Information Security Management Systems. SCOPE: Standardisation on Information Security Management System
• WG/G/5-2 Working Group on Cryptography & Security Mechanisms. SCOPE: Standardisation on Cryptography & Security Mechanisms
• WG/G/5-3 Working Group on Information Security Evaluation Criteria. SCOPE: Standardisation on Security Evaluation Criteria
• WG/G/5-4 Working Group on Security Control & Services. SCOPE: Standardisation on BCM Framework for all sectors & supplementary BCM Framework for specific sectors
• WG/G/5-5 Working Group on Identity Management & Privacy Technologies. SCOPE: Standardisation on Management & Privacy Technologies
• WG/G/5-7 Working Group on Industry Automation & Control Systems. SCOPE: Standardisation of the information or cyber security aspects of Supervisory Control and Data Acquisition (SCADA) systems
Persons and organisations named on the slide:
• Mr Thaib Mustafa, TELEKOM Malaysia
• Dr Jamalul-lail Ab Manan, MIMOS Berhad
• Mr Ng Kang Siong, MIMOS Berhad
• Lt Col Asmuni Yusof, CyberSecurity Malaysia
• Ms Raja Azrina Raja Othman, JARING Communications Sdn Bhd
• Mr Wan Roshaimi Wan Abdullah, Stratsec.net Sdn Bhd
• Mr Badlissah Adnan, PETRONAS
Accountabilities & Responsibilities: Technical Committee on Information Security (TC/G/5)
1. Responsible for developing, preparing and reviewing Malaysian Standards.
2. Approval to release draft Malaysian Standards within its purview for the purpose of soliciting public comments.
3. Responsible for reviewing comments and making the necessary revisions to draft Malaysian Standards in light of comments received.
4. Submit draft standards developed under its direction to the ISC for approval as final draft Malaysian Standards.
5. Responsible for supporting the work of its parent ISC in international standardisation by:
a) studying and assessing the relevant international standards and formulating national views and comments on issues related to the scope of the TC/SC;
b) studying and commenting on and/or voting on draft international standards in related areas; and
c) recommending the adoption of International Standards as Malaysian Standards where appropriate.
6. Support the ISC in co-ordinating participation in international/regional standardisation.
7. Establish Working Groups (WG) in accordance with the Terms of Reference of WGs for the purpose of undertaking specific tasks.
ISO/IEC 27001 Information Security Management System
Specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an Information Security Management System (ISMS).
Conformance to this standard means an organization has a management system that ensures the confidentiality, integrity and accessibility of its information.
Information generated, received, retained or transmitted manually or electronically is controlled and managed based on the level of risk to the information.
An ISMS is an assurance to customers and stakeholders that their information is protected and secured from damage, loss and misuse.
ACTIVITIES - TC/G/5
• Identify standards that meet national objectives and industry needs
• Information security standards preparation, development and review
• Endorse release of draft Malaysian Standards (MS) after public comments and ensure they meet national and industry needs
• Review and adopt (subject to certain criteria) International Standards as Malaysian Standards
• Recommend approval of standards and report activities to ISC G
• Develop 'indigenous' standards if required and when no international standards are available
• Support standardisation activities at WG, national, regional and international levels
• Review and participate in ISO/IEC JTC1/SC 27 projects and meetings
• Participate in regional meetings (e.g. RAISE) and provide liaison with other TCs
ACTIVITIES - WGs
Working Groups in TC 5 mirror the JTC 1/SC 27 WGs:
• WG 1 - Information Security Management Systems
• WG 2 - Cryptography and Security Mechanisms
• WG 3 - Information Security Evaluation Criteria
• WG 4 - Security Controls and Services
• WG 5 - Identity Management and Privacy Technologies
• WG 7 - Industry Automation and Control Systems
• Meet regularly to review standardisation projects and related documentation for the specific projects assigned by TC/G/5
• Develop indigenous standardisation projects as approved by TC/G/5
• Participate in meetings, talks, workshops and seminars at national, regional and international level
• Perform liaison with other related standards committees (e.g. biometrics and telecommunications) as required by TC/G/5
ACHIEVEMENTS 1/2
More than 30 Standards approved and published, including:
• Information Security Management Systems Requirements (MS ISO/IEC 27001:2006)
• Code of practice for Information Security Management (MS ISO/IEC 27002:2005)
• Methodology for IT Security Evaluation (MS ISO/IEC 18045:2005)
• Evaluation criteria for IT security - Part 3: Security assurance requirements (First revision) (MS ISO/IEC 15408-3:2005)
• ISMS Implementation Guidance (27003)
• Information Security Risk Management (27005)
• Information Security Management Guidelines for Telecommunication Organizations (27011)
To date 22 SC27-approved new publications from 2011
ACHIEVEMENTS 2/2
• Editorship for WG4 - Guidelines on Identification, Collection, Acquisition and Preservation of Digital Evidence is currently being approved for publication in Dec 2012 (ISO/IEC 27037)
• In Nov 2005, hosted ISO/IEC JTC 1 SC 27 WGs Meeting in KL
• In Apr 2010, hosted ISO/IEC JTC 1 SC 27 WGs & HoD Meeting in Melaka
• Participated in international ISO/IEC and regional standards development meetings
• Organised/participated in Information Security Workshops and Seminars, promoting awareness and gathering comments and public reviews
Programme of Works - WG1
NEW PUBLICATIONS (WG 1)
• ISO/IEC 27005:2011-06-01 (2nd ed.), Information security risk management
• ISO/IEC 27006:2011-12-01 (2nd ed.), Requirements for bodies providing audit and certification of information security management systems
• ISO/IEC 27007:2011-11-15 (1st ed.), Guidelines for information security management systems auditing
• ISO/IEC TR 27008:2011-10-15 (1st ed.), Guidelines for auditors on information security controls
• ISO/IEC 27010:2012-04-01 (1st ed.), Information security management for inter-sector and inter-organisational communications
Programme of Works - WG2
NEW PUBLICATIONS (WG 2)
• ISO/IEC 9797-2:2011-06-15 (2nd ed.), Message Authentication Codes (MACs) - Part 2: Mechanisms using a dedicated hash-function
• ISO/IEC 9797-3:2011-11-15 (1st ed.), Message authentication codes (MACs) - Part 3: Mechanisms using a universal hash-function
• ISO/IEC 11770-5:2011-12-15 (1st ed.), Key management - Part 5: Group key management
• ISO/IEC 18031:2011-11-15 (2nd ed.), Random bit generation
• ISO/IEC 18033-4:2011-12-15 (2nd ed.), Encryption algorithms - Part 4: Stream ciphers
• ISO/IEC 29150:2011-12-15 (1st ed.), Signcryption
• ISO/IEC 29192-2:2012-01-15 (1st ed.), Lightweight cryptography - Part 2: Block ciphers
Programme of Works - WG3
NEW PUBLICATIONS (WG 3)
• ISO/IEC 15408-2:2008-08-15 (3rd ed.), corrected and reprinted 2011-06-01, Evaluation criteria for IT security - Part 2: Security functional components
• ISO/IEC 15408-3:2008-08-15 (3rd ed.), corrected and reprinted 2011-06-01, Evaluation criteria for IT security - Part 3: Security assurance components
• ISO/IEC 18045:2008-08-15 (2nd ed.), corrected and reprinted 2011-06-01, Methodology for IT security evaluation
• ISO/IEC 29128:2011-12-15 (1st ed.), Verification of cryptographic protocols
Programme of Works - WG4 & WG5
NEW PUBLICATIONS (WG 4)
• ISO/IEC 27034-1:2011-11-15 (1st ed.), Application security - Part 1: Overview and concepts
• ISO/IEC 27035:2011-09-01 (1st ed.), Information security incident management
• ISO/IEC TR 29149:2012-03-15 (1st ed.), Best practices for the provision and use of time-stamping services
NEW PUBLICATIONS (WG 5)
• ISO/IEC 24745:2011-06-15 (1st ed.), Biometric information protection
• ISO/IEC 24760-1:2011-12-15 (1st ed.), A framework for identity management - Part 1: Terminology and concepts
• ISO/IEC 29100:2011-12-15 (1st ed.), Privacy framework
CHALLENGES
• Inconsistent participation in projects/activities (assignment on a volunteer basis, with almost regular changes to membership)
• Shortage of subject matter experts from relevant industries and academia to contribute in WGs (WG 2, WG 3, WG 5 and WG 7)
• Lack of commitment from industries, government departments/agencies and GLCs to provide resources and budget for standards development activities
• Very limited funding available to sponsor editorships & secretariat participation at regional and international level
• Lack of recognition and incentives for standards development work
(Four-element diagram on the slide, reconstructed as text)
1. Industry Experience: understanding the issues and the business needs
2. Deliver Value: provide business value and clear benefits
3. Market Reach: reach out, establish the network and support the market
4. Business Demand: create business drivers and industry eco systems
To achieve the aspiration of IS standards development transformation, we need to understand the current issues and challenges and introduce standards as creative business solutions...
MOVING FORWARD: Information Security Standard Development Master Plan 2012-2015
• 2012: Discovery - Establish the Baseline
• 2013: Transformation - Capability Building
• 2014-2015: Recognition - ISMS as a Service
Master Plan contents: Strategies; Key Programs (industry survey, roadshows, etc.); 3-5 year transformation roadmap; critical milestones; challenges; KPIs
CONCLUSION
1. Information Security is a Business Issue
2. Information Security Management is part of Corporate Governance
3. ISMS 27001 is a mandatory baseline standard for Information Security Management for any organization
4. Compliance, Compliance & Compliance
5. Certify as security professionals
6. Certify all critical infrastructure
7. Join us at TC5 and participate as WG members
THANK YOU [email protected]
For further information please contact the TC/G/5 Secretariat:
Wan Rosmawarni Wan Sulaiman
0355446353