
ICT SECURITY MANAGEMENT HANDBOOK
Educational Technology Division
Ministry of Education
October 2005
MINISTRY OF EDUCATION MALAYSIA
ISBN: 983-3244-27-0
FIRST EDITION: OCTOBER 2005
Copyright © 2005 Educational Technology Division, Ministry of Education
All rights reserved, except for educational purposes with no commercial interests. No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording or any information storage or retrieval system, without prior permission from the Director-General of Education, Ministry of Education Malaysia.
Published by
Infrastructure and Repository Sector
Smart Educational Development
Educational Technology Division
Ministry of Education
Pesiaran Bukit Kiara
50604 Kuala Lumpur
Tel: 603-2098 7768/6245
Fax: 603-2098 6242
Contents
Background  v
Foreword  vi
Preface  vii
Introduction  viii
1 Acceptable Internet And E-Mail Usage  1
1.1 Introduction  1
1.2 Purpose  1
1.3 Responsibilities  1
1.4 Internet Usage  2
1.5 E-Mail  4
2 Choosing Quality Passwords  7
2.1 Introduction  7
2.2 Purpose  7
2.3 Responsibilities  7
2.4 Compromise Of Passwords  8
2.5 General Password Rules  8
2.6 Password Composition Rules  9
2.7 Changing And Reusing Of Passwords  10
3 Physical Security For The ICT Infrastructure  11
3.1 Introduction  11
3.2 Purpose  11
3.3 Responsibilities  11
3.4 Working In ICT Infrastructure  11
4 Mobile Computing  14
4.1 Introduction  14
4.2 Purpose  14
4.3 Responsibilities  14
4.4 Use Of Mobile Computing Devices  15
4.5 Physical Security  15
4.6 Configuration Changes  16
4.7 Connecting Mobile Computing Devices To Unsecured Networks  17
5 Information Classification And Handling  18
5.1 Introduction  18
5.2 Purpose  18
5.3 Responsibilities  18
5.4 Scope Of Coverage  19
5.5 Information Classification  19
5.6 Information Handling  20
Glossary  27
References  31
Enquiries  31
Contributors  32
Background
The ICT Security Management Handbook is a new handbook, updated and adapted from the Smart School Security Management Policies and Procedures Version 1.0 published under the Smart School Pilot Project in the year 2000. The original document was first reviewed in 2001. Users of the first and second editions of this handbook will realise that the text has been completely revised; a major part of the revision being the separation of the content into two new documents, one for the School ICT Coordinators and another for other users. This ICT Security Management Handbook is based on the ICT security management information contained in the Malaysian Public Sector Management of Information & Communications Technology Security Handbook published by MAMPU.
Director-General of Education Malaysia
Foreword
I would like to congratulate the Handbook Committee, coordinated by the Educational Technology Division, for their dedication in completing this informative handbook. Their commitment in the preparation of this handbook is highly commended. This handbook is meant to give thorough and concise guidelines on ICT Security Management. It is hoped that the guidelines and procedures listed are useful to all readers. I would also like to thank all teachers involved for their invaluable contribution to this handbook, an important contribution to the ICT landscape of schools.
(DATO’ DR. HJ. AHAMAD BIN SIPON)
Director-General of Education
Ministry of Education Malaysia
Educational Technology Division
Preface
This handbook gives a brief overview on ICT Security Management for all schools in Malaysia. This handbook is meant to be a useful source of reference for all schools in implementing effective ICT security management. Although there can be no guarantee for absolute security within an international electronic works environment, using the guidelines in this handbook should mitigate many of the risks to which ICT-based systems are exposed. I wish to congratulate the committee and all others involved in producing this handbook.
(DATO’ HJ. YUSOFF BIN HARUN)
Director
Educational Technology Division
Ministry of Education
Introduction
This handbook has been adapted from the Malaysian Public Sector Management of Information & Communications Technology Security Handbook produced by MAMPU, and the Smart School Security Management Policies and Procedures Version 1.0 produced by the Smart School Pilot Project Team of the Ministry Of Education. The content is arranged according to topics to help users practise security management systematically and effectively. The content in each topic has been arranged in such a manner that the steps listed are easy to follow and provide comprehensive guidance to ICT security management. Each topic in this handbook starts with an introduction and purpose followed by guidelines which provide an overview of ICT security management. Using these guidelines, users should be able to practise ICT security effectively. The ICT Security Management Handbook will help widen the reader’s knowledge and create awareness in ICT security management. A glossary is included for better understanding of the content.
1 Acceptable Internet And E-Mail Usage

1.1 Introduction
The advancement of information and communications technology (ICT) allows information to be sent and received rapidly. This facility has brought Internet and electronic mail (e-mail) usage on the rise. Electronic communication is now being used widely as the alternative medium for sharing information. However, uncontrolled usage of Internet and e-mail services may expose us to various security threats. Hence, security protection needs to be in place to ensure confidentiality, integrity and availability of information.

1.2 Purpose
The purpose of this section is to outline the acceptable use of Internet and e-mail services in schools. These rules should be put in place to protect all residents of schools. Inappropriate use may expose schools to risks, including virus attacks, compromise of network systems and services, and legal issues.

1.3 Responsibilities
All school residents who are given access to the school ICT system are required to comply with the rules and regulations contained in this section.
1.4 Internet Usage
1) The school electronic communication system or ICT facilities are generally used for facilitating and improving the administration and operations of the school. Users should be aware that the data they create and the system they use remain the property of the Government of Malaysia.
2) Web surfing should be restricted to work-related matters or other purposes as authorised by the School Head.
3) Users are advised to verify the integrity and accuracy of materials downloaded from the Internet. These materials have to be scanned to ensure that they are free from malicious codes.
4) Materials downloaded from the Internet (e.g. software) should be vetted to avoid infringement of copyrights. Users should quote references of all Internet materials used.
5) Information to be uploaded to the Internet should be reviewed by the School ICT Coordinator and authorised by the School Head.
6) Only authorised officers are allowed to participate in online public forums such as newsgroups or bulletin boards. Users who participate in such forums should exercise good judgement on the information shared as they represent the public image of the school, Ministry of Education and the Government of Malaysia.
7) Users are prohibited from the following:
a) Violating the rights of any person or company protected by copyright, trade secret, patent or other intellectual property, or similar laws or regulations, including, but not limited to, the installation or distribution of pirated software that is not appropriately licensed for use by the school.
b) Uploading, downloading, storing or using unlicensed software.
c) Uploading, downloading, or sending files greater than 2Mb that may paralyse the computer network system and pre-empt other official activities.
d) Preparing, uploading, downloading and storing speeches, images or other materials that may:
i) be construed as sexual, ethnic and racial harassment;
ii) cause chaotic situations of any form such as rumour mongering, defamation or instigation; and
iii) tarnish the reputation of the school, Ministry of Education or the Government of Malaysia.
e) Engaging in non-work related activities (commercial, political or others) which interfere with staff productivity and consume more than a trivial amount of resources such as:
i) online chatting; and
ii) downloading, storing and using entertainment software such as those for playing games, videos or songs.
f) Engaging in criminal activities such as spreading of materials involving gambling, weaponry and terrorism.
g) Misusing online public forums such as newsgroups and bulletin boards.
8) Users are not allowed to engage in unauthorised online activities such as hacking, sniffing, hijacking or giving fraudulent information.

1.5 E-Mail
1) E-mail allows users to communicate with each other in the form of electronic messages. The usage of e-mail is becoming more prevalent as it allows more effective two-way communication.
2) All residents of a school are given e-mail accounts for the purpose of official correspondence. An example of an e-mail address is name@moe.edu.my.
3) The usage of the e-mail service is subject to the rules stipulated in this section and the School ICT Coordinator has the right to revoke such usage if users do not comply with the rules.
4) E-mail is one of the official communication channels within the school. As such, it has to be composed with caution. For example, using upper case is not encouraged as it is considered inappropriate. Users are advised to compose e-mail using simple, courteous and correct language. Users should ensure that the subject corresponds with the content of the e-mail.
5) All official correspondence has to be sent via the official e-mail account. Users should ensure that the recipient’s e-mail address is correctly entered prior to sending the e-mail. The carbon copy (cc) can be used, should there be a need to send the e-mail to other recipients. However, a blind carbon copy (bcc) is not encouraged.
6) Users are not allowed to send e-mail attachments that are greater than 2Mb. Appropriate compression utilities such as WinZip should be used to reduce the size of the attachment.
7) Users should refrain from opening e-mail from unknown or suspicious senders.
8) Users should scan all attachments prior to opening.
9) E-mail is not encrypted by default. Users are prohibited from sending sensitive information unless it has been first encrypted. Please refer to the Information Handling Procedure for details.
10) Users should verify the identity of users with whom they communicate and exchange information via e-mail. This is to protect information from any form of misuse.
11) All official e-mail sent or received should be archived accordingly. The user is encouraged to archive the e-mail in other storage media, such as diskettes, for safety reasons.
12) Unimportant e-mail that is no longer needed or has no archival value should be deleted.
13) Users are prohibited from the following:
a) sharing e-mail accounts;
b) using fake accounts and purporting to be valid senders;
c) using e-mail for commercial or political purposes;
d) sending or owning materials that are against the law or cause sexual, ethnic or racial harassment;
e) spamming; and
f) introducing or spreading malicious codes such as viruses, worms and Trojan horses that will disrupt the network.
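As an added worked example (not part of the handbook), the following Python expresses the e-mail rules of section 1.5 as an outbound policy check a school mail gateway could run: official sender domain (rules 2 and 5), the 2Mb attachment ceiling (rule 6), bcc discouraged (rule 5) and encryption before sensitive content leaves the school (rule 9). The `X-Classification` header carrying the classification label, the example addresses and the message contents are assumptions constructed for the example.

```python
"""Outbound e-mail policy check for section 1.5 (added example, not from the handbook).

Rules implemented:
  - official correspondence goes from an official @moe.edu.my account (rules 2 and 5)
  - attachments may not exceed 2Mb (rule 6)
  - bcc is not encouraged (rule 5); reported as a warning
  - classified content must be encrypted before sending (rule 9)
The 'X-Classification' header used to carry the electronic label is an assumption.
"""
from email.message import EmailMessage
from typing import List, Optional

OFFICIAL_DOMAIN = "moe.edu.my"
ATTACHMENT_LIMIT = 2 * 1024 * 1024          # the handbook's 2Mb ceiling
CLASSIFICATION_LEVELS = ("Top Secret", "Secret", "Confidential", "Restricted")
ENCRYPTED_TYPES = {"application/pkcs7-mime", "application/pgp-encrypted", "multipart/encrypted"}


def classification_of(msg: EmailMessage) -> Optional[str]:
    """Return the classification label carried in the assumed X-Classification header."""
    label = (msg.get("X-Classification") or "").strip().lower()
    for level in CLASSIFICATION_LEVELS:
        if label == level.lower():
            return level
    return None


def is_encrypted(msg: EmailMessage) -> bool:
    """True when some part of the message is an S/MIME or OpenPGP encrypted object."""
    return any(part.get_content_type() in ENCRYPTED_TYPES for part in msg.walk())


def oversized_attachments(msg: EmailMessage) -> List[str]:
    """Names of attachments whose decoded size exceeds the 2Mb limit."""
    names = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        if len(payload) > ATTACHMENT_LIMIT:
            names.append(part.get_filename() or "(unnamed)")
    return names


def check_outbound(msg: EmailMessage) -> List[str]:
    """Return the policy violations for a message about to leave the school mail system."""
    violations = []
    sender = (msg.get("From") or "").strip().lower()
    if not sender.endswith("@" + OFFICIAL_DOMAIN):
        violations.append("sender is not an official @moe.edu.my account")
    for name in oversized_attachments(msg):
        violations.append(f"attachment '{name}' exceeds the 2Mb limit")
    if msg.get("Bcc"):
        violations.append("warning: bcc used; not encouraged for official mail")
    level = classification_of(msg)
    if level is not None and not is_encrypted(msg):
        violations.append(f"{level} content must be encrypted before sending")
    return violations


# Constructed sample messages (not real correspondence).
def sample_violating() -> EmailMessage:
    msg = EmailMessage()
    msg["From"] = "teacher@example-webmail.com"     # personal, not the official account
    msg["To"] = "name@moe.edu.my"
    msg["Subject"] = "Exam results"
    msg["X-Classification"] = "Confidential"
    msg.set_content("Attached are the results.")
    msg.add_attachment(b"\0" * (3 * 1024 * 1024), maintype="application",
                       subtype="octet-stream", filename="results.xls")
    return msg


def sample_compliant() -> EmailMessage:
    msg = EmailMessage()
    msg["From"] = "name@moe.edu.my"
    msg["To"] = "head@moe.edu.my"
    msg["Subject"] = "Exam results"
    msg["X-Classification"] = "Confidential"
    # An S/MIME envelope stands in for the encrypted body; the bytes are constructed.
    msg.set_content(b"<encrypted blob>", maintype="application", subtype="pkcs7-mime",
                    filename="smime.p7m")
    return msg


if __name__ == "__main__":
    for problem in check_outbound(sample_violating()):
        print("REJECT:", problem)
    print("compliant message:", check_outbound(sample_compliant()))
```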
2 Choosing Quality Passwords

2.1 Introduction
Passwords are one of the principal means of validating a user’s authority to access a computer system. Therefore, users should be aware of their responsibilities in maintaining effective access controls, particularly regarding the use of passwords. Given the number of passwords that one has to keep track of, it is crucial that the passwords selected are easy to remember and follow good security practices. This section provides some good password security practices that all school users are expected to follow.

2.2 Purpose
The main purpose of this section is to ensure that the registered school users follow the best practices in using and selecting passwords for all application and network systems to which they have access.

2.3 Responsibilities
All school residents who are given access to the school ICT system should comply with the guidelines stipulated in this section.
2.4 Compromise Of Passwords
Over time, passwords may be compromised in many ways. The following are some examples of how passwords are compromised.
1) Users share them with friends or co-workers.
2) Written passwords are exposed to others.
3) Passwords are guessed, either by other users or by security diagnostic software.
4) The servers that store passwords are compromised, and the passwords on them are accessed by intruders.
5) Transmitted passwords are intercepted and recorded by an intruder.
6) Users are tricked into providing their passwords to intruders via a social engineering effort.

2.5 General Password Rules
1) Passwords are to be kept strictly confidential and are not to be shared. Do not disclose your password to anyone at any time.
2) Do not write your password down or leave it unsecured.
3) Do not leave a computer session unattended unless it is locked and password-protected. Never leave a computer idle for long periods of time; shut it down and reboot when necessary.
4) If you suspect that anyone has gained access to your password, contact the School ICT Coordinator immediately to request a password reset.
5) After three (3) unsuccessful attempts to enter the password, the user shall be disallowed from using the system for a particular time period. Intervention of the School ICT Coordinator will be required to reset the password.

2.6 Password Composition Rules
One of the primary weaknesses of passwords is that they may be guessed. While a user may give up after guessing ten or a hundred possible passwords, there is software which could easily try millions of combinations and break the particular password. Good password composition rules are as follows:
1) To combat password guessing attacks, users are advised to pick hard-to-guess passwords.
2) Users are required to choose their passwords from the widest set of characters, subject to the constraints of the systems where those passwords reside.
3) Passwords should be at least eight (8) characters long and contain alphanumeric characters (e.g. p@S5w07D).
2.7 Changing And Reusing Of Passwords
1) All default passwords should be changed during the first log on.
2) To limit the possibility of passwords being compromised, a practical solution is to change them regularly, at most every 180 days, and preferably more frequently.
3) Users should not reuse old passwords, as they may have already been compromised.
4) Reuse of a user’s last four passwords should be avoided altogether.
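As an added worked example (not from the handbook), the following Python encodes the rules of sections 2.5 to 2.7 as an account policy: lock-out after three failed attempts with a coordinator reset (2.5 rule 5), composition checks (2.6), change at first log on (2.7 rule 1), the 180-day maximum age (2.7 rule 2) and no reuse of the last four passwords (2.7 rule 4). Reading "widest set of characters" as at least three of the four character classes is an assumption, and the account name and dates are constructed.

```python
"""Password policy for sections 2.5 to 2.7 (added example, not from the handbook).

Rules implemented:
  - lock the account after three failed attempts until the School ICT
    Coordinator resets it (2.5 rule 5)
  - at least 8 characters with letters and digits (2.6 rule 3); "widest set of
    characters" (2.6 rule 2) is read here, as an assumption, as at least three
    of lowercase, uppercase, digit and symbol
  - change on first log on after a default or reset password (2.7 rule 1)
  - change at least every 180 days (2.7 rule 2)
  - no reuse of the last four passwords (2.7 rule 4)
Passwords are stored only as salted PBKDF2 hashes; names and dates are constructed.
"""
import hashlib
import hmac
import os
import string
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

MIN_LENGTH = 8
MIN_CHARACTER_CLASSES = 3
MAX_AGE_DAYS = 180
HISTORY_DEPTH = 4
MAX_FAILED_ATTEMPTS = 3


def composition_problems(password: str) -> List[str]:
    """Rule 2.6 checks; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    has_lower = any(c in string.ascii_lowercase for c in password)
    has_upper = any(c in string.ascii_uppercase for c in password)
    has_digit = any(c in string.digits for c in password)
    has_symbol = any(c in string.punctuation for c in password)
    if not ((has_lower or has_upper) and has_digit):
        problems.append("must contain both letters and digits")
    if sum([has_lower, has_upper, has_digit, has_symbol]) < MIN_CHARACTER_CLASSES:
        problems.append(f"uses fewer than {MIN_CHARACTER_CLASSES} character classes")
    return problems


def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


@dataclass
class Account:
    name: str
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    history: List[bytes] = field(default_factory=list)   # hashes, current password last
    changed_on: Optional[date] = None
    failed_attempts: int = 0
    locked: bool = False
    must_change: bool = False

    def set_password(self, new: str, today: date) -> List[str]:
        """Apply a user-chosen password; returns the violations, empty on success."""
        problems = composition_problems(new)
        candidate = _digest(new, self.salt)
        if any(hmac.compare_digest(candidate, old) for old in self.history[-HISTORY_DEPTH:]):
            problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
        if problems:
            return problems
        self.history.append(candidate)
        self.changed_on = today
        self.must_change = False
        return []

    def coordinator_reset(self, temporary: str, today: date) -> None:
        """School ICT Coordinator unlocks the account and issues a temporary password."""
        self.history.append(_digest(temporary, self.salt))
        self.changed_on = today
        self.failed_attempts = 0
        self.locked = False
        self.must_change = True     # 2.7 rule 1: change it at the first log on

    def login(self, attempt: str, today: date) -> str:
        """Returns 'ok', 'denied', 'locked', 'must_change' or 'expired'."""
        if self.locked:
            return "locked"
        current = self.history[-1] if self.history else b""
        if not hmac.compare_digest(_digest(attempt, self.salt), current):
            self.failed_attempts += 1
            if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
                self.locked = True
                return "locked"
            return "denied"
        self.failed_attempts = 0
        if self.must_change:
            return "must_change"
        if today - self.changed_on > timedelta(days=MAX_AGE_DAYS):
            return "expired"
        return "ok"
```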
3 Physical Security For The ICT Infrastructure

3.1 Introduction
Physical security is the first layer of defence in any ICT security architecture. The need to physically protect assets from real or perceived threats cannot be overlooked or mitigated by other security disciplines. There is no substitute for good physical security control.

3.2 Purpose
The purpose of these guidelines is to prevent unauthorised access, damage and interference to the ICT Infrastructure that could result in disruption or damage to the school information asset.

3.3 Responsibilities
All school residents who are given access to the ICT Infrastructure are required to observe these guidelines.

3.4 Working In ICT Infrastructure
1) All computing facilities provided by the school are used for facilitating the daily operations and learning activities of the school residents. Therefore, only authorised users such as teachers, students and staff of the school are allowed to use these computing facilities.
Third parties (or non-school residents) who wish to use such facilities should be authorised by the School Head.
2) Visitors or users to the computer laboratory, media centre and access centre should log their names, date, time and duration of access in the log book.
3) All students using the computer laboratory should be accompanied by a teacher. Students who need to use the computers in the computer laboratory without supervision of the teacher should obtain permission from authorised personnel.
4) After school hours, access to the computer laboratory must be controlled and monitored.
5) Third parties such as vendors who provide maintenance service to the equipment should be escorted or supervised at all times while in the ICT infrastructure.
6) Doors and windows to the computer laboratory should be locked when unattended.
7) No food and drinks are allowed in the ICT infrastructure.
8) Visitors or users to the computer laboratory should take off their shoes (if necessary) to ensure cleanliness of the place.
9) Users should shut down the system properly to prevent computer damage.
10) Users should log off the system to prevent unauthorised users from accessing the system.
11) Users should keep the ICT infrastructure clean and tidy at all times.
12) Users are not allowed to bring out any equipment or devices which belong to the school. Anyone found stealing or attempting to steal will be subject to disciplinary action.
13) Users are not allowed to relocate the equipment (e.g. switching of monitors), repair the faulty equipment or change the configuration of the system without authorisation by the School ICT Coordinator or authorised school personnel.
14) Users should report to the School ICT Coordinator or assigned school personnel when they notice security incidents or potential security incidents. These include incidents such as break-ins, thefts, and hardware and software failures.
15) Users should prevent computer overheating by not covering the computer monitor vents.
16) All facilities such as air conditioners and lights should be properly used. Users are required to switch on these facilities when using the computer laboratory. Similarly, these facilities should be switched off after use.
4 Mobile Computing

4.1 Introduction
Technological advancement has made mobile computing devices available to a wide audience, and these devices are increasingly used for convenient access to information. The prevalence of mobile computing devices has opened up various security risks that could compromise the confidentiality, integrity and availability of information. The very nature of mobile computing devices means that they are at a greater risk of theft than their less portable counterparts. The latter are normally located in secure premises with good physical security, whereas mobile computing devices normally reside outside an organisation’s physical security perimeter. This section aims to establish procedural guidance to be observed by users of mobile computing devices.

4.2 Purpose
This section is established to ensure information and physical security when using mobile computing devices.

4.3 Responsibilities
All school residents who use mobile computing devices for processing school information are required to adhere to the guidelines outlined in this section.
4.4 Use Of Mobile Computing Devices
1) The use of personal mobile computing devices such as laptops, tablet PCs, palmtops and smart phones for processing school information is prohibited unless they have been first authorised by the school administrator and configured with necessary security controls such as anti-malicious software or personal firewall under the guidance of the School ICT Coordinator.
2) Third party mobile computing devices (owned by contractors or vendors) should not be connected to the school network or granted access without first being authorised by the school administrator and configured with necessary security controls under the guidance of the School ICT Coordinator. This is to prevent virus infection of the school network.
3) All Ministry of Education owned mobile computing devices should be installed with necessary security controls such as anti-malicious software before they are released to the users. Such devices should be automatically configured to receive security updates from the server.
4) Use of mobile computing devices is subject to Acceptable Internet and E-mail Usage.

4.5 Physical Security
1) Mobile computing devices should be physically protected against theft, especially when left in cars and other forms of transport, hotel rooms, conference centres and meeting places.
2) Mobile computing devices carrying important, sensitive or confidential information should not be left unattended and, where possible, should be physically locked.
3) It is important that when such devices are used in public places, care should be taken to avoid the risk of accidental disclosure of information to unauthorised persons.
4) Mobile users should report to the School ICT Coordinator or school administrator immediately any damage to or loss of Ministry of Education assets.
5) The movement of all mobile computing devices owned by the Ministry of Education should be recorded.

4.6 Configuration Changes
1) Users should not change the configuration or system settings of mobile computing devices supplied by the Ministry of Education except for official and authorised purposes such as configuring the network settings (IP address, DNS address, etc.) based on the existing network environment.
2) Mobile computing devices supplied by the Ministry of Education should not be altered in any way (e.g. processor upgrade, memory expansion or extra circuit boards). If any changes in software or hardware are required, the users should seek authorisation from the School ICT Coordinator. Only the School ICT Coordinator is allowed to make such changes.
4.7 Connecting Mobile Computing Devices To Unsecured Networks
1) The school network is a protected environment within which mobile computing devices are well protected against infection by malicious software through regular deployment of security updates. Networks outside the perimeter of the school, whether a wireless local area network at an airport or a broadband Internet connection at home, are considered unsecured networks. In this sort of environment, the device is connected directly to the Internet with none of the protections, such as firewalls, in place. This exposes the device to a great range of threats, including direct attacks from entities on the Internet, whether they be users or malicious codes.
2) Users should refrain from connecting to unsecured networks as this may expose sensitive information to unauthorised parties.
3) If such a connection is deemed necessary, users may consider encrypting sensitive information to prevent unauthorised disclosure. Data encryption offers the best protection against the dissemination of sensitive information from lost or stolen devices. Information protected by strong, well-implemented encryption techniques can be rendered useless to a thief.
5 Information Classification And Handling

5.1 Introduction
Information must be handled accordingly to ensure that the confidentiality, integrity and availability of the information are not compromised. Information classification and handling activities are performed to safeguard national secrets. Information of different classification levels is often kept (or should be kept) segregated. The possible impact on schools and the Ministry of Education of disclosure or alteration of information varies with the type of information. Hence, the effort and cost warranted for protection against these risks vary accordingly. Some basis is therefore required to determine which security measures are applicable to different types of information.

5.2 Purpose
The main purpose of this section is to provide guidelines for the classification of information and the appropriate set of procedures for information handling in accordance with the classification scheme defined.

5.3 Responsibilities
All school residents who are given access to classified information are required to comply with this section.
5.4 Scope Of Coverage
All school information is bound by this section irrespective of:
1) the way information is represented (written, spoken, electronic or other forms);
2) the technology used to handle the information (e.g. file cabinets, fax machines, computers and local area networks);
3) the location of information (e.g. in the office, computer lab or server room); and
4) the lifecycle of information (e.g. origin, entry into a system, processing, dissemination, storage and disposal).

5.5 Information Classification
According to the government’s Arahan Keselamatan, information is classified into five levels:
1) Public: Official documents/information available for public knowledge, viewing or usage.
2) Restricted: Official documents/information excluding those classified as Top Secret, Secret or Confidential but required to be provided with a security measure level. Refer to Table 1: Information Handling.
3) Confidential: Official documents/information which, if exposed without authorisation, even though it does not endanger national security, could have an impact on national interest or dignity, the activity of the government or
the individual; would cause embarrassment or difficulty to the current administration; and would benefit foreign authorities.
4) Secret: Official documents/information which, if exposed without authorisation, would endanger national security, cause substantial loss/damage to the national interest or dignity, and would provide substantial benefit to foreign authorities.
5) Top Secret: Official documents/information which, if exposed without authorisation, would cause extreme loss/damage to the nation.

5.6 Information Handling
1) The asset owner should determine the classification of information.
2) The handling of the information in any form depends on the classification of the information defined by the asset owner.
3) Sufficient security measures for classified information are required to protect the confidentiality, integrity and availability of the information.
4) The existing or planned operating procedures should consider all users who are allowed to view classified information.
5) Users should have knowledge of those who may endanger the security of classified information and must abide by the guidelines or procedures to prevent those people from viewing it.
6) Adequate authorisation and access control should be implemented:
a) to prevent unauthorised people from viewing classified information;
b) at a strength that depends on the level of classification of the information;
c) so that the School ICT Coordinator and information owner can determine the access rights of users who have access to classified information.
7) The following provides the information handling guide for each lifecycle stage of the information, starting from its creation until destruction.
Table 1: Information Handling

The table gives, for each handling activity, the requirement that applies to Top Secret, Secret, Confidential and Restricted information, and the requirement that applies to Public information.

Labelling

Electronic Media Labelling
Top Secret / Secret / Confidential / Restricted: 1) Labelled as 'Top Secret' or 'Secret' or 'Confidential' or 'Restricted'.
Public: Not required.

Hardcopy Labelling
Top Secret / Secret / Confidential / Restricted: 1) Labelled as 'Top Secret' or 'Secret' or 'Confidential' or 'Restricted' on the front and back covers, and on every page of the document. See Arahan Keselamatan – Clause 48-52. 2) Labelled with a reminder. See Arahan Keselamatan – Clause 53.
Public: Not required.

Reference
Top Secret / Secret / Confidential / Restricted: The owners of the respective information should work together with the school's administrative personnel to define the reference number for each document produced.
Public: Not required.

Storage

Storage on Fixed Media
Top Secret / Secret / Confidential / Restricted: Encrypted where applicable, or other compensating controls such as access controls, password management and other network controls.
Public: Not required.

Storage on Exchangeable Media
Top Secret / Secret / Confidential / Restricted: Encrypted where applicable, or other compensating controls such as access controls, password management and other network controls.
Public: Not required.

Physical Storage
Top Secret / Secret: 1) Strong room or safe with locks. 2) Work in progress can be kept in a cabinet (iron) with locks. 3) See Arahan Keselamatan – Clause 58-60.
Confidential / Restricted: 1) Cabinet (iron). 2) See Arahan Keselamatan – Clause 58-60.
Public: No special storage required.

Sending / Transmission / Processing

Sending Documents
Top Secret / Secret / Confidential / Restricted: 1) Acknowledgement on receipt of document (2 copies) needs to be prepared. 2) Mail packaging for documents carried securely: a) only one (1) envelope with marking, reference number, name and address; b) the envelope must be sealed. 3) Mail packaging for documents carried unsecurely: a) two (2) envelopes required; b) internal envelope with marking, reference number, name and address; c) external envelope with name and address, and it must be sealed. 4) See Arahan Keselamatan – Clause 61-65.
Public: Not required.

Faxing / Telephone / Telegraph
Top Secret / Secret / Confidential / Restricted: 1) Not allowed. 2) See Arahan Keselamatan – Clause 66.
Public: No restriction.

Carrying Documents Out from the Office
Top Secret / Secret: 1) Written approval from the Secretary General of the Ministry of Education. 2) See Arahan Keselamatan – Clause 67.
Confidential / Restricted: 1) Written approval from the Head of Department is required. 2) See Arahan Keselamatan – Clause 67.
Public: No restriction.

Sending via Public Network
Top Secret / Secret / Confidential / Restricted: 1) Encryption where applicable.
Public: Not required.

Copying
Top Secret / Secret / Confidential / Restricted: 1) Authorisation from the information owner is required. 2) Tracking of the number of copies issued is required. 3) See Arahan Keselamatan – Clause 55-57.
Public: No restriction.

Release to Third Parties

Release to Third Parties
Top Secret / Secret / Confidential / Restricted: 1) Not to be released to other countries without the approval of the Government of Malaysia. 2) Release to third parties should be restricted based on the need for such access and is authorised by the information owner. 3) Release to the press is not allowed without approval from the information owner. 4) See Arahan Keselamatan – Clause 68-70.
Public: Ordinary trash.

Granting of Access Rights

Granting of Access Rights
Top Secret / Secret / Confidential / Restricted: 1) Access rights are granted by the information owner. 2) The access control is to be implemented by the School ICT Coordinator.
Public: No restriction.

Disposal

Physical Disposal
Top Secret / Secret / Confidential / Restricted: 1) Not allowed unless explicitly instructed by the information owner. Total destruction must be performed. 2) Disposal must be logged. 3) Document must be shredded. 4) See Arahan Keselamatan – Clause 71-74.
Public: Ordinary trash.

Electronic Disposal
Top Secret / Secret / Confidential / Restricted: Secure delete.
Public: Ordinary delete.

Loss of Documents / Information

Reporting of Loss
Top Secret / Secret / Confidential / Restricted: 1) Loss of documents/information should be reported immediately to the school administrator, within 24 hours. 2) An investigation should be warranted to estimate the impact of such losses. If necessary, a report to external parties such as the police should be made. 3) See Arahan Keselamatan – Clause 75-76.
Public: Not required.
GLOSSARY

Alphanumeric characters: Consist of the union of the set of alphabetic characters and the set of numeric characters.

Availability: This is the effect on the system and/or the organisation that would result from deliberate or accidental denial of the asset's use. If a mission-critical system is unavailable to its end users, the organisation's mission may be affected. Loss of system functionality and operational effectiveness, for example, may result in loss of productive time, thus impeding the end users' performance of their functions in supporting the organisation's mission.

Broadband: A type of data transmission in which a single medium (wire) can carry several channels at once.

Confidentiality: This is the effect on the system and/or the organisation that would result from the deliberate, unauthorised or inadvertent disclosure of the asset. The effect of unauthorised disclosure of confidential information can result in loss of public confidence, embarrassment, or legal action against the organisation.

E-mail: Short for electronic mail; the transmission of messages, to one or many recipients, over communication networks.

Encryption: The translation of data into secret text (gibberish) that is not readable by unauthorised parties.

Exchangeable media: Material used to store data that can be taken out of a machine. Examples include floppy disc, magnetic tape and compact disc.

Firewall: A system designed to prevent unauthorised access to or from a private network.

Fixed media: Mass storage in which the material that holds data is a permanent part of the device. An example is a hard drive.

Information owner: The individual, division, department or unit that is referred to as the proprietor of an asset.

Integrity: This is the effect on the system and/or the organisation that would result from the deliberate, unauthorised or inadvertent disclosure of the asset. The effect of unauthorised disclosure of confidential information can result in loss of public confidence, embarrassment, or legal action against the organisation.

Internet: A global network connecting millions of computers.

Local Area Network: A network of computers confined within a small area such as an office building or school.

Malicious code: A programme or piece of code that is loaded onto the computer without the owner's knowledge and runs against the owner's wishes. Examples include virus, worm and Trojan horse.

Malicious software: A programme or piece of code that is loaded onto the computer without the owner's knowledge and runs against the owner's wishes. Examples include virus, worm and Trojan horse.

Mobile Computing: Portable computing devices that can connect by cable, telephone wire, wireless transmission, or via any Internet connection to any network infrastructure and/or data systems. Examples of mobile computing devices include notebooks, palmtops, laptops and mobile phones.

Password: One of the means of user authentication. A password consists of a series of characters entered by the user to gain access to the system.

School ICT Coordinator: A person who is appointed by the school to be in charge of the management and coordination of the school ICT infrastructure.

Secure delete: Assures the total wipe-out of magnetically recorded information.

Social Engineering: In the field of computer security, social engineering is the practice of obtaining confidential information by manipulation of legitimate users.

Spam: Electronic junk mail, or more generally, unsolicited e-mail.

Trojan horse: A Trojan Horse portrays itself as something other than what it is at the point of execution. While it may advertise its activity after launching, this information is not apparent to the user beforehand. A Trojan Horse neither replicates nor copies itself, but causes damage or compromises the security of the computer. A Trojan Horse must be sent by someone or carried by another program and may arrive in the form of a joke program or software of some sort. The malicious functionality of a Trojan Horse may be anything undesirable for a computer user, including data destruction or compromising a system by providing a means for another computer to gain access, thus bypassing normal access controls.

Users: Residents of schools who are using the ICT facilities provided; for example, teachers, students, clerks, administrators and others.

Virus: A virus is a program or code that replicates itself onto other files with which it comes in contact; that is, a virus can infect another programme, boot sector, partition sector, or a document that supports macros, by inserting itself or attaching itself to that medium. Most viruses only replicate, though many can do damage to a computer system or a user's data as well.

Wireless: A method of communication that uses radio waves to transmit data between devices.

Worm: A worm is a programme that makes and facilitates the distribution of copies of itself; for example, from one disk drive to another, or by copying itself using e-mail or another transport mechanism. The worm may do damage and compromise the security of the computer. It may arrive via exploitation of a system vulnerability or by clicking on an infected e-mail.
References

1) Malaysian Public Sector Management of Information & Communications Technology Security Handbook (MyMIS).
2) Pekeliling Kemajuan Pentadbiran Awam Bilangan 1 Tahun 2003 - Garis Panduan Mengenai Tatacara Penggunaan Internet Dan Mel Elektronik Di Agensi-agensi Kerajaan.
3) Buku Arahan Keselamatan.
4) Prosedur dan Dasar Pengurusan Keselamatan Sekolah Bestari Versi 2.0.

Enquiries

Enquiries about this document should be directed to:

Director
Educational Technology Division
Ministry Of Education
Pesiaran Bukit Kiara
50604 Kuala Lumpur
(Attn: Infrastructure and Repository Sector)
Tel.: 03-2098 7768/6245
Fax: 03-2098 6242
E-mail: sir@moe.edu.my
CONTRIBUTORS

ADVISOR
Dato' Haji Yusoff bin Harun, Director, Educational Technology Division

EDITORIAL BOARD
Khalidah binti Othman, Educational Technology Division
Chan Foong Mae, Educational Technology Division
Anthony Gerard Foley, Educational Technology Division
Haji Mohd Azman bin Ismail, Educational Technology Division
Mohd Arifen bin Naim, Educational Technology Division
Yap Ley Har, Educational Technology Division
Junainiwati binti Mohd Deris, Educational Technology Division
Roimah binti Dollah, Educational Technology Division
Nik Fajariah binti Nik Mustaffa, Educational Technology Division
Rozina binti Ramli, SMK Aminuddin Baki, Kuala Lumpur
Nirmal Kaur, SMK Victoria, Kuala Lumpur
Mohd Hisham bin Abdul Wahab, SMK(L) Methodist, Kuala Lumpur
Ab. Aziz bin Mamat, Sekolah Seri Puteri, Selangor
Abd Aziz bin Mohd Hassan, SMK USJ 8, Selangor
Widiana binti Ahmad Fazil, SMK Pandan Jaya, Selangor
Rogayah binti Harun, Kolej Tunku Kurshiah, Negeri Sembilan
Mohd Zali bin Zakri, SM Sains Tuanku Jaafar, Negeri Sembilan
Jaya Lakshmi a/p Mutusamy, SMK(A) Persekutuan Labu, Negeri Sembilan
Azmi bin Abdul Latiff, SMK(A) Persekutuan Labu, Negeri Sembilan
Haji Zulkiflee bin A. Rahman, SM Teknik Muar, Johor
Daud bin Yusof, SMK Buluh Kasap, Johor