8/8/2019 ICT Security Management Handbook For Schools
ICT SECURITY MANAGEMENT HANDBOOK
Educational Technology Division
Ministry of Education
October 2005
MINISTRY OF EDUCATION MALAYSIA
ISBN: 983-3244-27-0
FIRST EDITION: OCTOBER 2005
Copyright 2005 Educational Technology Division, Ministry of Education
All rights reserved, except for educational purposes with no commercial interests. No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording or by any information storage or retrieval system, without prior permission from the Director-General of Education, Ministry of Education Malaysia.
Published by
Infrastructure and Repository Sector
Smart Educational Development
Educational Technology Division
Ministry of Education
Pesiaran Bukit Kiara
50604 Kuala Lumpur
Tel: 603-2098 7768/6245
Fax: 603-2098 6242
Contents
4.2 Purpose ........................................................... 14
4.3 Responsibilities ..................................................14
4.4 Use Of Mobile Computing Devices ........................ 15
4.5 Physical Security ................................................15
4.6 Configuration Changes ....................................... 16
4.7 Connecting Mobile Computing Devices To Unsecured Networks ........ 17
5 Information Classification And Handling ................ 18
5.1 Introduction ......................................................18
5.2 Purpose ............................................................18
5.3 Responsibilities ..................................................18
5.4 Scope Of Coverage ............................................ 19
5.5 Information Classification ....................................19
5.6 Information Handling ..........................................20
Glossary ......................................................................... 27
References ..................................................................... 31
Enquiries ........................................................................ 31
Contributors ................................................................... 32
Background
The ICT Security Management Handbook is a new handbook, updated and adapted from the Smart School Security Management Policies and Procedures Version 1.0 published under the Smart School Pilot Project in the year 2000. The original document was first reviewed in 2001.
Users of the first and second editions of this handbook will realise that the text has been completely revised; a major part of the revision being the separation of the content into two new documents, one for the School ICT Coordinators and another for other users.
This ICT Security Management Handbook is based on the ICT security management information contained in the Malaysian Public Sector Management of Information & Communications Technology Security Handbook published by MAMPU.
Foreword
I would like to congratulate the Handbook Committee, coordinated by the Educational Technology Division, for their dedication in completing this informative handbook. Their commitment in the preparation of this handbook is highly commended.
This handbook is meant to give thorough and concise guidelines on ICT Security Management. It is hoped that the guidelines and procedures listed are useful to all readers.
I would also like to thank all teachers involved for their invaluable contribution to this handbook, an important contribution to the ICT landscape of schools.
(DATO' DR. HJ. AHAMAD BIN SIPON)
Director-General of Education
Ministry of Education Malaysia
Preface
This handbook gives a brief overview of ICT Security Management for all schools in Malaysia.
This handbook is meant to be a useful source of reference for all schools in implementing effective ICT security management. Although there can be no guarantee of absolute security within an international electronic works environment, using the guidelines in this handbook should mitigate many of the risks to which ICT-based systems are exposed.
I wish to congratulate the committee and all others involved in producing this handbook.
(DATO' HJ. YUSOFF BIN HARUN)
Director
Educational Technology Division
Ministry of Education
Introduction
This handbook has been adapted from the Malaysian Public Sector Management of Information & Communications Technology Security Handbook produced by MAMPU, and the Smart School Security Management Policies and Procedures Version 1.0 produced by the Smart School Pilot Project Team of the Ministry of Education.
The content is arranged by topic to help users practise security management systematically and effectively. The content of each topic has been arranged so that the steps listed are easy to follow and provide comprehensive guidance on ICT security management.
Each topic in this handbook starts with an introduction and purpose, followed by guidelines which provide an overview of ICT security management. Using these guidelines, users should be able to practise ICT security effectively.
The ICT Security Management Handbook will help widen readers' knowledge and create awareness of ICT security management.
A glossary is included for better understanding of the content.
1 Acceptable Internet And E-Mail Usage
1.1 Introduction
The advancement of information and communications technology (ICT) allows information to be sent and received rapidly. This facility has put Internet and electronic mail (e-mail) usage on the rise. Electronic communication is now widely used as an alternative medium for sharing information.
However, uncontrolled use of Internet and e-mail services may expose us to various security threats. Hence, security protection needs to be in place to ensure the confidentiality, integrity and availability of information.
1.2 Purpose
The purpose of this section is to outline the acceptable use of Internet and e-mail services in schools. These rules should be put in place to protect all school residents. Inappropriate use may expose schools to risks, including virus attacks, compromise of network systems and services, and legal issues.
1.3 Responsibilities
All school residents who are given access to the school ICT system are required to comply with the rules and regulations contained in this section.
1.4 Internet Usage
1) The school electronic communication system and ICT facilities are provided to facilitate and improve the administration and operations of the school. Users should be aware that the data they create and the systems they use remain the property of the Government of Malaysia.
2) Web surfing should be restricted to work-related matters or other purposes authorised by the School Head.
3) Users are advised to verify the integrity and accuracy of materials downloaded from the Internet. These materials have to be scanned to ensure that they are free from malicious code.
4) Materials downloaded from the Internet (e.g. software) should be vetted to avoid infringement of copyright. Users should cite references for all Internet materials used.
5) Information to be uploaded to the Internet should be reviewed by the School ICT Coordinator and authorised by the School Head.
6) Only authorised officers are allowed to participate in online public forums such as newsgroups or bulletin boards. Users who participate in such forums should exercise good judgement on the information shared, as they represent the public image of the school, the Ministry of Education and the Government of Malaysia.
7) Users are prohibited from the following:
a) Violating the rights of any person or company protected by copyright, trade secret, patent or other intellectual property law, or similar laws or regulations, including, but not limited to, the installation or distribution of pirated software or software that is not appropriately licensed for use by the school.
b) Uploading, downloading, storing or using unlicensed software.
c) Uploading, downloading or sending files greater than 2 MB that may paralyse the computer network and pre-empt other official activities.
d) Preparing, uploading, downloading and storing speeches, images or other materials that may:
i) be construed as sexual, ethnic or racial harassment;
ii) cause chaotic situations of any form, such as rumour mongering, defamation or instigation; and
iii) tarnish the reputation of the school, the Ministry of Education or the Government of Malaysia.
e) Engaging in non-work related activities (commercial, political or others) which interfere with staff productivity and consume more than a trivial amount of resources, such as:
i) online chatting; and
ii) downloading, storing and using entertainment software such as that for playing games, videos or songs.
f) Engaging in criminal activities such as spreading materials involving gambling, weaponry and terrorism.
g) Misusing online public forums such as newsgroups and bulletin boards.
8) Users are not allowed to engage in unauthorised online activities such as hacking, sniffing, hijacking or giving fraudulent information.
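The integrity check that rule 3 above asks for, written out as an added example (this code is not part of the handbook): a download is compared against a published SHA-256 checksum list in the format the sha256sum tool writes ("<64 hex digits>  <filename>"). The file body and the checksum line here are constructed for the example; a malformed list entry is rejected rather than skipped, and a file that is not listed at all fails the check.

```python
"""Added example (not from the handbook): verify a downloaded file against a
published SHA-256 checksum list before it is used (section 1.4 rule 3).
SAMPLE_FILE and SAMPLE_CHECKSUMS are constructed for this example."""
import hashlib
import hmac
from pathlib import Path

# Constructed sample: a tiny "download" and the checksum line that would be
# published alongside it. The digest is SHA-256 of the 11-byte body.
SAMPLE_FILE = b"hello world"
SAMPLE_CHECKSUMS = (
    "# checksums published alongside the download (constructed)\n"
    "b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9  lesson-plan.txt\n"
)
HEX_DIGITS = set("0123456789abcdef")


def parse_checksum_list(text: str) -> dict[str, str]:
    """Map filename -> expected hex digest from sha256sum-style lines.
    Malformed lines raise instead of being skipped, so a damaged or tampered
    list cannot quietly drop the entry we are about to rely on."""
    expected: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, sep, name = line.partition("  ")
        digest = digest.lower()
        if not sep or len(digest) != 64 or not set(digest) <= HEX_DIGITS or not name:
            raise ValueError(f"malformed checksum line: {raw!r}")
        # sha256sum marks binary-mode entries with a leading '*'
        expected[name.lstrip("*")] = digest
    return expected


def sha256_of_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """Stream the file so a large download is not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(name: str, data: bytes, checksum_text: str) -> bool:
    """True only if `name` is listed and `data` hashes to the listed digest.
    A file missing from the list is a failure, not a pass."""
    expected = parse_checksum_list(checksum_text)
    if name not in expected:
        return False
    # constant-time comparison; cheap here, and the habit carries over to
    # comparisons where timing actually matters
    return hmac.compare_digest(sha256_of_bytes(data), expected[name])


if __name__ == "__main__":
    ok = verify_download("lesson-plan.txt", SAMPLE_FILE, SAMPLE_CHECKSUMS)
    print("lesson-plan.txt:", "integrity OK" if ok else "REJECT")
```

A checksum fetched from the same server as the file only proves the transfer was not corrupted; if the server was compromised, the attacker replaced the checksum too. For authenticity, obtain the digest over an independent channel or verify a publisher signature. Scanning the file for malicious code, the second sentence of rule 3, is a separate step that this check does not replace.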
1.5 E-Mail
1) E-mail allows users to communicate with each other in the form of electronic messages. The use of e-mail is becoming more prevalent as it allows more effective two-way communication.
2) All residents of a school are given e-mail accounts for the purpose of official correspondence. An example of an e-mail address is [email protected].
3) The use of the e-mail service is subject to the rules stipulated in this section, and the School ICT Coordinator has the right to revoke such usage if users do not comply with the rules.
4) E-mail is one of the official communication channels within the school. As such, it has to be composed with care. For example, writing in upper case is not encouraged as it is considered inappropriate. Users are advised to compose e-mail using simple, courteous and correct language. Users should ensure that the subject corresponds with the content of the e-mail.
5) All official correspondence has to be sent via the official e-mail account. Users should ensure that the recipient's e-mail address is entered correctly before sending the e-mail. Carbon copy (cc) can be used when the e-mail needs to reach other recipients. However, blind carbon copy (bcc) is not encouraged.
6) Users are not allowed to send e-mail attachments greater than 2 MB. Appropriate compression utilities such as WinZip should be used to reduce the size of the attachment.
7) Users should refrain from opening e-mail from unknown or suspicious senders.
8) Users should scan all attachments prior to opening them.
9) E-mail is not encrypted by default. Users are prohibited from sending sensitive information unless it has first been encrypted. Please refer to the Information Handling Procedure for details.
10) Users should verify the identity of the people with whom they communicate and exchange information via e-mail. This is to protect information from any form of misuse.
11) All official e-mail sent or received should be archived accordingly. The user is encouraged to archive the e-mail on other storage media, such as diskettes, for safety reasons.
12) Unimportant e-mail that is no longer needed or has no archival value should be deleted.
13) Users are prohibited from the following:
a) sharing e-mail accounts;
b) using fake accounts and purporting to be valid senders;
c) using e-mail for commercial or political purposes;
d) sending or possessing materials that are against the law or cause sexual, ethnic or racial harassment;
e) spamming; and
f) introducing or spreading malicious code such as viruses, worms and Trojan horses that will disrupt the network.
2 Choosing Quality Passwords
2.1 Introduction
Passwords are one of the principal means of validating a user's authority to access a computer system. Therefore, users should be aware of their responsibilities in maintaining effective access controls, particularly regarding the use of passwords. Given the number of passwords that one has to keep track of, it is crucial that the passwords selected are easy to remember and follow good security practices. This section provides some good password security practices that all school users are expected to follow.
2.2 Purpose
The main purpose of this section is to ensure that registered school users follow best practices in selecting and using passwords for all application and network systems to which they have access.
2.3 Responsibilities
All school residents who are given access to the school ICT system should comply with the guidelines stipulated in this section.
2.4 Compromise Of Passwords
Over time, passwords may be compromised in many ways. The following are some examples of how passwords are compromised.
1) Users share them with friends or co-workers.
2) Written-down passwords are exposed to others.
3) Passwords are guessed, either by other users or by password-guessing software.
4) The servers that store passwords are compromised, and the passwords are accessed by intruders.
5) Transmitted passwords are intercepted and recorded by an intruder.
6) Users are tricked into providing their passwords to intruders through social engineering.
2.5 General Password Rules
1) Passwords are to be kept strictly confidential and are not to be shared. Do not disclose your password to anyone at any time.
2) Do not write your password down or leave it unsecured.
3) Do not leave a computer session unattended unless it is locked and password-protected. Never leave a computer idle for long periods of time; shut it down and reboot when necessary.
4) If you suspect that anyone has gained access to your password, contact the School ICT Coordinator immediately to request a password reset.
5) After three (3) unsuccessful attempts to enter the password, the user shall be locked out of the system for a set period of time. Intervention of the School ICT Coordinator will be required to reset the password.
2.6 Password Composition Rules
One of the primary weaknesses of passwords is that they may be guessed. While a person may give up after guessing ten or a hundred possible passwords, there is software that can easily try millions of combinations and break a weak password. Good password composition rules are as follows:
1) To combat password guessing attacks, users are advised to pick hard-to-guess passwords.
2) Users are required to choose their passwords from the widest set of characters, subject to the constraints of the systems on which those passwords reside.
3) Passwords should be at least eight (8) characters long and mix upper- and lower-case letters, digits and, where the system allows, symbols (e.g. p@S5w07D).
2.7 Changing And Reusing Passwords
1) All default passwords should be changed at the first log on.
2) To limit the possibility of passwords being compromised, a practical solution is to change them regularly, at least once every 180 days, and preferably more frequently.
3) Users should not reuse old passwords, as they may already have been compromised.
4) In particular, reuse of any of a user's last four passwords should be avoided altogether.
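The rules in sections 2.5 (lockout after three failures), 2.6 (composition) and 2.7 (no reuse of the last four passwords) are concrete enough to enforce in code. The following is an added example, not code from the handbook: it makes "widest set of characters" concrete as a minimum of three character classes, estimates how much harder a wider character set makes guessing, keeps the password history as salted hashes rather than plaintext (so the history file itself cannot leak old passwords), and implements the three-strike lockout. The PBKDF2 iteration count and the small denylist are illustrative assumptions, not values from the handbook.

```python
"""Added example (not from the handbook): enforce the password rules of
sections 2.5, 2.6 and 2.7. Assumed parameters: minimum length 8 and at
least three character classes (2.6), last four passwords blocked (2.7),
lockout after three failed logins until a reset (2.5). PBKDF2_ROUNDS and
COMMON_PASSWORDS are illustrative assumptions."""
import hashlib
import hmac
import math
import os
import string

MIN_LENGTH = 8            # section 2.6 rule 3
MIN_CLASSES = 3           # assumption: "widest set of characters" made concrete
HISTORY_DEPTH = 4         # section 2.7 rule 4
MAX_FAILURES = 3          # section 2.5 rule 5
PBKDF2_ROUNDS = 50_000    # assumption; production deployments use more
# Tiny illustrative denylist; a real deployment checks a breached-password list.
COMMON_PASSWORDS = {"password", "p@ssw0rd", "abcd1234", "12345678"}

CHARACTER_CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}


def classes_used(password: str) -> set[str]:
    return {name for name, chars in CHARACTER_CLASSES.items()
            if any(c in chars for c in password)}


def composition_errors(password: str) -> list[str]:
    """Return the rules the password breaks; an empty list means accepted."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append(f"shorter than {MIN_LENGTH} characters")
    if len(classes_used(password)) < MIN_CLASSES:
        errors.append(f"uses fewer than {MIN_CLASSES} character classes")
    if password.lower() in COMMON_PASSWORDS:
        errors.append("is a well-known password")
    return errors


def search_space_bits(password: str) -> float:
    """Work for a brute-force attacker who knows which classes were used:
    length * log2(pool size). Eight lower-case letters give about 38 bits;
    the same length drawn from all four classes gives about 52."""
    pool = sum(len(CHARACTER_CLASSES[name]) for name in classes_used(password))
    return len(password) * math.log2(pool) if pool else 0.0


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class PasswordHistory:
    """Salted hashes of the last HISTORY_DEPTH passwords; plaintext is never kept."""

    def __init__(self) -> None:
        self._entries: list[tuple[bytes, bytes]] = []   # (salt, digest), newest last

    def was_used_recently(self, password: str) -> bool:
        return any(hmac.compare_digest(hash_password(password, salt), digest)
                   for salt, digest in self._entries)

    def record(self, password: str) -> None:
        salt = os.urandom(16)
        self._entries.append((salt, hash_password(password, salt)))
        del self._entries[:-HISTORY_DEPTH]   # keep only the newest HISTORY_DEPTH


def change_password(history: PasswordHistory, new_password: str) -> list[str]:
    """Apply composition and reuse rules; record the password only if it passes."""
    errors = composition_errors(new_password)
    if history.was_used_recently(new_password):
        errors.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    if not errors:
        history.record(new_password)
    return errors


class LoginGuard:
    """Three wrong passwords lock the account until the School ICT Coordinator
    resets it (section 2.5 rule 5); a correct login clears the counter."""

    def __init__(self) -> None:
        self.failures = 0
        self.locked = False

    def attempt(self, password_correct: bool) -> bool:
        """Return True if the login is accepted."""
        if self.locked:
            return False
        if password_correct:
            self.failures = 0
            return True
        self.failures += 1
        self.locked = self.failures >= MAX_FAILURES
        return False

    def coordinator_reset(self) -> None:
        self.failures = 0
        self.locked = False


if __name__ == "__main__":
    for pw in ("p@S5w07D", "abcdefgh", "p@ssw0rd"):
        print(f"{pw!r}: {composition_errors(pw) or 'OK'}, "
              f"{search_space_bits(pw):.1f} bits")
```

The history check costs one PBKDF2 computation per stored entry, which is the point: the same slowness that protects stored hashes against an attacker who steals the history file is what makes a four-entry history affordable. The search-space figure is an upper bound; it says nothing about a password that is in a dictionary, which is why the denylist check comes first.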
3 Physical Security For The ICT Infrastructure
3.1 Introduction
Physical security is the first layer of defence in any ICT security architecture. The need to physically protect assets from real or perceived threats cannot be overlooked or substituted by other security disciplines. There is no substitute for good physical security control.
3.2 Purpose
The purpose of these guidelines is to prevent unauthorised access, damage and interference to the ICT infrastructure that could result in disruption or damage to the school's information assets.
3.3 Responsibilities
All school residents who are given access to the ICT infrastructure are required to observe these guidelines.
3.4 Working In The ICT Infrastructure
1) All computing facilities provided by the school are used to facilitate the daily operations and learning activities of the school residents. Therefore, only authorised users such as teachers, students and staff of the school are allowed to use these computing facilities.
Third parties (non-school residents) who wish to use such facilities should be authorised by the School Head.
2) Visitors or users of the computer laboratory, media centre and access centre should log their names, date, time and duration of access in the log book.
3) All students using the computer laboratory should be accompanied by a teacher. Students who need to use the computers in the computer laboratory without the supervision of a teacher should obtain permission from authorised personnel.
4) After school hours, access to the computer laboratory must be controlled and monitored.
5) Third parties such as vendors who provide maintenance services for the equipment should be escorted or supervised at all times while in the ICT infrastructure.
6) Doors and windows of the computer laboratory should be locked when unattended.
7) No food or drinks are allowed in the ICT infrastructure.
8) Visitors or users of the computer laboratory should take off their shoes (if necessary) to ensure the cleanliness of the place.
9) Users should shut down the system properly to prevent computer damage.
10) Users should log off the system to prevent unauthorised users from accessing it.
11) Users should keep the ICT infrastructure clean and tidy at all times.
12) Users are not allowed to take out any equipment or devices belonging to the school. Anyone found stealing or attempting to steal will be subject to disciplinary action.
13) Users are not allowed to relocate equipment (e.g. swapping monitors), repair faulty equipment or change the configuration of the system without authorisation from the School ICT Coordinator or authorised school personnel.
14) Users should report to the School ICT Coordinator or assigned school personnel when they notice security incidents or potential security incidents. These include break-ins, thefts, and hardware and software failures.
15) Users should prevent computer overheating by not covering the computer and monitor vents.
16) Facilities such as air conditioners and lights should be used properly. Users are required to switch on these facilities when using the computer laboratory. Similarly, these facilities should be switched off after use.
4 Mobile Computing
4.1 Introduction
Technological advancement has made mobile computing devices available to a wide audience, and these devices are increasingly used for convenient access to information. The prevalence of mobile computing devices has opened up various security risks that could compromise the confidentiality, integrity and availability of information. The very nature of mobile computing devices means that they are at greater risk of theft than their less portable counterparts. The latter are normally located in secure premises with good physical security, whereas mobile computing devices normally reside outside an organisation's physical security perimeter. This section aims to establish procedural guidance to be observed by users of mobile computing devices.
4.2 Purpose
This section is established to ensure information and physical security when using mobile computing devices.
4.3 Responsibilities
All school residents who use mobile computing devices for processing school information are required to adhere to the guidelines outlined in this section.
4.4 Use Of Mobile Computing Devices
1) The use of personal mobile computing devices such as laptops, tablet PCs, palmtops and smart phones for processing school information is prohibited unless they have first been authorised by the school administrator and configured with the necessary security controls, such as anti-malware software or a personal firewall, under the guidance of the School ICT Coordinator.
2) Third-party mobile computing devices (owned by contractors or vendors) should not be connected to the school network or granted access without first being authorised by the school administrator and configured with the necessary security controls under the guidance of the School ICT Coordinator. This is to prevent virus infection of the school network.
3) All Ministry of Education owned mobile computing devices should be installed with the necessary security controls, such as anti-malware software, before they are released to users. Such devices should be configured to receive security updates from the server automatically.
4) Use of mobile computing devices is subject to the Acceptable Internet and E-mail Usage rules in section 1.
4.5 Physical Security
1) Mobile computing devices should be physically protected against theft, especially when left in cars and other forms of transport, hotel rooms, conference centres and meeting places.
2) Mobile computing devices carrying important, sensitive or confidential information should not be left unattended and, where possible, should be physically locked.
3) When such devices are used in public places, care should be taken to avoid the risk of accidental disclosure of information to unauthorised persons.
4) Mobile users should report any damage to or loss of Ministry of Education assets to the School ICT Coordinator or school administrator immediately.
5) The movement of all mobile computing devices owned by the Ministry of Education should be recorded.
4.6 Configuration Changes
1) Users should not change the configuration or system settings of mobile computing devices supplied by the Ministry of Education except for official and authorised purposes, such as configuring the network settings (IP address, DNS address, etc.) for the existing network environment.
2) Mobile computing devices supplied by the Ministry of Education should not be altered in any way (e.g. processor upgrade, memory expansion or extra circuit boards). If any changes in software or hardware are required, users should seek authorisation from the School ICT Coordinator. Only the School ICT Coordinator is allowed to make such changes.
4.7 Connecting Mobile Computing Devices To Unsecured Networks
1) The school network is a protected environment in which mobile computing devices are shielded from malicious software by the network's perimeter controls and by the regular deployment of security updates. Networks outside the perimeter of the school, whether a wireless local area network at an airport or a broadband Internet connection at home, are considered unsecured networks. In this sort of environment the device is connected directly to the Internet with none of the protections, such as firewalls, in place. This exposes the device to a great range of threats, including direct attacks from entities on the Internet, whether they be users or malicious code.
2) Users should refrain from connecting to unsecured networks, as this may expose sensitive information to unauthorised parties.
3) If such a connection is deemed necessary, users should consider encrypting sensitive information to prevent unauthorised disclosure. Data encryption also offers the best protection against the dissemination of sensitive information from lost or stolen devices: information protected by strong, well-implemented encryption can be rendered useless to a thief.
5 Information Classification And Handling
5.1 Introduction
Information must be handled appropriately to ensure that its confidentiality, integrity and availability are not compromised. Information classification and handling activities are performed to safeguard national secrets. Information of different classifications is often kept (and should be kept) segregated. The possible impact on schools and the Ministry of Education of the disclosure or alteration of information varies with the type of information. Hence, the effort and cost warranted for protection against these risks vary accordingly. Some basis is therefore required to determine which security measures are applicable to the different types of information.
5.2 Purpose
The main purpose of this section is to provide guidelines for the classification of information and the appropriate set of procedures for handling information in accordance with the classification scheme defined.
5.3 Responsibilities
All school residents who are given access to classified information are required to comply with this section.
5.4 Scope Of Coverage
All school information is bound by this section irrespective of:
1) the way the information is represented (written, spoken, electronic or other forms);
2) the technology used to handle the information (e.g. file cabinets, fax machines, computers and local area networks);
3) the location of the information (e.g. in the office, computer lab or server room); and
4) the stage of the information's lifecycle (e.g. origin, entry into a system, processing, dissemination, storage and disposal).
5.5 Information Classification
According to the government's Arahan Keselamatan (Security Directive), information is classified into five levels:
1) Public: Official documents/information available for public knowledge, viewing or usage.
2) Restricted: Official documents/information other than those classified as Top Secret, Secret or Confidential, but which still require a level of security protection. Refer to Table 1: Information Handling.
3) Confidential: Official documents/information which, if exposed without authorisation, even though it does not endanger national security, could have an impact on the national interest or dignity, the activity of the government or
the individual; would cause embarrassment or difficulty to the current administration; and would benefit foreign authorities.
4) Secret: Official documents/information which, if exposed without authorisation, would endanger national security, cause substantial loss or damage to the national interest or dignity, and would provide substantial benefit to foreign authorities.
5) Top Secret: Official documents/information which, if exposed without authorisation, would cause extreme loss or damage to the nation.
5.6 Information Handling
1) The asset owner should determine the classification of information.
2) The handling of the information, in any form, depends on the classification of the information defined by the asset owner.
3) Sufficient security measures for classified information are required to protect the confidentiality, integrity and availability of the information.
4) Existing or planned operating procedures should take into account all users who are allowed to view classified information.
5) Users should be aware of those who may endanger the security of classified information and must abide by the guidelines and procedures that prevent such people from viewing it.
6) Adequate authorisation and access control should be implemented:
a) to prevent unauthorised people from viewing classified information;
b) in proportion to the level of classification; and
c) so that the School ICT Coordinator and information owner can determine the access rights of users who have access to classified information.
7) The following table provides the information handling guide for each stage of the information lifecycle, from creation to destruction.
Table1:InformationHandling
TopSecret
Secret
Confidential
R
estricted
Public
Labe
lling
Elect
ronic
Media
Labe
lling
1)
Labelle
dasTopSecretorSe
cretorConfidentialor
Restricted.
Not
required
Hard
copy
Labe
lling
1)
Labelle
dasTopSecretorSe
cretorConfidentialor
Restrictedonthefrontandbackcovers,andeveryp
ageofthe
document.SeeArahanKesela
matanClause48-52.
2)
Labelle
dwithareminder.See
ArahanKeselamatan
Clause
53.
Not
required
Reference
Theownersoftherespectiveinfo
rmationshouldworktogetherwith
theschoolsadministrativeperson
neltodefinetherefere
ncenumber
foreachdo
cumentproduced.
Not
required
Storage
Stora
geon
Fixed
Media
Encrypted
whereapplicableoroth
ercompensatingcontro
lssuchas
accesscon
trols,passwordmanagementandothernetworkcontrols.
Not
required
Stora
geon
Exch
angeable
Media
Encrypted
whereapplicableoroth
ercompensatingcontro
lssuchas
accesscon
trols,passwordmanagementandothernetworkcontrols.
Not
required
8/8/2019 ICT Security Management Handbook For Schools
31/40
5 Information Classification And Handling
23
TopSecret
Secret
Confidential
R
estricted
Public
Physical
Stora
ge
1)
Strong
room
orsafewith
locks.
2)
Workinprogresscanbe
keptin
cabinet(iron)with
locks.
3)
SeeAr
ahanKeselamatan
Clause
5860.
1)
Cabinet(iron).
2)
SeeArahanKeselamatan
Clause5860.
Nospecial
storage
required
Send
ing/Transmission/P
rocessing
Send
ing
docu
ments
1)
Acknowledgementonreceiptofdocument(2copies)
needsto
beprepared.
2)
Mailpa
ckagingfordocuments
carriedsecurely:
a)
On
lyone(1)envelopewit
hmarking,referencenumber,
na
meandaddress.
b)
Th
eenvelopemustbesea
led.
3)
Mailpa
ckagingfordocuments
carriedunsecurely:
a)
Tw
o(2)envelopesrequire
d.
b)
Internalenvelopewithma
rking,referencenumbe
r,name
an
daddress;
c)
Externalenvelopewithna
meandaddressanditmustbe
Not
required
8/8/2019 ICT Security Management Handbook For Schools
32/40
8/8/2019 ICT Security Management Handbook For Schools
33/40
5 Information Classification And Handling
25
TopSecret
Secret
Confidential
R
estricted
Public
forsuc
haccessandisauthorisedbytheinformationowner.
3)
Releas
etopressisnotallowedwithoutapprovalfrom
the
inform
ationowner.
4)
SeeAr
ahanKeselamatanClause6870.
Gran
tingofAccessRights
Gran
ting
of
AccessRights
1)
Access
rightsaregrantedbyt
heinformationowner
2)
Theac
cesscontrolistobeimplementedbytheSchoolICT
Coordinator.
Norestrictio
n
Disposal

Physical disposal
  Top Secret / Secret / Confidential / Restricted:
    1) Not allowed unless explicitly instructed by the information owner. Total destruction must be performed.
    2) Disposal must be logged.
    3) The document must be shredded.
    4) See Arahan Keselamatan, Clauses 71-74.
  Public: Ordinary trash.

Electronic disposal
  Top Secret / Secret / Confidential / Restricted: Secure delete.
  Public: Ordinary delete.
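The electronic disposal row distinguishes "secure delete" from "ordinary delete" without saying what the difference is in practice. The following Python example is added here to illustrate it; it is not part of the handbook. An ordinary delete only removes the file's directory entry and leaves the data blocks on the medium until they are reused; a secure delete overwrites the contents and flushes them to the device before removing the name. The file name and contents used in demo() are constructed for the demonstration, and the passes parameter is an assumption of this example rather than a requirement stated by the handbook.

```python
"""Secure delete versus ordinary delete for files on fixed or exchangeable media.

Added example; not part of the handbook. File names and contents below are
constructed for the demonstration.
"""
import os
import secrets
import tempfile

CHUNK = 64 * 1024  # bytes of random data written per write() call


def ordinary_delete(path: str) -> None:
    """Remove only the directory entry.

    The data blocks remain on the medium until they happen to be reused,
    so file-recovery tools can often read the contents back.
    """
    os.remove(path)


def secure_delete(path: str, passes: int = 3) -> int:
    """Overwrite the file contents in place, then remove it.

    Each pass writes random bytes over the whole file and fsyncs, so the
    overwrite reaches the storage device before the name disappears.
    Returns the number of bytes overwritten per pass.
    """
    if passes < 1:
        raise ValueError("passes must be at least 1")
    size = os.path.getsize(path)
    # buffering=0 gives a raw file object, so writes are not held in a
    # Python-level buffer and os.fsync covers everything written so far.
    with open(path, "r+b", buffering=0) as fh:
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                buf = secrets.token_bytes(min(remaining, CHUNK))
                written = 0
                while written < len(buf):  # raw writes may be partial
                    written += fh.write(buf[written:])
                remaining -= len(buf)
            os.fsync(fh.fileno())
        # Shrink to zero so the former length is not recoverable either.
        fh.truncate(0)
        os.fsync(fh.fileno())
    os.remove(path)
    return size


def demo() -> dict:
    """Create a constructed 'Confidential' sample file, securely delete it,
    and report what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "exam-results-2005.txt")  # hypothetical name
        data = b"CONFIDENTIAL: constructed sample document\n" * 100
        with open(path, "wb") as fh:
            fh.write(data)
        existed_before = os.path.exists(path)
        overwritten = secure_delete(path, passes=3)
        return {
            "existed_before": existed_before,
            "size_before": len(data),
            "bytes_overwritten_per_pass": overwritten,
            "exists_after": os.path.exists(path),
        }


if __name__ == "__main__":
    print(demo())
```

Overwriting in place is only dependable on media that write new data to the same physical location. On solid-state drives (wear levelling), copy-on-write or journalling file systems, and anywhere snapshots or backups exist, the old blocks may survive the overwrite; for those cases the reliable controls are encryption of the medium with destruction of the key, or physical destruction of the medium, which is the same outcome the "Total destruction" requirement for paper documents aims at.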
Loss of documents / information

Reporting of loss
  Top Secret / Secret / Confidential / Restricted:
    1) Loss of documents or information should be reported immediately to the school administrator, and in any case within 24 hours.
    2) An investigation should be carried out to estimate the impact of the loss. If necessary, a report to external parties such as the police should be made.
    3) See Arahan Keselamatan, Clauses 75-76.
  Public: Not required.
GLOSSARY
Alphanumeric characters: The union of the set of alphabetic characters and the set of numeric characters.

Availability: The effect on the system and/or the organisation that would result from deliberate or accidental denial of the asset's use. If a mission-critical system is unavailable to its end users, the organisation's mission may be affected. Loss of system functionality and operational effectiveness may, for example, result in loss of productive time, thus impeding the end users' performance of their functions in supporting the organisation's mission.

Broadband: A type of data transmission in which a single medium (wire) can carry several channels at once.

Confidentiality: The effect on the system and/or the organisation that would result from the deliberate, unauthorised or inadvertent disclosure of the asset. Unauthorised disclosure of confidential information can result in loss of public confidence, embarrassment, or legal action against the organisation.

E-mail: Short for electronic mail: the transmission of messages, to one or many recipients, over communication networks.

Encryption: The transformation of data into a form that cannot be read by unauthorised parties without the corresponding key.
Exchangeable media: Material used to store data that can be taken out of a machine. Examples include floppy disc, magnetic tape and compact disc.

Firewall: A system designed to prevent unauthorised access to or from a private network.

Fixed media: Mass storage in which the material that holds data is a permanent part of the device. An example is a hard drive.

Information owner: The individual, division, department or unit that is regarded as the proprietor of an asset.

Integrity: The effect on the system and/or the organisation that would result from the deliberate, unauthorised or inadvertent modification or destruction of the asset. Unauthorised modification of information can result in wrong decisions being taken on the basis of that information, loss of public confidence, embarrassment, or legal action against the organisation.

Internet: A global network connecting millions of computers.

Local Area Network: A network of computers confined within a small area such as an office building or school.

Malicious code: A programme or piece of code that is loaded onto a computer without the owner's knowledge and runs against the owner's wishes. Examples include viruses, worms and Trojan horses.

Malicious software: Another term for malicious code; see above.
Mobile computing: Portable computing devices that can connect by cable, telephone wire, wireless transmission, or via any Internet connection to any network infrastructure and/or data systems. Examples of mobile computing devices include notebooks, palmtops, laptops and mobile phones.

Password: One of the means of user authentication: a series of characters entered by the user to gain access to a system.

School ICT Coordinator: A person appointed by the school to be in charge of the management and coordination of the school's ICT infrastructure.

Secure delete: Deletion that overwrites the stored data so that it cannot be recovered from the medium, rather than only removing the file's directory entry.

Social engineering: In the field of computer security, the practice of obtaining confidential information by manipulating legitimate users.

Spam: Electronic junk mail, or more generally unsolicited e-mail.

Trojan horse: A Trojan horse portrays itself as something other than what it is at the point of execution. While it may advertise its activity after launching, this information is not apparent to the user beforehand. A Trojan horse neither replicates nor copies itself, but causes damage or compromises the security of the computer. A Trojan horse must be sent by someone or carried by another program and may arrive in the form of a joke program or software of some sort. The malicious functionality of a Trojan horse may be anything undesirable for a computer user, including data destruction or compromising a system by providing a means for another computer to gain access, thus bypassing normal access controls.
Users: Members of the school community who use the ICT facilities provided, for example teachers, students, clerks, administrators and others.

Virus: A programme or code that replicates itself onto other files with which it comes into contact; that is, a virus can infect another programme, boot sector, partition sector, or a document that supports macros, by inserting itself into or attaching itself to that medium. Most viruses only replicate, though many can also damage a computer system or a user's data.

Wireless: A method of communication that uses radio waves to transmit data between devices.

Worm: A programme that makes and facilitates the distribution of copies of itself; for example, from one disk drive to another, or by copying itself using e-mail or another transport mechanism. The worm may do damage and compromise the security of the computer. It may arrive via exploitation of a system vulnerability or when a user opens an infected e-mail attachment.
References
1) Malaysian Public Sector Management of Information & Communications Technology Security Handbook (MyMIS).

2) Pekeliling Kemajuan Pentadbiran Awam Bilangan 1 Tahun 2003 - Garis Panduan Mengenai Tatacara Penggunaan Internet Dan Mel Elektronik Di Agensi-agensi Kerajaan (Public Administration Development Circular No. 1 of 2003 - Guidelines on Procedures for the Use of the Internet and Electronic Mail in Government Agencies).

3) Buku Arahan Keselamatan (the Government Security Directive).

4) Prosedur dan Dasar Pengurusan Keselamatan Sekolah Bestari Versi 2.0 (Smart School Security Management Procedures and Policy, Version 2.0).
Enquiries
Enquiries about this document should be directed to:

Director
Educational Technology Division
Ministry of Education
Pesiaran Bukit Kiara
50604 Kuala Lumpur
(Attn: Infrastructure and Repository Sector)

Tel.: 03-2098 7768/6245
Fax: 03-2098 6242
E-mail: [email protected]
CONTRIBUTORS
ADVISOR
Dato Haji Yusoff bin Harun Director
Educational Technology Division
EDITORIAL BOARD
Khalidah binti Othman Educational Technology Division
Chan Foong Mae Educational Technology Division
Anthony Gerard Foley Educational Technology Division
Haji Mohd Azman bin Ismail Educational Technology Division
Mohd Arifen bin Naim Educational Technology Division
Yap Ley Har Educational Technology Division
Junainiwati binti Mohd Deris Educational Technology Division
Roimah binti Dollah Educational Technology Division
Nik Fajariah binti Nik Mustaffa Educational Technology Division
Rozina binti Ramli SMK Aminuddin Baki, Kuala Lumpur
Nirmal Kaur SMK Victoria, Kuala Lumpur
Mohd Hisham bin Abdul Wahab SMK(L) Methodist, Kuala Lumpur
Ab. Aziz bin Mamat Sekolah Seri Puteri, Selangor
Abd Aziz bin Mohd Hassan SMK USJ 8, Selangor
Widiana binti Ahmad Fazil SMK Pandan Jaya, Selangor
Rogayah binti Harun Kolej Tunku Kurshiah, Negeri Sembilan
Mohd Zali bin Zakri SM Sains Tuanku Jaafar, Negeri Sembilan
Jaya Lakshmi a/p Mutusamy SMK(A) Persekutuan Labu, Negeri Sembilan
Azmi bin Abdul Latiff SMK(A) Persekutuan Labu, Negeri Sembilan
Haji Zulkiflee bin A. Rahman SM Teknik Muar, Johor
Daud bin Yusof SMK Buluh Kasap, Johor