ICT Security Management Handbook For Schools


  • 8/8/2019 ICT Security Management Handbook For Schools

    1/40

ICT SECURITY MANAGEMENT HANDBOOK

Educational Technology Division
Ministry of Education
October 2005

MINISTRY OF EDUCATION MALAYSIA


ISBN: 983-3244-27-0

FIRST EDITION: OCTOBER 2005

Copyright 2005 Educational Technology Division, Ministry of Education

All rights reserved, except for educational purposes with no commercial interests. No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording or by any information storage or retrieval system, without prior permission from the Director-General of Education, Ministry of Education Malaysia.

Published by
Infrastructure and Repository Sector
Smart Educational Development
Educational Technology Division
Ministry of Education
Pesiaran Bukit Kiara
50604 Kuala Lumpur
Tel: 603-2098 7768/6245
Fax: 603-2098 6242


Contents

4.2 Purpose .......... 14
4.3 Responsibilities .......... 14
4.4 Use Of Mobile Computing Devices .......... 15
4.5 Physical Security .......... 15
4.6 Configuration Changes .......... 16
4.7 Connecting Mobile Computing Devices To Unsecured Networks .......... 17
5 Information Classification And Handling .......... 18
5.1 Introduction .......... 18
5.2 Purpose .......... 18
5.3 Responsibilities .......... 18
5.4 Scope Of Coverage .......... 19
5.5 Information Classification .......... 19
5.6 Information Handling .......... 20
Glossary .......... 27
References .......... 31
Enquiries .......... 31
Contributors .......... 32


Background

The ICT Security Management Handbook is a new handbook, updated and adapted from the Smart School Security Management Policies and Procedures Version 1.0 published under the Smart School Pilot Project in the year 2000. The original document was first reviewed in 2001.

Users of the first and second editions of this handbook will realise that the text has been completely revised; a major part of the revision being the separation of the content into two new documents, one for the School ICT Coordinators and another for other users.

This ICT Security Management Handbook is based on the ICT security management information contained in the Malaysian Public Sector Management of Information & Communications Technology Security Handbook published by MAMPU.


Foreword

I would like to congratulate the Handbook Committee, coordinated by the Educational Technology Division, for their dedication in completing this informative handbook. Their commitment in the preparation of this handbook is highly commended.

This handbook is meant to give thorough and concise guidelines on ICT Security Management. It is hoped that the guidelines and procedures listed are useful to all readers.

I would also like to thank all teachers involved for their invaluable contribution to this handbook, an important contribution to the ICT landscape of schools.

(DATO' DR. HJ. AHAMAD BIN SIPON)
Director-General of Education
Ministry of Education Malaysia


Preface

This handbook gives a brief overview of ICT Security Management for all schools in Malaysia.

This handbook is meant to be a useful source of reference for all schools in implementing effective ICT security management. Although there can be no guarantee of absolute security within an international electronic works environment, using the guidelines in this handbook should mitigate many of the risks to which ICT-based systems are exposed.

I wish to congratulate the committee and all others involved in producing this handbook.

(DATO' HJ. YUSOFF BIN HARUN)
Director
Educational Technology Division
Ministry of Education


Introduction

This handbook has been adapted from the Malaysian Public Sector Management of Information & Communications Technology Security Handbook produced by MAMPU, and the Smart School Security Management Policies and Procedures Version 1.0 produced by the Smart School Pilot Project Team of the Ministry of Education.

The content is arranged according to topics to help users practise security management systematically and effectively. The content in each topic has been arranged in such a manner that the steps listed are easy to follow and provide comprehensive guidance on ICT security management.

Each topic in this handbook starts with an introduction and purpose followed by guidelines which provide an overview of ICT security management. Using these guidelines, users should be able to practise ICT security effectively.

The ICT Security Management Handbook will help widen the readers' knowledge and create awareness in ICT security management.

A glossary is included for better understanding of the content.


1 Acceptable Internet And E-Mail Usage

1.1 Introduction

The advancement of information and communications technology (ICT) allows information to be sent and received rapidly. This facility has led to a rise in Internet and electronic mail (e-mail) usage. Electronic communication is now being used widely as the alternative medium for sharing information.

However, uncontrolled usage of Internet and e-mail services may expose us to various security threats. Hence, security protection needs to be in place to ensure the confidentiality, integrity and availability of information.

1.2 Purpose

The purpose of this section is to outline the acceptable use of Internet and e-mail services in schools. These rules should be put in place to protect all residents of schools. Inappropriate use may expose schools to risks, including virus attacks, compromise of network systems and services, and legal issues.

1.3 Responsibilities

All school residents who are given access to the school ICT system are required to comply with the rules and regulations contained in this section.


1.4 Internet Usage

1) The school electronic communication system and ICT facilities are generally used for facilitating and improving the administration and operations of the school. Users should be aware that the data they create and the system they use remain the property of the Government of Malaysia.

2) Web surfing should be restricted to work-related matters or other purposes as authorised by the School Head.

3) Users are advised to verify the integrity and accuracy of materials downloaded from the Internet. These materials have to be scanned to ensure that they are free from malicious code.

4) Materials downloaded from the Internet (e.g. software) should be vetted to avoid infringement of copyright. Users should quote references for all Internet materials used.

5) Information to be uploaded to the Internet should be reviewed by the School ICT Coordinator and authorised by the School Head.

6) Only authorised officers are allowed to participate in online public forums such as newsgroups or bulletin boards. Users who participate in such forums should exercise good judgement on the information shared as they represent the public image of the school, Ministry of Education and the Government of Malaysia.


7) Users are prohibited from the following:

a) Violating the rights of any person or company protected by copyright, trade secret, patent or other intellectual property, or similar laws or regulations, including, but not limited to, the installation or distribution of pirated software that is not appropriately licensed for use by the school.

b) Uploading, downloading, storing or using unlicensed software.

c) Uploading, downloading, or sending files greater than 2Mb that may paralyse the computer network system and pre-empt other official activities.

d) Preparing, uploading, downloading and storing speeches, images or other materials that may:

i) be construed as sexual, ethnic and racial harassment;

ii) cause chaotic situations of any form such as rumour mongering, defamation or instigation; and

iii) tarnish the reputation of the school, Ministry of Education or the Government of Malaysia.

e) Engaging in non-work related activities (commercial, political or others) which interfere with staff productivity and consume more than a trivial amount of resources, such as:

i) online chatting; and

ii) downloading, storing and using entertainment software such as those for playing games, videos or songs.

f) Engaging in criminal activities such as spreading of materials involving gambling, weaponry and terrorism.

g) Misusing online public forums such as newsgroups and bulletin boards.

8) Users are not allowed to engage in unauthorised online activities such as hacking, sniffing, hijacking or giving fraudulent information.

1.5 E-Mail

1) E-mail allows users to communicate with each other in the form of electronic messages. The usage of e-mail is getting more prevalent as it allows more effective two-way communication.

2) All residents of a school are given e-mail accounts for the purpose of official correspondence. An example of an e-mail address is [email protected].

3) The usage of the e-mail service is subject to the rules stipulated in this section and the School ICT Coordinator has the right to revoke such usage if users do not comply with the rules.

4) E-mail is one of the official communication channels within the school. As such, it has to be composed with caution. For example, using upper case is not encouraged as it is considered inappropriate. Users are advised to compose e-mail using simple, courteous and correct language. Users should ensure that the subject corresponds with the content of the e-mail.


5) All official correspondence has to be sent via the official e-mail account. Users should ensure that the recipient's e-mail address is correctly entered prior to sending the e-mail. The carbon copy (cc) can be used, should there be a need to send the e-mail to other recipients. However, a blind carbon copy (bcc) is not encouraged.

6) Users are not allowed to send e-mail attachments that are greater than 2Mb. Appropriate compression utilities such as WinZip should be used to reduce the size of the attachment.

7) Users should refrain from opening e-mail from unknown or suspicious senders.

8) Users should scan all attachments prior to opening.

9) E-mail is not encrypted by default. Users are prohibited from sending sensitive information unless it has first been encrypted. Please refer to the Information Handling Procedure for details.

10) Users should verify the identity of users with whom they communicate and exchange information via e-mail. This is to protect information from any form of misuse.

11) All official e-mail sent or received should be archived accordingly. The user is encouraged to archive the e-mail in other storage media, such as diskettes, for safety reasons.


12) Unimportant e-mail that is no longer needed or has no archival value should be deleted.

13) Users are prohibited from the following:

a) sharing e-mail accounts;

b) using fake accounts and purporting to be valid senders;

c) using e-mail for commercial or political purposes;

d) sending or owning materials that are against the law or cause sexual, ethnic or racial harassment;

e) spamming; and

f) introducing or spreading malicious code such as viruses, worms and Trojan horses that will disrupt the network.


2 Choosing Quality Passwords

2.1 Introduction

Passwords are one of the principal means of validating a user's authority to access a computer system. Therefore, users should be aware of their responsibilities in maintaining effective access controls, particularly regarding the use of passwords. Given the number of passwords that one has to keep track of, it is crucial that the passwords selected are easy to remember and follow good security practices. This section provides some good password security practices that all school users are expected to follow.

2.2 Purpose

The main purpose of this section is to ensure that the registered school users follow the best practices in using and selecting passwords for all application and network systems to which they have access.

2.3 Responsibilities

All school residents who are given access to the school ICT system should comply with the guidelines stipulated in this section.


2.4 Compromise Of Passwords

Over time, passwords may be compromised in many ways. The following are some examples of how passwords are compromised.

1) Users share them with friends or co-workers.

2) Written passwords are exposed to others.

3) Passwords are guessed, either by other users or by security diagnostic software.

4) The servers that store passwords are compromised, and the passwords on them are accessed by intruders.

5) Transmitted passwords are compromised and recorded by an intruder.

6) Users are tricked into providing their passwords to intruders via a social engineering effort.

2.5 General Password Rules

1) Passwords are to be kept strictly confidential and are not to be shared. Do not disclose your password to anyone at any time.

2) Do not write your password down or leave it unsecured.

3) Do not leave a computer session unattended unless it is locked and password-protected. Never leave a computer idle for long periods of time - shut it down and reboot when necessary.


4) If you suspect that anyone has gained access to your password, contact the School ICT Coordinator immediately to request a password reset.

5) After three (3) unsuccessful attempts to enter the password, the user shall be disallowed from using the system for a particular time period. Intervention of the School ICT Coordinator will be required to reset the password.

2.6 Password Composition Rules

One of the primary weaknesses of passwords is that they may be guessed. While a user may give up after guessing ten or a hundred possible passwords, there is software which could easily try millions of combinations and break the particular password. Good password composition rules are as follows:

1) To combat password guessing attacks, users are advised to pick hard-to-guess passwords.

2) Users are required to choose their passwords from the widest set of characters, subject to the constraints of the possible systems where those passwords reside.

3) Passwords should be at least eight (8) characters long and contain alphanumeric characters (e.g. p@S5w07D).


2.7 Changing And Reusing Of Passwords

1) All default passwords should be changed during the first log on.

2) To limit the possibility of passwords being compromised, a practical solution is to change them regularly, at most every 180 days, and preferably more frequently.

3) Users should not reuse old passwords, as they may have already been compromised.

4) Reuse of a user's last four passwords should be avoided altogether.
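The rules of sections 2.5 to 2.7 (lockout after three failed attempts, at least eight characters mixing letters and digits, a default password that must be changed at first log on, a change at most every 180 days, and no reuse of the last four passwords) are easier to rely on when the login system enforces them instead of leaving them to each user. The Python module below is an added example and is not part of the handbook or of any Ministry of Education system; the Account class, the 15-minute lockout period, the PBKDF2 parameters and the sample account and timestamps are assumptions chosen for illustration.

```python
"""Password policy enforcement for a school login system.

Added example (not from the handbook).  Encodes the rules of sections
2.5-2.7: at least 8 characters with letters and digits, lockout after three
failed attempts, default password changed at first log on, a change at most
every 180 days, and no reuse of the last four passwords.  The class name,
the 15-minute lockout and the PBKDF2 parameters are assumptions.
"""
from __future__ import annotations

import hashlib
import hmac
import os
from datetime import datetime, timedelta

MIN_LENGTH = 8
MAX_AGE = timedelta(days=180)      # 2.7 rule 2: change at most every 180 days
HISTORY_SIZE = 4                   # 2.7 rule 4: no reuse of the last four
MAX_FAILURES = 3                   # 2.5 rule 5: three unsuccessful attempts
LOCKOUT = timedelta(minutes=15)    # "a particular time period": assumed value
PBKDF2_ROUNDS = 50_000             # assumed; raise for production use


def composition_errors(password: str) -> list[str]:
    """Return the composition rules (2.6) the password violates; empty means OK."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in password):
        errors.append("contains no letters")
    if not any(c.isdigit() for c in password):
        errors.append("contains no digits")
    return errors


def _hash(password: str, salt: bytes) -> bytes:
    # Passwords are never stored in clear (2.4 item 4): salted PBKDF2-HMAC-SHA256.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class Account:
    def __init__(self, username: str, default_password: str, now: datetime):
        self.username = username
        self.history: list[tuple[bytes, bytes]] = []   # (salt, hash), newest last
        self.changed_at = now
        self.failures = 0
        self.locked_until: datetime | None = None
        self.must_change = True    # 2.7 rule 1: default password changed at first log on
        self._store(default_password)

    def _store(self, password: str) -> None:
        salt = os.urandom(16)
        self.history.append((salt, _hash(password, salt)))
        self.history = self.history[-HISTORY_SIZE:]   # keep only the last four

    def _matches(self, password: str, entries) -> bool:
        return any(hmac.compare_digest(_hash(password, s), h) for s, h in entries)

    def change_password(self, current: str, new: str, now: datetime) -> str:
        if not self._matches(current, self.history[-1:]):
            return "rejected: current password incorrect"
        errors = composition_errors(new)
        if errors:
            return "rejected: " + "; ".join(errors)
        if self._matches(new, self.history):
            return f"rejected: matches one of the last {HISTORY_SIZE} passwords"
        self._store(new)
        self.changed_at = now
        self.must_change = False
        return "ok"

    def login(self, password: str, now: datetime) -> str:
        if self.locked_until is not None:
            if now < self.locked_until:
                return "locked"
            self.locked_until, self.failures = None, 0   # lockout period elapsed
        if not self._matches(password, self.history[-1:]):
            self.failures += 1
            if self.failures >= MAX_FAILURES:
                self.locked_until = now + LOCKOUT
                return "locked"
            return "failed"
        self.failures = 0
        if self.must_change or now - self.changed_at > MAX_AGE:
            return "ok: password change required"
        return "ok"


def demo() -> list[str]:
    """Walk one constructed account through the rules; returns each outcome."""
    t0 = datetime(2005, 10, 1, 8, 0)       # constructed timestamp
    acc = Account("teacher01", "Temp1234", t0)
    minute, day = timedelta(minutes=1), timedelta(days=1)
    return [
        acc.login("Temp1234", t0),                         # first log on with default
        acc.change_password("Temp1234", "short1", t0),     # too short
        acc.change_password("Temp1234", "abcdefgh", t0),   # no digits
        acc.change_password("Temp1234", "Temp1234", t0),   # reuse of current
        acc.change_password("Temp1234", "p@S5w07D", t0),   # the handbook's example
        acc.login("wrong-1", t0), acc.login("wrong-2", t0), acc.login("wrong-3", t0),
        acc.login("p@S5w07D", t0 + 5 * minute),            # still locked out
        acc.login("p@S5w07D", t0 + 16 * minute),           # lockout elapsed
        acc.login("p@S5w07D", t0 + 181 * day),             # older than 180 days
    ]
```

Storing only salted, iterated hashes means that the server compromise listed in section 2.4 does not hand the intruder the passwords themselves, and comparing with hmac.compare_digest avoids timing differences. The lockout here expires on its own after the assumed period; the handbook additionally requires the School ICT Coordinator to reset the password, which a real system would model as an administrative reset that clears the lock and sets must_change.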


3 Physical Security For The ICT Infrastructure

3.1 Introduction

Physical security is the first layer of defence in any ICT security architecture. The need to physically protect assets from real or perceived threats cannot be overlooked or mitigated by other security disciplines. There is no substitute for good physical security control.

3.2 Purpose

The purpose of these guidelines is to prevent unauthorised access, damage and interference to the ICT Infrastructure that could result in disruption or damage to the school information asset.

3.3 Responsibilities

All school residents who are given access to the ICT Infrastructure are required to observe these guidelines.

3.4 Working In ICT Infrastructure

1) All computing facilities provided by the school are used for facilitating the daily operations and learning activities of the school residents. Therefore, only authorised users such as teachers, students and staff of the school are allowed to use these computing facilities. Third parties (or non-school residents) who wish to use such facilities should be authorised by the School Head.

2) Visitors or users to the computer laboratory, media centre and access centre should log their names, date, time and duration of access in the log book.

3) All students using the computer laboratory should be accompanied by a teacher. Students who need to use the computers in the computer laboratory without supervision of the teacher should obtain permission from authorised personnel.

4) After school hours, access to the computer laboratory must be controlled and monitored.

5) Third parties such as vendors who provide maintenance service to the equipment should be escorted or supervised at all times while in the ICT infrastructure.

6) Doors and windows to the computer laboratory should be locked when unattended.

7) No food and drinks are allowed in the ICT infrastructure.

8) Visitors or users to the computer laboratory should take off their shoes (if necessary) to ensure cleanliness of the place.

9) Users should shut down the system properly to prevent computer damage.

10) Users should log off the system to prevent unauthorised users from accessing the system.


11) Users should keep the ICT infrastructure clean and tidy at all times.

12) Users are not allowed to bring out any equipment or devices which belong to the school. Anyone found stealing or attempting to steal will be subject to disciplinary action.

13) Users are not allowed to relocate the equipment (e.g. switching of monitors), repair faulty equipment or change the configuration of the system without authorisation by the School ICT Coordinator or authorised school personnel.

14) Users should report to the School ICT Coordinator or assigned school personnel when they notice security incidents or potential security incidents. These include incidents such as break-ins, thefts, and hardware and software failures.

15) Users should prevent computer overheating by not covering the computer monitor vents.

16) All facilities such as air conditioners and lights should be properly used. Users are required to switch on these facilities when using the computer laboratory. Similarly, these facilities should be switched off after use.


4 Mobile Computing

4.1 Introduction

Technological advancement has made mobile computing devices available to a wide audience and these devices are increasingly used for easy access. The prevalence of mobile computing devices has opened up various security risks that could compromise the confidentiality, integrity and availability of information. The very nature of mobile computing devices means that they are at a greater risk of theft than their less portable counterparts. The latter are normally located in secure premises with good physical security, whereas mobile computing devices normally reside outside an organisation's physical security perimeter. This section aims to establish procedural guidance to be observed by users of mobile computing devices.

4.2 Purpose

This section is established to ensure information and physical security when using mobile computing devices.

4.3 Responsibilities

All school residents who use mobile computing devices for processing school information are required to adhere to the guidelines outlined in this section.


4.4 Use Of Mobile Computing Devices

1) The use of personal mobile computing devices such as laptops, tablet PCs, palmtops and smart phones for processing school information is prohibited unless they have first been authorised by the school administrator and configured with necessary security controls such as anti-malicious software or a personal firewall under the guidance of the School ICT Coordinator.

2) Third party mobile computing devices (owned by contractors or vendors) should not be connected to the school network or granted access without first being authorised by the school administrator and configured with necessary security controls under the guidance of the School ICT Coordinator. This is to prevent virus infection of the school network.

3) All Ministry of Education owned mobile computing devices should be installed with necessary security controls such as anti-malicious software before they are released to the users. Such devices should be automatically configured to receive security updates from the server.

4) Use of mobile computing devices is subject to Acceptable Internet and E-mail Usage.

4.5 Physical Security

1) Mobile computing devices should be physically protected against theft, especially when left in cars and other forms of transport, hotel rooms, conference centres and meeting places.


2) Mobile computing devices carrying important, sensitive or confidential information should not be left unattended and, where possible, should be physically locked.

3) It is important that when such devices are used in public places, care is taken to avoid the risk of accidental disclosure of information to unauthorised persons.

4) Mobile users should report any damage to or loss of Ministry of Education assets to the School ICT Coordinator or school administrator immediately.

5) The movement of all mobile computing devices owned by the Ministry of Education should be recorded.

4.6 Configuration Changes

1) Users should not change the configuration or system settings of mobile computing devices supplied by the Ministry of Education except for official and authorised purposes such as configuring the network settings (IP address, DNS address, etc.) based on the existing network environment.

2) Mobile computing devices supplied by the Ministry of Education should not be altered in any way (e.g. processor upgrade, memory expansion or extra circuit boards). If any changes in software or hardware are required, the users should seek authorisation from the School ICT Coordinator. Only the School ICT Coordinator is allowed to make such changes.


4.7 Connecting Mobile Computing Devices To Unsecured Networks

1) The school network is a protected environment within which mobile computing devices are well protected against infection by malicious software and receive regular deployment of security updates. Networks outside the perimeter of the school, whether through a wireless local area network at an airport or a broadband Internet connection at home, are considered unsecured networks. In this sort of environment, the device is connected directly to the Internet with none of the protections, such as firewalls, in place. This exposes the device to a great range of threats, including direct attacks from entities on the Internet, whether they be users or malicious code.

2) Users should refrain from connecting to unsecured networks as this may expose sensitive information to unauthorised parties.

3) If such a connection is deemed necessary, users may consider encrypting sensitive information to prevent unauthorised disclosure. Data encryption offers the best protection against the dissemination of sensitive information from lost or stolen devices. Information protected by strong, well-implemented encryption techniques can be rendered useless to a thief.


5 Information Classification And Handling

5.1 Introduction

Information must be handled appropriately to ensure that the confidentiality, integrity and availability of the information is not compromised. Information classification and handling activities are performed to safeguard national secrets. Often classified information is kept (or should be kept) segregated from other information. The possible impact on schools and the Ministry of Education of disclosure or alteration of information varies with the type of information. Hence, the effort and cost warranted for protection against these risks varies accordingly. Some basis is therefore required to determine which security measures are applicable to different types of information.

5.2 Purpose

The main purpose of this section is to provide guidelines for the classification of information and the appropriate set of procedures for information handling in accordance with the classification scheme defined.

5.3 Responsibilities

All school residents who are given access to classified information are required to comply with this section.


5.4 Scope Of Coverage

All school information is bound by this section irrespective of:

1) the way information is represented (written, spoken, electronic or other forms);

2) the technology used to handle the information (e.g. file cabinets, fax machines, computers and local area networks);

3) the location of information (e.g. in the office, computer lab or server room); and

4) the lifecycle of information (e.g. origin, entry into a system, processing, dissemination, storage and disposal).

5.5 Information Classification

According to the government's Arahan Keselamatan, information is classified into five levels:

1) Public: Official documents/information available for public knowledge, viewing or usage.

2) Restricted: Official documents/information excluding those classified as Top Secret, Secret or Confidential but required to be provided with a security measure level. Refer to Table 1: Information Handling.

3) Confidential: Official documents/information which, if exposed without authorisation, even though it does not endanger national security, could have an impact on national interest or dignity, the activity of the government or the individual; would cause embarrassment or difficulty to the current administration; and would benefit foreign authorities.

4) Secret: Official documents/information which, if exposed without authorisation, would endanger national security, cause substantial loss/damage to the national interest or dignity; and would provide substantial benefit to foreign authorities.

5) Top Secret: Official documents/information which, if exposed without authorisation, would cause extreme loss/damage to the nation.

5.6 Information Handling

1) The asset owner should determine the classification of information.

2) The handling of the information in any form depends on the classification of the information defined by the asset owner.

3) Sufficient security measures for classified information are required to protect the confidentiality, integrity and availability of the information.

4) The existing or planned operating procedures should consider all users who are allowed to view classified information.

5) Users should have knowledge of those who may endanger the security of classified information and must abide by the guidelines or procedures to prevent those people from viewing it.


6) Adequate authorisation and access control should be implemented:

a) to prevent unauthorised people from viewing classified information;

b) so that access to classified information depends on the level of classification;

c) so that the School ICT Coordinator and information owner can determine the access rights of users who have access to classified information.

7) The following provides the information handling guide for each lifecycle stage of the information, starting from its creation until destruction.


    Table 1: Information Handling

    Columns: Top Secret | Secret | Confidential | Restricted | Public

    Labelling

    Electronic media labelling
      Top Secret, Secret, Confidential, Restricted:
        1) Labelled as Top Secret or Secret or Confidential or Restricted.
      Public: Not required.

    Hard copy labelling
      Top Secret, Secret, Confidential, Restricted:
        1) Labelled as Top Secret or Secret or Confidential or Restricted on the front and back covers, and on every page of the document. See Arahan Keselamatan Clause 48-52.
        2) Labelled with a reminder. See Arahan Keselamatan Clause 53.
      Public: Not required.

    Reference
      Top Secret, Secret, Confidential, Restricted:
        The owners of the respective information should work together with the school's administrative personnel to define the reference number for each document produced.
      Public: Not required.

    Storage

    Storage on fixed media
      Top Secret, Secret, Confidential, Restricted:
        Encrypted where applicable, or other compensating controls such as access controls, password management and other network controls.
      Public: Not required.

    Storage on exchangeable media
      Top Secret, Secret, Confidential, Restricted:
        Encrypted where applicable, or other compensating controls such as access controls, password management and other network controls.
      Public: Not required.


    Physical storage
      Top Secret, Secret:
        1) Strong room or safe with locks.
        2) Work in progress can be kept in an iron cabinet with locks.
        3) See Arahan Keselamatan Clause 58-60.
      Confidential, Restricted:
        1) Iron cabinet.
        2) See Arahan Keselamatan Clause 58-60.
      Public: No special storage required.

    Sending/Transmission/Processing

    Sending documents
      Top Secret, Secret, Confidential, Restricted:
        1) Acknowledgement on receipt of document (2 copies) needs to be prepared.
        2) Mail packaging for documents carried securely:
           a) Only one (1) envelope, with marking, reference number, name and address.
           b) The envelope must be sealed.
        3) Mail packaging for documents carried insecurely:
           a) Two (2) envelopes required.
           b) Internal envelope with marking, reference number, name and address;
           c) External envelope with name and address, and it must be
      Public: Not required.


    (continued from the preceding page, which is missing from this copy)
      Top Secret, Secret, Confidential, Restricted:
        ... for such access and is authorised by the information owner.
        3) Release to the press is not allowed without approval from the information owner.
        4) See Arahan Keselamatan Clause 68-70.

    Granting of Access Rights

    Granting of access rights
      Top Secret, Secret, Confidential, Restricted:
        1) Access rights are granted by the information owner.
        2) The access control is to be implemented by the School ICT Coordinator.
      Public: No restriction.

    Disposal

    Physical disposal
      Top Secret, Secret, Confidential, Restricted:
        1) Not allowed unless explicitly instructed by the information owner. Total destruction must be performed.
        2) Disposal must be logged.
        3) Document must be shredded.
        4) See Arahan Keselamatan Clause 71-74.
      Public: Ordinary trash.

    Electronic disposal
      Top Secret, Secret, Confidential, Restricted: Secure delete.
      Public: Ordinary delete.


    Loss of Documents/Information

    Reporting of loss
      Top Secret, Secret, Confidential, Restricted:
        1) Loss of documents/information should be reported to the school administrator immediately, and in any case within 24 hours.
        2) An investigation should be carried out to estimate the impact of such losses. If necessary, a report to external parties such as the police should be made.
        3) See Arahan Keselamatan Clause 75-76.
      Public: Not required.


    GLOSSARY

    Alphanumeric characters  The union of the set of alphabetic characters and the set of numeric characters.

    Availability  This is the effect on the system and/or the organisation that would result from deliberate or accidental denial of the asset's use. If a mission-critical system is unavailable to its end users, the organisation's mission may be affected. Loss of system functionality and operational effectiveness, for example, may result in loss of productive time, thus impeding the end users' performance of their functions in supporting the organisation's mission.

    Broadband  A type of data transmission in which a single medium (wire) can carry several channels at once.

    Confidentiality  This is the effect on the system and/or the organisation that would result from the deliberate, unauthorised or inadvertent disclosure of the asset. The effect of unauthorised disclosure of confidential information can result in loss of public confidence, embarrassment, or legal action against the organisation.

    E-mail  Short for electronic mail: the transmission of messages, to one or many recipients, over communication networks.

    Encryption  The translation of data into a scrambled form (ciphertext) that cannot be read by unauthorised parties who do not hold the key.


    Exchangeable media  Material used to store data that can be taken out of a machine. Examples include floppy disc, magnetic tape and compact disc.

    Firewall  A system designed to prevent unauthorised access to or from a private network.

    Fixed media  Mass storage in which the material that holds data is a permanent part of the device. An example is a hard drive.

    Information owner  The Individual/Division/Department/Unit who is referred to as the proprietor of an asset.

    Integrity  This is the effect on the system and/or the organisation that would result from the deliberate, unauthorised or inadvertent modification or destruction of the asset. Unauthorised modification of information can result in decisions being taken on corrupted data, loss of public confidence, embarrassment, or legal action against the organisation.

    Internet A global network connecting millions of computers.

    Local Area Network  A network of computers confined within a small area such as an office building or school.

    Malicious code  A programme or piece of code that is loaded onto the computer without the owner's knowledge and runs against the owner's wishes. Examples include virus, worm and Trojan horse.

    Malicious software  A programme or piece of code that is loaded onto the computer without the owner's knowledge and runs against the owner's wishes. Examples include virus, worm and Trojan horse.


    Mobile Computing  Portable computing devices that can connect by cable, telephone wire, wireless transmission, or via any Internet connection to any network infrastructure and/or data systems. Examples of mobile computing devices include notebooks, palmtops, laptops and mobile phones.

    Password  One of the means of user authentication. A password is a series of characters entered by the user to gain access to the system.

    School ICT Coordinator  A person who is appointed by the school to be in charge of management and coordination of the school ICT infrastructure.

    Secure delete  Deletion that assures the total wiping out of magnetically recorded information, so that it cannot be recovered from the media.
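    The difference between the "Ordinary delete" and "Secure delete" columns of Table 1 is what happens to the data blocks: an ordinary delete only removes the directory entry and leaves the content on the platter until it is overwritten, while a secure delete overwrites the content first. The script below is an added illustration, not code from the handbook or the Ministry, of one way to perform that overwrite-then-unlink on a POSIX-style filesystem. The pass count, the temporary file names and the sample "RESTRICTED" content are all assumptions made for the example.

```python
"""Secure delete by overwrite-then-unlink (added example, not from the handbook).

Assumes a local filesystem on magnetic media. Caveat for practitioners: on SSDs,
USB flash drives, journaling or copy-on-write filesystems the old blocks may
survive an in-place overwrite; there the reliable controls are full-disk
encryption (destroy the key) or physical destruction of the media.
"""
import os
import tempfile

CHUNK = 64 * 1024          # overwrite in 64 KiB chunks; size is an assumption
DEFAULT_PASSES = 3         # number of random passes; arbitrary choice, not a handbook rule


def _overwrite(f, size: int, pattern_fn) -> None:
    """Overwrite `size` bytes from the start of an open raw file with pattern_fn(n) data."""
    f.seek(0)
    remaining = size
    while remaining > 0:
        n = min(CHUNK, remaining)
        written = f.write(pattern_fn(n))
        if not written:
            raise IOError("short write while overwriting")
        remaining -= written
    f.flush()
    os.fsync(f.fileno())   # push the new blocks to the disk before continuing


def secure_delete(path: str, passes: int = DEFAULT_PASSES) -> int:
    """Overwrite a file in place with random data, zero-fill, truncate, rename and unlink.

    Returns the number of bytes that were overwritten (the original file size).
    """
    size = os.path.getsize(path)
    with open(path, "r+b", buffering=0) as f:       # unbuffered so writes hit the OS directly
        for _ in range(passes):
            _overwrite(f, size, os.urandom)
        _overwrite(f, size, lambda n: b"\x00" * n)   # final zero pass
        f.truncate(0)                                # hide the original length
        os.fsync(f.fileno())
    # Rename to a random name so the original file name is not left in the directory entry.
    anon = os.path.join(os.path.dirname(path) or ".", "." + os.urandom(8).hex())
    os.rename(path, anon)
    os.remove(anon)
    return size


def ordinary_delete(path: str) -> int:
    """The "Ordinary delete" column: only the directory entry goes; the data blocks
    remain on disk until reused, so the content is recoverable with forensic tools."""
    size = os.path.getsize(path)
    os.remove(path)
    return size


def make_sample_file(data: bytes) -> str:
    """Write constructed sample content to a temporary file and return its path."""
    fd, path = tempfile.mkstemp(prefix="restricted-", suffix=".txt")
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


def demo() -> tuple:
    """Create a constructed 'RESTRICTED' document, securely delete it, and return
    (bytes overwritten, whether the path still exists)."""
    sample = b"RESTRICTED: sample student records (constructed)\n" * 1000
    path = make_sample_file(sample)
    wiped = secure_delete(path)
    return wiped, os.path.exists(path)


if __name__ == "__main__":
    print(demo())
```

    Run it on a copy of a classified document to see the three random passes and the zero pass happen before the name disappears; the ordinary_delete function is included only to show how much less the "Ordinary delete" column does. The fsync after every pass matters: without it the overwrites may still be sitting in the page cache when the file is unlinked and never reach the platter.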

    Social Engineering  In the field of computer security, social engineering is the practice of obtaining confidential information by manipulation of legitimate users.

    Spam  Electronic junk mail, more generally referred to as unsolicited e-mail.

    Trojan horse  A Trojan Horse portrays itself as something other than what it is at the point of execution. While it may advertise its activity after launching, this information is not apparent to the user beforehand. A Trojan Horse neither replicates nor copies itself, but causes damage or compromises the security of the computer. A Trojan Horse must be sent by someone or carried by another program and may arrive in the form of a joke program or software of some sort. The malicious functionality of a Trojan Horse may be anything undesirable for a computer user, including data destruction or compromising a system by providing a means for another computer to gain access, thus bypassing normal access controls.

    Users  Members of the school community who use the ICT facilities provided. For example, teachers, students, clerks, administrators and others.

    Virus  A virus is a program or code that replicates itself onto other files with which it comes in contact; that is, a virus can infect another programme, boot sector, partition sector, or a document that supports macros, by inserting itself or attaching itself to that medium. Most viruses only replicate, though many can do damage to a computer system or a user's data as well.

    Wireless A method of communication that usesradio waves to transmit data betweendevices.

    Worm  A worm is a programme that makes and facilitates the distribution of copies of itself; for example, from one disk drive to another, or by copying itself using e-mail or another transport mechanism. The worm may do damage and compromise the security of the computer. It may arrive via exploitation of a system vulnerability or when a user opens an infected e-mail.


    References

    1) Malaysian Public Sector Management of Information & Communications Technology Security Handbook (MyMIS).

    2) Pekeliling Kemajuan Pentadbiran Awam Bilangan 1 Tahun 2003 - Garis Panduan Mengenai Tatacara Penggunaan Internet Dan Mel Elektronik Di Agensi-agensi Kerajaan (Public Administration Development Circular No. 1 of 2003: Guidelines on Procedures for the Use of the Internet and Electronic Mail in Government Agencies).

    3) Buku Arahan Keselamatan (Security Directives).

    4) Prosedur dan Dasar Pengurusan Keselamatan Sekolah Bestari Versi 2.0 (Smart School Security Management Procedures and Policy, Version 2.0).

    Enquiries

    Enquiries about this document should be directed to:

    Director

    Educational Technology Division
    Ministry Of Education
    Pesiaran Bukit Kiara
    50604 Kuala Lumpur
    (Attn: Infrastructure and Repository Sector)

    Tel.: 03-2098 7768/6245
    Fax: 03-2098 6242
    E-mail: [email protected]


    CONTRIBUTORS

    ADVISOR

    Dato' Haji Yusoff bin Harun, Director, Educational Technology Division

    EDITORIAL BOARD

    Khalidah binti Othman Educational Technology Division

    Chan Foong Mae Educational Technology Division

    Anthony Gerard Foley Educational Technology Division

    Haji Mohd Azman bin Ismail Educational Technology Division

    Mohd Arifen bin Naim Educational Technology Division

    Yap Ley Har Educational Technology Division

    Junainiwati binti Mohd Deris Educational Technology Division

    Roimah binti Dollah Educational Technology Division

    Nik Fajariah binti Nik Mustaffa Educational Technology Division

    Rozina binti Ramli SMK Aminuddin Baki, Kuala Lumpur

    Nirmal Kaur SMK Victoria, Kuala Lumpur

    Mohd Hisham bin Abdul Wahab SMK(L) Methodist, Kuala Lumpur

    Ab. Aziz bin Mamat Sekolah Seri Puteri, Selangor

    Abd Aziz bin Mohd Hassan SMK USJ 8, Selangor

    Widiana binti Ahmad Fazil SMK Pandan Jaya, Selangor

    Rogayah binti Harun Kolej Tunku Kurshiah, Negeri Sembilan

    Mohd Zali bin Zakri SM Sains Tuanku Jaafar, Negeri Sembilan

    Jaya Lakshmi a/p Mutusamy SMK(A) Persekutuan Labu, Negeri Sembilan

    Azmi bin Abdul Latiff SMK(A) Persekutuan Labu, Negeri Sembilan

    Haji Zulkiflee bin A. Rahman SM Teknik Muar, Johor

    Daud bin Yusof SMK Buluh Kasap, Johor