By THAIB MUSTAFA, CHAIRMAN TECHNICAL COMMITTEE FOR INFORMATION SECURITY (TC/G/5) INDUSTRY STANDARDS COMMITTEE FOR INFORMATION TECHNOLOGY, COMMUNICATION AND MULTIMEDIA (ISC G)
23RD MAY 2012
Presentation Agenda
BACKGROUND
- 1966: Institutes of Standards Malaysia (ISM) was established in Malaysia, later Standards Malaysia
- 1969: Malaysia became a member of ISO
- 1975: SIRIM was established
- 1996: SIRIM was appointed as National Standard Development Agency in Malaysia
- SIRIM established Industry Standards Committees (ISC) to undertake standard development activities
- 2001: the Industry Standards Committee responsible for IT, Telecommunications and Multimedia (ISC G) established TC/G/5, the Technical Committee responsible for Information Security
TC5 Information Security 2012 All Rights Reserved 4
MEMBERS OF
Industry Standard Committee for Information Technology, Communication & Multimedia (ISC G)
ISO/IEC JTC 1/SC 27 Security Techniques (WG1, WG2, WG3, WG4, WG5)
TC/G/5 working groups: WG1, WG2, WG3, WG4, WG5 and WG7 (organisation chart)
MEMBERS OF
Technical Committee on Information Security (TC/G/5)
CHAIRMAN: Dr Dzaharudin Mansor
CyberSecurity Malaysia: Mr Muhammad bin Ali
TC/G/5 working groups: WG/G/5-1, WG/G/5-2, WG/G/5-3, WG/G/5-4, WG/G/5-5, WG/G/5-7
Working Group on Security Control & Services
SCOPE: Standardisation on BCM Framework for all sectors & supplementary BCM Framework for specific sectors
Working Group on Identity Management & Privacy Technologies
SCOPE: Standardisation on Management & Privacy Technologies
ACTIVITIES TC/G/5
- Identify standards that meet national objectives and industry needs
- Information security standard preparation, development and review
- Endorse release of draft Malaysian Standards (MS) after public comment, ensuring they meet national and industry needs
- Review and adopt (with certain criteria) International Standards as Malaysian Standards
- Recommend approval of standards and report activities to ISC G
- Develop indigenous standards if required and when no international standard is available
- Support standardization activities at WG, national, regional and international level
- Review and participate in ISO/IEC JTC 1/SC 27 projects and meetings
- Participate in regional meetings (e.g. RAISE) and provide liaison with other TCs
ACTIVITIES - WGs
Working Groups in TC 5 mirroring JTC 1/SC 27 WGs:
- WG 1 - Information Security Management Systems
- WG 2 - Cryptography and Security Mechanisms
- WG 3 - Information Security Evaluation Criteria
- WG 4 - Security Controls and Services
- WG 5 - Identity Management and Privacy Technologies
- WG 7 - Industry Automation and Control Systems
WG activities:
- Meet regularly to review standardization projects and related documentation for specific projects specified by TC/G/5
- Develop indigenous standardization projects as approved by TC/G/5
- Participate in meetings, talks, workshops and seminars at national, regional and international level
- Perform liaison with other related standards committees (e.g. biometrics and telecommunications) as required by TC/G/5
ACHIEVEMENTS 1/2
More than 30 Standards approved and published
- Information Security Management Systems - Requirements (MS ISO/IEC 27001:2006)
- Code of practice for Information Security Management (MS ISO/IEC 27002:2005)
- Methodology for IT Security Evaluation (MS ISO/IEC 18045:2005)
- Evaluation criteria for IT security - Part 3: Security assurance requirements (First revision) (MS ISO/IEC 15408-3:2005)
- ISMS Implementation Guidance (27003)
- Information Security Risk Management (27005)
- Information Security Management Guidelines for Telecommunication Organizations (27011)
ACHIEVEMENTS 2/2
- Editorship for WG4 Guidelines on Identification, Collection, Acquisition and Preservation of Digital Evidence (ISO/IEC 27037), currently being approved for publication in Dec 2012
- In Nov 2005, hosted ISO/IEC JTC 1/SC 27 WGs Meeting in KL
- In Apr 2010, hosted ISO/IEC JTC 1/SC 27 WGs & HoD Meeting in Melaka
- Participated in international ISO/IEC and regional standards development meetings
- Organized/participated in Information Security workshops and seminars to promote awareness and gather comments and public reviews
CHALLENGES
- Inconsistent project/activity participation (assignment on a volunteer basis with almost regular changes to membership)
- Shortage of subject matter experts from relevant industries and academia to contribute in WGs (WG 2, WG 3, WG 5 and WG 7)
- Lack of commitment from industries, government departments/agencies and GLCs to provide resources and budget for standard development activities
- Very limited funding available to sponsor editorships & secretariat participation at regional and international level
- Lack of recognition and incentives for standards development work
To achieve the aspiration of IS standard development transformation, we need to understand the current issues and challenges and introduce standards as creative business solutions.
Four-step cycle (diagram):
1. Industry Experience: understanding the issues and the business needs
2. Business Demand
3. Market Reach: reach out, establish the network and support the market
4. Deliver Value: provide business values and clear benefits
2012 to 2013 (timeline)
Discovery: Establish the Baseline
- Strategies
- Key Programs (industry survey, roadshows, etc.)
- 3-5 year transformation roadmap
- Critical milestones
- Challenges
- KPIs
CONCLUSION
1. Information Security is a Business Issue
2. Information Security Management is part of Corporate Governance
3. ISMS 27001 is a mandatory baseline standard for Information Security Management for any organization
4. Compliance, Compliance & Compliance
5. Certify as security professionals
6. Certify all critical infrastructure
7. Join us at TC5 and participate as WG members