ICT SECURITY MANAGEMENT HANDBOOK

Educational Technology Division
Ministry of Education

October 2005

MINISTRY OF EDUCATION MALAYSIA


ISBN : 983-3244-27-0

FIRST EDITION: OCTOBER 2005

Copyright © 2005 Educational Technology Division, Ministry of Education

All rights reserved, except for educational purposes with no commercial interests. No part of this publication may be produced transmitted in any form or by any means, electronics or mechanical including photocopying, recorded or by any information storage or retrieval system, without prior permission from the Director-General of Education, Ministry of Education Malaysia.

Published by
Infrastructure and Repository Sector
Smart Educational Development
Educational Technology Division
Ministry of Education
Pesiaran Bukit Kiara
50604 Kuala Lumpur
Tel : 603-2098 7768/6245
Fax : 603-2098 6242


Contents

Background
Foreword
Preface
Introduction

1 Acceptable Internet And E-Mail Usage
1.1 Introduction
1.2 Purpose
1.3 Responsibilities
1.4 Internet Usage
1.5 E-Mail

2 Choosing Quality Passwords
2.1 Introduction
2.2 Purpose
2.3 Responsibilities
2.4 Compromise Of Passwords
2.5 General Password Rules
2.6 Password Composition Rules
2.7 Changing And Reusing Of Passwords

3 Physical Security For The ICT Infrastructure
3.1 Introduction
3.2 Purpose
3.3 Responsibilities
3.4 Working In ICT Infrastructure

4 Mobile Computing
4.1 Introduction
4.2 Purpose
4.3 Responsibilities
4.4 Use Of Mobile Computing Devices
4.5 Physical Security
4.6 Configuration Changes
4.7 Connecting Mobile Computing Devices To Unsecured Networks

5 Information Classification And Handling
5.1 Introduction
5.2 Purpose
5.3 Responsibilities
5.4 Scope Of Coverage
5.5 Information Classification
5.6 Information Handling

Glossary
References
Enquiries
Contributors


Background

The ICT Security Management Handbook is a new handbook, updated and adapted from the Smart School Security Management Policies and Procedures Version 1.0 published under the Smart School Pilot Project in the year 2000. The original document was first reviewed in 2001.

Users of the first and second editions of this handbook will realise that the text has been completely revised; a major part of the revision being the separation of the content into two new documents, one for the School ICT Coordinators and another for other users.

This ICT Security Management Handbook is based on the ICT security management information contained in the Malaysian Public Sector Management of Information & Communications Technology Security Handbook published by MAMPU.


Director-General of Education Malaysia

Foreword

I would like to congratulate the Handbook Committee, coordinated by the Educational Technology Division, for their dedication in completing this informative handbook. Their commitment in the preparation of this handbook is highly commended.

This handbook is meant to give thorough and concise guidelines on ICT Security Management. It is hoped that the guidelines and procedures listed are useful to all readers.

I would also like to thank all teachers involved for their invaluable contribution to this handbook, an important contribution to the ICT landscape of schools.

(DATO’ DR. HJ. AHAMAD BIN SIPON)
Director-General of Education
Ministry of Education
Malaysia


Educational Technology Division

Preface

This handbook gives a brief overview on ICT Security Management for all schools in Malaysia.

This handbook is meant to be a useful source of reference for all schools in implementing effective ICT security management. Although there can be no guarantee for absolute security within an international electronic works environment, using the guidelines in this handbook should mitigate many of the risks to which ICT-based systems are exposed.

I wish to congratulate the committee and all others involved in producing this handbook.

(DATO’ HJ. YUSOFF BIN HARUN)
Director
Educational Technology Division
Ministry of Education


Introduction

This handbook has been adapted from the Malaysian Public Sector Management of Information & Communications Technology Security Handbook produced by MAMPU, and the Smart School Security Management Policies and Procedures Version 1.0 produced by the Smart School Pilot Project Team of the Ministry Of Education.

The content is arranged according to topics to help users practise security management systematically and effectively. The content in each topic has been arranged in such a manner that the steps listed are easy to follow and provide comprehensive guidance to ICT security management.

Each topic in this handbook starts with an introduction and purpose followed by guidelines which provide an overview of ICT security management. Using these guidelines, users should be able to practise ICT security effectively.

The ICT Security Management Handbook will help widen the reader’s knowledge and create awareness in ICT security management.

A glossary is included for better understanding of the content.


1 Acceptable Internet And E-Mail Usage

1.1 Introduction

The advancement of information and communications technology (ICT) allows information to be sent and received rapidly. This facility has led to a rise in Internet and electronic mail (e-mail) usage. Electronic communication is now being used widely as the alternative medium for sharing information. However, uncontrolled usage of Internet and e-mail services may expose us to various security threats. Hence, security protection needs to be in place to ensure confidentiality, integrity and availability of information.

1.2 Purpose

The purpose of this section is to outline the acceptable use of Internet and e-mail services in schools. These rules should be put in place to protect all residents of schools. Inappropriate use may expose schools to risks, including virus attacks, compromise of network systems and services, and legal issues.

1.3 Responsibilities

All school residents who are given access to the school ICT system are required to comply with the rules and regulations contained in this section.


1.4 Internet Usage

1) The school electronic communication system or ICT facilities are generally used for facilitating and improving the administration and operations of the school. Users should be aware that the data they create and the system they use remain the property of the Government of Malaysia.

2) Web surfing should be restricted to work-related matters or other purposes as authorised by the School Head.

3) Users are advised to verify the integrity and accuracy of materials downloaded from the Internet. These materials have to be scanned to ensure that they are free from malicious codes.

4) Materials downloaded from the Internet (e.g. software) should be vetted to avoid infringement of copyrights. Users should quote references of all Internet materials used.

5) Information to be uploaded to the Internet should be reviewed by the School ICT Coordinator and authorised by the School Head.

6) Only authorised officers are allowed to participate in online public forums such as newsgroups or bulletin boards. Users who participate in such forums should exercise good judgement on the information shared as they represent the public image of the school, Ministry of Education and the Government of Malaysia.


7) Users are prohibited from the following:

a) Violating the rights of any person or company protected by copyright, trade secret, patent or other intellectual property, or similar laws or regulations, including, but not limited to, the installation or distribution of pirated software that is not appropriately licensed for use by the school.

b) Uploading, downloading, storing or using unlicensed software.

c) Uploading, downloading, or sending files greater than 2Mb that may paralyse the computer network system and pre-empt other official activities.

d) Preparing, uploading, downloading and storing speeches, images or other materials that may:

i) be construed as sexual, ethnic and racial harassment;

ii) cause chaotic situations of any form such as rumour mongering, defamation or instigation; and

iii) tarnish the reputation of the school, Ministry of Education or the Government of Malaysia.

e) Engaging in non-work related activities (commercial, political or others) which interfere with staff productivity and consume more than a trivial amount of resources such as:

i) online chatting; and


ii) downloading, storing and using entertainment software such as those for playing games, videos or songs.

f) Engaging in criminal activities such as spreading of materials involving gambling, weaponry and terrorism.

g) Misusing online public forums such as newsgroups and bulletin boards.

8) Users are not allowed to engage in unauthorised online activities such as hacking, sniffing, hijacking or giving fraudulent information.

1.5 E-Mail

1) E-mail allows users to communicate with each other in the form of electronic messages. The usage of e-mail is getting more prevalent as it allows more effective two-way communication.

2) All residents of a school are given e-mail accounts for the purpose of official correspondence. An example of an e-mail address is [email protected].

3) The usage of e-mail service is subject to the rules stipulated in this section and the School ICT Coordinator has the right to revoke such usage if users do not comply with the rules.

4) E-mail is one of the official communication channels within the school. As such, it has to be composed with caution. For example, using upper case is not encouraged as it is considered inappropriate. Users are advised to compose e-mail using simple, courteous and correct language. Users should ensure that the subject corresponds with the content of the e-mail.


5) All official correspondence has to be sent via the official e-mail account. Users should ensure that the recipient’s e-mail address is correctly entered prior to sending the e-mail. The carbon copy (cc) can be used, should there be a need to send the e-mail to other recipients. However, a blind carbon copy (bcc) is not encouraged.

6) Users are not allowed to send e-mail attachments that are greater than 2Mb. Appropriate compression utilities such as WinZip should be used to reduce the size of the attachment.

7) Users should refrain from opening e-mail from unknown or suspicious senders.

8) Users should scan all attachments prior to opening.

9) E-mail is not encrypted by default. Users are prohibited from sending sensitive information unless it has been first encrypted. Please refer to Information Handling Procedure for details.

10) Users should verify the identity of users with whom they communicate and exchange information via e-mail. This is to protect information from any form of misuse.

11) All official e-mail sent or received should be archived accordingly. The user is encouraged to archive the e-mail in other storage media, such as diskettes, for safety reasons.


12) Unimportant e-mail that is no longer needed or has no archival value should be deleted.

13) Users are prohibited from the following:

a) sharing e-mail accounts;

b) using fake accounts and purporting to be valid senders;

c) using e-mail for commercial or political purposes;

d) sending or owning materials that are against the law or cause sexual, ethnic or racial harassment;

e) spamming; and

f) introducing or spreading malicious codes such as virus, worms and Trojan horses that will disrupt the network.


2 Choosing Quality Passwords

2.1 Introduction

Passwords are one of the principal means of validating a user’s authority to access a computer system. Therefore, users should be aware of their responsibilities in maintaining effective access controls particularly regarding the use of passwords. Given the number of passwords that one has to keep track of, it is crucial that the passwords selected are easy to remember and follow good security practices. This section provides some good password security practices that all school users are expected to follow.

2.2 Purpose

The main purpose of this section is to ensure that the registered school users follow the best practices in using and selecting passwords for all application and network systems to which they have access.

2.3 Responsibilities

All school residents who are given access to the school ICT system should comply with the guidelines stipulated in this section.


2.4 Compromise Of Passwords

Over time, passwords may be compromised in many ways. The following are some examples where passwords are compromised.

1) Users share them with friends or co-workers.

2) Written passwords are exposed to others.

3) Passwords are guessed, either by other users or security diagnostic software.

4) The servers that store passwords are compromised, and their passwords are accessed by intruders.

5) Transmitted passwords are compromised and recorded by an intruder.

6) Users are tricked into providing their passwords to intruders via a social engineering effort.

2.5 General Password Rules

1) Passwords are to be kept strictly confidential and are not to be shared. Do not disclose your password to anyone at any time.

2) Do not write your password down or leave it unsecured.

3) Do not leave a computer session unattended unless it is locked and password-protected. Never leave a computer idle for long periods of time - shut it down and reboot when necessary.


4) If you suspect that anyone has gained access to your password, contact the School ICT Coordinator immediately to request a password reset.

5) After three (3) unsuccessful attempts to enter the password, the user shall be disallowed from using the system for a particular time period. Intervention of the School ICT Coordinator will be required to reset the password.

2.6 Password Composition Rules

One of the primary weaknesses of passwords is that they may be guessed. While a user may give up after guessing ten or a hundred possible passwords, there is software which could easily try millions of combinations and break the particular password. Good password composition rules are as follows:

1) To combat password guessing attack, users are advised to pick hard-to-guess passwords.

2) Users are required to choose their passwords from the widest set of characters, subject to the constraints of the possible systems where those passwords reside.

3) Passwords should be at least eight (8) characters long and contain alphanumeric characters (e.g. p@S5w07D).


2.7 Changing And Reusing Of Passwords

1) All default passwords should be changed during the first log on.

2) To limit the possibility of passwords being compromised, a practical solution is to change them regularly, at most every 180 days, and preferably more frequently.

3) Users should not reuse old passwords, as they may have already been compromised.

4) Reuse of a user’s last four passwords should be avoided altogether.


3 Physical Security For The ICT Infrastructure

3.1 Introduction

Physical security is the first layer of defence in any ICT security architecture. The need to physically protect assets from real or perceived threats cannot be overlooked or mitigated by other security disciplines. There is no substitute for good physical security control.

3.2 Purpose

The purpose of these guidelines is to prevent unauthorised access, damage and interference to the ICT Infrastructure that could result in disruption or damage to the school information asset.

3.3 Responsibilities

All school residents who are given access to the ICT Infrastructure are required to observe these guidelines.

3.4 Working In ICT Infrastructure

1) All computing facilities provided by the school are used for facilitating the daily operations and learning activities of the school residents. Therefore, only authorised users such as teachers, students and staff of the school are allowed to use these computing facilities. Third parties (or non-school residents) who wish to use such facilities should be authorised by the School Head.

2) Visitors or users to the computer laboratory, media centre and access centre should log their names, date, time and duration of access in the log book.

3) All students using the computer laboratory should be accompanied by a teacher. Students who need to use the computers in the computer laboratory without supervision of the teacher should obtain permission from authorised personnel.

4) After school hours, access to the computer laboratory must be controlled and monitored.

5) Third parties such as vendors who provide maintenance service to the equipment should be escorted or supervised at all times while in the ICT infrastructure.

6) Doors and windows to the computer laboratory should be locked when unattended.

7) No food and drinks are allowed in the ICT infrastructure.

8) Visitors or users to the computer laboratory should take off their shoes (if necessary) to ensure cleanliness of the place.

9) Users should shut down the system properly to prevent computer damage.

10) Users should log off the system to prevent unauthorised users from accessing the system.


11) Users should keep the ICT infrastructure clean and tidy at all times.

12) Users are not allowed to bring out any equipment or devices which belong to the school. Anyone found stealing or attempting to steal will be subject to disciplinary action.

13) Users are not allowed to relocate the equipment (e.g. switching of monitors), repair the faulty equipment or change the configuration of the system without authorisation by the School ICT Coordinator or authorised school personnel.

14) Users should report to the School ICT Coordinator or assigned school personnel when they notice security incidents or potential security incidents. These include incidents such as break-ins, thefts, and hardware and software failures.

15) Users should prevent computer overheating by not covering the computer monitor vents.

16) All facilities such as air conditioners and lights should be properly used. Users are required to switch on these facilities when using the computer laboratory. Similarly, these facilities should be switched off after use.


4 Mobile Computing

4.1 Introduction

Technological advancement has made mobile computing devices available to a wide audience and these devices are gradually used for easy access. The prevalence of mobile computing devices has opened up various security risks that could compromise the confidentiality, integrity and availability of information. The very nature of mobile computing devices means that they are at a greater risk of theft over their less portable counterparts. The latter are normally located in secure premises with good physical security, whereas mobile computing devices normally reside outside an organisation’s physical security perimeter. This section aims to establish a procedural guidance to be observed by users of mobile computing devices.

4.2 Purpose

This section is established to ensure information and physical securities when using mobile computing devices.

4.3 Responsibilities

All school residents who use mobile computing devices for processing school information are required to adhere to the guidelines outlined in this section.


4.4 Use Of Mobile Computing Devices

1) The use of personal mobile computing devices such as laptops, tablet PCs, palmtops and smart phones for processing school information is prohibited unless they have been first authorised by the school administrator and configured with necessary security controls such as anti-malicious software or personal firewall under the guidance of the School ICT Coordinator.

2) Third party mobile computing devices (owned by contractors or vendors) should not be connected to the school network or granted access without first being authorised by the school administrator and configured with necessary security controls under the guidance of the School ICT Coordinator. This is to prevent virus infection of the school network.

3) All Ministry of Education owned mobile computing devices should be installed with necessary security controls such as anti-malicious software before they are released to the users. Such devices should be automatically configured to receive security updates from the server.

4) Use of mobile computing devices is subject to Acceptable Internet and E-mail Usage.

4.5 Physical Security

1) Mobile computing devices should be physically protected against thefts especially when left in cars and other forms of transport, hotel rooms, conference centres and meeting places.


2) Mobile computing devices carrying important, sensitive or confidential information should not be left unattended and where possible, should be physically locked.

3) It is important that when such devices are used in public places, care should be taken to avoid the risk of accidental disclosure of information to unauthorised persons.

4) Mobile users should report to the School ICT Coordinator or school administrator immediately for any damage and loss of Ministry of Education assets.

5) The movement of all mobile computing devices owned by the Ministry of Education should be recorded.

4.6 Configuration Changes

1) Users should not change the configuration or system settings of mobile computing devices supplied by the Ministry of Education except for official and authorised purposes such as configuring the network settings (IP address, DNS address, etc.) based on the existing network environment.

2) Mobile computing devices supplied by the Ministry of Education should not be altered in any way (e.g. processor upgrade, memory expansion or extra circuit boards). If any changes in software or hardware are required, the users should seek authorisation from the School ICT Coordinator. Only the School ICT Coordinator is allowed to make such changes.


4.7 Connecting Mobile Computing Devices To Unsecured Networks

1) The school network is a protected environment within which mobile computing devices are well protected against infection by malicious software and regular deployment of security updates. Networks outside the perimeter of the school, whether through a wireless local area network at an airport or a broadband Internet connection at home, are considered unsecured networks. In this sort of environment, the device is connected directly to the Internet with none of the protections like firewalls in place. This exposes the device to a great range of threats, including direct attacks from entities on the Internet, whether they be users or malicious codes.

2) Users should refrain from connecting to unsecured networks as this may expose sensitive information to unauthorised parties.

3) If such connection is deemed necessary, users may consider encrypting sensitive information to prevent unauthorised disclosure. Data encryption offers the best protection against the dissemination of sensitive information from lost or stolen devices. Information protected by strong, well implemented, encryption techniques can be rendered useless to a thief.


5 Information Classification And Handling

5.1 Introduction

Information must be handled accordingly to ensure the confidentiality, integrity and availability of the information is not compromised. Information classification and handling activities are performed to safeguard national secrets. Often classified information is kept (or should be kept) segregated from each other. The possible impact on schools and the Ministry of Education of disclosure or alteration of information varies with the type of information. Hence, the effort and cost warranted for protection against these risks varies accordingly. Some basis is therefore required to determine which security measures are applicable to different types of information.

5.2 Purpose

The main purpose of this section is to provide guidelines for the classification of information and the appropriate set of procedures for information handling in accordance with the classification scheme defined.

5.3 Responsibilities

All school residents who are given access to classified information are required to comply with this section.


5.4 Scope Of Coverage

All school information is bound by this section irrespective of:

1) the way information is represented (written, spoken, electronic or other forms);

2) the technology used to handle the information (e.g. file cabinets, fax machines, computers and local area networks);

3) the location of information (e.g. in the office, computer lab or server room); and

4) the lifecycle of information (e.g. origin, entry into a system, processing, dissemination, storage and disposal).

5.5 Information Classification

According to the government’s Arahan Keselamatan, information is classified into five levels:

1) Public: Official documents/information available for public knowledge, viewing or usage.

2) Restricted: Official documents/information excluding those classified as Top Secret, Secret or Confidential but required to be provided with a security measure level. Refer to Table 1: Information Handling.

3) Confidential: Official documents/information if exposed without authorisation, even though it does not endanger national security - could have an impact on national interest or dignity, the activity of the government or the individual; would cause embarrassment or difficulty to the current administration; and would benefit foreign authorities.

4) Secret: Official documents/information if exposed without authorisation would endanger national security, cause substantial loss/damage to the national interest or dignity; and would provide substantial benefit to foreign authorities.

5) Top Secret: Official documents/information if exposed without authorisation would cause extreme loss/damage to the nation.

5.6 Information Handling

1) The asset owner should determine the classification of information.

2) The handling of the information in any form depends on the classification of the information defined by the asset owner.

3) Sufficient security measures for classified information are required to protect the confidentiality, integrity and availability of the information.

4) The existing or planned operating procedures should consider all users who are allowed to view classified information.

5) Users should have knowledge of those who may endanger the security of classified information and must abide by the guidelines or procedures to prevent those people from viewing it.


6) Adequate authorisation and access control should be implemented:

a) to prevent unauthorised people from viewing classified information;

b) as classified information would depend on the level of classification;

c) so that the School ICT Coordinator and information owner can determine the access rights of users who have access to classified information.

7) The following provides the information handling guide for each lifecycle of the information, starting from its creation until destruction.


Table 1: Information Handling

Classification levels: Top Secret, Secret, Confidential, Restricted, Public

Labelling

Electronic Media Labelling

Top Secret, Secret, Confidential, Restricted:
1) Labelled as ‘Top Secret’ or ‘Secret’ or ‘Confidential’ or ‘Restricted’.

Public: Not required

Hardcopy Labelling

Top Secret, Secret, Confidential, Restricted:
1) Labelled as ‘Top Secret’ or ‘Secret’ or ‘Confidential’ or ‘Restricted’ on the front and back covers, and every page of the document. See Arahan Keselamatan – Clause 48-52.
2) Labelled with a reminder. See Arahan Keselamatan – Clause 53.

Public: Not required

Reference

Top Secret, Secret, Confidential, Restricted:
The owners of the respective information should work together with the school’s administrative personnel to define the reference number for each document produced.

Public: Not required

Storage

Storage on Fixed Media

Top Secret, Secret, Confidential, Restricted:
Encrypted where applicable or other compensating controls such as access controls, password management and other network controls.

Public: Not required

Storage on Exchangeable Media

Top Secret, Secret, Confidential, Restricted:
Encrypted where applicable or other compensating controls such as access controls, password management and other network controls.

Public: Not required

Physical Storage

Top Secret, Secret:
1) Strong room or safe with locks.
2) Work in progress can be kept in cabinet (iron) with locks.
3) See Arahan Keselamatan – Clause 58 – 60.

Confidential, Restricted:
1) Cabinet (iron).
2) See Arahan Keselamatan – Clause 58 – 60.

Public: No special storage required

Sending / Transmission / Processing

Sending documents

Top Secret, Secret, Confidential, Restricted:
1) Acknowledgement on receipt of document (2 copies) needs to be prepared.
2) Mail packaging for documents carried securely:
a) Only one (1) envelope with marking, reference number, name and address.
b) The envelope must be sealed.
3) Mail packaging for documents carried unsecurely:
a) Two (2) envelopes required.
b) Internal envelope with marking, reference number, name and address;
c) External envelope with name and address and it must be sealed.
4) See Arahan Keselamatan – Clause 61 – 65.

Public: Not required

Faxing/Telephone/Telegraph

Top Secret, Secret, Confidential, Restricted:
1) Not allowed.
2) See Arahan Keselamatan – Clause 66.

Public: No restriction

Carrying Documents Out from the Office

Top Secret, Secret:
1) Written approval from the Secretary General of the Ministry of Education.
2) See Arahan Keselamatan – Clause 67.

Confidential, Restricted:
1) Written approval from Head of Department is required.
2) See Arahan Keselamatan – Clause 67.

Public: No restriction

Sending via Public Network

Top Secret, Secret, Confidential, Restricted:
1) Encryption where applicable.

Public: Not required

Copying

Top Secret, Secret, Confidential, Restricted:
1) Authorisation from information owner is required.
2) Tracking on the number of copies issued is required.
3) See Arahan Keselamatan – Clause 55-57.

Public: No restriction

Release to Third Parties

Release to Third Parties

Top Secret, Secret, Confidential, Restricted:
1) Not to be released to other countries without the approval of the Government of Malaysia.
2) Release to third parties should be restricted based on the need for such access and is authorised by the information owner.
3) Release to press is not allowed without approval from the information owner.
4) See Arahan Keselamatan – Clause 68 – 70.

Public: Ordinary trash

Granting of Access Rights

Granting of Access Rights

Top Secret, Secret, Confidential, Restricted:
1) Access rights are granted by the information owner
2) The access control is to be implemented by the School ICT Coordinator.

Public: No restriction

Disposal

Physical Disposal

Top Secret, Secret, Confidential, Restricted:
1) Not allowed unless explicitly instructed by the information owner. Total destruction must be performed.
2) Disposal must be logged.
3) Document must be shredded.
4) See Arahan Keselamatan – Clause 71 – 74.

Public: Ordinary trash

Electronic Disposal

Top Secret, Secret, Confidential, Restricted:
Secure delete.

Public: Ordinary delete

Loss of Documents / Information

Reporting of loss

Top Secret, Secret, Confidential, Restricted:
1) Loss of documents/information should be reported immediately to the school administrator within 24 hours.
2) An investigation should be warranted to estimate the impact of such losses. If necessary, a report to external parties such as the police should be made.
3) See Arahan Keselamatan – Clause 75 – 76.

Public: Not required


GLOSSARY

Alphanumeric characters: Consist of the union of the set of alphabetic characters and the set of numeric characters.

Availability: This is the effect on the system and/or the organisation that would result from deliberate or accidental denial of the asset’s use. If a mission-critical system is unavailable to its end users, the organisation’s mission may be affected. Loss of system functionality and operational effectiveness, for example, may result in loss of productive time, thus impeding the end users’ performance of their functions in supporting the organisation’s mission.

Broadband: A type of data transmission in which a single medium (wire) can carry several channels at once.

Confidentiality: This is the effect on the system and/or the organisation that would result from the deliberate, unauthorised or inadvertent disclosure of the asset. The effect of unauthorised disclosure of confidential information can result in loss of public confidence, embarrassment, or legal action against the organisation.

E-mail: Short for electronic mail, one or many, the transmission of messages over communication networks.

Encryption: The translation of data into a secret text of gibberish that is not readable to unauthorised parties.


Exchangeable media: Material used to store data that can be taken out of a machine. Examples include floppy disc, magnetic tape and compact disc.

Firewall: A system designed to prevent unauthorised access to or from a private network.

Fixed media: Mass storage in which the material that holds data is a permanent part of the device. An example is a hard drive.

Information owner: Individual/Division/Department/Unit who/whom is referred to as the proprietor of an asset.

Integrity: This is the effect on the system and/or the organisation that would result from the deliberate, unauthorised or inadvertent disclosure of the asset. The effect of unauthorised disclosure of confidential information can result in loss of public confidence, embarrassment, or legal action against the organisation.

Internet: A global network connecting millions of computers.

Local Area Network: A network of computers confined within a small area such as an office building or school.

Malicious code: A programme or piece of code that is loaded onto the computer without the owner’s knowledge and runs against the owner’s wishes. Examples include virus, worm and Trojan horse.

Malicious software: A programme or piece of code that is loaded onto the computer without the owner’s knowledge and runs against the owner’s wishes. Examples include virus, worm and Trojan horse.


Mobile Computing: Portable-computing devices that can connect by cable, telephone wire, wireless transmission, or via any Internet connection to any network infrastructure and/or data systems. Examples of mobile computing devices include notebooks, palmtops, laptops and mobile phones.

Password: One of the means of user authentication. A password contains a series of characters entered by the users to gain access to the system.

School ICT Coordinator: A person who is appointed by the school to be in charge of management and coordination of the school ICT infrastructure.

Secure delete: Assure the total wipe out of magnetically recorded information.

Social Engineering: In the field of computer security, social engineering is the practice of obtaining confidential information by manipulation of legitimate users.

Spam: Electronic junk mail or more generally referred to as unsolicited e-mail.

Trojan horse: A Trojan Horse portrays itself as something other than what it is at the point of execution. While it may advertise its activity after launching, this information is not apparent to the user beforehand. A Trojan Horse neither replicates nor copies itself, but causes damage or compromises the security of the computer. A Trojan Horse must be sent by someone or carried by another program and may arrive in the form of a joke program or software of some sort. The malicious functionality of a Trojan Horse may be anything undesirable for a computer user, including data destruction or compromising a system by providing a means for another computer to gain access, thus bypassing normal access controls.

Users: Residents of schools who are using the ICT facilities provided. For example, teachers, students, clerks, administrators and others.

Virus: A virus is a program or code that replicates itself onto other files with which it comes in contact; that is, a virus can infect another programme, boot sector, partition sector, or a document that supports macros, by inserting itself or attaching itself to that medium. Most viruses only replicate, though many can do damage to a computer system or a user’s data as well.

Wireless: A method of communication that uses radio waves to transmit data between devices.

Worm: A worm is a programme that makes and facilitates the distribution of copies of itself; for example, from one disk drive to another, or by copying itself using e-mail or another transport mechanism. The worm may do damage and compromise the security of the computer. It may arrive via exploitation of system vulnerability or by clicking on an infected e-mail.


References

1) Malaysian Public Sector Management of Information & Communications Technology Security Handbook (MyMIS).

2) Pekeliling Kemajuan Pentadbiran Awam Bilangan 1 Tahun 2003 - Garis Panduan Mengenai Tatacara Penggunaan Internet Dan Mel Elektronik Di Agensi-agensi Kerajaan.

3) Buku Arahan Keselamatan.

4) Prosedur dan Dasar Pengurusan Keselamatan Sekolah Bestari Versi 2.0.

Enquiries

Enquiries about this document should be directed to:

Director
Educational Technology Division
Ministry Of Education
Pesiaran Bukit Kiara
50604 Kuala Lumpur
(Attn : Infrastructure and Repository Sector)

Tel.: 03-2098 7768/6245
Fax: 03-2098 6242
E-mail: [email protected]


CONTRIBUTORS

ADVISOR

Dato’ Haji Yusoff bin Harun Director

Educational Technology Division

EDITORIAL BOARD

Khalidah binti Othman Educational Technology Division

Chan Foong Mae Educational Technology Division

Anthony Gerard Foley Educational Technology Division

Haji Mohd Azman bin Ismail Educational Technology Division

Mohd Arifen bin Naim Educational Technology Division

Yap Ley Har Educational Technology Division

Junainiwati binti Mohd Deris Educational Technology Division

Roimah binti Dollah Educational Technology Division

Nik Fajariah binti Nik Mustaffa Educational Technology Division

Rozina binti Ramli SMK Aminuddin Baki, Kuala Lumpur

Nirmal Kaur SMK Victoria, Kuala Lumpur

Mohd Hisham bin Abdul Wahab SMK(L) Methodist, Kuala Lumpur

Ab. Aziz bin Mamat Sekolah Seri Puteri, Selangor

Abd Aziz bin Mohd Hassan SMK USJ 8, Selangor

Widiana binti Ahmad Fazil SMK Pandan Jaya, Selangor

Rogayah binti Harun Kolej Tunku Kurshiah, Negeri Sembilan

Mohd Zali bin Zakri SM Sains Tuanku Jaafar, Negeri Sembilan

Jaya Lakshmi a/p Mutusamy SMK(A) Persekutuan Labu, Negeri Sembilan

Azmi bin Abdul Latiff SMK(A) Persekutuan Labu, Negeri Sembilan

Haji Zulkiflee bin A. Rahman SM Teknik Muar, Johor

Daud bin Yusof SMK Buluh Kasap, Johor