ICT Security Policy in a Higher Education Institution in Malaysia


Fardzah Sulaiman (University Sains Malaysia, Malaysia), T. Ramayah (University Sains Malaysia, Malaysia) and Azizah Omar (University Sains Malaysia, Malaysia)
DOI: 10.4018/978-1-61520-847-0.ch021


Information and communication technology (ICT) is an important strategic and essential functional requirement for many institutions of higher learning. In the developing world, ICT is achieving breakthroughs in management and teaching through online learning, which helps to cater for the increasing student population. However, the security of the information being processed, stored and exchanged is a growing concern to management as dependence on ICT for most of the institutions' core service functions increases. This chapter discusses the current state of ICT security policy practices in University Science of Malaysia (USM), one of the Higher Education Institutions in Malaysia. USM has been granted accelerated programme for excellence (APEX) status on the strength of its mission of readiness, its transformation plan and its preparedness to change and transform itself into Malaysia's first world-class university. The discussion covers the problems and consequences of ICT risks, and ICT awareness. It also highlights the ICT policy guideline, ICT security policy formulation, ICT security management safeguards and principles, and the ICT security and adherence compliance plan.
Chapter Preview

ICT Security

ICT security can be defined as “the process of ensuring business continuity and services provision free from unacceptable risk. It also seeks to minimize disruptions or damage by preventing and minimizing security incidents” (report from Public Sector ICT Security Policy, 2000, p. 1).

The purpose of an ICT security policy is to help stakeholders provide effective and efficient services and to ensure that all users of the ICT systems are aware of the security risks that are always present, such as threats that may be internal or external, deliberate or accidental. The ICT security policy in an HEI will contain standards for information security and comprehensive sets of security controls to improve the level of security within the organisation. In addition to this policy, a wide-ranging set of standards, procedures and protocols governing the use of ICT is available on the Intranet.

The Government of Malaysia is committed towards modernising its administrative machinery and enhancing its service delivery mechanisms. The process of ensuring an efficient and effective public sector is being driven by the enabling capabilities of information and communication technology (ICT). The resultant widespread adoption of ICT systems by the public sector has meant that more and more government agencies are moving towards the paperless work environment where ICT systems have become indispensable for the provision of government services to citizens.

Key Terms in this Chapter

Malaysian Administrative Modernisation and Management Planning Unit (MAMPU): Plays a leading role in implementing modernization strategies for the Malaysian Public Service. In carrying out this responsibility, MAMPU focuses on initiatives that could upgrade the quality, efficiency, effectiveness, and integrity of the Malaysian Public Service. These initiatives encompass the areas of quality acculturation, organizational development, management integrity, ICT development, and enhancing the relationship between the public sector and the private sector.

Malaysian Public Sector ICT Management Security Handbook (MyMIS): Intended as a reference and guide for public sector personnel in managing security in all public sector ICT installations. MyMIS serves to complement the ICT security measures taken earlier by the Government by way of Pekeliling Am Bil. 3 Tahun 2000 entitled ‘Rangka Dasar Keselamatan Teknologi Maklumat dan Komunikasi Kerajaan’ (Government Information and Communications Technology Security Policy Framework) and Surat Pekeliling Am Bil. 1 Tahun 2001 entitled ‘Mekanisme Pelaporan Insiden Keselamatan Teknologi Maklumat dan Komunikasi (ICT)’ (Information and Communications Technology (ICT) Security Incident Reporting Mechanism).

Chief Information Security Officer (CISO): A job that focuses on information security within an organization. The CISO of the organization is the policy maker, security operations is the implementer, and the IT Auditor is the person who verifies compliance. A CISO is mandated to continuously question the existing standards in the light of changes in the environment and to make suitable changes to the policies of the organization.

Information and Communication Technology (ICT): A term that covers all advanced technologies for manipulating and communicating information, particularly in two communities: education and government. It is a general term that describes any technology that helps to produce, manipulate, store, communicate, and/or disseminate information. When speaking of Information Technology (IT) as a whole, the use of computers and the use of information are presumed to be associated.

Higher Education Institution (HEI): A level of education that is provided by universities, vocational universities, community colleges, liberal arts colleges, institutes of technology and other collegiate level institutions, such as vocational schools, trade schools and career colleges, that award academic degrees or professional certifications.

Pusat Pengetahuan, Komunikasi dan Teknologi (PPKT): The Centre for Knowledge, Communication and Technology (PPKT is the Malay acronym) provides ICT planning and implementation for ICT-related projects. Apart from running the operational ICT services, PPKT provides consultancy and advice to the University Science of Malaysia with regard to utilising, managing and linking Knowledge, Information, Communications and Technology.
