PROTECTIVE SECURITY MANAGEMENT IN CRITICAL SECTORS OF
MALAYSIAN GOVERNMENT AGENCIES
BY
MOHD SAIFUL HISHAM BIN MD. SALLEH
A dissertation submitted in fulfilment of the requirement for the Master of Protective Security Management
Kulliyah of Information and Communication Technology International Islamic University Malaysia
DECEMBER 2016
ABSTRACT
Crime, opportunities for rule-breaking violations, and weaknesses or gaps in a security program, including structural, procedural, policy, electronic, human and other elements, provide opportunities to attack government assets and critical information. Statistics and the case study show that the vulnerable areas need to be improved soon. Thus, the government must use a systematic approach to assess a government department's security posture, analyze the effectiveness of the existing security program and tools, and identify security weaknesses. To implement protective security standards, agencies are required to clearly identify internal security governance structures and delineate responsibilities. Follow-up and follow-through across all levels of public servants are most required. There are many benefits an organization will enjoy when it makes those improvements, not the least of which is the budget justification for creating a security awareness program that will help boost security effectiveness overall. Organizations that have achieved a high level of security effectiveness are better able to identify major security breaches, secure confidential information, limit physical access to government assets, and achieve compliance with legal and self-regulatory frameworks. Organizations that maximize the efficacy of their security awareness programs stand to benefit not only from better incident prevention, but from many other benefits as well, including improved reputation and customer loyalty.
APPROVAL PAGE
I certify that I have supervised and read this study and that in my opinion, it conforms to acceptable standards of scholarly presentation and is fully adequate, in scope and quality, as a dissertation for the Master of Protective Security Management
Jamaluddin bin Ibrahim Supervisor
I certify that I have read this study and that in my opinion it conforms to acceptable standards of scholarly presentation and is fully adequate, in scope and quality, as a dissertation for the Master of Protective Security Management.
Nurul Nuha binti Abdul Molok Examiner
This dissertation was submitted to the Kulliyah of Information and Communication Technology and is accepted as a fulfilment of the requirement for the Master of Protective Security Management.
Lili Marziana binti Abdullah Head, Centre for IT Advancement
This dissertation was submitted to the Kulliyyah of Information and Communication Technology and is accepted as a fulfilment of the requirement for the Master of Protective Security Management.
Abdul Wahab bin Abdul Rahman Dean, Kulliyah of Information and Communication Technology
DECLARATION
I hereby declare that this dissertation is the result of my own investigations, except
where otherwise stated. I also declare that it has not been previously or concurrently
submitted as a whole for any other degrees at IIUM or other institutions.
Mohd Saiful Hisham bin Md. Salleh
Signature: ....................  Date: ....................
INTERNATIONAL ISLAMIC UNIVERSITY MALAYSIA
DECLARATION OF COPYRIGHT AND AFFIRMATION OF FAIR USE OF UNPUBLISHED RESEARCH
PROTECTIVE SECURITY MANAGEMENT IN CRITICAL SECTORS OF MALAYSIAN GOVERNMENT AGENCIES
I declare that the copyright holder of this dissertation is Mohd Saiful Hisham bin Md. Salleh
Copyright © 2016 Mohd Saiful Hisham Md. Salleh. All rights reserved.
No part of this unpublished research may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise without prior written permission of the copyright holder except as provided below
1. Any material contained in or derived from this unpublished research may only be used by others in their writing with due acknowledgement.
2. IIUM or its library will have the right to make and transmit copies (print or electronic) for institutional and academic purpose.
3. The IIUM library will have the right to make, store in a retrieval system and supply copies of this unpublished research if requested by other universities and research libraries.
By signing this form, I acknowledged that I have read and understand the IIUM Intellectual Property Right and Commercialization policy.
Affirmed by Mohd Saiful Hisham bin Md. Salleh
Signature Date
This dissertation is dedicated to my late parents for laying the foundation of what I turned out to be in life.
ACKNOWLEDGEMENTS
All glory is due to Allah, the Almighty, whose Grace and Mercies have been with me throughout the duration of my programme. Although, it has been tasking, His Mercies and Blessings on me ease the herculean task of completing this thesis.
My gratitude goes to my beloved wife, Syaidatul Izam binti Arshad and lovely children; Arif Ajmal, Arif Farhan and Ibrahim Naufal for their prayers, understanding and endurance while away.
I am most indebted to my supervisor, Prof. Jamaluddin bin Ibrahim, whose enduring disposition, kindness, promptitude, thoroughness and friendship have facilitated the successful completion of my work. I put on record and appreciate his detailed comments, useful suggestions and inspiring queries which have considerably improved this thesis. His brilliant grasp of the aim and content of this work led to his insightful comments, suggestions and queries which helped me a great deal. Despite his commitments, he took time to listen and attend to me whenever requested. The moral support he extended to me is in no doubt a boost that helped in building and writing the draft of this research work.
Once again, we glorify Allah for His endless mercy on us one of which is enabling us to successfully round off the efforts of writing this thesis.
Alhamdulillah.
TABLE OF CONTENT
Abstract
Abstract in Arabic
Approval Page
Declaration
Copyright
Dedication
Acknowledgement
List of Tables
List of Figure
List of Abbreviations
CHAPTER ONE: AN OVERVIEW OF PROTECTIVE SECURITY MANAGEMENT INTRODUCTION
1.0 Introduction
1.1 Research Background
    1.1.1 Protective Security Management
    1.1.2 Physical Security
    1.1.3 Document and Information Security
    1.1.4 Personnel Security
1.2 Problem Statement
1.3 Research Question
1.4 Research Objective
1.5 Overview of Research Design
    1.5.1 Contextual Study
    1.5.2 Document Review
    1.5.3 Case Study
1.6 Significant of Research
CHAPTER TWO: PROTECTIVE SECURITY MANAGEMENT IN MALAYSIA
2.0 Introduction
2.1 Protective Security Management in Malaysian Government Agencies
2.2 Physical Security
2.3 Document Security
2.4 Personnel Security
2.5 Conclusion
CHAPTER THREE: RESEARCH DESIGN
3.0 Introduction
3.1 Conceptual Study
3.2 Data Collection
3.3 Data Analysis
3.4 Result Reporting
3.5 Qualitative Research
3.6 The Role of Researcher
3.7 Data Collection
CHAPTER FOUR: ANALYSIS AND FINDINGS
4.0 Introduction
4.1 Findings from Document Review
    4.1.1 Education
    4.1.2 Health
    4.1.3 Security
4.2 Findings from Case Study
4.3 Conclusion
CHAPTER FIVE: DISCUSSION AND CONCLUSION
5.0 Introduction
5.1 Contribution to Research
5.2 Contribution to Practice
5.3 Conclusion
REFERENCES
APPENDIX I: QUESTIONNAIRES SURVEY FORM
APPENDIX II: CLARIFICATION UNDER OFFICIAL SECRET ACT 1972, SAFEGUARDING AN OFFICIAL SECRET INFORMATION FORM
APPENDIX III: CLARIFICATION UNDER OFFICIAL SECRET ACT 1972, SAFEKEEPING AN OFFICIAL SECRET INFORMATION FORM AFTER RETIREMENT
LIST OF TABLES
Table 3.4a Statistics on Standard and Compliance Security Audit 2015
Table 4.1 Finding population on non-conformance protective security directive within 3 critical sectors
Table 4.2 Comparison between actual incidents of the physical security, document/information security and personnel security in year 2015 in Putrajaya
Figure 4.2b Incident case report on news
LIST OF FIGURE
Figure 1.1 Framework of Protective Security Management
Figure 1.1.2a Layered Security Approach
Figure 1.1.2b Layered Security
Figure 1.2a Various Incident Case Reported by Media
Figure 1.2b Information Leakage in Government Agencies
Figure 1.2c Various Social Media Used to Leak Official Information
Figure 1.2d Spying Activity by The Mask
Figure 4.2 Incident Case Report On News
LIST OF ABBREVIATIONS
CCTV    Close Circuit Television
CGSO    Chief Government Security Officer
CPTED   Crime Prevention Through Environmental Design
DSO     Departmental Security Officer
GSO     Government Security Officer
HOD     Head of Department
ICT     Information and Communication Technology
RMP     Royal Malaysia Police
CHAPTER I
AN OVERVIEW OF PROTECTIVE SECURITY MANAGEMENT
1.0 INTRODUCTION
The rapid advancement and change of threats in this era of globalization challenge the
complexity of security system protection strategy. Although the Chief Government
Security Office (CGSO) is responsible for regularizing the implementation of the
protective security system by formulating the best solution on the progress, development
and changes in government agencies, at the end of the day the agencies themselves will
determine the outcome. As the agency responsible for protective security,
CGSO is constantly working to ensure that policies, directives and regulations are
strictly followed by the Heads of Department as well as the civil servants to protect
government assets. Through the 'Arahan Keselamatan', well known as the 'black book', all
government agencies and personnel are guided on how to protect government assets.
Protective security uses a multi-layered approach including physical security,
document security as well as information security, and personnel security. This is in line
with The Protective Security Requirement by New Zealand Information Security Manual,
2016, which outlines Protective Security as the Government's expectations for
managing personnel, physical and information security, a better approach to manage
business risks and assure continuity of service delivery. The policy clearly sets out what
agencies must and should consider to ensure that they are managing security effectively.
It provides a policy framework that, when implemented, guides a pathway for
successfully protecting people, information and assets. From the Malaysian government
perspective, protective security systems are well performed by the ministries, agencies,
state government agencies, local authorities and also the government-linked companies.
To ensure they comply with the protective security framework, they are
required to do yearly self-auditing through the security checklist provided. Then,
they formulate the plan, do, check and act cycle to ensure the effectiveness of the
protective security system in their department.
1.1 RESEARCH BACKGROUND
This research analyzes how protective security management in the Malaysian
Government provides the maximum security protection for government assets, especially
in the selected government critical sectors. With regard to the government's new slogan,
'people first, perform now', a better understanding of how to mitigate risk and to assure
continuity of quality service delivery and the smooth running of the government's role
becomes a top priority. In the Australian Government Human Services perspective, for
instance, asset protection identifies assets as the property and items you or your partner
own or have an interest in, including assets held outside Australia, which can affect your
payment. Thus, protective security management plays an important role in mitigating any
opportunity for potential loss as it relates to their risk environment.
1.1.1 Protective Security Management
Protective security management is a set framework of policies, guidelines, controls
and protocols which are the government's mandatory requirements and management
requirements related to security governance. These have been applied in the New Zealand
Government as per Figure 1.1. The ultimate aim of protective security is to safeguard
government assets and also people from any opportunities of loss and to mitigate any risk
environment. The 'defense in depth' approach, for instance, means combining several
measures to counter any possible risks and vulnerabilities, such as unauthorized
access, acts of sabotage, espionage and subversive activities. Physical security,
document and information security as well as personnel security should
complement and support one another to give the maximum security protection in
government agencies. Protective security management is widely known and practiced
in Commonwealth countries, i.e. Singapore, Australia, New Zealand, and the United
Kingdom. Most of these countries view protective security as comprising the key elements
of physical security, document security, information security and personnel security.
[Figure 1.1 diagram; legible text: "protecting our people, information and assets"]
Figure 1.1: Framework of Protective Security Management in New Zealand Government
1.1.2 Physical Security
The United States Geological Survey (2005) gives the best definition of physical
security:
There is no object so well protected that it cannot be stolen, damaged, destroyed, or
observed by unauthorized individuals. A balanced security system provides protection
against a defined set of threats by informing the user of attempted intrusions and
providing resistance to the would-be intruder's attack paths.
The first part of this definition is common to all security efforts; we cannot stop a
highly motivated attacker. The second sentence of the above definition states the
objective of physical security, which is to prevent any attack on an asset. Said another
way, the purpose of physical security is to delay an intruder's advance toward a target
long enough to detect and respond with human intervention. Human intervention includes
on-site security guards, police, or other relevant human controls. Layered security as
per Figure 1.1.2a also applies to physical security. Each layer supports the others to
prevent successful intrusions. For our purposes, I placed controls into two categories:
deterrence and delay (prevention) and detection and response (disseminate).
Figure 1.1.2a: Layered security approach
Layered security as per Figure 1.1.2b also applies to physical security. Achieving physical
security objectives requires policies, standards, guidelines, and controls addressing
prevention, detection, delay, response, and assessment. We identify gaps with physical
security risk assessments and surveys, similar to those used for logical security. Through
all physical security planning, we must remember one very important principle: ensuring
human safety is the most important outcome.
[Figure: layered security diagram with the labels Site Perimeter, Site, Building, Target]
Figure 1.1.2b: Layered security
1.1.3 Document and Information Security
Information security is a combination of governance, assurance, protective and
procedural measures designed to mitigate risks associated with producing, handling,
transmitting, storing and protecting all government information and assets. It includes
measures relating to the confidentiality, availability, and integrity of information that is
processed, stored and communicated by electronic and other means. All important
information associated with producing, handling, transmitting and safekeeping may also
be protected under the law, i.e. the Official Secret Act, to avoid any exploitation by threats
to gain unauthorized access to the information or any occurrence of leakage. Agencies must
protectively mark official information and material in accordance with the Circular of
Governing Official Secret Information In Line With the Official Secret Act 1972.
Agencies must adopt the compliance approach to cover all areas of protective security
across their organization, in accordance with the directives. Non-compliance with those
directives may increase residual risk for the agency. This residual risk needs to be agreed
and acknowledged by the head of department. Compliance with the information security
guideline or policy enables high assurance within agency information management
systems and promotes adherence to the government mission. This will help the head
of department to meet their oversight responsibilities.
1.1.4 Personnel Security
Personnel security focuses on assessing the trustworthiness, integrity and reliability of
staff, vendors and contractors. It involves identifying suitable staff, educating staff on
their responsibilities and evaluating their continuing suitability. Appropriate personnel
security is vital for the protection of people, information and assets. The Protective
Security Requirement by New Zealand Government, 2016 indicates 7 mandatory
requirements relating to personnel security that agencies must follow. They include:
1.1.4.1 ensuring all personnel are, and remain, suitable to access official information and
resources;
1.1.4.2 identifying who needs a security clearance and at what level within an agency;
1.1.4.3 keeping an agency register of personnel with security clearances;
1.1.4.4 sponsoring their employees and contracted staff for security clearance vetting;
1.1.4.5 receiving a recommendation from the government before the agency head grants
a security clearance;
1.1.4.6 having personnel security clearance management arrangements in place for all
clearance holders; and
1.1.4.7 notifying the government when a clearance holder experiences a change in their
personal circumstances which might affect their suitability to hold a security
clearance.
The Centre for Protection of National Infrastructure, UK, 2015 describes personnel
security as a system of policies and procedures which seek to manage the risk of staff
(permanent, temporary or contract staff) exploiting, or intending to exploit, their
legitimate access to an organisation's assets or premises for unauthorised purposes. Although
many organisations regard personnel security as an issue resolved during the recruitment
process, it is a discipline that needs to be maintained throughout a member of staff's time
in employment. This includes robust pre-employment screening, effective line
management, employee welfare, clear lines of communication, and a strong security culture. It
should also include a formal process for managing staff leaving the business.
When applied consistently, personnel security measures not only reduce operational
vulnerabilities, they can also help build a hugely beneficial security culture at every level
of an organisation. Robust personnel security helps organisations to:
• employ reliable people;
• minimise the chances of staff becoming unreliable once they have been employed;
• detect suspicious behaviour and resolve security concerns once they emerge.
1.2 PROBLEM STATEMENT
The Government has launched an ongoing programme designed by Malaysian Prime
Minister Najib Tun Razak on 16 September 2010, calling for the cabinet, government
agencies, and civil servants to more strongly emphasize ethnic harmony, national unity,
and efficient governance. As 'people first, performance now' becomes the ultimate
yardstick of quality for government services to citizens, there must be a quality
standard of government protective security system employed to ensure good quality of
service to them and to guarantee the smooth running of government functions.
There are many angles of security threats in government agencies. In this
research study, however, our focus is on the increasing security breaches, break-in
incidents, top secret information leaks, theft of government assets and counterfeiting of
government documents that have recently happened and that would affect the confidence of
the public and investors in the government mission. Web Business Dictionary, 2016 describes a
security breach as an act from outside an organization that bypasses or contravenes
security policies, practices, or procedures. A similar internal act is called a security
violation. This may happen when a co-worker opens an unknown email containing multiple
viruses, which infects our data center and causes a large security breach in our network.
Break-in incidents and theft of government assets (Figure 1.2a) as reported in the media
will also portray a bad image and reputation to the people.
[Figure: newspaper clippings; legible headlines include "Three schools lose laptops, LCDs worth RM230 000" and "Perompak pecah masuk mahkamah" (Robbers break into court)]
Figure 1.2a: Various incident case reported by media
Information leakage, the way in which confidential information reaches the media
through unofficial channels, or the unofficial passing of secret information or information
which has not yet been published to newspapers or television stations, is among the
yearly threats that we face (Figure 1.2b).
Figure 1.2b: Information leakage in government agencies
Bloggers, social media and interactive social media such as WhatsApp,
Instagram and Facebook are identified as the most popular media used to leak official
information (Figure 1.2c).
                             2012   [not legible]   2014   2015
WhatsApp/Facebook/SMS           1               -      8      4
Website/Blog                    1               2      3      5
Facsimile/Media Statement       -               -      4      3
TOTAL                           2               2     15     12
Figure 1.2c: Various social media used to leak official information
Official secret government information may be sniffed by hackers through
back doors by inserting malware, which could spy on any data from a critical office
or department. According to Edward Snowden, the NSA uses the PRISM and XKeyscore programs
to search and analyze global Internet data, which it collects on a daily basis. Meanwhile,
Kaspersky Lab has detected the use of malware code to steal critical information in
Malaysian cyberspace (Figure 1.2d).
[Figure: newspaper clipping from Berita Harian (National), page 6, dated 5 May 2015 (Tuesday), headlined "The Mask dikesan mengintip 7 tahun" (The Mask detected spying for 7 years). The legible text reports that the malware known as 'The Mask' was found by the international security firm Kaspersky Labs after seven years of spying in targeted cyberspace, and that it has targeted government organisations, embassies and corporations in 31 countries.]
Figure 1.2d: Spying activity by The Mask
Crime, opportunities for rule-breaking violations, and weaknesses or gaps in a security
program, including structural, procedural, electronic, human and other elements,
provide opportunities to attack government assets. Thus, the government must use a
systematic approach to assess a government department's security posture, analyze
the effectiveness of the existing security program and tools, and identify security
weaknesses.
1.3 RESEARCH QUESTION
The research questions are based on the key elements of protective security measures, whereby
the assessment gathers data that reflects the who, what, how, where, when, and why
of a government department being threatened by security incidents. This is to determine
what opportunities exist to exploit current security policies and procedures,
physical security equipment, classified documents and information, and personnel
security. What are the most critical areas in governing the protective security system