PROTECTIVE SECURITY MANAGEMENT IN CRITICAL SECTORS OF

MALAYSIAN GOVERNMENT AGENCIES

BY

MOHD SAIFUL HISHAM BIN MD. SALLEH

A dissertation submitted in fulfilment of the requirement for the Master of Protective Security Management

Kulliyah of Information and Communication Technology International Islamic University Malaysia

DECEMBER 2016

ABSTRACT

The crime, opportunities for rule breaking violations, weakness or gap in a security program include structural, procedural, policy, electronic, human and other elements would provide opportunities to attack government assets and critical information. Statistics and case study shows that the vulnerable area need to improve soon. Thus, the government must do a systematic approach used to assess a government department's security posture, analyze the effectiveness of the existing security program and tools, and identify security weaknesses. To implement protective security standards, agencies are required to clearly identify internal security governance structures and delineate responsibilities. The follow up and follow through movement across level of public servant are most required. There are many benefits an organization will enjoy when it makes those improvements, not the least of which is the budget justification for creating a security awareness program that help will boost security effectiveness overall. Organizations that have achieved a high level of security effectiveness are better able to identify major security breaches, secure confidential information, limit physical access to government assets, and achieve compliance with legal and self-regulatory frameworks. Organizations that maximize the efficacy of their security awareness programs stand to benefit not only from better incident prevention, but many other benefits as well, including improved reputation and customer loyalty.

II

111

APPROVAL PAGE

I certify that I have supervised and read this study and that in my opinion, it conforms to acceptable standards of scholarly presentation and is fully adequate, in scope and quality, as a dissertation for the Master of Protective Security Management

Jamaluddin bin Ibrahim Supervisor

I certify that I have read this study and that in my opinion it conforms to acceptable standards of scholarly presentation and is fully adequate, in scope and quality, as a dissertation for the Master of Protective Security Management.

Nurul Nuha binti Abdul Molok Examiner

This dissertation was submitted to the Kulliyah of Information and Communication Technology and is accepted as a fulfilment of the requirement for the Master of Protective Security Management.

Lili Marziana binti Abdullah Head, Centre fo r IT Advancement

This dissertation was submitted to the Kulli yyah of Information and Communication Technology and is accepted as a fulfilment of the requirement for the Master of Protective Security Management.

IV

Abdul Wahab bin Abdul Rahman Dean, Kulliyah of Information and Communication Technology

DECLARATION

I hereby declare that this dissertation is the result of my own investigations, except

where otherwise stated. I also declare that it has not been previously or concurrently

submitted as a whole for any other degrees at IIUM or other institutions.

Mohd Saiful Hisham bin Md. Salleh

Signature .......................................... Date ... . ....... .............. .

V

INTERNATIONAL ISLAMIC UNIVERSITY MALAYSIA

DECLARATION OF COPYRIGHT AND AFFIRMATION OF FAIR USE OF UNPUBLISHED RESEARCH

PROTECTIVE SECURITY MANAGEMENT IN CRITICAL SECTORS OF MALAYSIAN GOVERNMENT AGENCIES

I declare that the copyright holder of this dissertation is Mohd Saiful Hisham bin Md. Salleh

Copyright© 20I6MohdSaifu1HishamMd.Salleh. All rights reserved.

No part of this unpublished research may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise without prior written permission of the copyright holder except as provided below

1. Any material contained in or derived from this unpublished research may only be used by others in their writing with due acknowledgement.

2. IIUM or its library will have the right to make and transmit copies (print or electronic) for institutional and academic purpose.

3. The IIUM library will have the right to make, store in a retrieval system and supply copies of this unpublished research if requested by other universities and research libraries.

By s igning this form, I acknowledged that I have read and understand the IIUM Inte llectual Property Right and Commercialization policy.

Affirmed by Mohd Saiful Hisham bin Md. Salleh

Signature Date

VI

This dissertation is dedicated to my late parents for laying the foundation of what I turned out to be in life.

V II

ACKNOWLEDGEMENTS

All glory is due to Allah, the Almighty, whose Grace and Mercies have been with me throughout the duration of my programme. Although, it has been tasking, His Mercies and Blessings on me ease the herculean task of completing this thesis.

My gratitude goes to my beloved wife, Syaidatul Izam binti Arshad and lovely childrens; Arif Ajmal, Arif Farhan and Ibrahim Naufal for their prayers, understanding and endurance while away.

I am most indebted to by supervisor, Prof. Jamaluddin bin Ibrahim, whose enduring disposition, kindness, promptitude, thoroughness and friendship have facilitated the successful completion of my work. I put on record and appreciate his detailed comments, useful suggestions and inspiring queries which have considerably improved this thesis. His brilliant grasp of the aim and content of this work led to his insightful comments, suggestions and queries which helped me a great deal. Despite his commitments, he took time to listen and attend to me whenever requested. The moral support he extended to me is in no doubt a boost that helped in building and writing the draft of this research work.

Once again, we glorify Allah for His endless mercy on us one of which is enabling us to successfully round off the efforts of writing this thesis.

A lhamdul ill ah.

VIII

TABLE OF CONTENT

Abstract ...... .. ... ...... .. ..................... . . . ......................................... 11

Abstract in Arabic ....... ............................................................... .iii Approval Page .... ....... ..... ... .............. .. ......................................... iv Declaration .................................................... . .... . ....................... v Copyright .................................................................................. vi Dedication . ... ................................. ..... ..................................... v ii Acknowledgement ..................................................................... viii List of Tables ............................................................................. xi List of Figure ............... ............................................................. xii List of Abbreviations .................................................................... xiii

CHAPTER ONE: AN OVERVIEW OF PROTECTIVE ........................ 1 SECURITY MANAGEMENT INTRODUCTION

1.0 Introduction ............................................................ . ........ 1 1 .1 Research Background ......................... ........ ........................ 2

1.1.1 Protective Security Management .................................... 2 1.1.2 Physical Security ........................................................ 3 1. 1.3 Document and Information Security ................... . .... ...... .. 5 1.1.4 Personnel Security ...................................................... 6

1.2 Problem Statement. ............................................................ 8 1.3 Research Question .................................... . .......................... 11 1.4 Research Objective .................................. . .. . .. ... .... ....... ...... 12 1.5 Overview of Research Design ....................... .. .. . .. .... . ............ 13

1.5.1 Contextual Study ............. .... .... ...... . . ........... ..... .... .. ... 13 1.5.2 Document Review ..................... . ................. ... .......... 13 1.5.3 Case Study ... . . .. ...... ... .... ............... ........ ................. 13

1.6 Significant of Research ..... . .... ... .. . ....... ........... . ................... 13

CHAPTER TWO: PROTECTIVE SECURITY MANAGEMENT .......... 15 IN MALAYSIA.

2.0 Introduction .......................... .............. . ... .......... .... .. ........ 15

2.1 Protective Security Management in Malaysian ... ....... ...... .......... 16 Government Agencies

2.2 Physical Security ............................................................. 18

2.3 Document Security .......... ..... ..... .............................. ........ . 19 2.4 Personnel Security .. . ..... ... . . .. .. . ..... ............ . .. . .... . .. . . .. ....... .. . 20 2.5 Conclusion ...... ............................... ... ............................. 22

CHAPTER THREE: RESEARCH DESIGN ................................... .... 27 3.0 Introduction ... .. ........... .... ....................... . ...... ..... . ..... .... ... 27 3. I . Conceptual Study ............................................................ 27 3.2 Data Collection ...... ... ....... ...... ............................... ......... 28 3.3 Data Analysis . ... . ............. . ... ........... . . . ............. .. ... . .......... 28

IX

3.4 Result Reporting ............................................................. 28 3.5 Qualitative Research ........................................................ 29 3 .6 The Role of Researcher. ..................................................... 29 3.7 Data Collection ................................................................. 30

CHAPTER FOUR: ANALYSIS AND FINDINGS ............................... 33 4.0 Introduction .................................................................... 33 4.1 Findings from Document Review ........................................... 33

4.1.1 Education .............................................................. 35 4.1.2 Health .................................................................. 36 4.1.3 Security ................................................................ 37

4.2 Findings from Case Study ................................................... 38 4.3 Conclusion .................................................................... 40

CHAPTER FIVE: DISCUSSION AND CONCLUSION ...................... .42 5.0 Introduction ................................................................... 42 5.1 Contribution to Research ................................................... .44 5.2 Contribution to Practice ..................................................... .45 5.3. Conclusion .................................................................... 45

REFERENCES ............................................. . .. . ......... .. .... . ... ...... 47

APPENDIX I: QUESTIONNAIRES SURVEY FORM .. . .. . ...... ............ 49

APPENDIX II: CLARIFICATION UNDER OFFICIAL ...................... 50 SECRET ACT 1972, SAFEGUARDING AN OFFICIAL OFFICIAL SECRET INFORMATION FORM

APPENDIX III: CLARIFICATION UNDER OFFICIAL .................... 51 SECRET ACT 1972, SAFEKEEPING AN OFFICIAL OFFICIAL SECRET INFORMATION FORM AFTER RETIREMENT

X

LIST OF TABLES

Table 3.4a Statistics on Standard and Compliance Security Audit 2015 32

Table 4.1 Finding population on non-conformance protective 35 security directive within 3 critical sectors

Table 4.2 Comparison between actual incidents of the physical security, 39 document/ information security and personnel security in year 2015 in Putrajaya

Figure 4.2b Incident case report on news 40

XI

LIST OF FIGURE

Figure 1.1 Framework of Protective Security Management J

Figure I .1.2a Layered Security Approach 4

Figure I. 1.2b Layered Security 5

Figure 1.2a Various Incident Case Reported by Media 9

Figure 1.2b Information Leakage in GovernmentAgencies 9

Figure 1.2c Various Media Social Used to Leak An Official Information 10

Figure 1.2d Spying Activity by The Mask 11

Figure 4.2 Incident Case Report On News 39

XII

CCTV

CGSO

CPTED

DSO

GSO

HOD

ICT

RMP

LIST OF ABBREVIATIONS

Close Circuit Television

Chief Government Security Officer

Crime Prevention Through Environmental Design

Departmental Security Officer

Government Security Officer

Head of Department

Information and Communication Technology

Royal Malaysia Police

XIII

CHAPTER I

AN OVERVIEW OF PROTECTIVE SECURITY MANAGEMENT

1.0 INTRODUCTION

The rapid advancement and changes of threats in this era of globalization is a challenge

to the complexity of security system protection strategy. Although, the Chief Government

Security Office (CGSO) who are responsible to regularize the implementation of

protective security system by formulating the best solution on the progress, development

and changes in government agencies, at the end of the day the agencies itself will

determine the outcome of it. As a responsible agency for protective security protection,

CGSO is constantly working to ensure that policies, directives and regulations are being

strictly followed by the Heads of Depaitment as well as the civil servants to protect the

government assets. Through the 'Arahan Keselamatan' or well known as 'black book', all

government agencies and personnel are guided how to protect the government assets.

Protective security uses a multi-layered approach including the physical security,

document security as well as information security and personnel security. This is in line

with The Protective Security Requirement by New Zealand Information Security Manual,

2016, which outlines the Protective Security as the Government's expectations for

managing personnel, physical and information security, a better approach to manage

business risks and assure continuity of service delivery. The policy clearly sets out what

agencies must and should consider to ensure that they are managing security effectively.

It's provides a policy framework that, when implemented, guiding a pathways for

successfully protecting, people, information and assets. In Malaysia government

perspective, protective security systems are well performed by the ministries, agencies,

state government agencies, local authorities and also the government link companies. In

a way to ensure they are comply in line with the protective security framework, they are

required to do their yearly self-auditing through the security checklist provided. Then,

they will formulating the plan, do check and act cycle to ensure the effectiveness of

protective security system in their department.

1.1 RESEARCH BACKGROUND

This research are going to analyze how the protective security management in Malaysia

Government provides the maximum security protection on government assets especially

in the selected government critical sectors. With regards of government new slogan 'as

people first, perform now', a better understanding to mitigate the risk and to assure

continuity of a quality service delivery, smooth running of government role become top

priority. In the Australia Government Human Services perspective for instant, assets

protection identified as the property and items you or your partner own or have an interest

in, including assets held outside Australia, can affect your payment. Thus, the protective

security management play an important role to mitigate any opportunities ofloss potential

as it related to their risk environment.

1.1.1 Protective Security Management

The protective security management is a set framework of policies, guidelines, controls

and protocol which is the government's mandatory requirements and management

requirements related to security governance. These have been apply in New Zealand

Government as per figure 1.1 The ultimate aim of protective security is to safeguard

government assets and also people from any opportunities of loss and mitigate any ri sk

environment. ' Defense in depth' approach for instant means combining several measures

to counter any possibilities of risk and vulnerabilities happen such as an unauthorized

2

access, act of sabotage, espionage and subversive activities. By implementing the

physical security, document and information security as well as personnel security should

complement and support one another to give the maximum security protection in the

government agencies. The protective security management are known widely, practiced

in Commonwealth Countries; i.e. Singapore, Australia, New Zealand, and United

Kingdom. Most of the countries views the protective security as a key elements of

physical security, document security, information security and personnel security.

\c security D;,.. 'b,.ri,q f!c,. .

C:,~ It,~

protecting

our people, information and assets

Figure 1.1: Framework of Protective Security Management in New Zealand Government

1.1.2 Physical Security

The United States Geological Survey, 2005 defined the best definition for physical

security:

3

There is no object so well protected that it cannot be stolen, damaged, destroyed, or

observed by unauthorized individuals. A balanced security system provides protection

against a defined set of threats by informing the user of attempted intrusions and

providing resistance to the would-be intruder 's attack paths. The first part of this

definition is common to all security efforts; we cannot stop a highl y motivated attacker.

It is in the second sentence of the above definition that the objectives of physical security

is to prevent on any attack toward an asset. Said another way, the purpose· of physical

security is to delay an intruder's advance toward a target long enough to detect and

respond with human intervention. Human intervention includes on-site security guards,

police, or other relevant human controls. Layered securi ty as per figure 1.1.2a also

applies to physical security. Each layer supports others to prevent successful intrusions.

For our purposes, I placed controls into two categories; deterrence and delay (prevention)

and detection and respond (disseminate).

Figure l . l .2a: Layered security approach

Layered security as per fi gure I . l .2b also appli es to physical security. Achieving physical

security objectives requires policies, standards, guidelines, and controls addressing

4

prevention, detection, delay, response, and assessment. We identify gaps with physical

security risk assessments and surveys, simi lar to those used for logical security. Through

all physical security planning, we must remember one very important principle: ensuring

human safety become the most important outcome.

Site Perimeter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

- --·---------- . . Site . •

Building • . . • . • Target •

", . . . . • . .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . :

Figure I .2.2b: Layered security

1.1.3 Document and Information Security

Information security is a combination of governance, assurance, protective and

procedural measures designed to mitigate risks associated with producing, handling,

transmitting, storing and protecting all government information and assets. It includes

measures relating to the confidentiality, availabi lity, and integrity of information that is

processed, stored and communicated by electronic and other means. All important

information associated with producing, handling, transpire, safekeep ing may also

5

protected under the law i.e. official secret act, to avoid any exploitation by threats to gain

unauthorized access to the information or any occurrence of leakage. Agencies must

protectively mark official information and material in accordance with the Circular of

Governing Official Secret Information In Line With the Official Secret Act 1972.

Agencies must adopt the compliance approach to cover all areas of protective security

across their organization, in accordance with the directives . Incompliance with those

directives may increase residual risk for the agency. This residual risk needs to be agreed

and acknowledged by the head of department. Compliance with the information security

guideline or policy enabling high assurance within agency information management

systems and promoting the adherence to government mission. These will help the head

of department to meet their oversight responsibilities.

1.1.4 Personnel Security

Personnel security focuses on assessing the trustworthiness, integrity and reliability of

staff, vendors and contractors. It involves identifying suitable staff, educating staff on

their responsibilities and evaluating their continuing suitability. Appropriate personnel

security is vital for the protection of people, information and assets. In the Protective

Security Requirement by New Zealand Government, 2016 indicates 7 mandatory require­

ments relating to personnel security that agencies must follow. They include:

1.1.4.1 ensuring all personnel are, and remain, suitable to access official information and

resources;

1.1.4.2 identifying who needs a security clearance and at what level within an agency;

1.1.4.3 keeping an agency register of personnel with security clearances;

1.1.4.4 sponsoring their employees and contracted staff for security clearance vetting;

6

1.1.4.5 receiving a recommendation from the government before the agency head grants

a security clearance;

1.1.4.6 having personnel security clearance management arrangements in place for all

clearance holders; and

1.1.4. 7 notify the government when a clearance holder experiences a change in their per­

sonal circumstances which might affect their suitability to hold a security clear-

ance.

Centre for Protection of National Infrastructure, UK, 2015 describe the personnel

security as a system of policies and procedures which seek to manage the risk of staff

(permanent, temporary or contract staff) exploiting, or intending to exploit, their legiti­

mate access to an organisation's assets or premises for unauthorised purposes. Although

many organisations regard personnel security as an issue resolved during the recruitment

process, it is a discipline that needs to be maintained throughout a memher of stafrs time

in employment. This includes robust pre-employment screening, effective line manage­

ment, employee welfare, clear lines of communication, and a strong security culture. It

should also include a formal process for managing staff leaving the business.

When applied consistently, personnel security measures not only reduce operational

vulnerabilities, they can also help build a hugely beneficial security culture at every level

of an organisation. Robust personnel security helps organisations to:

• employ reliable people;

• minimise the chances of staff becoming unreliable once they have been employed;

• detect suspicious behaviour and resolve security concerns once they emerge.

7

1.2 PROBLEM ST A TEMENT

The Government has launched an ongoing programme designed by Malaysian Prime

Minister Naj ib Tun Razak on 16 September 20 I 0, calling for the cabinet, government

agencies, and civil servants to more strongly emphasize ethnic harmony, national unity,

and efficient governance. As a 'people first, performance now' become the ultimate

yardstick quality to the government services to the citizen, there must be a quality

standard of government protective security system employed to ensure good quality of

service to them and the smooth running of government function guaranteed.

There are many angle of security threats in government agencies. But in this

research study, our focus are the increasing security breaches, break in incident, top secret

information leaks, theft of government assets, counterfeit of government document

recently happen and would reflect to the public and investors' confidence on government

mission. Web Business Dictionary, 2016 describe the security breaches is an act from

outside an organization that bypasses or contravenes security policies, practices, or

procedures. A similar internal act is called security violation. This may happened when a

co-worker opened an unknown email containing multiple viruses, infected our data

center, and caused a large security breach in our network. Break in incident and theft of

government asset (Figure 1.2a) as reported in the media will also portray bad image and

reputation to the people.

8

Three schools lose laptops} ~ ci C i mm ~m itli fiHH !~,I LCDs worth RM230 000 j it! .n,t.-1 . .• ~m. ···-·· ·"'it

Perompak I pecah m asuk m ahkamah

Figure I .2a: Various incident case reported by media

Information leakage is the way in which confidential information reaches the media

through unofficial channel or the unofficial passing of secret information or information

which has not yet been published to newspapers or television stations are among the

yearly threat that we faced. (Figure 1.2b)

Figure I .2b: Information leakage in government agencies

9

The bloggers, media social and an interactive media social such WhatsApp,

lnstagram, Facebook identified that the most popular media used to leak an official

information. (Figure 1.2c ).

2012 2014 2015

WhatApp/Facebook/SMS 1 8 4

Laman Web/Blog 1 2 3 5

Faksimili/K.enyataan Media 4 3

JUMLAH 2 2 15 12

Figure 1.2c: Various media social used to leak an official information

The government official secret information may be sniffed by the hackers through

the back doors, inserting a malware, which cou ld spying any data fro m the criti cal office

or department. According Edward Snowden, NSA use the prism and x-keyscore program

to searching and analyzing global Internet data, which it coll ects on a daily basis. While

Kipersky Lab have been detected using a malware code to steal critical info rmation in the

Malaysia cyberspace.(figure 1.2d) .

10

KERATAN AKHBAR BERIT A HARIAN (NASIONAL) : MUKA SURAT 6

TARIKH : 5 MEI 2015 (SELASA)

The Mask dikesan mengintip 7 tahun Kuala Lumpur: Pemian jaha1 (malware) yang dikenali 'The Mask' boleh mertjalankan pe­ngl n tlpan bertahun·tahun atau seJama mana yang <li· perlukan di ruang siber "'" sebual11\1.'gafa a tau organisasi. tanpa di,edan

Takllk The Mask ditemui fir· ma kcselamatan antarabangsa Kasperu<y Labs ,elepas tajuh tahun ,a mertjalankan pengin· tipan di ruang siber sasaran.

ffll difahamkan, taktik sama amat berbahaya kerana la bo­leh mengambil allh sistem ka· wahn l"""Wat yang S<'dang tcrbang drngan mudah dari humi. rnalah ~huah ncgara m'1)u d,katakan dapat menga­lahkan 11cgar,1 lain ,..irpa.s <i<· tcm l)('rtahanannya c.h;m1h1I allh~lanl_a~ 1 _

ialay,.1.i, Ll Kul lB, ill u 1-,an4 berkata malware ber kenaan sudah menyasarkan hcberapa organJsasl kerajaan, kedutaan dan korporat di 31 negara.

n Ip m al<lumat n l'g,l ~ Pcngrntipan slberberlaku ke­

rana negara atau organisasi terbabit mahu mencapal ke­unggula n maklumat, bagl mendapat kelebihan stralegi.k dalam polil1k. ekonomi dan ke­tenteraan. l'l'ngintipan indu.,­tri pula dilokukan untuk me­ngatasl pesolng dalam pemla· gaan globa I yang semaki n kompel1t1f,

· Peng,ntipan at•u perisikan <h l"'nngkal strotegik lx>rkail ,k·ni;.:in doklrin *'<'buah ne­llJr.l. Jadi. l>U Uli. U<_lak . <h?i!~

11affi<on pembabitan mereka. • Aktivili penglntipan siber

k,ni sema.kin mcluas dengan menggun3kan tcknologi dig)· tal digunakan sebagai medium dan ejen penglntipan. Ciri•ciri tanpa nanlll dan tanpa ,en~ padan yang wttjud dJ ruang siber serta pcnciptaan ma· lware mcmbolchkan pengln· lipan dilakukan dari mana· mana lokasi di dunJa inJ ta.npa dikesan; katanya kepada BIi.

sazall berkata, sei:angan sl· ber sepenl pencacatan web dan Penaflnn Perkhidmatan Tcrogih sering dlisytiharkan oleh penggodam dan impak· nya boich dilihat

Bai;aimanapun, pengintlpan ,,bcr mo lcbih bahaya kcrana ia tulak dnsytihark.on dan 1mpak­n1:~ Uclak (lapal _do hh~t.

lindak secara langsung atau menaja kumpulan penggodam vrulll mcmpunyai lu,Jlakaran tinggi untuk bert,ndak bag, pi· hak mereka.

r,cll)t'rang ,ulrarillke!la ~llY<'raJll! siber sul<arclikesan

kerana mereka bcr!oelindung di sebalik lnfr.lstn,ktur botnet (,ekumpulan program yang sa­hng terllubu1111 melalui ,nter· net dan bcrkomunikasi dengan program seumpamanya bag! melakukan tui;.u tcrtentu) Da· lam konteks inJ, mfrnstruktur hotnet digunakan sebagai pangkalan untuk melanraHum s.•rangan siber global

Botnet yang terdir1 d.tnpa· da "'mua knmputer yang dl· Jangk1t1 maiware bok h d1ram pas _da~ ~1k.~~•\. okh l><'"VC-

Figure 1.2d: spying activity by the The Mask

The crime, opportunities for rule breaking violations, weakness o r gap in a security

program include structural, procedural, electronic, human and other elements would

provide opportunities to attack government assets. Thus, the government must do a

systematic approach used to assess a government department's security posture, analyze

the effectiveness of the existing security program and tools, and identify security

weaknesses.

1.3 RESEARCH QUESTION

A research question are based on the key element of protective security measures whereby

the assessment would gathers data that reflects who, what, how, where, when, and why

of a government department are threatened by security incident. This is to determine

what are the opportunities exist to exploit current security policies and procedures,

physical security equipment, the classified documents and information 's and personnel

security. What are the most critical areas in governing the protective security system

11