CyberSecurity Malaysia
An Agency Under MOSTI Ministry of Science, Technology and Innovation CyberSecurity Malaysia (726630-U) Tingkat 7, Sapura @ Mines, 7, Jalan Tasik, The Mines Resort City, 43300 Seri Kembangan, Selangor Darul Ehsan, Malaysia. T : +603 - 8992 6888 F : +603 - 8945 3205 E : [email protected] www.cybersecurity.my 3. To be valid the proxy form duly completed must be deposited at the Registered Office of the CyberSecurity Malaysia at Level 7, Sapura@Mines, No 7, Jalan Tasik, The Mines Resort City, Seri Kembangan 43300 Selangor Darul Ehsan, Malaysia not less than forty-eight (48) hours before the time for holding the meeting. 2. The instrument appointing a proxy shall be in writing under the hand of the appointor or his attorney duly authorised in writing or if the appointor is a body corporate, either under seal or under hand of the officer or attorney duly authorised. 1. A Proxy need not be a member of the CyberSecurity Malaysia PROVIDED that a member shall not be entitled to appoint a person who is not a member as his proxy unless that person is an advocate, an approved company auditor or a person approved by the Registrar of Companies. Note: * Delete whichever is not desired (Signature of Appointor) Signed this ......................................... day of ........... 20 ........... time ............................. and at any adjournment thereof. The Mines Resort City, 43300 Seri Kembangan, Selangor on the ................ day of ................. 20 ..... the Company to be held at the Board Room of Company, Level 7, Sapura@Mines, No 7, Jalan Tasik, as *my [ / our] proxy to vote for *me / us on my / our behalf at the Third Annual General Meeting of of ..................................................................................................................................................... or failing him ....................................................................................................................................
of ..................................................................................................................................................... .......................................................................................................................................................... being a Member of the Company hereby appoint ............................................................................. of ..................................................................................................................................................... *I / We .............................................................................................................................................. FORM OF PROXY Company No. 726630-U (Incorporated in Malaysia) CyberSecurity Malaysia 7. 6. 5. 4. 3. 2. 1. 2 6 5 4 3 1 Head, Finance Department Ketua, Jabatan Kewangan Azman bin Ismail Acting Head, Procurement Department Pemangku Ketua, Jabatan Perolehan Tormizi bin Kasim Head, Internal Auditor Department Ketua, Jabatan Juruaudit Dalaman Abd Rouf bin Mohammed Sayuti Head, Corporate Planning and Strategy Department Ketua, Jabatan Strategi dan Perancangan Korporat Roshdi bin Hj Ahmad Head, Legal and Secretarial Department Company Secretary Ketua, Jabatan Perundangan dan Kesetiausahaan/Setiausaha Syarikat Jailany bin Jaafar Manager, Corporate Branding & Media Relations Department Pengurus, Jabatan Penjenamaan Korporat & Perhubungan Media Sandra Isnaji Head, Corporate Branding & Media Relations Department Ketua, Jabatan Penjenamaan Korporat & Perhubungan Media Mohd Shamil bin Mohd Yusoff 7 Editorial Committee Jawatankuasa Editorial 100 We believe that the audit evidence we have obtained is sufficient and appropriate to provide a basis for our audit opinion An audit involves performing procedures to obtain audit evidence about the amounts and disclosures in the financial statements. 
The procedures selected depend on our judgment, including the assessment of risks of material misstatement of the financial statements, whether due to fraud or error. In making those risk assessments, we consider internal control relevant to the Company’s preparation and fair presentation of the financial statements in order to design audit procedures that are appropriate in the circumstances, but not for the purpose of expressing an opinion on the effectiveness of the Company’s internal control. An audit also includes evaluating the appropriateness of accounting policies used and the reasonableness of accounting estimates made by the Director, as well as evaluating the overall presentation of the financial statements. Our responsibility is to express an opinion on these financial statements based on our audit. We conducted our audit in accordance with approved standards on auditing in Malaysia. Those standards require that we comply with ethical requirements and plan and perform the audit to obtain reasonable assurance whether the financial statements are free from material misstatement. Auditor’s Responsibility The Directors of the Company are responsible for the preparation and fair presentation of these financial statements in accordance with Financial Reporting Standards and the Companies Act, 1965 in Malaysia. This responsibility includes: designing, implementing and maintaining internal control relevant to the preparation of financial statements that are free from material misstatement, whether due to fraud or error; selecting and applying appropriate accounting policies; and making accounting estimates that are reasonable in the circumstances. 
Directors’ Responsibility for the Finance Statements We have audited the financial statements of CYBERSECURITY MALAYSIA, which comprise the balance sheet as at 31st December, 2008 of the Company, and the income statement, statement of changes in equity and cash flow statement of the Company for the year then ended, and a summary of significant accounting policies and other explanatory notes, as set out on pages 4 to 20. Report on the Financial Statement Kuala Lumpur Date : 10th June, 2009 SIVADASAN A/L NARAYANAN NAIR 1420/12/09(J) Partner of the Firm AZMAN, WONG, SALLEH & CO AF : 0012 chartered accountants 101 This report is made solely to the members of the Company, as a body, in accordance with Section 174 of the Companies Act, 1965 in Malaysia and for no other purpose. We do not assume responsibility to any other person for the content of this report. Other Matters In accordance with the requirements of the Companies Act, 1965 in Malaysia, we also report that in our opinion the accounting and other records and the registers required by the Act to be kept by the Company have been properly kept in accordance with the provisions of the Act. Report on Other Legal and Regulatory Requirements In our opinion, the financial statements have been properly drawn up in accordance with Financial Reporting Standards and the Companies Act, 1965 in Malaysia so as to give a true and fair view of the financial position of the Company as of 31st December, 2008 and of its financial performance and cash flows for the year then ended. (Company No. : 726630-U) CYBERSECURITY MALAYSIA 12th floor, wisma tun sambanthan, no. 2, jalan sultan sulaiman, 50764 kuala Lumpur tel : 03-22732688 fax : 03-22748688 Opinion (AF:0012) INDEPENDENT AUDITOR’S REPORT TO THE MEMBERS OF akauntan bertauliah chartered accountants azman, wong, salleh & co. 
98 Kuala Lumpur, Date: 10th June, 2009 LT COL HUSIN BIN JAZRI (RETIRED) DATO’ ABDUL HANAN BIN ALANG ENDUT COMMISSIONER FOR OATHS Before me, 99 Subscribed and solemnly declared by the abovenamed LT COL HUSIN BIN JAZRI (RETIRED) at Kuala Lumpur on 10th June, 2009. LT COL HUSIN BIN JAZRI (RETIRED) I, LT COL HUSIN BIN JAZRI (RETIRED), the director primarily responsible for the financial management of CYBERSECURITY MALAYSIA , do solemnly and sincerely declare that the financial statements set out on pages 4 to 20 are in my opinion correct and I make this solemn declaration conscientiously believing the same to be true, and by virtue of the provisions of the Statutory Declarations Act, 1960. We, DATO’ ABDUL HANAN BIN ALANG ENDUT and LT COL HUSIN BIN JAZRI (RETIRED), being two of the Directors of CYBERSECURITY MALAYSIA , do hereby state that in the opinion of the Directors, the financial statements set out on pages 4 to 20 are drawn up in accordance with the Financial Reporting Standards issued by the Malaysian Accounting Standards Board and the provisions of the Companies Act, 1965 so as to give a true and fair view of the state of affairs of the Company as at 31st December, 2008 and of its results and cash flows for the year ended on that date. In accordance with a resolution of the Board of Directors dated 10th June, 2009. STATUTORY DECLARATION STATEMENT BY DIRECTORS 96 260,787 8,965,907 (b) Employees benefit costs 5,760,439 184,211 1,537,846 67,041 471,667 The employees benefit costs excludes director's emoluments and includes contribution to the Employees Provident Fund of RM958,988 (2007: RM758,549). 241,791 Director's emoluments 1,748,391 Amortisation of intangible assets Office rental 892,741 9,000 RM 11,000 2007 RM 30,906 57,877 2008 28,475 50,956 2,431 RM RM 6,921 2007 2008 Depreciation of property, plant and equipment (a) Audit fees This is stated after charging:- 13. SURPLUS OF INCOME BEFORE TAXATION Interest income Tender and documentation fees 12. 
OTHER INCOME 9,740,164 14,033,690 12,334,215 24,399,940 Operating fund (Note 9(b)) 4,293,526 RM RM 12,065,725 2007 2008 Development fund (Note 9(a)) 11. INCOME FROM GRANTS This represents consultancy service charges and seminar and training fees. 10. REVENUE Authorised capital expenditure approved but not contracted for 15. CAPITAL COMMITMENT 12,110,000 RM 2009 - RM 2008 97 The Company had applied on 17th November, 2008 for an extension of the tax exemption from Ministry of Finance (MOF) and is waiting a reply from MOF. The Company is incorporated as a non-profit company limited by guarantee and is fully funded by grants from the Government of Malaysia. The Company has been granted a 100% tax exemption on statutory income except for dividend for a period of 3 years pursuant to Paragraph 5 and 6 Schedule 7A of the Income Tax Act 1967 effective from 2006 to 2008. 14. TAXATION The maturity terms of the deposits range from 1 to 365 days (2007: Nil). The effective weighted average interest rate of the short term deposits during the year was 2.7% (2007: Nil) per annum. 8. SHORT TERM DEPOSITS WITH LICENSED BANKS 96,875 RM RM 122,975 2007 2008 The normal credit terms of trade receivables vary between 0 to 45 days. Trade receivables 7. TRADE RECEIVABLES 94 482,792 71,385 67,140 4,245 554,177 299,467 This relates to software on Cyber Forensic tools and Customer Relations Management acquired. 1,230,806 At 31st December Carrying value at 31st December 260,787 332,172 Charge for the year At 1st January 71,385 1,562,978 At 31st December Accumulated amortisation 1,008,801 254,710 RM RM 554,177 2007 2008 Addition At 1st January Cost : 6. 
INTANGIBLE ASSETS 18,102,564 961,902 1,296,117 (9,740,164) (12,334,215) (9,740,164) (11,942,314) (73,287) - 11,036,281 13,296,117 (318,614) 11,147,800 (111,519) 11,689,487 12,000,000 1,296,117 17,140,662 (4,293,526) (12,065,725) (67,140) (3,754,818) (187,500) (11,304,099) 95 This represents grants received from the Government of Malaysia for the purposes of financing the Company's daily operations and acquiring property, plant and equipment. As at 31st December - Operational expenses - Amortisation for intangible assets - Depreciation for property, plant and equipment Less: Transfer to Income Statement Add: Grants received from the Government of Malaysia At 1st January (b) Operating Fund As at 31st December - Operational expenses - Amortisation for intangible assets - Depreciation for property, plant and equipment (471,568) 29,206,387 (574,126) 15,983,013 17,516,900 Less: Transfer to Income Statement 11,051,475 11,689,487 Add: - Grants received from the Government of Malaysia 4,931,538 1,296,117 12,985,604 961,902 11,689,487 RM RM 17,140,662 2007 2008 At 1st January (a) Development Fund (a) (b) Operating Fund Note Development Fund 9. GOVERNMENT GRANTS 92 Items included in the financial statements of the Company are measured using the currency of the primary economic environment in which the entity operates ("functional currency"). The financial statements are presented in Ringgit Malaysia, which is the Company's functional and presentation currency. (o) Functional and Presentation Currency Cash represents cash and bank balances while cash equivalents are short term, highly liquid placements that are readily convertible to cash with insignificant risks to changes in value. (n) Cash and Cash Equivalents Operating grants receivable from the Government of Malaysia are credited to the Government Grants Account and recognised in the income statement in the same period as the related expenses which they are intended to compensate. 
Operating grants utilised for capital expenditure are credited to the Government Grants Account - Operating Fund. The amount utilised are recognised in the income statement over the life of the assets acquired by the annual transfer of an amount equal to the depreciation charge. Development grants received for deliverables under the RMK 9 projects are recognised in the income statement in the same period as the related expenses which they are intended to compensate. Development grants in respect of capital expenditure receivable from the Government of Malaysia are credited to the Government Grants Account - Development Fund. The amounts utilised are recognised in the income statement over the life of the assets acquired by the annual transfer of an amount equal to the depreciation charge. (m) Recognition of Grants A financial instrument issued by the Company is classified as a liability or equity in accordance with the substance of the contractual arrangement. Interest, gains and losses relating to a financial instrument classified as liability are reported as expense or income. Distributions to holders of financial instruments classified as equity are charged directly to equity. Financial instruments are offset when the Company has a legally enforceable right to set off the recognised amounts and intends either to settle on a net basis, or to realise the asset and settle the liability simultaneously. A financial asset is any asset that is cash; a contractual right to receive cash or another financial asset from another enterprise; a contractual right to exchange financial instrument with another enterprise under conditions that are potentially favourable; or an equity instrument of another enterprise. Total Motor Vehicles Office Equipment RM RM RM RM Furniture & Fittings 4. 
SIGNIFICANT ACCOUNTING POLICIES (Contd) 1,842,413 IT Equipment RM RM Renovation & Improvement 2008 4,949,904 351,711 2,103,163 9,763,259 At 1st January 652,617 4,813,355 171,926 176,012 2,699,283 171,926 527,723 4,802,446 920,480 1,498,271 Additions 267,863 3,340,684 As at 31st December 892,741 10,030 45,420 448,490 509,265 20,385 225,996 193,294 83,692 305,109 Charge for the year At 1st January 69,590 1,402,006 10,030 65,805 674,486 8,361,253 161,896 461,918 4,127,960 767,198 2,842,281 Net Book Value At 31st December, 2008 153,282 498,403 As at 31st December 3,800,174 137,041 374,878 2,516,202 221,670 93,314 1,811,285 4,949,904 389,933 Additions 732,416 2,555,839 At 1st January (1,366,472) (7,000) (173,113) (1,103,359) (83,000) 351,711 2,103,163 652,617 1,842,413 As at 31st December Adjustment 37,697 1,198 6,545 509,265 169,748 6,408 23,546 At 1st January 471,568 19,187 219,451 4,440,639 Charge for the year 63,182 20,385 225,996 331,326 1,877,167 583,027 193,294 69,590 1,649,119 Net Book Value At 31st December, 2007 As at 31st December Accumulated Depreciation: Cost: 2007 Accumulated Depreciation: Cost: 5. PROPERTY, PLANT AND EQUIPMENT 93 90 Provisions are made when the Group and the Company have a present legal or constructive obligation as a result of past events, when it is probable that an outflow of resources will be required to settle the obligation, and when a reliable estimate of the amount can be made. (h) Provision for Liabilities Trade receivables are stated at invoiced amount less allowance for doubtful debts. Allowance for doubtful debts is made based on estimates of possible losses which may arise from noncollection of certain receivable accounts at the end of the financial year. Bad debts are written off when identified. (g) Receivables An impairment loss is charged to the income statement immediately. 
Subsequent increase in the recoverable amount of an asset is treated as a reversal of the previous impairment loss and is recognised to the extent of the carrying amount of the asset that would have been determined (net of amortisation and depreciation) had no impairment loss been recognised. The reversal is recognised in the income statement immediately. The carrying values of assets (other than inventories and financial assets) are reviewed for impairment when there is an indication that the asset value might be impaired. Impairment is measured by comparing the carrying values of the assets with their recoverable amounts. The recoverable amount is the higher of net realisable value and value in use, which is measured by reference to discounted future cash flows. Recoverable amounts are estimated for individual assets or, if it is not possible, for the relevant cash-generating unit. (f) Impairment of Assets Computer software development costs recognised as assets are amortised over 5 years using the straight line basis. Costs associated with developing and maintaining computer software programmes are recognised as an expense when incurred. Costs that are directly associated with identifiable and unique software products controlled by the Company, and that will probably generate economic benefits exceeding costs beyond one year, are recognised as intangible assets. Acquired computer software licences are capitalised on the basis of the costs incurred to acquire and bring to use the specific software. These costs are amortised over their estimated useful lives, not exceeding a period of 5 years. This comprises specialised computer software. (e) Intangible Assets 4. SIGNIFICANT ACCOUNTING POLICIES (Contd) 91 Financial instruments carried on the balance sheet include cash and bank balances, receivables and payables. The particular recognition methods adopted are disclosed in the individual accounting policy statement associated with each item. 
(l) Financial Instruments Consultancy service charges, seminar and training fees and interest income are recognised on an accruals basis. (k) Income Recognition As required by law, the Company makes contributions to the Employees Provident Fund (“EPF”). The contributions are recognised as an expense in the income statement as incurred. Defined contribution benefits Wages, salaries and bonuses are recognised as an expense in the year in which the associated services are rendered by employees of the Company. Short term accumulating compensated absences such as paid annual leave are recognised when services are rendered by employees that increase their entitlement to future compensated absences, and short term non-accumulating compensated absences such as sick leave are recognised when the absences occur. Short term benefits (j) Employee Benefits Deferred tax is provided for, using the liability method, on temporary differences at the balance sheet date between the tax bases of assets and liabilities and their carrying amounts in the financial statements. In principle, deferred tax liabilities are recognised for all taxable temporary differences and deferred tax assets are recognised for all deductible temporary differences, unabsorbed tax losses and unutilised capital allowances to the extent that it is probable that taxable profit will be available against which the deductible temporary differences, unabsorbed tax losses and unutilised capital allowances can be utilised. Deferred tax is measured at the tax rates that are expected to apply in the period when the asset is realised or the liability is settled, based on tax rates that have been enacted or substantively enacted at the balance sheet date. Income tax on the results for the period comprises current and deferred tax. Current tax is the expected amount of income taxes payable in respect of the taxable income for the year and is measured using the tax rate at the balance sheet date. 
(i) Income Tax 88 89 Residual values and useful lives of assets are reviewed, and adjusted, if appropriate, at each balance sheet date. IC Interpretation 10 does not allow an impairment loss recognised in a previous interim period in respect of goodwill or an investment in either an equity instrument or a financial asset carried at cost to be reversed at a subsequent balance sheet date. IC Interpretation 10 is not relevant to the Company's operations. 10% 10% 20% 10% When property, plant and equipment is disposed, the resultant gain or loss on disposal is determined by comparing the disposal proceeds with the carrying amount and is included in the income statement. Furniture and fittings Office equipment IT Equipment Renovation and Improvements Depreciation on property, plant and equipment is calculated on a straight line basis to write down the costs of assets to their residual values over the estimated useful lives of the assets. The annual rates of depreciation used for this purpose are as follows:- Property, plant and equipment are stated at cost less accumulated depreciation and impairment losses, if any. (d) Property, Plant and Equipment IC Interpretation 14 addresses how entities should determine the limit placed on the amount of a surplus in a pension plan they can recognised as an asset. Also, it addresses how a minimum funding requirement affects that limit and when a minimum funding requirement creates an onerous obligation that should be recognised as a liability in addition to that otherwise recognised under IAS 19. This interpretation is not relevant to the Company's operations. IC Interpretation 14 : The Limit on a Defined Benefit Asset, Minimum Funding Requirements and Their Interaction IC Interpretation 13 explains how entities that grant loyalty award points to its customers should account for their obligations to provide free or discounted goods or services if and when the customers redeem the points. 
This interpretation is not relevant to the Company's operations. IC Interpretation 13 : Customer Loyalty Programmes IC Interpretation 11 clarifies how share-based payment transactions involving its own or another entity's instruments in the same group are to be treated and that cancellations by parties other than the entity are to be treated in the same way as cancellations by the entity. This interpretation is not relevant to the Company's operations. IC Interpretation 11 : FRS 2 - Group and Treasury Share Transactions IC Interpretation 10 : Interim Financial Reporting and Impairment IC Interpretation 9 requires an entity to assess whether an embedded derivative is required to be separated from the host contract and accounted for as a derivative when the entity first becomes a party to the contract. Subsequent reassessment is prohibited unless there is a change in the terms of the contract that significantly modifies the cash flows that otherwise would be required under the contract in which case reassessment is required. The adoption of this interpretation will not have any significant financial impact on the financial statements of the Company. IC Interpretation 9 : Reassessment of Embedded Derivatives The amendments to FRS 127 remove the requirement to distinguish between the pre and post acquisition dividends from a subsidiary, jointly controlled entities or associates. FRS 127 has also been amended to deal with situations where a parent reorganises its group by establishing a new entity as its parent. Under the new rules, the new parent measures the cost of its investments in the original parent at the recognition date. These amendments are not relevant to the Company's operations. The amendments to FRS 1 allow an entity, on transition to the FRS framework, to measure the initial cost of investments in subsidiaries, jointly controlled entities and associates either at cost as determined by FRS 127 or deemed cost. 
Deemed cost is either the fair value or the carrying amount under the previous accounting practice. These amendments are not relevant to the Company as the Company has already adopted FRS. Amendment to FRS 1 : First-time Adoption of Financial Reporting Standards and FRS 127, Consolidated and Separate Financial Statements - Cost of an Investment in a Subsidiary, Jointly Controlled Entity and Associates The amendments to FRS 2 clarify that vesting conditions are service conditions and performance conditions only and do not include other features of share-based payments; also the amendments clarify that cancellations by parties other than the entity are to be treated in the same way as cancellations by the entity. This amendment is not relevant to the Company's operations. Amendment to FRS 2 : Share-based Payments - Vesting Conditions and Cancellations (c) FRSs And IC Interpretations That Are Not Yet Effective and Have Not Been Early Adopted (Contd) 4. SIGNIFICANT ACCOUNTING POLICIES (Contd) 86 The limit on a Defined Benefit Asset, Minimum 1 January 2010 Funding Requirements and their interaction __________________________________________________________________________________ IC Interpretation 14 IC Interpretation 11 Group and Treasury Share Transactions 1 January 2010 __________________________________________________________________________________ IC Interpretation 13 Customer Loyalty Programmes 1 January 2010 __________________________________________________________________________________ IC Interpretation 9 Reassessment of Embedded Derivatives 1 January 2010 __________________________________________________________________________________ IC Interpretation 10 Interim Financial Reporting and Impairment 1 January 2010 __________________________________________________________________________________ Consolidated and Separate Financial Statements: 1 January 2010 Cost of an Investment in a Subsidiary, Jointly Controlled Entity or Associate 
__________________________________________________________________________________ Amendments to FRS 127 Amendments to Share-based Payment - Vesting Conditions and 1 January 2010 FRS 2 Cancellations __________________________________________________________________________________ Amendments to First-time Adoption of Financial Reporting Standards 1 January 2010 FRS 1 __________________________________________________________________________________ Financial Instruments : 1 January 2010 Recognition and Measurement __________________________________________________________________________________ FRS 139 FRS 8 Operating Segments 1 July 2009 __________________________________________________________________________________ FRS 123 Borrowing costs 1 January 2010 __________________________________________________________________________________ FRS 4 Insurance Contracts 1 January 2010 __________________________________________________________________________________ FRS 7 Financial Instruments : Disclosure 1 January 2010 __________________________________________________________________________________ Effective for financial period beginning on or after __________________________________________________________________________________ The Company has not early adopted the following new FRSs and the IC Interpretations which have been issued by the MASB but are not yet effective :- (c) FRSs And IC Interpretations That Are Not Yet Effective and Have Not Been Early Adopted The amendment to FRS 121 requires that all exchange differences arising from a monetary item that forms part of the Company's net investment in a foreign operation to be recognised as a separate component of the equity in the consolidated financial statements regardless of the currency in which the monetary item is denominated. The adoption of this amendment did not have any financial impact on the financial statements of the Company. 
The FRS 107, 112, 118, 134 and 137 were revised to remove local guidance and editorial matters to be identical to the International Financial Reporting Standards. The adoption of these standards did not result in any significant changes to the Company's accounting policies and did not have any significant impact on the amounts reported in the financial statements. 4. SIGNIFICANT ACCOUNTING POLICIES (Contd) 87 FRS 139 establishes principles for recognising and measuring financial assets, financial liabilities and some contracts to buy or sell non-financial items. Hedge accounting is permitted only under strict circumstances. The impact of applying FRS 139 on these financial statements upon first adoption of the standard is not disclosed by virtue of the exemption provided under paragraph 103A of FRS 139. FRS 139 : Financial Instruments - Recognition and Measurement FRS 123 replaces FRS 123 (2004) and removes the option of immediately recognising as an expense borrowing costs that are directly attributable to the acquisition, construction or production of a qualifying asset. The adoption of this standard will not have any significant financial impact on the financial statements of the Company. FRS 123 : Borrowing Costs FRS 8 requires an entity to report financial and descriptive information about its operating segments on the same basis as those used internally for evaluating operating segment performance and deciding how to allocate resources to operating segments. FRS 8 is not relevant to the Company's operations. FRS 8 : Operating Segments FRS 7 requires disclosures of information relating to the significance of financial instruments on an entity's financial position and performance and the nature and extent of risks arising from financial instruments to which the entity is exposed during the period and at the reporting date and how the entity manages those risks. 
The impact of applying FRS 7 on these financial statements upon its first adoption is not disclosed by virtue of exemption provided under paragraph 44AB of this standard. FRS 7 : Financial Instruments - Disclosure FRS 4 specifies the financial reporting for insurance contracts by any entity that issues such contracts ("insurers"). In particular, this standard requires disclosure that identifies and explains the amounts in an insurer's financial statements arising from insurance contracts and helps users of those financial statements to understand the amounts, timing and uncertainty of future cash flows from insurance contracts. FRS 4 is not relevant to the Company's operations. FRS 4 : Insurance Contracts 84 The financial statements of the Company are prepared under the historical cost convention except as disclosed in this summary of significant accounting policies. The financial statements comply with Financial Reporting Standards ("FRS") issued by the Malaysian Accounting Standards Board ("MASB") and the provisions of the Companies Act, 1965. (a) Basis of Preparation 4. SIGNIFICANT ACCOUNTING POLICIES The Company's risk exposure is attributable to receivables in respect of trading activities which are principally conducted on cost recovery basis. As the Company is not involved in trade, the exposure to credit risk is minimal. Credit risk The Company practises prudent liquidity risk management to minimise the mismatch between financial assets and liabilities. Since the Company's operations are fully funded by the Government of Malaysia, the element of risk is low. Liquidity risk The Company's risk management policies seek to ensure that adequate financial resources are available for the development of its operations while managing its liquidity and credit risk. 3. FINANCIAL RISK MANAGEMENT POLICIES The address of the registered office and principal place of operations is located at Level 7, Sapura@ Mines, No. 
7 Jalan Tasik, The Mines Resort City, 43300 Seri Kembangan, Selangor. The Company is a company limited by guarantee, not having a share capital, not for profit, incorporated and domiciled in Malaysia. Currently, the Company has 2 members. In the event that the Company is wound up, a member or a person who was a member twelve months prior to that event is liable to contribute to the assets of the Company a sum not exceeding Ringgit Malaysia One Hundred (RM100). The financial statements of the Company were authorised for issue on 10th June, 2009 by the Board of Directors. 2. GENERAL INFORMATION There have been no significant changes in these activities during the year. The principal activities of the Company are the provision of cyber security services to the Malaysian public namely Computer Emergency services, Security Quality Management services, Cyber Threats and Policy Research services and Training and Outreach services. 1. PRINCIPAL ACTIVITIES 31ST DECEMBER, 2008 NOTES TO THE FINANCIAL STATEMENTS 85
IC Interpretation 8 Scope of FRS 2 - Share-based Payment
IC Interpretation 6 Liabilities arising from Participating in a Specific Market - Waste Electrical and Electronic Equipment
IC Interpretation 7 Applying the Restatement Approach under FRS 129₂₀₀₄ - Financial Reporting in Hyperinflationary Economies
IC Interpretation 2 Members' Shares in Co-operative Entities and Similar Instruments
IC Interpretation 5 Rights to Interests arising from Decommissioning, Restoration and Environmental Rehabilitation Funds
FRS 134 Interim Financial Reporting
IC Interpretation 1 Changes in Existing Decommissioning, Restoration and Similar Liabilities
FRS 126 Accounting and Reporting by Retirement Benefit Plans
FRS 129 Financial Reporting in Hyperinflationary Economies
FRS 111 Construction Contracts
The other new and revised FRSs and IC Interpretations issued by the MASB that are effective beginning on or after 1st July, 2007 but which are not applicable to the Company's operations are as follows :-
FRS 137 Provision, Contingent Liabilities and Contingent Assets
Amendment to FRS 121 The Effects of Changes in Foreign Exchange Rates
FRS 120 Accounting for Government Grants and Disclosure for Government Assistance
FRS 112 Income Taxes
FRS 118 Revenue
FRS 107 Cash Flow Statement
During the year, the Company adopted the following new and revised FRSs that are relevant to its operations and which are mandatory for the financial period beginning on or after 1st July, 2007 
:- (b) FRSs And IC Interpretations That Are Effective In the preparation of the financial statements, management has been required to make judgements, estimates and assumptions that affect the application of accounting policies and the reported amounts of assets, liabilities, income and expenses. Actual results may differ from these estimates. Estimates and underlying assumptions are reviewed on an ongoing basis. Revisions to accounting estimates are recognised in the financial statements in the period in which the estimate is revised and in any future periods affected. 427,736 686,079 (175,778) 510,301 Net surplus of income for the year Balance at 31st December, 2007 Net deficit of income for the year Balance at 31st December, 2008 82 (The notes on pages 84 to 97 form part of these financial statements.) 258,343 As at 1st January, 2007 RM (The notes on pages 84 to 97 form part of these financial statements.) Fixed deposit Cash and bank balances 3,000,000 6,426,961 9,426,961 9,426,961 CASH AND CASH EQUIVALENTS AT END OF YEAR CASH AND CASH EQUIVALENTS COMPRISE:- 9,105,219 321,742 17,516,900 CASH AND CASH EQUIVALENTS AT BEGINNING OF THE YEAR NET INCREASE IN CASH AND CASH EQUIVALENTS DURING THE YEAR CASH FLOWS FROM FINANCING ACTIVITY Government grants received (Note 9a) (4,813,355) (1,008,801) (5,822,156) 12,000,000 (50,956) (11,373,002) Government grants received (Note 9b) Interest received Net cash used in operating activities CASH FLOWS FROM INVESTING ACTIVITIES Purchase of property, plant and equipment Purchase of intangible assets (28,812) (108,813) 186,813 (23,322,046) 260,787 892,741 50,956 (24,399,940) (23,371,234) (175,778) 2008 RM Increase in trade receivables (Increase)/decrease in other receivables Increase/(decrease) in other payables Changes in working capital :- Amortisation of intangible assets Depreciation of property, plant and equipment Interest income Grant income recognised Adjustments for: (Deficit)/surplus of income before tax CASH FLOWS FROM 
OPERATING ACTIVITIES FOR THE YEAR ENDED 31ST DECEMBER, 2008 FOR THE YEAR ENDED 31ST DECEMBER, 2008 Accumulated Reserves CASH FLOW STATEMENT STATEMENT OF CHANGES IN RESERVES 9,105,219 9,105,219 9,105,219 4,640,352 4,464,867 11,051,475 (1,149,730) (299,467) (1,449,197) 11,147,800 (28,475) (5,137,411) (56,775) 25,574 (3,186,764) (16,256,736) 67,140 471,568 28,475 (14,033,690) (13,038,771) 427,736 2007 RM 83 96,875 19,608,132 Total Reserves and Liabilities 80 (The notes on pages 84 to 97 form part of these financial statements.) 995,267 18,102,564 Other payables and accruals Current Liabilities Government grants Non Current Liabilities 14,480,137 808,454 12,985,604 686,079 (The notes on pages 84 to 97 form part of these financial statements.) NET (DEFICIT)/SURPLUS OF INCOME FOR THE YEAR 14 510,301 TAXATION Accumulated reserves Reserves (175,778) - (175,778) (6,706,006) GENERAL AND OTHER EXPENSES (17,029,211) 57,877 (1,306,364) 12 24,399,940 407,986 (271,824) 679,810 RM 2008 ADVERTISING AND MARKETING EXPENSES ADMINISTRATIVE EXPENSES OTHER INCOME 11 13 14,480,137 9,556,706 10,016,073 19,608,132 9,105,219 - 354,612 6,426,961 3,000,000 466,137 122,975 INCOME FROM GRANTS SURPLUS OF INCOME BEFORE TAXATION 9 8 7 482,792 4,923,431 1,230,806 9,592,059 4,440,639 10 Note RESERVES AND LIABILITIES Total Assets Cash and bank balances Short term deposits with licensed banks Other receivables Trade receivables Current Assets 6 Intangible assets 8,361,253 COST OF SERVICES RENDERED 5 Non Current Assets Property, plant and equipment REVENUE RM 2007 ASSETS RM 2008 FOR THE YEAR ENDED 31ST DECEMBER, 2008 AS AT 31ST DECEMBER, 2008 Note INCOME STATEMENT BALANCE SHEET 427,736 - 427,736 (3,461,641) (434,407) (9,855,822) 30,906 14,033,690 115,010 (281,820) 396,830 RM 2007 81 (Appointed on 11th May, 2009) (Resigned on 29th August, 2008) (Resigned on 23rd June, 2008) (Chairman) (Appointed on 13th November, 2008) any contingent liability of the Company which has arisen since the end of the 
financial year. (b) The auditors, Azman, Wong, Salleh & Co., have expressed their willingness to continue in office. In accordance with a resolution of the Board of Directors dated 10th June, 2009. Before the income statement and balance sheet were made out, the Directors took reasonable steps: to ascertain that action had been taken in relation to the writing off of bad debts and the making of allowance for doubtful debts and have satisfied themselves that all known bad debts had been written off and that adequate allowance had been made for doubtful debts; and to ensure that any current assets, other than debts, which were unlikely to realise in the ordinary course of business their values as shown in the accounting records of the Company had been written down to an amount which they might be expected so to realise. (a) (b) which would render the values attributed to current assets in the financial statements of the Company misleading; or which have arisen which render adherence to the existing method of valuation of assets or liabilities of the Company misleading or inappropriate. (b) (c) 78 which would render the amounts written off for bad debts or the amount of the allowance for doubtful debts in the financial statements of the Company inadequate to any substantial extent; or (a) Kuala Lumpur, Date: 10th June, 2009 LT COL HUSIN BIN JAZRI (RETIRED) 79 AUDITORS OTHER STATUTORY INFORMATION At the date of this report, the Directors are not aware of any circumstances: there has not arisen in the interval between the end of the financial year and the date of this report any item, transaction or event of a material and unusual nature likely to substantially affect the results of the operations of the Company for the financial year in which this report is made. 
(b) Neither during nor at the end of the financial year was the Company a party to any arrangements whose object was to enable the Directors to acquire benefits by means of the acquisition of shares in or debentures of the Company or any other body corporate. DATO’ ABDUL HANAN BIN ALANG ENDUT the results of the Company's operations during the financial year were not substantially affected by any item, transaction or event of a material and unusual nature; and In the opinion of the Directors: At the date of this report, the Directors are not aware of any circumstances not otherwise dealt with in this report or the financial statements which would render any amount stated in the financial statements misleading. any charge on the assets of the Company which has arisen since the end of the financial year which secures the liability of any other person; or (a) At the date of this report, there does not exist: No contingent or other liability has become enforceable or is likely to become enforceable within the period of twelve months after the end of the financial year which, in the opinion of the Directors, will or may substantially affect the ability of the Company to meet its obligations as and when they fall due. (a) Since the end of the last financial year, no Director of the Company has received or become entitled to receive any benefit (other than a benefit included in the aggregate amount of emoluments received or due and receivable by the Directors shown in the financial statements, or the fixed salary of a full time employee of the Company) by reason of a contract made by the Company or a related corporation with the Director or with a firm of which the Director is a member, or with a company in which the Director has a substantial financial interest. 
DIRECTORS BENEFIT Dato' Abdul Hanan bin Alang Endut Lt Col Husin Bin Jazri (Retired) Rubaiah bte Hashim Ir Md Shah Nuri Md Zain Datuk Abang Abdul Wahap bin Abg Julai Datuk Alihan bin Hj A Hamid Tuan Haji Hanaffi bin Ahmad The Directors in office since the date of last Directors' Report are:- DIRECTORS OF THE COMPANY 76 Ringgit Malaysia (RM) Functional and Presentation Currency Azman, Wong, Salleh & Co. (AF: 0012) Chartered Accountants Auditors Jailany bin Jaafar Company Secretary Level 7, Sapura@Mines No. 7 Jalan Tasik The Mines Resort City 43300 Seri Kembangan Selangor Administrative and Correspondence Address Level 7, Sapura@Mines No. 7 Jalan Tasik The Mines Resort City 43300 Seri Kembangan Selangor Registered Office RM 175,778 77 There were no material transfers to or from reserves or provisions during the year ended 31st December, 2008. RESERVES AND PROVISIONS Net deficit of income for the year RESULTS The Company was incorporated under the Companies Act, 1965 on 14th March, 2006 as a company limited by guarantee, not having a share capital and not for profit. Currently, the Company has 2 members. In the event that the Company is wound up, a member or a person who was a member twelve months prior to that event is liable to contribute to the assets of the Company a sum not exceeding Ringgit Malaysia One Hundred (RM100). LIMITED LIABILITY There have been no significant changes in this activity during the year. The principal activities of the Company are the provision of Cyber National Security Services namely Computer Emergency services, Security Quality Management services, Cyber Threats and Policy Research services and Training and Outreach services. At a Cabinet meeting held on 28th September, 2005, it was agreed that Cybersecurity Malaysia be formed as a Company limited by Guarantee (“CLG”) which shall be fully funded by the Government of Malaysia to take over the NISER division of MIMOS Berhad. 
The take over of NISER division was implemented via transfer of all relevant assets, liabilities, rights, obligations, employees and operations with effect from 9th May, 2006. PRINCIPAL ACTIVITY The Directors have pleasure in submitting their report and the audited financial statements of the Company for the year ended 31st December, 2008. Board of Directors Dato' Abdul Hanan bin Alang Endut (Chairman) Lt Col Husin Bin Jazri (Retired) Rubaiah bte Hashim Ir Md Shah Nuri Md Zain Datuk Abang Abdul Wahap bin Abg Julai DIRECTORS' REPORT CORPORATE INFORMATION 74 For The Year Ended 31st December 2008 STATUTORY FINANCIAL STATEMENTS CYBERSECURITY MALAYSIA (Company Limited By Guarantee) 75
14 September CyberSecurity Malaysia was called upon to take part in a digital forensics investigation conducted by the Companies Commission of Malaysia (SSM)
22 August SIRIM – Industry Awards Ceremony 2008, at Sunway Resort Hotel & SPA, Petaling Jaya
16 - 26 September A customer satisfaction survey was carried out to obtain feedback on the performance of the services provided by Cybersecurity Malaysia.
13 September The CISSP and SSCP examinations were held at Universiti Tenaga Nasional (UNITEN), Bangi, Selangor.
14 - 17 August Internet Awareness Exhibition at the Science, Technology and Innovation Week (MISTI) Sabah 2008
26 August Visit to the Institute of Strategic and International Studies (ISIS) Malaysia
10 September A talk titled "Current ICT Security Threats" was delivered at the Ministry of Defence to 210 of the organisation's staff.
09 September This Cyber Security Awareness Seminar was held in conjunction with a visit from Institut Perguruan Bahasa Melayu Malaysia to CyberSecurity Malaysia.
SEPTEMBER 2008
28 August 2008 CyberSecurity Malaysia Staff Recreation Day
25 – 27 August Technical Training for Bank Negara Malaysia - Network Security, Mobile Banking & Wireless Security, held at the Training Room, CyberSecurity Malaysia
National Cyber Crisis Management Plan
a. 19 August : The plan's Regulatory Committee Meeting was held at the National Operations Management Centre, MKN, Putrajaya.
b. 25 August : Steering Committee Meeting
21 - 23 August Meeting and workshop of the Operations Task Force (PPO) no. 4/2008 (series 9) to discuss ways of combating websites and blogs that violate national laws, at Nexus Resort Karambunai, Kota Kinabalu, Sabah.
18 - 21 August Digital Forensics Awareness Talk, at Universiti Utara Malaysia, Sintok, Kedah.
4 - 8 and 11 - 13 August CISSP & SSCP Seminar, held at the Training Room, CyberSecurity Malaysia.
11 August Technical Committee Meeting for the Study on Weaknesses & Gaps in Malaysian Laws in Facing Challenges in the Cyber Environment
1 – 3 August Took part in the MOSTI exhibition, Sarawak Regatta
AUGUST 2008
July Supported the ASEAN Science & Technology Week
Activities Throughout 2008
6 – 10 October CyberSecurity Malaysia represented Malaysia and was an active member of the ISO/IEC SC27 Working Group in Cyprus.
OCTOBER 2008
26 September We organised the School Cyber Safe Programme seminar, held at the Hulu Langat District Education Office, Selangor.
19 - 25 September We attended the 9th International Common Criteria Conference, Common Criteria Executive Subcommittee (CCES) and Common Criteria Management Committee (CCMC) Meetings organised by the IT Security Certification Center (ITSCC), the South Korean Certification Body.
19 September CyberSecurity Malaysia assisted the Ministry of Domestic Trade and Consumer Affairs (KPDNHEP) in conducting a digital forensics investigation of an online sales service company in Puchong.
19 September CyberSecurity Malaysia began a community project with a visit to Rumah Anak-anak Yatim dan Warga Miskin Bait Al-Amin, Parit, Perak.
18 September CyberSecurity Malaysia took part in the "Network Security Awareness" programme organised by Politeknik Seberang Perai, Pulau Pinang.
15 September An exhibition organised by MOSTI and IBM, in which we also took part, was held at One World Hotel, Bandar Utama, Kuala Lumpur.
3-7 November The ISO 27001:2005 - Information Security Management System IRCA Registered Lead Auditor Course, attended by officers from CyberSecurity Malaysia, was held at the Training Room, BSI Management Systems Malaysia Sdn Bhd, Kuala Lumpur.
NOVEMBER 2008
28 – 29 October A Professional Talk session by Dr Bradley Jensen was organised by the Center for Advance Software Engineering University Technology Malaysia (CASE UTM) and Microsoft Corporation.
Cyber Security Awareness Programme
a. 13 October : provided Science & Technology Management Training for Researchers in the Organisation of the Islamic Conference (OIC) countries, at Legend Hotel
b. 15 October : CyberSecurity Malaysia was invited to give an Information Security Management System (ISMS) awareness briefing and to share its experience of ISO/IEC 27001:2005 implementation and certification activities with the employees of Agency Remote Sensing Malaysia.
c. 28 – 29 October : CyberSecurity Malaysia was invited by the Sri Lanka Computer Emergency Response Team (SLCERT) to deliver hands-on Penetration Testing training in conjunction with Sri Lanka's Cyber Security week.
22 - 24 October CyberSecurity Malaysia participated in The Meridien 2008 Conference in Singapore, themed "Meridian Connecting and Protecting"
16 October CyberSecurity Malaysia Staff Hari Raya Celebration
27 – 28 November FORUM ICT4ALL TUNIS + 3 Exhibition in Hammamet, Tunisia
25 – 27 November A talk on Information Protection Security Management was held at the Prime Minister's Department Complex, Putrajaya.
27 Nov CyberSecurity Malaysia Staff Bowling Tournament
25 November CyberSecurity Malaysia was invited to give a talk on Digital Forensics to the Department of Fisheries, Sungai Petani.
12 – 13 November This two-day Cyber Awareness Course was held at CyberSecurity Malaysia.
24 November 2008 The Chief Secretary to the Government (KSN), Y.Bhg Tan Sri Mohd. Sidek bin Hj Hassan, visited CyberSecurity Malaysia for the first time. The visit was also attended by the Secretary General of MOSTI, the Director General of MAMPU and senior officers from MAMPU.
12 - 15 November CyberSecurity Malaysia participated in the MISTI-MOSTI exhibition held in Perlis.
10 - 25 November 2008 The first Professional Critical Infrastructure Protection (PCIP) Certification Programme in Malaysia
3 – 7 November Computer Forensics Training Programme, a comprehensive programme jointly organised by Bank Negara Malaysia and CyberSecurity Malaysia.
25 December CyberSecurity Malaysia was invited to become a member of the "Economic Research Institute for ASEAN and East Asia" (ERIA) Project Working Group. It is also joined by Singapore, Thailand, South Korea, Vietnam, China and Japan.
18 – 19 December The Security Management & Best Practices Department of CyberSecurity Malaysia carried out an Information Security Management System (ISMS) awareness test for CyberSecurity Malaysia staff.
18 December CyberSecurity Malaysia was invited to conduct a Computer Security Awareness Programme organised by Bank Pembangunan Malaysia Berhad.
15 – 16 December CyberSecurity Malaysia organised the "CyberSAFE in Schools" Module Development Workshop, attended by 25 teachers from primary and secondary schools under the Hulu Langat District Education Office.
9 – 14 December CyberSecurity Malaysia participated in the High Technology Crime Investigation Association (HTCIA) Asia Pacific conference at the University of Hong Kong.
12 December A total of 14 organisations from 13 member countries of the Asia Pacific Computer Emergency Response Team (APCERT) took part in this year's cyber emergency drill.
DECEMBER 2008
28 November We held a Digital Forensics talk organised by the Companies Commission of Malaysia.
17 April National Cyber Management Plan (NCCMP) Campaign
16 April 2008 Working visit by International Government Officers to CyberSecurity Malaysia
14 - 18 April Technical Committee Meeting on Information Technology – Security Techniques (ISO/IEC/JTC1/SC27)
3 April National Certification Body for the ICT Security Evaluation and Certification Scheme Based on MS-ISO / IEC 15408
1 - 2 April OIC-CERT Task Force Meeting and Conference in Tunisia
APRIL 2008
22 March – 19 April Data recovery and hard disk repair techniques training at Myung Institute of Technology, Korea.
16 - 18 March Raid Training organised by the Ministry of Domestic Trade and Consumer Affairs (KPDNHEP) on digital forensics procedures in Sungai Petani, Kedah.
d. Presented reports on the Development of the Common Criteria Scheme in Malaysia, Activities to develop the Malaysia Vulnerability Assessment Centre, and Developing the Web Application and Secure Coding Programme, during the ICT Products and Services Security Workshop at the APECTEL conference in Tokyo on 24 March 2008
May Presentation of reports / working papers and attendance at Cyber Security Discussions
a. The External Review Workshop was held on 7 May 2008 at Palace of Golden Horses, Kuala Lumpur.
b. On 6 – 11 May 2008 CyberSecurity Malaysia officers attended the Mobile Forensics World 2008 Conference at Purdue University, Chicago,
29 May National Cyber Security Policy Meeting for Policy Thrust 2: Legislative & Regulatory Framework, Putrajaya International Convention Centre, Putrajaya.
20 – 22 May INFOSEC.my Programme. The cyber security-based programme, CEOs, was officiated by Y.B the Deputy Minister of Science, Technology and Innovation, Tuan Hj Fadillah Yusof. These programmes were held at Hotel J.W. Marriot, Kuala Lumpur.
6 May Development of the National-Level Business Continuity Management Standard
MAY 2008
5 June 2008 YB the Deputy Minister of MOSTI received CyberSecurity Malaysia's Digital Forensics briefing
JUNE 2008
27 May Visit by 20 public prosecutors from the Judicial and Legal Training Institute (ILKAP) Course.
24 May - 22 June DATA RECOVERY TRAINING Data Recovery training was held at Myung Information Technologies (MIT), Korea
23 - 31 May Exhibition in conjunction with the Pesta Kaamatan celebrations in Kota Marudu, Sabah on 23 – 25 May and in Panampang on 30 & 31 May 2008.
22 May Courtesy visit by Mr Saisana Prathoumvan, Mr Syyang Chertoi and Mr Khampouy Outhaphone from the National Authority of Posts and Telecommunication, Laos, and Mr Abdul Rahman A. Al-Friah from the Communications and IT Commission (CITC), Saudi Arabia.
16 May Courtesy visit by Mr Belhassen Zouari from National Security for Computer Security, Tunisia, Dr. Seyed Jalal Sadatian from Boshra Strategic Management Group, Iran, and Mr Hassan Rajbari from the Embassy of Iran.
22-23 April Working Visit to the Information Technology Promotion Agency (IPA), Japan
24 April First Visit by the Minister of Science, Technology and Innovation to Cybersecurity Malaysia
c. Conducted "Credit Card Fraud Investigation" training for the Maldives Police force on 10 - 12 May 2008.
18 April Chief Information Officers' roundtable meeting for the critical national information infrastructure (CNII CIO Roundtable)
Activities Throughout 2008
23 June Meeting With Microsoft, Seattle, Washington, USA
19 June Organised the Secondary School ICTL Programme Exposure and Coordination Workshop, at the Hulu Langat Education Office.
18 June Visit from the Royal Police College, Kuala Kubu Baharu.
13 June Technical Committee Meeting No. 1/2008 at the Putrajaya International Convention Centre.
12 - 13 June Attended the Asia-Pacific Trustmark Alliance Seminar in Hanoi, Vietnam.
12 June Development of the Business Continuity Management (BCM) Standard at National Level.
11 June National Cyber Crisis Management Plan (NCCMP) Meeting, at Hotel Palace of the Golden Horses, Kuala Lumpur.
9-12 June International Cryptology Workshop and Conference 2008 (Cryptology 2008), held at the Putra World Trade Centre (PWTC)
9 – 11 June Attended the ISS World Asia Pacific Seminar in Singapore, titled Intelligence Support Systems for Lawful Interception, Criminal Investigations and Intelligence Gathering.
6 June Study on Weaknesses & Gaps in Malaysian Laws in Facing Challenges in the Cyber Environment
Internet Security Training and Awareness
a. 4 July 2008 : Meeting of Computer Laboratory Coordinators of Schools in the Hulu Langat District
b. 8 July : "Cyber Security" Exhibition and "Cyber Security Awareness" Talk in conjunction with the Resource Centre Week of Sekolah Menengah Taman Jasmin 2, Kajang, Selangor
8 - 11 July ISO/IEC 27001:2005 Certification: Stage 2 Audit
JULY 2008
28-29 June National Computer Security and Incident Response Team (NCSIRT) 2008 Meeting
26-27 June International Conference of Digital Evidence 2008 "Digital Forensics in Malaysia" at the International Conference of Digital Evidence 2008, held at Vintners Hall, London, United Kingdom.
26 - 27 June APEC Seminar "Protection of Cyberspace From Terrorist Use And Attacks" organised by the South Korean Ministry of Foreign Affairs and Trade, held in Seoul, South Korea.
26 June Discussion session on Regulatory / Enforcement, Technical and Policy Issues, held at the Putrajaya International Convention Centre.
25 June Attended the FIRST Annual Conference and AGM 2008 in Vancouver, Canada
24 June Network Monitoring SIG Meeting
National Cyber Crisis Management Plan
a. 7 July : "Desktop Walkthrough" Workshop on the National Cyber Crisis management Response, Communication and Coordination Procedures
b. 21 July : Drill Briefing held at the MKN Conference Hall, Putrajaya.
c. 24 July : Cyber Crisis Drill 2008 (X-Maya)
28 July Technical IT Security Seminar, organised by the Faculty of Engineering, Universiti Malaya; discussing two main topics. i. Web Habits & Hacker-Defence ii. Wireless Penetration Testing Toolkit for Practical Security Professionals
21 July - 2 August Fifth working visit by the consultant for the MyCC development project.
17-18 July "Regional Asia Information Security Exchange (RAISE) Forum" Meeting at Hotel Istana, Kuala Lumpur
17 July Briefing with YB the Deputy Minister of MOSTI in conjunction with RAISE Forum 2008, at Hotel Istana Kuala Lumpur.
17 July Information Security Standards Seminar, at Hotel Istana Kuala Lumpur.
16 July Collaboration Programme : Energy Commission and Cybersecurity Malaysia – SCADA/DCS Cyber Security Workshop held at Hotel JW Marriot, Kuala Lumpur.
c. 14-15 July : Security Awareness Course, held at the CyberSecurity Malaysia Training Laboratory.
9 – 14 December CyberSecurity Malaysia participated in the High Technology Crime Investigation Association (HTCIA) Asia Pacific Conference at the Hong Kong University.
DECEMBER 2008
15 – 16 December CyberSecurity Malaysia conducted a CyberSAFE in Schools module development workshop which was attended by 25 teachers from primary and secondary schools within the Hulu Langat District Education Department.
12 December Fourteen organisations from 13 member countries of the Asia Pacific Computer Emergency Response Team (APCERT) took part in the Cyber Emergency Drill conducted during the year.
25 December CyberSecurity Malaysia was invited to be a member in the Economic Research Institute for ASEAN and East Asia (ERIA) project Working Group. The membership consists of Singapore, Thailand, South Korea, Vietnam, China and Japan.
18 - 19 December The Security Management & Best Practices Department of CyberSecurity Malaysia carried out an Information Security Management System (ISMS) awareness test for CyberSecurity Malaysia employees
18 December CyberSecurity Malaysia was invited to conduct a Computer Security Awareness Programme organised by Bank Pembangunan Malaysia Berhad.
24 November Secretary General, Y.Bhg Tan Sri Mohd. Sidek bin Hj Hassan visited CyberSecurity Malaysia for the first time. He was accompanied by Secretary General of MOSTI, Director General of MAMPU as well as senior officers from MAMPU.
Activities Throughout 2008
28 - 29 February National Cyber Security Policy (NCSP) Action Plan Workshop at Miri Marriott Resort & Spa
FEBRUARY 2008
28 January Thrust leaders' meeting in preparation for the National Cyber Security Policy (NCSP) Action Plan Workshop
Presentation of reports/working papers and organisation of cyber security seminar/certification programmes
a. Attended the Forensics Speaker Identification Lab, Agnition S.L in Madrid, Spain, from 8 January 2008 to 12 January 2008.
b. Presented the research paper Internet & Computer Related Offences : The Malaysian Perspective at the Niseko Conference: Internet Law for Professional, held in Niseko, Hokkaido, Japan on 14 – 17 January 2008.
c. Attended The Fourth Annual IFIP WG 11.9 International Conference on Digital Forensics on 27 - 31 January 2008 in Kyoto, Japan.
25 January Proposal to establish Computer Emergency Response Team (CERT) cooperation among the Organisation of the Islamic Conference (OIC) countries, together with the Ministry of Foreign Affairs
15 January Discussion on the National Cyber Crisis Management Plan (NCCMP)
JANUARY 2008
Throughout February Presented reports/working papers and organised cyber security seminar/certification programmes
a. CyberSecurity Malaysia, in collaboration with the National Security Council (MKN), organised briefings on the initiative to protect the Critical National Information Infrastructure (CNII) and an early introduction to the National Cyber Security Policy (NCSP) for the CNII sector leads on 12 February 2008 and 25 February 2008.
b. Visited Shell Refining Co. (SRC) in Port Dickson, Negeri Sembilan on 13 February 2008 to study the operations and information security systems in use.
c. Organised a Technical Writing workshop at Palace of Golden Horses on 27-28 February 2008.
d. Conducted the CISSP & SSCP Professional Examinations on 23 February 2008.
e. Organised the Security Landscape in Malaysia Talk on 20 February 2008.
f. Took part in the Science, Technology and Education Village Programme at Dewan Tun Razak, Baling Kedah on 13-17 February 2008.
25 - 26 February Attended the first Business Dialogue on Electronic Commerce (GBDE) Business Steering Committee (BSC) Meeting of 2008
18 - 20 February ITU Regional Cybersecurity Forum in Doha, Qatar.
14 - 15 February CyberSecurity Malaysia attended the first meeting of the Asian Common Criteria Scheme Owner at the Security Certification Center, Seoul, South Korea.
Presented reports/working papers and organised cyber security seminar/certification programmes
a. Presented a working paper titled E-Government Implementation: Security Challenges and Issues at UiTM, Shah Alam on 12 March 2008 as part of efforts to raise awareness of Information Security.
b. Organised a Wireless Security workshop in conjunction with the Internet Convergence Conference and Exhibition 2008 (ICCE 2008) at Sheraton Subang Jaya, for Chief Information Security Officers, IT Security Managers and Network Managers/Administrators, on 13 March 2008.
c. Presented a working paper on Computer Forensics: Challenges and Opportunities at:
• UiTM Shah Alam on 14 March 2008;
• UiTM Ipoh on 19 March 2008;
• HELP University College on 26 March 2008
Throughout March National Cyber Crisis Management Plan (NCCMP) Campaign
10-12 March Annual General Meeting and Conference of the Asia Pacific Computer Emergency Response Team (APCERT) at Intercontinental Grand Stanford, Hong Kong
MARCH 2008
g. Participated in MOHEX 2008 at Mid Valley Exhibition Centre on 23-24 February 2008.
6 – 10 October CyberSecurity Malaysia represented Malaysia and was an active member of the ISO/IEC SC27 Working Group in Cyprus
OCTOBER 2008
26 September We organised the School Cyber Safe Programme seminar held at the Hulu Langat Education Department
19 – 25 September We participated in the 9th International Common Criteria Conference, Common Criteria Executive Sub-Committee (CCES) and Common Criteria Management Committee (CCMC) Meetings organised by the IT Security Certification Centre (ITSCC), a South Korean Certification Body
19 September CyberSecurity Malaysia rendered its assistance to the Ministry of Domestic Trade and Consumer Affairs to conduct a digital forensics investigation on an online sale company in Puchong
19 September CyberSecurity Malaysia initiated a community project by organising a visit to Rumah Anak-anak Yatim dan Warga Miskin Bait Al-Amin, Parit, Perak
18 September CyberSecurity Malaysia participated in the ‘Network Security Awareness’ programme organised by Politeknik Seberang Perai, Pulau Pinang
28 – 29 October A Professional Talk session by Dr Bradley Jensen, organised by the Centre for Advance Software Engineering University Technology Malaysia (CASE UTM) and Microsoft Corporation
22 – 24 October CyberSecurity Malaysia participated in the Meridien 2008 Conference in Singapore, themed ‘Meridien Connecting and Protecting’
15 October CyberSecurity Malaysia was invited to give a briefing on Information Security Management System (ISMS) awareness and share its experience in ISO/IEC 27001:2005 implementation and certification with the Agency Remote Sensing Malaysia's employees.
13 October Provided Science and Technology Management Training for researchers of OIC member countries, held at the Legend Hotel
16 October Staff Hari Raya Celebration
3 – 7 November Staff of CyberSecurity Malaysia attended the ISO 27001:2005 – Information Security Management System IRCA Registered Lead Auditor Course, which was held at the Training Room of BSI Management Systems Malaysia Sdn Bhd, Kuala Lumpur
NOVEMBER 2008
28 – 29 October CyberSecurity Malaysia was invited by the Sri Lankan Computer Emergency Response Team (SLCERT) to provide technical training on Penetration Testing in conjunction with the Sri Lankan Cyber Security Week
27 – 28 November FORUM ICT4ALL TUNIS + 3 Exhibition in Hammamet, Tunisia
28 November We delivered a talk on Digital Forensics organised by the Companies Commission of Malaysia (CCM).
27 November A visit by teachers from schools under the Hulu Langat District Education Department to CyberSecurity Malaysia.
25 – 27 November A talk on Information Protection Security Management was held at the Prime Minister’s Department Complex, Putrajaya.
25 November CyberSecurity Malaysia was invited to deliver a talk on Forensics Digital to the Fishery Department, Sungai Petani, Kedah.
12 – 13 November A two-day Cyber Security Awareness course was held at CyberSecurity Malaysia.
3 – 7 November Computer Forensics Training Programme, a comprehensive programme, was co-organised by Bank Negara Malaysia and CyberSecurity Malaysia.
27 November Staff Bowling Competition
10 - 25 November The first Professional Critical Infrastructure Protection (PCIP) certification programme in Malaysia
12 - 15 November CyberSecurity Malaysia participated in the MISTI-MOSTI exhibition in Perlis.
8 July Cyber Security exhibition and Cyber Security Awareness talk in conjunction with the Resource Centre Week of Sekolah Menengah Taman Jasmin 2, Kajang, Selangor
7 July ‘Desktop Walkthrough’ workshop: Response Procedures, Communication and Coordination and National Cyber Crisis Management
4 July School Computer Lab Coordination Meeting – for schools within Hulu Langat District
July
a. Participated in the ASEAN Science & Technology Week
b. Security Awareness course was held at CyberSecurity Malaysia’s Training Lab
JULY 2008
AUGUST 2008
28 July Technical IT Security seminar organised by the Engineering Faculty of University of Malaya discussed two major topics:
i. Web Habits & Hacker-Defence
ii. Wireless Penetration Testing Tool Kit for Practical Security Professionals
24 July Practical training for Cyber Crisis 2008 (X-Maya)
21 July – 2 August The fifth consultant working visit for MyCC development project
21 July Practical training briefing was held at the Putrajaya MKN Convention Hall
17 – 18 July The Regional Asia Information Security Exchange (RAISE) Meeting was conducted at Hotel Istana, Kuala Lumpur
1 – 3 August Took part in the MOSTI Exhibition Regatta, Sarawak
17 July Information Security Standard seminar was held at Hotel Istana, Kuala Lumpur
16 July The Energy Commission and CyberSecurity Malaysia conducted a collaborative programme – Cyber Security SCADA/DCS workshop at the J.W.
Marriott Hotel, Kuala Lumpur
8 – 11 July ISO/IEC 27001:2005 Certification: Second Level Audit
17 July A briefing session with the Deputy Minister of MOSTI was held in conjunction with the RAISE Forum 2008, at Hotel Istana, Kuala Lumpur
25 – 27 August Technical training for Bank Negara Malaysia – Network Security, Mobile Banking & Wireless Security was held at the Training Room of CyberSecurity Malaysia
26 August A visit to the Institute of Strategic and International Studies (ISIS) Malaysia
21 – 23 August Meeting and workshop for Operations Task Force (OTF) No. 4/2008 (9th series), which discussed methods of curbing web sites and blogs contravening the nation’s laws, was held at Nexus Resort Karambunai, Kota Kinabalu
18 - 25 August The National Cyber Crisis Management Plan
a. 18 August: Plan Monitoring Committee meeting was held at the Operations Management Centre, MKN, Putrajaya
b. 25 August: Steering Committee Meeting
18 – 21 August We conducted a talk on Digital Forensics Awareness at Universiti Utara Malaysia, Sintok, Kedah
14 – 17 August We took part in the Internet Awareness exhibition in conjunction with the Sabah Science, Technology and Innovation Week (MISTI) 2008
11 August Technical Committee Meeting to study Weaknesses and Vacuums of Malaysian Laws in Addressing Challenges in Cyber Space
4 - 8 & 11 - 13 August The CISSP & SSCP seminars were held at the Training Room of CyberSecurity Malaysia
10 September A talk entitled ‘Current ICT Security Threats’ was delivered at the Defence Ministry for 210 of its staff
9 September A seminar on Cyber Security Awareness was held in conjunction with the visit by a delegation from Institut Perguruan Bahasa Melayu Malaysia to CyberSecurity Malaysia
SEPTEMBER 2008
28 August CyberSecurity Malaysia Personnel Recreational Day
16 – 26 September A Customer Satisfaction Study was conducted to solicit feedback on service performance provided by CyberSecurity
Malaysia
15 September An exhibition organised by MOSTI and IBM, in which we were one of the participants, was held at One World Hotel, Bandar Utama, Kuala Lumpur
14 September CyberSecurity Malaysia was called to assist in a digital forensics investigation conducted by the Companies Commission of Malaysia (SSM)
13 September CISSP and SSCP examinations were held at Universiti Tenaga Nasional (UNITEN), Bangi, Selangor
22 August SIRIM-Industry Awards 2008 presentation ceremony at Sunway Resort Hotel & Spa, Petaling Jaya
16 May Courtesy visits by Mr Belhassen Zouri from the National Security for Computer Security, Tunisia, Dr Seyed Jalal Sadatian from the Boshra Strategic Management Group, Iran and Mr Hassan Rajbari from the Iranian Embassy
6 May Business Continuity Management Standard Development at national level
May Presented reports/working papers and organised cyber seminar programmes/security certifications
a. The External Review workshop was held on 7 May 2008 at the Palace of Golden Horses, Kuala Lumpur
b. From 6 to 11 May, officials from CyberSecurity Malaysia attended the Mobile Forensics World Conference 2008 at the Purdue University, Chicago
c. Conducted “Credit Card Fraud Investigation” training for Maldives Police Force from 10 to 12 May
MAY 2008
22-23 April A working visit to the Information Technology Promotion Agency (IPA), Japan
16 April Working visit by foreign government officers to CyberSecurity Malaysia
29 May The National Cyber Security Policies Meeting for Policy Thrust 2: Legislative and Regulatory Framework was held at the Putrajaya International Convention Centre, Putrajaya
22 May Courtesy visits by Mr Saisana Prathoumvan, Mr Syyang Chertoi, and Mr Khampouy Outhaphone from the National Authority of Posts and Telecommunication, Laos and Mr Abdul Rahman A.
Al-Friah from the Communication and IT Commission (CITC), Saudi Arabia
25 May - 22 June Data Recovery Forensics training at the Myung Institute of Technology (MIT), Seoul, Korea
23 - 31 May Participated in an exhibition in conjunction with the Keamatan Festival in Kota Marudu and Penampang, Sabah.
27 May A visit by 20 public prosecutors who attended a course at Institut Latihan Kehakiman dan Perundangan (ILKAP)
20 – 22 May The INFOSEC.my, a cyber security based programme for CEOs, was officially launched by the Science, Technology and Innovation Deputy Minister, Tuan Hj Fadillah Yusof, at the J.W. Marriott Hotel in Kuala Lumpur
12 – 13 June Attended the Asia Pacific Trustmark Alliance held in Hanoi, Vietnam
12 June Business Continuity Management (BCM) standard development at national level
11 June The National Cyber Crisis Management Plan (NCCMP) was held at the Palace of Golden Horses, Kuala Lumpur
9-12 June International Cryptology Workshop and Conference 2008 (Cryptology 2008) was held at the Putra World Trade Centre (PWTC)
9 – 11 June Attended the ISS World Asia Pacific seminar entitled Intelligence Support Systems for Lawful Interception, Criminal Investigations and Intelligence Gathering, which was held in Singapore
6 June A review on Weaknesses & Vacuums in Malaysian Laws in Addressing Challenges in the Cyber Space
5 June The Deputy Minister of Science, Technology and Innovation made an official visit to CyberSecurity Malaysia
JUNE 2008
28 - 29 June The National Computer Security and Incident Response Team (NCSIRT)
26 - 27 June An APEC seminar on “Protection of Cyberspace from Terrorist Use and Attacks” organised by the Ministry of Foreign Affairs and the South Korean Trades was held in Seoul, South Korea
26 June A discussion session on Regulatory/Enforcement, Technical, and Policy Issues was held at the Putrajaya International Convention Centre
26 - 27 June Presented a working paper entitled
“Forensics Digital in Malaysia” at the International Conference of Digital Evidence 2008 at Vinters Hall, London, United Kingdom
25 June Attended the FIRST Annual Conference and AGM 2008 in Vancouver, Canada
24 June A meeting was held with Network Monitoring SIG
23 June A meeting was held with Microsoft Corporation in Seattle, Washington, USA
19 June Conducted ICT Programme Exposure and Coordination workshop for Secondary Schools within the Hulu Langat Education Office
18 June A visit by trainees from Maktab Polis DiRaja, Kuala Kubu Baru
13 June Technical Committee Meeting No. 1/2008 was held at the Putrajaya International Centre
February Presented reports/working papers and organised cyber seminar programmes/security certifications
a. In collaboration with the National Security Council (NSC), CyberSecurity Malaysia organised a briefing session on Critical National
14 – 15 February CyberSecurity Malaysia attended the first Meeting of the Asian Common Criteria Scheme Owner which was held at the Security Certificate Centre, Seoul, South Korea
FEBRUARY 2008
28 January Core Leaders Meeting in preparation for the Cyber Security Policies Action Plan Workshop (NCSP)
25 January Proposal to jointly establish a Computer Emergency Response Team (CERT) between member countries of the Organisation of Islamic Conference (OIC) and the Foreign Affairs Ministry
15 January Official launching of the National Cyber Crisis Management Plan (NCCMP)
Presented reports/working papers and organised cyber seminar programmes/security certifications
a. Attended the Forensics Speaker Identification Lab, Agnition S.L in Madrid, Spain from 8 to 12 January, 2008
b. Presented a study paper on Internet & Computer Related Offences: the Malaysian Perspective, at the Niseko Conference: Internet Law for Professionals held in Niseko, Hokkaido, Japan from 14 to 17 January, 2008
c.
Attended the Fourth Annual IFIP WG 11.9 International Conference on Digital Forensics from 27 to 31 January, 2008, in Kyoto, Japan
JANUARY 2008
Information Infrastructure (CNII) protection initiatives which gave initial exposure on National Cyber Security Policies (NCSP) for CNII sector leads on 12 February and 25 February 2008
b. A visit to Shell Refining Co. (SRC) in Port Dickson, Negeri Sembilan on 13 February 2008 to study information security operations and systems in use at the company
c. Organised a Technical Writing Workshop at the Palace of Golden Horses on 27 – 28 February 2008
d. Conducted the CISSP & SSCP Professional Examination on 23 February 2008
e. Organised a talk on Security Landscape in Malaysia on 20 February 2008
f. Participated in the Science, Technology and Education Village Programme held at Dewan Tun Razak in Baling, Kedah from 13 to 17 February 2008
g. Participated in the MOHEX 2008 at the Mid Valley Exhibition Centre from 23 to 24 February
25 – 26 February We were one of the participants at the Business Dialogue Meeting on Electronic Commerce (GBDE) of the first Business Steering Committee (BSC) in 2008
18 – 20 February ITU Regional Cybersecurity Forum in Doha, Qatar
28 – 29 February The National Cyber Security Policies (NCSP) Action Plan Workshop held at Miri Marriott Resort & Spa
Presented reports/working papers and organised cyber seminar programmes/security certifications
a. Presented a working paper titled E-Government Implementation: Security Challenges and Issues, at UiTM, Shah Alam on 12 March 2008 in its effort to create awareness on Information Security
b. Organised Wireless Security workshop in conjunction with the Internet Convergence Conference and Exhibition 2008 (ICCE 2008) at the Sheraton Subang Jaya on 13 March 2008 for Chief Information Security Officers, IT Security Managers, and Network Users/Administrators
c.
Paper presentation on Computer Forensics: Opportunities and Challenges at:
• UiTM Shah Alam on March 2008
• UiTM Ipoh on March
• HELP University College on March 2008
d. Presented reports on the Development of Common Criteria Scheme in Malaysia, development activities for Vulnerability Assessment in Malaysia and Development of Web Application Programme and Secure Coding during the ICT Products and Services Security workshop at the 37th APECTEL in Tokyo on 24 March 2008
March The National Cyber Crisis Management Plan (NCCMP)
10 – 12 March Annual General Meeting and the Asia Pacific Computer Emergency Response Team (APCERT) conference held at the Grand Stanford, Hong Kong
MARCH 2008
18 April Chief Information Officers Round Table Meeting for the National Critical Information Infrastructure (NCII) (CNII CIO Roundtable)
17 April The National Cyber Crisis Management Plan (NCCMP)
14 – 18 April Technical Committee Meeting on Information Technology – Security Techniques (ISO/IEC/JTC/SC27)
3 April The National Certification Body for the MS-ISO/IEC 15408 ICT-based Security Evaluation and Certification Scheme
24 April The Minister of Science, Technology and Innovation made his first visit to CyberSecurity Malaysia
1-2 April The Task Force Meeting and OICCERT Conference in Tunisia
APRIL 2008
22 March – 19 April Data recovery and hard disc repair technique training was held at the Myung Institute, South Korea
16 – 18 March A Raid Mock organised by the Ministry of Domestic Trade and Consumer Affairs to impart knowledge on digital forensic procedures was held in Sungai Petani, Kedah
ACTIVITIES THROUGHOUT THE YEAR
All Directors attended the Corporate Directors Training Programme (“CDTP”) held on 18 March and 17 June 2008 at CCM.
ANNUAL GENERAL MEETING (AGM)
The Annual General Meeting is the main forum for dialogue and interaction with the Members of CyberSecurity Malaysia, who comprise the Ministry of Finance (Incorporated) “MOF (Inc.)” and MOSTI. Members are given the opportunity and time to raise questions on matters on the agenda of the annual general meeting. The notice of meeting and the annual report are sent to the Members of CyberSecurity Malaysia at least 21 days before the date of the meeting, in accordance with the Articles of Association of CyberSecurity Malaysia.
The Directors have attended the Corporate Directors Training Programme (“CDTP”), which was held on 18 March and 17 June 2008 at CCM.
ANNUAL GENERAL MEETING (AGM)
The Annual General Meeting represents the principal forum for dialogue and interaction with Members of CyberSecurity Malaysia, namely the Ministry of Finance (Inc.) “MOF (Inc.)” and MOSTI. Members are accorded both the opportunity and time to raise questions on the items on the agenda of the general meeting. The notice of meeting and annual report are sent out to the Members of CyberSecurity Malaysia at least 21 days before the date of the meeting in accordance with the Articles of Association of CyberSecurity Malaysia.
The Board is of the view that the system of internal controls in place for the year under review and up to the date of issuance of the annual report and financial statements is sufficient to safeguard the interests of the stakeholders, clients, regulators and employees, and CyberSecurity Malaysia’s assets.
The internal risk control and management programmes prescribed by the Board include policies and procedures on risk and control by identifying and assessing the risks faced, and in the design, operation and monitoring of suitable internal controls to mitigate and control these risks.
The Board has, through the Management, carried out the ongoing process of identifying, evaluating and managing the key operational and financial risks confronting CyberSecurity Malaysia. The Board embarked on a review of the existing risk control and risk management, implementing and entrenching the risk management culture and functions within CyberSecurity Malaysia.
The Board is responsible for CyberSecurity Malaysia’s system of internal controls and its effectiveness. However, such a system is designed to manage CyberSecurity Malaysia’s risks within an acceptable risk profile, rather than eliminate the risk of failure to achieve the policies and business objective of CyberSecurity Malaysia. The prescribing and maintenance of a system of internal controls, however, provides reasonable assurance of effective and efficient operations, and compliance with laws and regulations, as well as with internal procedures and guidelines.
The Board is of the opinion that the system of internal controls in place during the year under review and up to the date of publication of this annual report and financial statements is adequate to safeguard the interests of stakeholders, customers, regulators and staff, as well as the assets of CyberSecurity Malaysia.
The internal risk control and management programmes prescribed by the Board include policies and procedures on risk and control, covering the identification and assessment of the risks faced and the design, operation and monitoring of suitable internal controls to oversee and control all these risks.
Through the Management, the Board has carried out a continuous process of identifying, evaluating and managing the key operational and financial risks facing CyberSecurity Malaysia. This was done by reviewing the existing risk controls and risk management, and by implementing and instilling a risk management culture and functions within CyberSecurity Malaysia.
The Board is responsible for CyberSecurity Malaysia’s system of internal controls and for its effectiveness. However, such a system is designed to manage CyberSecurity Malaysia’s risks within the limits of an acceptable risk profile, not to eliminate the risk of failing to achieve the policies and business objectives of CyberSecurity Malaysia. Nevertheless, prescribing and maintaining a system of internal controls can provide reasonable assurance of effective and efficient operations and of compliance with laws and regulations as well as internal procedures and guidelines.
INTERNAL CONTROL AND RISK MANAGEMENT
Directors are encouraged to attend talks, training programmes and seminars to keep themselves up to date with the latest developments in the industry in which CyberSecurity Malaysia operates.
Directors are encouraged to attend talks, training programmes and seminars to update themselves on new developments related to the industry in which CyberSecurity Malaysia is operating.
INTERNAL CONTROL AND RISK MANAGEMENT
CONTINUING EDUCATION OF DIRECTORS
Y.Bhg. Dato’ Abdul Hanan bin Alang Endut, Chairman of CyberSecurity Malaysia, is not subject to retirement since he is representing MOSTI. Lt. Col. (R) Husin Hj Jazri, being the President/Chief Executive Officer, is subject to retirement in accordance with his tenure of service with CyberSecurity Malaysia and the terms and conditions applicable thereto. Puan Rubaiah Bte Hj Hashim, who is due for retirement by rotation in 2008, has tendered her retirement letter pursuant to Articles 49 and 51 of the Articles of Association of CyberSecurity Malaysia. She offers herself for re-election as a Director and will be considered for approval by the Members of CyberSecurity Malaysia at the Third Annual General Meeting 2009.
Members of the Board who represent the Ministry of Science, Technology and Innovation (“MOSTI”) are not subject to retirement.
However, other Members of the Board are to retire by rotation upon the expiry of their terms of directorship. One-third of the Members of the Board for the time being shall retire each year by rotation, or if the number is not a multiple of three (3) then the nearest to one third shall retire. The Members of the Board to retire in every year shall be those who have been longest in office since their last election, but as between persons who became a Member of the Board on the same day, those to retire shall (unless they otherwise agree among themselves) be determined by lot.
APPOINTMENT, RETIREMENT BY ROTATION AND RE-ELECTION OF THE BOARD MEMBERS
As at the end of the financial year 2008, six (6) Board Meetings were held. Minutes of every Board meeting are circulated to all Directors for their perusal prior to confirmation of the minutes at the following Board meeting.
The agenda for every Board meeting, together with comprehensive management reports, proposal papers and supporting documents, are furnished to all Directors for their perusal well in advance of the Board meeting date, so that the Directors have ample time to review matters to be deliberated at the Board meeting and to facilitate informed decision making by the Directors.
Board meetings are held regularly, whereby reports on the progress of CyberSecurity Malaysia’s business and operations and minutes of meeting of Board Committees are tabled for review by Members of the Board. At these Board meetings, the Members of the Board also evaluate business and operational propositions and corporate proposals that require to be approved by the Board owing to internal or regulatory requirements, or because of significant financial impact on CyberSecurity Malaysia.
Y.Bhg. Dato’ Hanan bin Alang Endut, Chairman of CyberSecurity Malaysia, is not subject to retirement because he represents MOSTI. Lt. Col.
(R) Husin Hj Jazri, as President/Chief Executive Officer, is subject to retirement in accordance with his term of service with CyberSecurity Malaysia and the terms and conditions relating to it. Puan Rubaiah Bte Hj Hashim, who was due to retire by rotation in 2008, has submitted her retirement letter pursuant to Articles 49 and 51 of the Articles of Association of CyberSecurity Malaysia. She offers herself for re-election as a Director and will be considered for approval by the Members of CyberSecurity Malaysia at the Third Annual General Meeting taking place in 2009.
Members of the Board who represent the Ministry of Science, Technology and Innovation (“MOSTI”) are not subject to retirement. However, the other Members of the Board must retire by rotation upon expiry of their terms as directors. One-third of the Members of the Board for the time being shall retire each year by rotation or, if that number is not a multiple of three (3), the number nearest to one-third shall retire. The Members of the Board retiring each year are those who have been longest in office since their last election, but as between persons who became Members of the Board on the same day, those to retire shall (unless they otherwise agree among themselves) be determined by lot.
APPOINTMENT, RETIREMENT BY ROTATION AND RE-ELECTION OF THE BOARD MEMBERS
As at the end of the financial year 2008, CyberSecurity Malaysia had held six (6) Board Meetings. The minutes of every Board meeting are sent to all Directors for their perusal before the minutes are confirmed at the following Board meeting.
The agenda for every Board meeting, together with comprehensive management reports, proposal papers and supporting documents, is given to all Directors for their perusal ahead of the Board meeting date, so that the Directors have sufficient time to review the matters to be discussed at the Board meeting and can more easily reach informed decisions.
Board meetings are held regularly, at which reports on the progress of the business and operations and the minutes of meetings of the Board Committees of CyberSecurity Malaysia are tabled for review by the Members of the Board. At these Board meetings, the Members of the Board also evaluate business and operational proposals and corporate proposals that require the Board’s approval, either because this is prescribed by internal or regulatory requirements or because they have a significant financial impact on CyberSecurity Malaysia.
BOARD MEETINGS AND SUPPLY OF INFORMATION TO THE BOARD
The profiles of the current Members of the Board are set out on pages 14 to 15 of this Annual Report.
The profiles of the current Members of the Board are set out on pages 14 to 15 of the Annual Report.
BOARD MEETINGS AND SUPPLY OF INFORMATION TO THE BOARD
The Board is fully and effectively supported in the day-to-day management of CyberSecurity Malaysia by the President/Chief Executive Officer and his management team.
The Board is fully and effectively assisted in the day-to-day management of CyberSecurity Malaysia by the President/Chief Executive Officer and his management team.
The Board of CyberSecurity Malaysia is pleased to report that, in the financial year under review, CyberSecurity Malaysia continued to apply sound corporate governance practices in managing and steering the direction of CyberSecurity Malaysia’s development, by adopting the substance and spirit of the principles required by the Malaysian Code on Corporate Governance (“the Code”).
The Board of CyberSecurity Malaysia is pleased to report that for the financial year under review, CyberSecurity Malaysia has continued to apply good corporate governance practices in managing and directing the affairs of CyberSecurity Malaysia, by adopting the substance and spirit of the principles advocated by the Malaysian Code on Corporate Governance (“the Code”).
At least half of the total composition of the Members of the Board must be from the government sector and are to be appointed by the Minister of Science, Technology and Innovation. The remaining members, who may be from the commercial or other relevant sectors, are elected by the members of CyberSecurity Malaysia at its General Meeting. There are currently five (5) members of the Board. All members of the Board are elected with the prior approval of the Minister of Domestic Trade and Consumer Affairs (MDTCA).
The Board consists of members of high calibre, with good leadership skills and vast experience in their own fields of expertise, which enable them to provide strong support towards the effective discharge of the duties and responsibilities of the Board. They fulfill their role by the exercise of independent judgement and objective participation in the deliberations of the Board, bearing in mind the interests of stakeholders, employees, customers, and the many communities in which CyberSecurity Malaysia conducts its business.
COMPOSITION OF BOARD
The Board’s other main duties include regular oversight of CyberSecurity Malaysia’s operations and performance and ensuring that the infrastructure, internal controls and risk management processes are well in place and assess and manage the business risks of CyberSecurity Malaysia. The Board also oversees the operations and business of CyberSecurity Malaysia by requiring regular periodic operational and financial reporting by the management, in addition to prescribing minimum standards and establishing policies on the management of operational risks and other key areas of CyberSecurity Malaysia’s activities.
The Board considers in depth, and if thought fit, approves for implementation key matters affecting CyberSecurity Malaysia which include matters on action plans and annual budget, major expenditures, acquisition and disposal of assets, human resources policies and performance management. The Board also reviews the action plans that are implemented by the Management to achieve business and operational targets.
The Board maps out and reviews CyberSecurity Malaysia’s strategic plans on an annual basis so as to align CyberSecurity Malaysia’s operational directions and activities with the goals of its establishment by the Government of Malaysia.
At least half of the total composition of the Members of the Board must come from the government sector and be appointed by the Minister of Science, Technology and Innovation. The remaining members are drawn from the commercial sector or other relevant sectors and are elected by the Members of CyberSecurity Malaysia at its General Meeting. There are currently five (5) members on the Board. All members of the Board are elected with the prior approval of the Minister of Domestic Trade and Consumer Affairs (MPDNHEP).
The Board of Directors consists of members of very high calibre who have the skills, leadership and broad experience in their respective fields of expertise that enable them to provide strong support for the effective discharge of the Board's duties and responsibilities. They perform their role by exercising independent judgement and participating objectively in the Board's deliberations while, at the same time, safeguarding the interests of stakeholders, employees, customers and the various communities in which CyberSecurity Malaysia conducts its business.

COMPOSITION OF THE BOARD OF DIRECTORS

The other duties of the Board of Directors include regularly overseeing the operations and performance of CyberSecurity Malaysia, ensuring that the infrastructure, internal controls and risk management processes are in place, and assessing and managing CyberSecurity Malaysia's business risks.

The Board of Directors also oversees the operations and business of CyberSecurity Malaysia by requiring management to submit regular periodic operational and financial reports, in addition to setting minimum standards and formulating policies on the management of operational risks and other key areas of CyberSecurity Malaysia's activities.

The Board of Directors considers in depth and, if thought fit, approves for implementation key matters affecting CyberSecurity Malaysia, including matters concerning action plans and the annual budget, major expenditures, the purchase and sale of assets, human resources policies and management performance.

The Board of Directors also reviews the action plans implemented by Management to achieve business and operational targets.

The Board of Directors formulates and reviews CyberSecurity Malaysia's strategic plans every year to align CyberSecurity Malaysia's operational direction and activities with the purpose of its establishment by the Government of Malaysia.
RESPONSIBILITIES OF THE BOARD OF DIRECTORS

STATEMENT OF CORPORATE GOVERNANCE

BOARD RESPONSIBILITIES

Corporate Governance

* Legal, statutory, regulatory, legislative and contractual obligations and requirements in supporting CyberSecurity Malaysia’s business operations shall be met.
* Information security shall be managed through CyberSecurity Malaysia’s information security risk assessment methodology. This shall include the criteria for the acceptable level of risk.
* CyberSecurity Malaysia's information assets in which all types of information reside shall be protected from all threats, whether internal or external, deliberate or accidental.
* Any employees found to have violated this policy or its supporting policies, procedures and guidelines shall be subjected to disciplinary actions as stipulated in the CyberSecurity Malaysia Scheme of Services.
* CyberSecurity Malaysia ISMS Policy shall be reviewed annually by the Information Security Management Committee to ensure its applicability and relevance.
* Each employee shall adhere to CyberSecurity Malaysia ISMS Policy and its supporting policies, procedures and guidelines.

AVAILABILITY

CyberSecurity Malaysia shall ensure that all information is always available to support its business operations and continue to operate with minimal disruptions to achieve its corporate mission and thus realise its vision.

POLICY STATEMENT

* Each employee shall be responsible for protecting all information and respective information assets against unauthorized access, disclosure, modification, destruction and interference, as well as executing all relevant processes and activities.

INTEGRITY

CyberSecurity Malaysia shall ensure that all information produced, kept and distributed by CyberSecurity Malaysia has absolute integrity.

* All managers shall be directly responsible for implementing CyberSecurity Malaysia ISMS Policy within their units, and for adherence by their staff.
* Any related parties including vendors, contractors and third party users shall only have access to CyberSecurity Malaysia information as stipulated in a non-disclosure agreement (NDA) with CyberSecurity Malaysia.
* Policies, procedures and guidelines not limited to information security shall be made available to support CyberSecurity Malaysia ISMS Policy.

CONFIDENTIALITY

CyberSecurity Malaysia shall ensure that all information is safeguarded with appropriate controls to preserve its confidentiality.

CyberSecurity Malaysia’s objective of managing information security according to the requirements in ISO/IEC 27001:2005 is to achieve an overall information security assurance through the preservation of confidentiality, integrity and availability.

OBJECTIVE

CyberSecurity Malaysia Information Security Management System Policy

ISMS Policy Statement

* CyberSecurity Malaysia's information assets, which hold all types of information, must be protected from all types of threats, whether internal or external, deliberate or accidental.
* All legal, statutory, regulatory, legislative and contractual obligations and requirements that support CyberSecurity Malaysia's business must always be met.
* Information security must be managed through CyberSecurity Malaysia's information security risk assessment method. This covers the criteria for the acceptable level of risk.

POLICY STATEMENT

AVAILABILITY

CyberSecurity Malaysia is determined to ensure that all information is available to support its business operations and to continue operating with minimal disruption in order to achieve its corporate mission and thereby realise its vision.

INTEGRITY

CyberSecurity Malaysia is determined to ensure that all information issued, stored and disseminated by CyberSecurity Malaysia has absolute integrity.

CONFIDENTIALITY

CyberSecurity Malaysia is determined to ensure that all information is secured with appropriate controls to preserve its confidentiality.
CyberSecurity Malaysia's objective in managing information security based on the requirements of ISO/IEC 27001:2005 is to achieve comprehensive information security assurance through the preservation of confidentiality, integrity and availability.

OBJECTIVE

* Any staff member found to have violated this policy or its supporting policies, procedures and guidelines may be subject to disciplinary action as outlined in the CyberSecurity Malaysia Scheme of Service.
* The CyberSecurity Malaysia ISMS Policy will be reviewed every year by the Information Security Management Committee to ensure its applicability and relevance.
* Every staff member must comply with the CyberSecurity Malaysia ISMS Policy and its supporting policies, procedures and guidelines.
* All staff must be responsible for protecting all information and their respective information assets from unauthorised access, disclosure, modification, destruction and intrusion, as well as carrying out all related processes and activities.
* Any related parties, including vendors, contractors and third-party users, will only have access to CyberSecurity Malaysia information as set out in a non-disclosure agreement (NDA) with CyberSecurity Malaysia.
* All managers must be directly responsible for the implementation of the CyberSecurity Malaysia ISMS Policy within their units, and for ensuring that it is complied with by their staff.
* Policies, procedures and guidelines are not limited to information security alone; they must also be available to support the CyberSecurity Malaysia ISMS Policy.

CyberSecurity Malaysia Information Security Management System Policy

ISMS Policy Statement

1.
ASIA PACIFIC COMPUTER EMERGENCY RESPONSE TEAM (APCERT) www.apcert.org
* A regional platform whose members are teams from economies in the Asia Pacific region, most of which are their respective Computer Emergency Response Teams (“CERT”), that coordinate and cooperate to prevent, detect and respond to any reported computer incident and also drive activities aimed at improving incident handling capabilities.

1. ASIA PACIFIC COMPUTER EMERGENCY RESPONSE TEAM (APCERT) www.apcert.org
* A regional platform consisting of a total of member teams from economies, in which the majority are National CERTs from within the Asia Pacific region, who coordinate and collaborate in prevention, detection and responding to computer incident reports as well as initiate activities related to enhancement of incident handling capabilities.

6. GLOBAL BUSINESS DIALOGUE ON ELECTRONIC COMMERCE (GBDE) www.gbd-e.org
* Established in January, GBDe is spearheaded by world renowned CEO to assist in the development of a global policy framework for the emerging online economy and to convene dialogue on related issues.

5. COMMON CRITERIA (CC) www.commoncriteriaportal.org
* An international Standard ISO/IEC for the computer security scrutiny process, providing stringent quality processes, evaluation and assurance on any computer security products.

4. REGIONAL ASIA INFORMATION SECURITY EXCHANGE (RAISE)
* A forum that provides a platform for sharing of knowledge and experiences deployed for adoption within the region in order to develop international security standards broadcasted effectively within the Asia Region.

3. INTERNATIONAL INFORMATION SYSTEMS SECURITY CERTIFICATION CONSORTIUM, INC (ISC)² https://www.isc2.org
* (ISC)² is responsible for maintaining the (ISC)² CBK, a compendium of the industry best practices for information security including Certified Information Systems Security Professionals (CISSPs) and Systems Security Certified Practitioners (SSCPs).

6.
GLOBAL BUSINESS DIALOGUE ON ELECTRONIC COMMERCE (GBDE) www.gbd-e.org
* Established in January, GBDe is led by the world's prominent Chief Executive Officers to help develop a global framework policy for the development of the online economy and to organise dialogue on related issues.

5. COMMON CRITERIA (CC) www.commoncriteriaportal.org
* An International Standard ISO/IEC for the computer security scrutiny process that sets out strict quality scrutiny processes, evaluation and validation for computer security products.

4. REGIONAL ASIA INFORMATION SECURITY EXCHANGE (RAISE)
* A forum that provides a basis for sharing knowledge and experience that is disseminated and adopted throughout the Asian region, with the aim of developing international security standards that will be shared effectively among the countries of the Asian region.

3. INTERNATIONAL INFORMATION SYSTEMS SECURITY CERTIFICATION CONSORTIUM, INC (ISC)² https://www.isc2.org
* (ISC)² is responsible for maintaining the (ISC)² CBK, a compilation of industry best practices in the field of information security, including “Certified Information Systems Security Professionals (CISSP)” and “Systems Security Certified Practitioners (SSCP)”.

2. FORUM OF INCIDENT RESPONSE AND SECURITY TEAMS (FIRST) www.first.org
* FIRST is the world leader in incident response, bringing together ICT security teams and CERTs from the commercial, education and government sectors with the main goal of fostering cooperation and coordination in the detection and prevention of computer incidents, effective response and information sharing among members and the public.

STRATEGIC PARTNERSHIPS.

CyberSecurity Malaysia is not alone in the effort to protect the public from cyber threats. Our network of strategic knowledge partners encompasses global collaboration and information sharing with agencies and professional bodies such as:

SMART PARTNERSHIPS.
CyberSecurity Malaysia is not alone in our quest to protect the public against cyber corruption. Our bridge of strategic technical and knowledge partners encompasses a global collaboration and information sharing with renowned agencies and professional bodies such as:

2. FORUM OF INCIDENT RESPONSE & SECURITY TEAMS (FIRST) www.first.org
* FIRST is the global leader in incident response that assembles ICT security teams and CERTs from commercial, education and government institutions with the main goal of fostering cooperation and coordination in incident detection, prevention, effective response and information sharing amongst members and the public.

Technical and Knowledge Partners

Photo captions:
* Corporate Planning & Strategy Department and Internal Audit Department
* Procurement Department
* Cyber Technology Research (CTR) Department
* Some of the personnel under the Chief Technology Officer (CTO)'s Office Division
* Information Technology Department
* Legal & Secretarial Department
* The CEO with Admin personnel and secretaries
* Corporate Services Division
* CEO's Office Division

CyberSecurity Malaysia's Corporate Citizens

In addition, CyberSecurity Malaysia is an accredited examination centre for the SANS Institute and BCI certification programs. The number of knowledge workers in Malaysia has now grown as a result of the Professional Training Services Program offered by CyberSecurity Malaysia.
Before this program began, the country had only 200 certified cyber security professionals in 2005. The program has succeeded in raising that number to 799 professionals by December 2008.

In addition, CyberSecurity Malaysia is the authorised examination centre for SANS Institute and BCI certification programs. The number of knowledge workers in Malaysia has increased through CyberSecurity Malaysia’s Professional Training Services Program. Before the program started, there were only 200 certified cyber security professionals in 2005. This program has increased the number to 799 by December 2008.

Outreach and awareness programs also include the eSecurity portal that was developed to provide information on cyber security for three target groups: Kids / teenagers, Parents / end-users and Organisations. It is also the brand name used for our awareness portal http://www.esecurity.org.my and our quarterly awareness newsletter called CyberSAFE.

We provide continuous outreach and awareness programs in order to increase the national awareness level on cyber security and have thus far organised twelve (12) awareness programs nationwide and conducted 45 school programs. Apart from that, we have also organised the INFOSEC.my seminar, which was attended by over 800 participants. All these programs and campaigns were achieved within a span of three years from year 2006 to year 2008.

Increasing cyber security awareness programs to the public is the key factor in our daily activities because the internet has drastically changed the lifestyle of Malaysians. Be it while providing our products or services, CyberSecurity Malaysia tries its best to make the public aware of and understand cyber safety.
Outreach and awareness programs also include the eSecurity portal, which was developed to provide information on cyber security for three target groups, namely Children / teenagers, Parents / end users and Organisations. It is also the brand for our portal, which can be visited at http://www.esecurity.org.my, and for our awareness bulletin, CyberSAFE, which is issued every three months.

We provide continuous outreach and awareness programs to raise the national level of awareness of cyber security and, accordingly, to date we have organised twelve (12) awareness programs and 45 school programs throughout the country. In addition, we also organised the INFOSEC.my seminar, which was attended by more than 800 participants. All of these programs and campaigns achieved their targets within a period of three years, from 2006 to 2008.

Continuously increasing cyber security awareness programs for the public is one of the important factors in our daily life because the internet has drastically changed the way of life of Malaysians. CyberSecurity Malaysia is committed to fostering awareness and understanding among the public regarding cyber security, whether in providing its services or its products.

2. Outreach and Awareness

Information Sharing:
* Information Security Local Interest Group (INFOSEC.my).
* Information Security Special Interest Group (INFOSEC.my SIG).

2.
Outreach and Awareness Program

Competency Building and Awareness Programs:
* Business Continuity Management
* Common Criteria
* Digital Forensics
* Incident Response and Handling
* ISO 27001
* Mobile Banking
* Network Security
* Security Essential
* Security Policy Development
* Web Application Security
* Wireless Communication
* Wireless Security

Professional certification programs from the International Information System Security Certification Consortium, Inc., (ISC)²:
* Certified Information Systems Security Professional (CISSP).
* Systems Security Certified Practitioner (SSCP).

The list of programs offered by CyberSecurity Malaysia includes:

Training & Outreach Team

As a body entrusted to ensure the security of cyberspace in Malaysia, our expertise and services are widely needed to provide training and advice on developing Computer Emergency Response Team (CERT), Information Security Management System (ISMS), Business Continuity Management (BCM), Wireless technology, Penetration Testing, SCADA, and Digital Forensics.
Professional certification programs from the International Information System Security Certification Consortium, Inc., (ISC)²:
* Certified Information Systems Security Professional (CISSP)
* Systems Security Certified Practitioner (SSCP)

The list of programs offered by CyberSecurity Malaysia covers:

As the body entrusted with ensuring the security of cyberspace in Malaysia, our expertise and services are much needed to provide training and advice for developing a Computer Emergency Response Team (CERT), an Information Security Management System (ISMS), Business Continuity Management (BCM), wireless technology, Penetration Testing, SCADA and Digital Forensics.

Knowledge evolution is one of the critical criteria given priority by CyberSecurity Malaysia. We are determined to produce a “Knowledge Generation” able to understand and handle the constantly changing evolution of cyber security threats. CyberSecurity Malaysia provides “Professional Training Services” to increase the number of cyber security professionals in Malaysia.

1. Professional Training Services

Knowledge Evolution is one of the critical criteria given priority by CyberSecurity Malaysia. Our aim is to create a “Knowledge Generation” capable of understanding and handling the ever changing evolution of cyber security threats. CyberSecurity Malaysia provides “Professional Training Services” in order to increase the number of cyber security professionals in Malaysia.

TRAINING AND OUTREACH

The NCSP's vision is “Malaysia's Critical National Information Infrastructure (CNII) that is secure, resilient and self-reliant. Founded on a culture of security, it will promote stability, social well-being and wealth creation.” To realise this vision, the country's ministries, regulators and CNII organisations need to work together in an organised manner under the guidelines of the NC3.
The NCSP’s vision is “Malaysia’s Critical National Information Infrastructure (CNII) shall be secure, resilient and self-reliant. Infused with a culture of security it will promote stability, social well being and wealth creation”. To realize this vision, ministries, regulators and organizations of the country's CNII must work together in a coordinated fashion under the guidance of the NC3.

TRAINING AND OUTREACH

The PIC department is committed to assisting the government with the implementation of the National Cyber Security Policy (NCSP). CyberSecurity Malaysia has been mandated to implement the policy under the jurisdiction of the Ministry of Science, Technology and Innovation (MOSTI). To facilitate this task, PIC serves as the secretariat, together with MOSTI, for the National Cyber Security Coordination Committee (NC3), a national-level committee that oversees the implementation of the NCSP. The committee is chaired by the Secretary General of MOSTI. As the secretariat, PIC provides guidance to implementers in the form of advice and future direction.

3. Policy Implementation Coordination (PIC)

In preparing and issuing such reports, research on existing and emerging cyber threats is carried out via the internet. Based on the information gathered, analyses, trends and recommendations are produced and reported to stakeholders. This will help stakeholders make informed decisions when formulating policies and guidelines for implementing the country's information security initiatives.

The PIC department is dedicated to assisting the government in realizing the National Cyber Security Policy (NCSP). CyberSecurity Malaysia has been given the mandate to implement the policy under the purview of the Ministry of Science, Technology and Innovation (MOSTI).
In order to facilitate such work, PIC is the co-secretariat along with MOSTI for the National Cyber Security Coordination Committee (NC3), a national level committee that oversees the implementation of NCSP. This committee is chaired by the Secretary General of MOSTI. As the secretariat, PIC provides guidance to the implementers in terms of advice and the way forward.

3. Policy Implementation Coordination (PIC)

In developing and producing such reports, research on existing and emerging cyber threats on the internet is conducted. Based on the information gathered, analysis, trends and proposals are generated and reported to the stakeholders. This assisted the stakeholders to be more informed in the course of making decisions, formulating policies and developing guidelines for the country’s information security initiatives.

i. the development and management of a project for the Study of Malaysian Cyber Laws to Face Challenges in the Cyber Environment;
ii. the establishment of the OIC-CERT (Organization of the Islamic Conference – Computer Emergency Response Team) collaboration which assisted the OIC member countries to establish or strengthen their cyber security capabilities;
iii. the establishment of a strategic collaboration between CyberSecurity Malaysia and international agencies such as the Information-technology Promotion Agency (IPA), Japan and ITU-D;
iv. presentation of strategic papers at international conferences such as the NISEKO Japan, OIC-CERT, FIRST and ITU-D Conferences;
v. involvement in strategic workshops such as the National Cyber Security Crisis Management Plan under Majlis Keselamatan Negara and the Cyber Law Review under MOSTI; and
vi. providing feedback to ministerial documentation on cyber security matters.

CMR is responsible for providing CyberSecurity Malaysia’s stakeholders with periodic reports pertaining to the development and issues in the areas of cyber security.
In meeting the stakeholders’ expectations, CMR prepares ministerial papers such as Memorandum Jemaah Menteri, Nota Jemaah Menteri and official feedback to Parliament inquiries. In addition, this department provides reports on cyber security incidents and potential cyber threats of the country to the Ministry of Science, Technology and Innovation.

2. Cyber Media Research (CMR)

Initiatives undertaken by SPR at national and global level include:

SPR spearheads new initiatives in cyber security by developing proposals and undertaking policy research. The department is also responsible for managing projects to establish new cyber security initiatives such as collaborations with the relevant local and international parties and implementation of cyber security technologies. This is done through research on information security which leads to the development of strategic papers, i.e. white papers, proposals, and reports. These documents have assisted CyberSecurity Malaysia’s stakeholders as well as management to make informed decisions. In addition, SPR also provides strategic advice and feedback to stakeholders’ inquiries on cyber security matters.

1.
Strategic Policy Research (SPR)

The Cyber Security Research & Policy Division is divided into three departments:

CYBER SECURITY RESEARCH AND POLICY

Cyber Security Research & Policy Division

i. the development and management of a project for the Study of Malaysian Cyber Laws to Face Challenges in the Cyber Environment;
ii. the establishment of OIC-CERT (Organisation of the Islamic Conference Computer Emergency Response Team), which helps OIC member countries establish or further strengthen their cyber security capabilities;
iii. forging strategic collaboration between CyberSecurity Malaysia and international agencies such as the Information-technology Promotion Agency (IPA) of Japan and ITU-D;
iv. presenting strategic papers at international conferences such as the NISEKO Japan, OIC-CERT, FIRST and ITU-D conferences;
v. involvement in strategic workshops such as the National Cyber Security Crisis Management Plan under Majlis Keselamatan Negara and the Cyber Law Review under MOSTI; and
vi. providing feedback on cabinet documents relating to cyber security.

CMR is responsible for providing periodic reports to CyberSecurity Malaysia's stakeholders on developments and issues in fields related to cyber security. To meet its stakeholders' expectations, CMR is tasked with preparing cabinet papers such as Memorandum Jemaah Menteri, Nota Jemaah Menteri and official responses to questions received in Parliament. In addition, this department provides reports on cyber security incidents and possible cyber threats to the country to the Ministry of Science, Technology and Innovation.

2. Cyber Media Research (CMR)

Initiatives undertaken by SPR at the local and global levels include:

SPR spearheads new efforts in cyber security by outlining security proposals and carrying out policy research.
This department is also responsible for handling projects to establish new security initiatives, such as cooperation with relevant parties at home and abroad and the implementation of cyber security technology. This is carried out through research on information security that leads to the preparation of strategic papers, namely white papers, proposals and reports. These documents help CyberSecurity Malaysia's stakeholders and management make better-informed decisions. In addition, SPR also provides strategic policy advice and feedback in response to any stakeholder inquiries on matters related to cyber security.

1. Strategic Policy Research (SPR)

The Cyber Security Research and Policy Division is divided into three departments:

CYBER SECURITY RESEARCH AND POLICY

* MyVAC also conducts a review of the client’s existing VA report and provides our expert advice. MyVAC can provide internal and external penetration testing to verify the findings.

MyCB, a department within CyberSecurity Malaysia, is responsible for carrying out certification and for overseeing the day-to-day operations of the Malaysian Common Criteria Evaluation and Certification (MyCC) Scheme.

The development of the MyCC Scheme is very important to fulfil the requirement to be recognised as a CCRA Authorising Participant, where Malaysian certified products and systems will be recognized by other CCRA participant countries. Therefore, MyCB is responsible for ensuring the successful transition from consuming to authorising membership. The key milestone for the MyCC Scheme development phase is planned to be achieved in 2010.

The MyCC Scheme is a systematic process for evaluating and certifying the security functionality of ICT products and systems against defined criteria or standards. The MyCC Scheme's mission is to increase Malaysia’s competitiveness in quality assurance of information security based on the Common Criteria (CC) standard.
In addition, consumers’ confidence towards Malaysian ICT products and systems will be increased. In order to ensure that high standards of competence and impartiality are maintained, and that consistency is achieved, the MyCC Scheme is operated by MyCB.

MyCC Team

Malaysia was successfully accepted as a consuming member by the Common Criteria Recognition Arrangement (CCRA) on 28 March 2007. CCRA is an international standard for gaining recognition and assurance in ICT products and systems, and as of March 2009, there are 26 countries participating in CCRA. Following this acceptance as a consuming member of CCRA, in October 2008, the government officially appointed CyberSecurity Malaysia as the sole certification body for the evaluation and certification scheme based on MS ISO/IEC 15408:2005 Information Technology – Security Techniques – Evaluation Criteria for IT Security. This certification body is named Malaysian Common Criteria Certification Body (MyCB).

MALAYSIA COMMON CRITERIA CERTIFICATION BODY (MyCB)

For Off-Site service, MyVAC provides the relevant cyber security assessment report through conducting simulation assessment of current settings/configurations with relevant CNII sectors. The “Off-site” service provides external penetration testing to verify the vulnerabilities of clients’ networks and systems via the internet.

* MyVAC conducts vulnerability assessment at the client’s place. We use the “Defense-in-depth” approach in ensuring the technical controls are taken care of. The scopes offered include but are not limited to: network architecture review, network and wireless, server/host operating systems, web applications, database and penetration testing. A comprehensive Vulnerability Assessment (VA) report will be prepared for clients to remediate their vulnerabilities.

* MyVAC also reviews the client's existing VA report and provides our expert advice.
MyVAC can provide internal and external penetration testing to verify those findings.

The development of the MyCC Scheme is very important for fulfilling the requirements to be recognised as a CCRA Authorising Participant, because certified products and systems from Malaysia will then also be recognised by CCRA participant countries. Accordingly, MyCB's responsibility is to ensure a successful transition from consuming membership to authorising membership. An important milestone for the development phase of the MyCC Scheme is planned to be achieved in 2010.

The MyCC Scheme is a systematic process for the evaluation and certification of the security functionality of ICT products and systems based on specified criteria or standards. The mission of the MyCC Scheme is to raise Malaysia's level of competitiveness in information security quality assurance based on the Common Criteria (CC) standard. In addition, it also aims to increase consumers' confidence in Malaysian ICT products and systems. To ensure that high standards of competence and impartiality are maintained and are consistent, the MyCC Scheme is operated by MyCB.

MyCB is a department within CyberSecurity Malaysia responsible for carrying out certification and supervising the daily operations of the Malaysian Common Criteria Evaluation and Certification (MyCC) Scheme.

Malaysia was accepted as a consuming member by the Common Criteria Recognition Arrangement (CCRA) in March 2007. CCRA is an international standard for obtaining assurance in the security of ICT products and systems, and as of March 2009 a total of 26 countries were members of CCRA. Following this acceptance, in October 2008 the government officially appointed CyberSecurity Malaysia as the sole certification body for the evaluation and certification scheme based on MS ISO/IEC 15408:2005 Information Technology – Security Techniques – Evaluation Criteria for IT Security. This certification body is named the Malaysian Common Criteria Certification Body (MyCB).
BADAN PENSIJILAN KRITERIA BERSAMA MALAYSIA (MyCB) Bagi perkhidmatan "di luar tapak", MyVAC menyediakan laporan penilaian keselamatan siber berkaitan dengan menyediakan penilaian simulasi penetapan/konfigurasi semasa dengan sektor CNII yang berkenaan. Perkhidmatan “di luar tapak” menyediakan ujian penembuasan luaran bagi mengesahkan kelemahan rangkaian dan sistem pelanggan melalui internet. t Bagi menyediakan perkhidmatan di tapak, MyVAC mengkaji Laporan Audit CNII yang berkaitan dan mengesyorkan cadangan keselamatan siber tambahan yang diperlukan. Terdapat dua (2) jenis perkhidmatan “di tapak” iaitu: For On-Site service, MyVAC reviews the relevant CNII’s Audit Report and acknowledges additional cyber security recommendations. Two (2) types of “On-site” services provided by MyVAC are as follows: MyVAC menyediakan penilaian kelemahan di tempat pelanggan. Kami menggunakan pendekatan Pertahanan-secara-terperinci” bagi memastikan kawalan teknikal diberi perhatian. Skop yang ditawarkan termasuk tetapi tidak terhad kepada: Kajian seni bina rangkaian, Rangkaian & Tanpa Wayar, Sistem Pelayan/operasi hos, aplikasi web, pangkalan data dan ujian penembusan. Satu laporan Penilaian Kelemahan (VA) akan disediakan untuk pelanggan bagi memperbaiki setiap kelemahan mereka. MyVAC menyediakan khidmat nasihat penaksiran keselamatan siber dengan menawarkan penaksiran gangguan “di tapak” dan “di luar tapak” bagi sektor CNII berkaitan. 2.2 PUSAT PENILAIAN KELEMAHAN (MyVAC) MyVAC provides cyber security assessment service by offering “on-site” and “off-site” vulnerability assessments for the relevant CNII sectors. 2.2 MALAYSIA VULNERABILITY ASSESSMENT CENTER (MyVAC) 36 MySEF carries out ICT security evaluations, independently of the IT developers, products or protection profiles. The evaluation is conducted against the Common Criteria (CC) (MS-ISO/IEC 15408) and the Common Evaluation Methodology (CEM) (MS-ISO/IEC 18405). 
The evaluation of products against the CC establishes a level of confidence that the security functionality of these products is correctly implemented and the assurance measures applied to these ICT products are appropriate. The evaluation process examines the design of the product, the environment in which it was developed, the delivery process, the guidance documentation, how it was tested, and includes a search for vulnerabilities. Consumers of ICT security products may use the results of evaluations to determine whether these ICT products fulfill their security needs. 2.1 MALAYSIA ICT SECURITY EVALUATION FACILITIES (MySEF) Services provided by Security Assurance Department are as follows: Security Assurance Department Jabatan Perkhidmatan Jaminan Keselamatan Security Assurance also aims to improve the security posture of the Critical National Information Infrastructure (CNII) sectors through security assessments and to improve the nation’s ability in mitigating cyber threats and exploitation due to information systems and technology vulnerabilities. Security Assurance, a department within CyberSecurity Malaysia, has responsibility for providing expert services in ICT security products and systems evaluation based on the Common Criteria (ISO/IEC 15408). Its objective is to promote a safe and reliable computing environment through the provision of assured ICT security products and systems. Evaluation services are necessary to provide confidence in the security capabilities of ICT products and systems in defending against the ICT threats. Apart from providing protection; CyberSecurity Malaysia is also responsible for wealth creation from the services provided. 2. Security Assurance Services Other than what has been mentioned above, SMBP had successfully developed the National Cyber Crisis Management Plan in collaboration with Majlis Keselamatan Negara (MKN), with the objectives of providing a coordination platform in managing national cyber crisis. 
One of SMBP’s main activities is to contribute towards Standard development in areas of information security; both locally (with Standards Malaysia) and internationally (with ISO). SMBP had continuously been providing contributions on standards development through the Technical Committee on Information Security (TC5) and Technical Committee for BCM (TC-BCM). CyberSecurity Malaysia through SMBP had continuously been given the trust to chair the Technical Working Group (WG4), a core group that handles Security Controls and Services. SMBP had successfully pushed through the acceptance of ISO Information Security Standard proposal on “Guideline for Identification, Collection and/or Acquisition and Preservation of Digital Evidence” with the objective to ensure right procedure is globally accepted in the international court of law. 2 37 MySEF menjalankan penilaian keselamatan ICT bebas terhadap pemaju, produk atau profil keselamatan ICT. Penilaian ini dikendalikan dengan membandingkan profil perlindungan Kriteria Bersama (CC) (MS-ISO/IEC 15408) dan Kaedah Penilaian Bersama (CEM) (MS-ISO/IEC 18405). Penilaian produk berbanding CC mewujudkan tahap keyakinan bahawa fungsi keselamatan produk tersebut telah dilaksanakan dengan tepat dan langkah jaminan yang diaplikasi kepada produk tersebut juga telah dilakukan dengan sewajarnya. Proses penilaian ini meneliti rekabentuk produk tersebut, persekitaran di mana ia dibangunkan, proses penyerahan, dokumentasi panduan dan cara ia diuji dan termasuk meneliti kelemahannya. Pengguna produk keselamatan ICT boleh menggunakan keputusan penilaian yang diperolehi bagi menentukan sama ada produk ICT tersebut memenuhi ataupun tidak memenuhi keperluan keselamatannya. 
2.1 KEMUDAHAN PENILAIAN KESELAMATAN ICT MALAYSIA (MySEF) Berikut adalah perkhidmatan yang disediakan oleh Jabatan Jaminan Keselamatan: Jaminan Keselamatan juga menyasar untuk mempertingkatkan kerangka keselamatan dalam Infrastruktur Maklumat Negara Yang Kritikal (CNII) melalui penilaian keselamatan dan mempertingkatkan kemampuan negara dalam mengawal ancaman dan eksploitasi siber disebabkan oleh kelemahan sistem maklumat dan teknologi. Jaminan Keselamatan adalah sebuah jabatan dalam CyberSecurity Malaysia yang bertanggungjawab menyediakan perkhidmatan kepakaran yang melibatkan penilaian produk dan sistem keselamatan ICT berasaskan Kriteria Bersama (ISO/IEC 15408). Ia bermatlamat menggalakkan persekitaran komputer yang selamat dan berwibawa melalui penyediaan produk dan sistem keselamatan ICT yang terjamin. Perkhidmatan penilaian diperlukan untuk memberi keyakinan terhadap keupayaan produk dan sistem ICT yang mampu bertahan daripada sebarang ancaman ICT. Selain daripada penyediaan perlindungan; CyberSecurity Malaysia juga bertanggungjawab terhadap penciptaan kekayaan yang terhasil daripada perkhidmatan yang disediakan. Perkhidmatan Jaminan Keselamatan Selain daripada yang dinyatakan di atas, SMBP juga berjaya membangunkan Pelan Pengurusan Krisis Siber Negara dengan kerjasama Majlis Keselamatan Negara (MKN), yang bermatlamat untuk menyediakan platform dalam menguruskan krisis siber negara. Salah satu aktiviti utama SMBP adalah untuk menyumbang kepada pembangunan Piawaian dalam bidang keselamatan maklumat; sama ada di dalam (Piawaian Malaysia) mahupun di luar negeri (ISO). SMBP telah menyumbang idea melalui Jawatankuasa Teknikal mengenai Keselamatan Maklumat (TC5) dan Jawatankuasa Teknikal untuk BCM (TC-BCM). CyberSecurity Malaysia melalui SMBP terus diberi kepercayaan untuk mempengerusikan Kumpulan Kerja Teknikal (WG4), kumpulan teras yang mengendalikan Kawalan Keselamatan dan Perkhidmatan. 
SMBP successfully pushed for the early acceptance of the ISO Information Security Standard proposal on “Guidelines for the Identification, Collection and/or Acquisition and Preservation of Digital Evidence”, with the aim of ensuring that the correct procedure is accepted in international courts.

Security Management & Best Practices Department

Therefore, it was only natural that SMBP coordinated the efforts to implement ISMS in CyberSecurity Malaysia, until we successfully obtained the ISMS certification in July 2008. We are one of only two leading organizations in Malaysia so far that have gone through a full ISMS certification for the whole organization. Usually, only a certain department, such as the IT Department, goes through the ISMS certification process. Through SMBP, we are promoting the ISMS, which conforms to the ISO/IEC 27001:2005 standard, and encouraging other organizations to get a full certification.

Our Security Management and Best Practices Services offer expert advice in information security management and best practices, focusing on Information Security Management System (ISMS) and Business Continuity Management (BCM). Apart from these two specialized areas, SMBP has also been developing information security guidelines and best practices for the ICT community. With these guidelines in place, we aim to share our expertise and knowledge with organisations and the public in creating a sustainable and resilient information environment through awareness, training and expert advice.

1. Security Management and Best Practices (SMBP)

SECURITY QUALITY MANAGEMENT SERVICES

2008 has been a great year and we would like to use this achievement as the stepping-stone for more successes in the years to come. DFD will tirelessly and continuously look for ways to improve the service delivery processes to our stakeholders.
Our DFD also assisted varsities and colleges such as UiTM, UUM, UTM and UIA with course module development, part-time lecturing, student internship programs and research programs at postgraduate level. We did this to help produce more graduates in digital forensics arena; and we were told that our efforts have begun to payoff, as more students have enrolled in digital forensics related courses. Other highlights in 2008 were the initiation of the groundwork to get the profession of Digital Forensics Analyst of CyberSecurity Malaysia to be endorsed under the provisions of Section 399 of the Criminal Procedure Code (CPC). Other notable achievements in 2008 were attaining international visibility whereby a few of our analysts were invited to present at international conferences. Also, three of our analysts were accepted to be members of the International High Technology Crime Investigation Association (HTCIA). In addition, we have successfully produced and distributed to LEA and RB our very own Digital Forensics Live CD and Pocket Guide for Digital Forensics First Responders. And became a member of the technical working group (TWG25) to develop MS ISO 17025 (document examination for forensics science testing) and working group (WG4) to develop ISO standard for guidelines for identification, collection and/or acquisition and preservation of digital evidences. 35 Justeru, SMBP merupakan pihak yang paling sesuai menyelaras usaha melaksanakan ISMS di CyberSecurity Malaysia, sehingga kami berjaya memperolehi persijilan pada Julai 2008. Kami merupakan salah sebuah daripada hanya dua buah organisasi peneraju di Malaysia sehingga kini, yang berjaya melepasi pensijilan ISMS bagi seluruh organisasi. Lazimnya, hanya sebuah jabatan seperti Jabatan IT yang melaksanakan proses pensijilan ISMS. Melalui SMBP, kami mempromosi ISMS yang selaras dengan standard ISO/IEC 27001:2005 dan menggalakkan organisasi lain untuk mendapatkan pensijilan penuh. 
Pengurusan Keselamatan dan Amalan Terbaik menawarkan nasihat pakar dalam pengurusan keselamatan maklumat dan amalan terbaik keselamatan dengan memfokus terhadap Sistem Pengurusan keselamatan Maklumat (ISMS) dam Pengurusan Kesinambungan Perniagaan (BCM). Selain daripada dua fungsi khusus ini, SMBP juga telah membangunkan garis panduan sekuriti maklumat dan amalan terbaik dalam mmberi panduan kepada organisasi-organisasi dan komuniti ICT. Dengan berkuatkuasanya garis panduan ini, kami berhasrat untuk berkongsi kepakaran dan pengetahuan kami dengan organisasi dan orang ramai dalam mewujudkan persekitaran maklumat yang mapan dan berdaya tahan melalui kesedaran, latihan dan nasihat pakar. 1. Pengurusan Keselamatan dan Amalan Terbaik (SMBP) PERKHIDMATAN PENGURUSAN KUALITI KESELAMATAN Tidak syak lagi tahun 2008 merupakan tahun hebat buat kami dan kami ingin menggunakan kejayaan ini sebagai batu loncatan untuk mencapai lebih banyak kejayaan pada tahun-tahun akan datang. DFD bertekad akan terus berusaha mencari jalan untuk mempertingkatkan proses penyampaian perkhidmatannya kepada para pemegang kepentingan. DFD kami juga telah membantu universiti dan kolej seperti UiTM, UUM, UTM dan UIA dalam membangun modul kursus, memberi syarahan sambilan, program latihan sambil belajar penuntut dan program penyelidikan di peringkat lepasan ijazah. Kami melakukan usaha ini untuk menghasilkan lebih ramai graduan dalam arena forensik, dan kami dimaklumkan bahawa usaha kami sudah mula membuahkan hasil apabila lebih ramai penuntut kini mendaftar dalam kursus berkaitan dengan forensik digital. Kejayaan penting lain yang dicapai pada tahun 2008 adalah inisiatif asas untuk mendapatkan pengesahan bahawa Penganalisis Forensik Digital CyberSecurity Malaysia termasuk di bawah Seksyen 399 Kod Kanun Acara Jenayah (CPC). 
An equally important achievement in 2008 was gaining international attention, when several of our analysts were invited to attend international conferences. Three of our analysts were also accepted as members of the High Technology Crime Investigation Association (HTCIA). In addition, we successfully produced and distributed to the LEA and RB the Digital Forensics Live CD and the Guide for Digital Forensics First Responders. We are also a member of the technical working group (TWG25) developing MS ISO 17025 (document examination for forensic science testing) and of the working group (WG4) developing the ISO standard for guidelines on the identification, collection and/or acquisition and preservation of digital evidence.

[Graph 3: Monthly Statistics for DF Cases, by month (January to December). Legend: Data Recovery, Digital Forensics.]

[Graph 4: Yearly Statistics for DF Cases, by year. Legend: Data Recovery, Digital Forensics.]

The year 2008 was also a remarkable year, as we successfully established a series of technical labs such as a data recovery lab (with a class-100 clean booth facility), a mobile phone forensics lab, an audio and video forensics lab and a research lab. On top of that, we also produced more professionally certified analysts from the SANS Institute to cater for the industry’s ever-increasing demand. A total of seven digital forensics analysts have been certified with an internationally recognized professional certification, namely SANS GCFA. DFD’s achievement is recognized as a benchmark by the Malaysian government, and thus our expertise is sought by the LEA and RB venturing to replicate our holistic model of digital forensics capacity development.
With a fine blend of rookies, experienced, skilled and resourceful team of 21 digital forensics analysts, DFD has built a model track record of achievement dedicated towards producing digital forensics investigation and examination of the highest quality. Between 2002 and 2008, we have assisted LEA and RB with 812 cases. Our forensics analysts have also appeared in courts as expert witness. In 2008, our Digital Forensics team handled a total of 297 cases, which was an increase by approximately 35% compared to the previous year. The cases were referred to us by various law enforcement agencies (LEA) and regulatory bodies (RB) such as PDRM, KDRM, MCMC, SSM, SC, KPDN&HEP, SPRM, and JPJ. The vision of the Digital Forensics Department (DFD) of CyberSecurity Malaysia is “to be a national centre of reference and excellence in digital forensics with ASCLD/LAB-International accreditation”. The year 2008 was another successful year for the department albeit being one of the most challenging years since its inception in 2002. DFD continued to extend its services to assist the Malaysian government and regulatory bodies in criminal and civil cases involving digital evidences. 2. Digital Forensics - CyberCSI™ 2008 2 Statistik bagi Kes Forensik Digital adalah seperti yang ditunjukkan dalam geraf 3 dan 4 di sebelah: 33 Tahun 2008 juga merupakan tahun yang memberangsangkan kerana kami berjaya mewujudkan satu siri makmal teknikal seperti makmal pemerolehan semula data (dengan kemudahan class-100 clean booth), makmal forensik telefon mudah alih, makmal forensik audio & video dan makmal penyelidikan. Di samping itu, kami juga telah menghasilkan lebih ramai penganalisis bertauliah profesional dari Institut SANS untuk memenuhi permintaan industri yang sentiasa mengalami peningkatan pemintaan. Seramai tujuh penganalisis forensik digital telah diberi sijil yang diiktiraf di peringkat antarabangsa iaitu SANS GCFA. 
Pencapaian DFD diiktiraf sebagai ukuran oleh Kerajaan Malaysia dan ini menyebabkan kepakaran kami diperlukan untuk membantu APU dan BPP yang cuba untuk menggunakan model keseluruhan pembangunan kapasiti forensik digital. Dengan gabungan tenaga kerja baru, berpengalaman, mahir dan gigih dalam pasukan forensik seramai 21 orang, DFD telah membina sebuah model rekod kejayaan yang dikhususkan untuk menghasilkan penyiasatan dan pemeriksaan forensik digital yang berkualiti terbaik. Antara tahun 2002 hingga 2008, kami telah membantu APU dan BPP dalam 812 kes. Penganalisis forensik kami turut hadir ke perbicaraan di mahkamah sebagai saksi pakar. Pada tahun 2008, pasukan Forensik Digital kami telah mengendalikan sejumlah 297 kes, meningkat lebih kurang 35% berbanding tahun sebelumnya. Kes-kes timbul daripada pelbagai agensi penguatkuasa undang-undang (APU) dan badan penguatkuasa peraturan (BPP) seperti PDRM, Kastam DiRaja Malaysia (KDRM), Suruhanjaya Komunikasi dan Multimedia (MCMC), Suruhanjaya Syarikat Malaysia (SSM), Suruhanjaya Sekuriti (SC), Kementerian Perdagangan Dalam Negeri & Hal-Ehwal Pengguna (KPDN&HEP), Suruhanjaya Pencegahan Rasuah Malaysia (SPRM) dan Jabatan Pengangkutan Jalan. Wawasan Jabatan Forensik Digital (DFD) CyberSecurity Malaysia adalah “untuk menjadi pusat rujukan dan kecemerlangan negara dalam forensik digital dengan akreditasi Antarabangsa ASCLD/LAB”. Tahun 2008 merupakan satu lagi tahun cemerlang bagi jabatan ini walaupun ia menghadapi pelbagai cabaran sejak penubuhannya pada tahun 2002. DFD terus memberikan perkhidmatannya untuk membantu kerajaan Malaysia dan juga badan penguatkuasa peraturan dalam kes-kes jenayah dan sivil yang melibatkan bukti digital. Forensik Digital - CyberCSI™ 30 Network Security Monitoring Training at the APCERT Conference in Hong Kong and at the Forum of Incident Response & Security Team (FIRST) Technical Colloquium (TC) or “FIRST-TC” in Tokyo. Distributed Honeypot Training for Higher Learning Institution and ISPs. 
Incident Handling Workshops for local organizations. A National Cyber Exercise - MyCERT co-ordinated the cyber exercises with participation from local agencies. ASEAN CERT Incident Drill 2008 (ACID) - MyCERT participated as a player in the drill organized by SingCERT. APCERT Cyber Exercise 2008 - MyCERT assisted in the co-ordination of the drill with AusCERT. APCERT Conference, Hong Kong APTLD Meeting, Kuala Lumpur CNCERT Conference, China TF-CSIRT Meeting 2008, Norway APECTEL 38, Peru OIC-CERT Meeting, Tunisia To add to the long list of 2008 achievements, MyCERT was given the privilege to host the IRC server for APCERT. This new communication platform was introduced to encourage more discussions and collaborations between teams. Also, a video dramatizing the sequence of events simulated in the APCERT Cyber Exercise 2007 was produced in May 2008. The video has been extensively used to educate and explain to the public on the importance of emergency readiness and regional collaboration in mitigating security incidents. With the permission of the APCERT steering committee, the video was first released at World Cyber Security Summit in Kuala Lumpur. MyCERT, via its parent organization, CyberSecurity Malaysia, signed two MoUs in 2008 with the Tunisian CERT (CERT-TCC) and the Indonesia Security and Incident Response Team on Internet Infrastructure (ID-SIIRTI). In addition to the MoUs, MyCERT had also become a member of the Anti-Phishing Working Group and the Honeynet Project. MyCERT was also one of the sponsors for Sri Lanka CERT (SLCERT) to become a member of Forum of Incident Response & Security Team (FIRST). In addition, MyCERT also sponsored a CSIRT for a multinational organization based in Malaysia for FIRST membership. In Malaysia, MyCERT conducted more than 21 presentations at seminars and conferences. Some of the topics covered are malware analysis, deploying distributed honeynet, and network security trends. 
Other than that, alerts, advisories and publications such as MyCERT’s quarterly report are available at MyCERT's website, http://www.mycert.org.my/

MyCERT was also invited to speak at seminars and conferences in 2008. The following are some of the international conferences where MyCERT participated as a speaker:

The cyber exercises in which MyCERT participated are as follows:

The workshops or hands-on training conducted by MyCERT in 2008 include:

MyCERT participated in and organized both national and international events throughout the year. On the local scene, MyCERT was engaged to conduct training and talks in the areas of incident handling, malware analysis, and security trends for different kinds of audience. On the international stage, MyCERT was also invited to seminars and conferences to share insights and case studies on a variety of security-related topics.

- Network Security Monitoring Training at the APCERT Conference in Hong Kong and at the Forum of Incident Response & Security Team (FIRST) Technical Colloquium (TC) or “FIRST-TC” in Tokyo.
- Conducted Honeypot Training for Higher Learning Institutions and ISPs.
- Incident Handling Workshops for local organizations.

- National Cyber Exercise - MyCERT coordinated the cyber exercise with participation from local agencies.
- ASEAN CERT Incident Drill 2008 (ACID) - MyCERT took part as a participant in the drill organized by SingCERT.
- APCERT Cyber Exercise 2008 - MyCERT assisted in coordinating the exercise with AusCERT.

- APCERT Conference, Hong Kong
- APTLD Meeting, Kuala Lumpur
- CNCERT Conference, China
- TF-CSIRT Meeting 2008, Norway
- APECTEL 38, Peru
- OIC-CERT Meeting, Tunisia

In addition to the many successes achieved in 2008, MyCERT was given the honour of hosting the IRC server for APCERT. This new communication platform was introduced to encourage more discussion and collaboration between teams.
Sebuah video yang memaparkan turutan peristiwa yang disimulasi dalam Latihan Siber APCERT 2007 juga telah dikeluarkan pada bulan Mei 2008. Video tersebut digunakan untuk mendidik dan menerangkan kepada orang ramai berhubung kepentingan kesediaan menghadapi saat kecemasan dan permuafakatan serantau dalam menangani insiden keselamatan. Atas kebenaran jawatankuasa pemandu APCERT, video tersebut telah disiarkan buat pertama kali pada Persidangan Keselamatan Siber Dunia di Kuala Lumpur. MyCERT, melalui organisasi induknya, CyberSecurity Malaysia, telah menandatangani dua MoU pada tahun 2008 dengan Tunisia CERT (CERT-TCC) dan Pasukan Keselamatan dan Tindakan Insiden Indonesia berhubung Infrastruktur Internet (ID-SIIRTI). Selain MoU tersebut, MyCERT juga merupakan ahli Kumpulan Kerja Anti Penyamaran (Phishing) dan Projek Honeynet. MyCERT juga merupakan salah satu penaja bagi Sri Lanka CERT (SLCERT) dan ahli FIRST. Selain itu, MyCERT turut menaja CSIRT untuk sebuah organisasi multi-nasional yang berpangkalan di Malaysia untuk keahlian Forum of Incident Response & Security Team (FIRST). Di Malaysia, MyCERT menjalankan lebih 21 pembentangan dalam seminar dan persidangan. Antara topik yang dibentangkan termasuk analisis perisian berbahaya, melancarkan pengagihan honeynet dan arah aliran keselamatan rangkaian. Di samping itu, pelbagai amaran, khidmat nasihat dan penerbitan seperti laporan suku tahunan MyCERT boleh didapati di laman web MyCERT di http//www.mycert.org.my/ t t t t t t MyCERT turut dijemput untuk menyampaikan ceramah di beberapa seminar dan persidangan pada tahun 2008. Berikut adalah antara persidangan peringkat antarabangsa yang disertai oleh MyCERT sebagai penceramah: t t t Latihan siber yang disertai oleh MyCERT adalah seperti berikut: t t t Bengkel atau latihan secara langsung yang dijalankan oleh MyCERT pada tahun 2008 termasuk: MyCERT telah mengambil bahagian dan menganjurkan beberapa acara peringkat kebangsaan dan antarabangsa pada sepanjang tahun. 
Within the country, MyCERT was engaged to conduct training and talks in the areas of incident handling, malware analysis and security trends for different audiences. At the international level, MyCERT was also invited to various seminars and conferences to share information and case studies on a variety of security-related topics.

[Graph 1: Monthly Incident Statistics 2008, by month (January to December). Categories: Harassment, Fraud, Hack Threat, Malicious Code, Denial-of-Service, Intrusion.]

[Graph 2: Yearly Incident Statistics, 1997 to 2008.]

The abuse statistics and incident charts for the year 2008 are as shown below:

Our log reported that 2123 incidents were referred to MyCERT in 2008. Generally, the security incidents are categorized as intrusion, malicious code, fraud, harassment and spam. Abuse statistics and trends are available on the MyCERT website, where quarterly incident handling reports for the years 1999 to 2008 can be viewed at http://www.mycert.org.my/en/services/statistic/mycert/2008/main/detail/566/index.html

MyCERT Department

The abuse and incident statistics for 2008 are shown in graphs 1 and 2 alongside:

Our log reported that 2123 incidents were referred to MyCERT in 2008. In general, security incidents are categorized as intrusion, malicious code, fraud, harassment and spam. Abuse statistics and trends are available on the MyCERT website, where incident handling reports from 1999 to 2008 can be found at: http://www.mycert.org.my/en/services/statistic/mycert/2008/main/detail/566/index.html

In dealing with these incidents, collaboration and coordination with various parties such as law enforcement agencies, corporate IT departments and legal departments were also sought to resolve the attacks.

In 2008, MyCERT received reports indicating a growing number of targeted attacks such as defacements, online frauds and identity thefts. Fraud and intrusion related incidents made up about 78% of total incidents handled, while incidents involving malware (in particular botnet command and control, drop sites, and bot infection) were also significant. The majority of the fraud cases were phishing in nature. On the other hand, spam related incidents continued to grow manifold, dynamically subverting filters and employing various social engineering techniques.

1. MyCERT – Cyber 999™

CYBER EMERGENCY SERVICES

TRAINING & OUTREACH
1. Professional Training & Certification
2. Outreach and Awareness Program

CYBER SECURITY STRATEGIC RESEARCH & POLICY
1. Strategic Policy Research
2. Cyber Media Research
3. Policy Implementation Coordination

MALAYSIA COMMON CRITERIA CERTIFICATION BODY (MyCB)

SECURITY QUALITY MANAGEMENT SERVICES
1. Security Management & Best Practices
2. Security Assurance Services
   - Malaysia ICT Security Evaluation Facilities (MySEF)
   - Malaysia Vulnerability Assessment Center (MyVAC)

CYBER EMERGENCY SERVICES
1. MyCERT – Cyber 999™
2. Digital Forensics - CyberCSI™

To effectively carry out our roles in securing the cyber space, CyberSecurity Malaysia has various offerings that can be categorized into five areas of expertise or core services, namely:

The mere existence of CyberSecurity Malaysia is an assurance to individual internet users as well as business establishments that there is an agency overseeing the well-being of the Malaysian cyber space.
Our existence also complements the MSC Malaysia initiative, by providing assurance to foreign ICT companies that wish to set up operations here in Cyberjaya under the MSC Malaysia Scheme that there is an agency tasked with securing the country’s cyber space on a full time basis. Operations Review 27 Dalam menangani insiden-insiden sebegini, usaha sama dan penyelarasan dengan pelbagai pihak seperti agensi penguatkuasa undang-undang, jabatan IT korporat dan jabatan-jabatan perundangan juga dilakukan untuk menyelesaikan masalah serangan tersebut. Pada tahun 2008, MyCERT menerima laporan mengenai peningkatan dalam serangan bersasaran seperti pengubahan, penipuan online dan kecurian identiti. Insiden berkaitan penipuan dan pencerobohan meliputi kira-kira 78% daripada keseluruhan insiden yang dikendalikan, manakala jumlah insiden melibatkan perisian berbahaya (khususnya arahan dan kawalan botnet, laman drop, dan jangkitan bot) juga mencatat angka yang tinggi. Sebahagian besar kes penipuan adalah berbentuk penyamaran. Pada masa yang sama, insiden berkaitan spam juga terus melonjak dan berupaya menghindari saringan secara dinamik serta menggunakan pelbagai teknik kejuruteraan sosial. 1. MyCERT – Cyber 999™ PERKHIDMATAN KECEMASAN SIBER LATIHAN & MENDEKATI PELANGGAN 1. Latihan & Pensijilan Profesional 2. Program Mendekati dan Kesedaran Pelanggan PENYELIDIKAN & DASAR KESELAMATAN SIBER 1. Penyelidikan Dasar Strategik 2. Penyelidikan Media Siber 3. Penyelarasan Pelaksanaan Dasar BADAN PENSIJILAN KRITERIA BERSAMA MALAYSIA (MyCB) PERKHIDMATAN PENGURUSAN KUALITI KESELAMATAN 1. Pengurusan & Amalan Terbaik Keselamatan 2. Perkhidmatan Jaminan Keselamatan t Malaysia ICT Security Evaluation Facilities (MySEF) t Malaysia Vulnerability Assessment Center (MyVAC) PERKHIDMATAN KECEMASAN SIBER 1. MyCERT – Cyber 999™ 2. 
Forensik Digital - CyberCSI™ Bagi menjalankan peranan kami menjamin kesejahteraan di ruang angkasa siber, CyberSecurity Malaysia menawarkan pelbagai perkhidmatan yang boleh dikategorikan dalam lima bidang kepakaran teras; iaitu: Penubuhan CyberSecurity Malaysia adalah bertujuan untuk menjamin pengguna internet individu serta khalayak perniagaan bahawa terdapat sebuah agensi yang bertanggungjawab untuk memantau keselamatan angkasa siber Malaysia. Kewujudan kami juga melengkapi inisiatif MSC Malaysia, dengan menyediakan jaminan kepada syarikat-syarikat ICT asing yang ingin membina pangkalan operasi di Cyberjaya di bawah Skim MSC Malaysia bahawa terdapat sebuah agensi yang dipertanggungjawabkan untuk menjamin keselamatan ruang angkasa siber negara sepenuh masa. Ulasan Operasi 24 CyberSecurity Malaysia berbesar hati kerana dianugerahi dengan BrandLaureate - SME Chapter Award di bawah kategori Penjenamaan Korporat ICT. Anugerah tersebut telah disampaikan oleh Menteri Kewangan Kedua Tan Sri Nor Mohamed Yakcop kepada En. Zahri Yunos, Ketua Pegawai Operasi CyberSecurity Malaysia. CyberSecurity Malaysia is proud to be conferred with The BrandLaureate - SMEs Chapter Award under the Corporate Branding, ICT category. The award was presented by the Second Finance Minister, Tan Sri Nor Mohamed Yakcop to En. Zahri Yunos, Chief Operating Officer of CyberSecurity Malaysia. Chief Executive Officer CyberSecurity Malaysia Lt Col Husin Bin Jazri (Retired) CISSP Moving forward - we will continue to carry out our strategic roles in implementing the National Cyber Security Policy and overseeing the e-security aspect of the nation towards reducing vulnerability of ICT systems and networks. However, our focus for the coming years would be to reach out to the individuals out there – the internet users – who blogs, socialize, do business, and conduct commercial transactions over the internet. 
We will intensify our programs aimed at nurturing a culture of cyber security amongst us, ordinary people, who desire freedom of expression in a safe and secure cyberspace.

In November 2008, we had a pleasant surprise when the Asia Pacific BrandLaureate - which is known as the Grammy Awards for branding - nominated us for the SME BrandLaureate – ICT category. CyberSecurity Malaysia is proud to have won the Best Brand in Internet Security Award for 2008.

A Customer Satisfaction Survey (CSS) that we conducted in September 2008 - with the objective to gauge the overall satisfaction climate with regard to our service level and professionalism - revealed an 81% customer satisfaction rating. This rating will be our baseline for 2009, which means we will have to work harder to exceed this high expectation.

Our outreach and collaboration activities include speaking and participating at the national and international front. Among others, we were invited as speakers at the National Institute of Public Administration (INTAN), the Judicial and Legal Training Institute (ILKAP), the Asia Pacific Computer Emergency Response Team (APCERT).

More on our achievements and milestones are mentioned in other sections of this annual report, particularly in the “Operations Review” section where we describe our offerings and what has been achieved under each of our core service offerings.

Chief Executive Officer, CyberSecurity Malaysia
Lt Col Husin Bin Jazri (Retired) CISSP

Moving forward, we will continue to play our strategic role in implementing the National Cyber Security Policy (NCSP) and overseeing the nation's e-security aspect towards reducing the vulnerability of ICT systems and networks. However, our focus over the next few years will be to reach more individuals out there – the internet users – who write blogs, socialise, run businesses and conduct commercial transactions over the internet.
We will intensify our programmes aimed at nurturing a culture of cyber security among all of us, ordinary people who want freedom of expression in a healthier and safer cyberspace.

In November 2008, we were surprised with good news when the Asia Pacific BrandLaureate, an award akin to the Grammy Awards for brands, nominated us for the SME BrandLaureate in the ICT category. CyberSecurity Malaysia is proud to have emerged as the winner of Best Brand in the Internet Security category for 2008.

We conducted a Customer Satisfaction Survey (CSS) in September 2008 with the aim of gauging the overall satisfaction climate with regard to service level and professionalism. The survey showed that we achieved an 81% customer satisfaction rating. This rating will serve as the baseline for 2009, when we will work even harder to surpass the current level of achievement.

Our outreach and collaboration activities include lectures and participation in various events at both the national and international levels. Among others, we were invited as speakers at the National Institute of Public Administration (INTAN), the Judicial and Legal Training Institute (ILKAP), the Asia Pacific Computer Emergency Response Team (APCERT).

Details of our achievements and milestones are described further in other sections of this annual report, particularly in the “Operations Review”, which covers our offerings and the achievements we have recorded under each of our core service offerings.

In 2008, we also represented Malaysia as a member in the Economic Research Institute of ASEAN and East Asia (ERIA) information security project. The project is managed by Japan.
This collaboration creates opportunity for active participation in programs relating to cyber security and enhances visibility and networking opportunity for CyberSecurity Malaysia. Another important milestone is when the government appointed CyberSecurity Malaysia in October 2008, as the sole Certification Body for the evaluation and certification scheme based on MS ISO/IEC 15408: 2005 Information Technology – Security Techniques – Evaluation Criteria for IT Security. This certification body is named Malaysian Common Criteria Certification Body (MyCB). And what does this mean to the man in the street? Through MyCC Scheme, we can evaluate and later certify the development of ICT products by looking at various factors. These include the development environment, life-cycle, user guidance, as well as conducting testing and assessments. Furthermore, CyberSecurity Malaysia is also able to review the source code of software to test for vulnerabilities. All in all, MyCC will ensure that Malaysian-made ICT products are secure and effective by evaluating and then certifying the functionality, integrity, and quality of security functions built into ICT applications or systems. And in July 2008, I am proud to report that upon satisfying all the requirements for Information Security Management System (ISMS), we were awarded the ISMS ISO/IEC 27001 certification. We successfully went through a full ISMS certification for the whole organization, using internal resources. A notable achievement is that CyberSecurity Malaysia has been voted for the second time as the chair of the Asia Pacific Computer Emergency Response Team (APCERT) for the year 2008 (we were also voted to chair APCERT in 2007). This is a remarkable achievement given the fact that APCERT is an organization comprising 21 Computer Emergency Response Teams (CERTs) from 15 economies within the Asia Pacific region, which includes developed countries such as Japan, South Korea and Australia. 
We were officially incorporated in March 2007 with our current name “CyberSecurity Malaysia” as a not-for-profit company limited by guarantee, under the purview of the Ministry of Science, Technology & Innovation (MOSTI). We can say that 2008 is only our second year of carrying out those two strategic mandates mentioned above. Time flew too fast for us in 2008, and I am glad to have this opportunity to stop and look back at what we have achieved throughout the year.

In 2008, we also represented Malaysia as a member of the Economic Research Institute of ASEAN and East Asia (ERIA) information security project. The project is managed by Japan. This collaboration creates opportunities for active participation in various programmes relating to cyber security and enhances visibility and networking opportunities for CyberSecurity Malaysia.

Another important milestone was the government's appointment of CyberSecurity Malaysia in October 2008 as the sole Certification Body for the evaluation and certification scheme based on MS ISO/IEC 15408: 2005 Information Technology – Security Techniques – Evaluation Criteria for IT Security. This certification body is known as the Malaysian Common Criteria Certification Body (MyCB).

What does this mean for the public? Through the MyCC Scheme, we can evaluate and then certify the development of ICT products by looking at various factors. These cover the development environment, life cycle, user guidance, and the conduct of testing and assessment. In addition, CyberSecurity Malaysia is also able to review software source code to test its resistance to interference. Overall, MyCC will ensure that Malaysian-made ICT products are secure and effective by evaluating and then certifying the functionality, integrity and quality of the security functions built into ICT applications or systems.
I am proud to report that in July 2008, after meeting all the requirements of the Information Security Management System (ISMS), we were awarded the ISMS ISO/IEC 27001 certification. We also successfully carried out the full ISMS certification for the whole organisation.

The election of CyberSecurity Malaysia as Chair of the Asia Pacific Computer Emergency Response Team (APCERT) for the second time in 2008 (we were also elected to chair APCERT in 2007) is a very proud achievement. It is all the more meaningful because APCERT is an organisation made up of 21 Computer Emergency Response Teams (CERTs) from 15 countries in the Asia Pacific region, including developed countries such as Japan, South Korea and Australia.

We were officially incorporated in March 2007 under our current name, “CyberSecurity Malaysia”, as a not-for-profit company limited by guarantee, placed under the purview of the Ministry of Science, Technology & Innovation (MOSTI). 2008 was only our second year of carrying out the two strategic mandates mentioned above. Time certainly passed quickly in 2008, and I am proud to look back at the progress achieved throughout the year.

Lt Col Husin Bin Jazri (Retired), Chief Executive Officer, CISSP

CyberSecurity Malaysia's strategic goals have been developed in line with the innovation-led economy approach that strikes the balance between technology-driven and market-driven innovation.
Ten (10) years after that, we went through another transformation, from NISER into the national cyber security agency entrusted with two very important mandates, namely (1) to assist the government in implementing the National Cyber Security Policy (NCSP), which was adopted by the government in 2006; and (2) to oversee the e-security aspect of the nation.

Time passes very quickly, all the more so when the period is an enjoyable one. Looking back at the performance recorded in 2008 reminds me of 1997, when we began operations as a small unit under MIMOS Berhad staffed by only five people. Back then we were known as the Malaysian Computer Emergency Response Team (MyCERT), and three (3) years later we took a further step forward and became known as the National ICT Security & Emergency Response Centre (NISER).

Message from the Chief Executive Officer

Then, ten (10) years later, we were again transformed from NISER to become the national cyber security agency entrusted with two very important mandates, namely (1) to assist the government in implementing the National Cyber Security Policy (NCSP) which was adopted by the government in 2006; and (2) to oversee the e-security aspect of the nation.

Time flies, people often say. More so, if we are having fun. Looking back at our performance in 2008 reminds me how we started in 1997 as a tiny unit under MIMOS Berhad with only five employees. Back then we were known as the Malaysian Computer Emergency Response Team (MyCERT) and three (3) years later we grew up to become the National ICT Security & Emergency Response Centre (NISER).

Foreword by the CEO

Management Committee

Roshdi holds a Bachelor Degree in Business Studies (Marketing) Hons from University Technology MARA (UiTM) and a Diploma in Agribusiness from University Putra Malaysia (UPM).
Responsible for all corporate planning and strategy matters, Roshdi is the secretariat for the Management Committee (MC) of CyberSecurity Malaysia.

Jailany has an LL. B (Hons) from the University of Malaya. He is an Advocate and Solicitor of the High Court of Malaya and also a Licensed Company Secretary. Jailany is responsible for all Legal and Secretarial matters of the company and for advising the management on legal and company secretarial matters.

Roshdi holds a Bachelor's Degree in Business Studies (Marketing) with Honours from Universiti Teknologi MARA (UiTM) and a Diploma in Agribusiness from Universiti Putra Malaysia (UPM). Roshdi is responsible for matters relating to the company's corporate strategy and planning and is the Secretary of the Management Committee of CyberSecurity Malaysia.

Jailany holds an LL. B (Hons) from the University of Malaya. He is an Advocate and Solicitor of the High Court of Malaya and also a Licensed Company Secretary. Jailany is responsible for all Legal and Secretarial matters of the company and provides advice to the management on legal and company secretarial matters.

Head, MyCERT Department
Head, Corporate Planning and Strategy Department
Head, Legal and Secretarial Department / Company Secretary

Adli holds a Master's degree in Computer Science in Software Engineering. As Head of the Malaysia Computer Emergency Response Team (MyCERT), he leads the daily operations of CyberSecurity Malaysia's Cyber999 incident handling service and the development of the Cyber Early Warning System. Adli is also involved in various global network security initiatives such as the Forum of Incident Response Teams (FIRST), the Asia Pacific Computer Emergency Response Team (APCERT), the Anti-Phishing Working Group (APWG) and the Honeynet Project.

Adli has an MSc.
Computer Science in Software Engineering. As the Head of the Malaysia Computer Emergency Response Team (MyCERT), he leads the daily operations of CyberSecurity Malaysia’s Cyber999 incident handling service and the development of the Cyber Early Warning Systems. Adli is also involved in various global network security initiatives such as the Forum of Incident Response Teams (FIRST), the Asia Pacific Computer Emergency Response Team (APCERT), the Anti-Phishing Working Group (APWG) and the Honeynet Project.

Head, MyCERT Department
Adli bin Abd Wahid
Roshdi bin Hj Ahmad
Jailany bin Jaafar

Anwer holds a Bachelor of Science degree in Aerospace Engineering from Embry-Riddle Aeronautical University, Daytona Beach, Florida. With 20 years of extensive experience in the Information Technology (IT) industry, Anwer's skills cover Enterprise Resource Planning, Supply Chain Management, Business Process Re-engineering, Malaysian telecommunications regulation, wireless broadband, and electronic commerce.

Anwer holds a Bachelor of Science degree in Aeronautical Engineering from Embry-Riddle Aeronautical University, Daytona Beach, Florida. With 20 years of extensive experience in the Information Technology (IT) industry, Anwer’s skillsets encompass Enterprise Resource Planning, Supply Chain Management, Business Process Re-engineering, Malaysian telecommunications regulation, wireless broadband, and electronic commerce.

Aswami is a GIAC Certified Forensics Analyst (GCFA), and a Certified Ethical Hacker (CEH). He holds a degree in Electronics Engineering from University of Liverpool, United Kingdom; and a Master in Management from Universiti Malaya. Aswami has managed more than 500 digital forensics investigations and handled computer related crimes with various law enforcement agencies/regulatory bodies in Malaysia and ICT system/product audit.

Aswami is a GIAC Certified Forensics Analyst (GCFA) and a Certified Ethical Hacker (CEH).
He holds a degree in Electronics Engineering from the University of Liverpool, United Kingdom, and a Master in Management from Universiti Malaya. Aswami has managed more than 500 digital forensics investigations and has experience handling computer-related crime cases with various law enforcement agencies/regulatory bodies in Malaysia, as well as ICT system/product audits.

Head, Business Development Department
Mohamed Anwer bin Mohamed Yusoff

Head, Digital Forensics Department
Aswami Fadillah bin Mohd Ariffin

Chief Executive Officer (CEO)
Lt Col Husin bin Jazri (Retired)

Husin holds a Master of Science (Honours) in Information Security from the Royal Holloway University of London, United Kingdom, a Master in Business Administration from Universiti Putra Malaysia (UPM) and a Bachelor of Science in Civil Engineering from the University of Hartford, Connecticut, USA. Husin also holds the Certified Information Systems Security Professional (CISSP) professional certification, and he is a member of the Board of Directors of the International Information Systems Security Certification Consortium, Inc. (ISC)2 (since 2006), a member of the (ISC)2 Asian Advisory Board, and the Chairman of the Malaysian IT Security Association (2003 – 2007). Husin is also the Chairman of the Malaysian Vocational Advisory Committee – Information and Communication Technology (ICT), Department of Skills Development, Ministry of Human Resources; and Vice President of the Malaysian Society for Cryptology Research (MSCR), Institute for Mathematical Research, Universiti Putra Malaysia (UPM).

Husin holds an MSc (with distinction) in Information Security from the Royal Holloway University of London, UK, a Master in Business Administration from University Putra Malaysia (UPM) and a BSc in Civil Engineering from University of Hartford, Connecticut, USA.
Husin is a Certified Information Systems Security Professional (CISSP). He is a member of the Board of the International Information Systems Security Certification Consortium, Inc. (ISC)2 (since 2006), a member of the (ISC)2 Asian Advisory Board, and the Chairman of the Malaysian IT Security Association (2003 – 2007). Husin is also the Chairman of the Malaysian Vocational Advisory Committee – Information and Communication Technology (ICT), Department of Skills Development, Ministry of Human Resources; and Vice President of the Malaysian Society for Cryptology Research (MSCR), Institute for Mathematical Research, University Putra Malaysia (UPM).

Management Committee

Zahri holds a Master of Science in Electrical Engineering from Universiti Teknologi Malaysia (UTM) and a Bachelor of Science in Computer Science from Fairleigh Dickinson University, New Jersey, USA. He holds the Associate Business Continuity Professional (ABCP) certification from the Disaster Recovery Institute International (DRII), USA. Zahri was actively involved in the establishment of NISER's Panel of Experts (POE) and the Organisation of Islamic Conference-Computer Emergency Response Team (OIC-CERT), which have greatly benefited the nation.

Zahri has an MSc in Electrical Engineering from Universiti Teknologi Malaysia (UTM) and a BSc in Computer Science from Fairleigh Dickinson University, New Jersey, USA. He is a certified Associate Business Continuity Professional (ABCP) by the Disaster Recovery Institute International (DRII), USA. Zahri is actively involved in the establishment of NISER’s Panel of Experts (POE) and the Organisation of Islamic Conference-Computer Emergency Response Team (OIC-CERT), which have benefited the nation at large.
Iskandar holds a Bachelor's Degree in English Literature from the University of Massachusetts, Amherst, USA, a Diploma in Education from Universiti Teknologi Malaysia (UTM) and a Diploma in Investment Analysis from the Research Institute of Investment Analysis Malaysia (RIIAM) and the Royal Melbourne Institute of Technology (RMIT). He leads six departments in the CEO's Office Division, namely: Corporate Strategy & Planning, Corporate Events, Public Relations and Protocol, Corporate Branding & Media Relations, Human Resources, Training, and Outreach.

Iskandar has a Bachelor Degree in English Literature from the University of Massachusetts, Amherst, USA, a Diploma in Education from University Technology Malaysia (UTM) and a Diploma in Investment Analysis from the Research Institute of Investment Analysis Malaysia (RIIAM) and the Royal Melbourne Institute of Technology (RMIT). He leads six departments within the purview of CEO’s office division, namely: Corporate Planning & Strategy, Corporate Events, PR & Protocol, Corporate Branding & Media Relations, Human Resources, Training, and Outreach.

Director, CEO’s Office
Chief Operating Officer (COO)
Noor Iskandar Hashim bin Noor Zahri bin Yunos

Mohd Shamir is a graduate with a Bachelor of Science in Civil Engineering from the University of Missouri – Kansas City, USA. He currently heads three departments at CyberSecurity Malaysia, namely Strategic Policy Research, Policy Implementation Coordination, and Cyber Media Research.

Mohd Shamir graduated from the University of Missouri – Kansas City, USA, with a BSc in Civil Engineering. He is now leading three departments under CyberSecurity Malaysia namely the Strategic Policy Research, the Policy Implementation Coordination, and the Cyber Media Research.
Head, Cyber Security Policy and Research Division
Mohd Shamir bin Hashim

Mohd Roslan holds a Bachelor of Science in Civil Engineering from the University of Hartford, Connecticut, USA, an Advanced Diploma in Systems Analysis from Universiti Teknologi MARA (UiTM), and a National Occupational Safety and Health Certificate (NIOSH). He heads four departments, namely Finance, Physical Security and Administration, Procurement, and the Knowledge Resource Centre.

Mohd Roslan holds a BSc in Civil Engineering from University of Hartford, Connecticut, USA, a Post Graduate Diploma in System Analysis from University Technology MARA (UiTM), and a Certificate in Safety and Health from the National Institute of Occupational Safety and Health (NIOSH). He leads four departments namely the Finance, the Admin and Physical Security, the Procurement, and the Knowledge Resource Centre.

Head, Corporate Services Division
Mohd Roslan bin Ahmad

Internal Auditor
Abd Rouf bin Mohammed Sayuti

Company Secretary
Jailany bin Jaafar

DIRECTOR
CHAIRMAN

Dato’ Abdul Hanan has been the Secretary General of the Ministry of Science, Technology and Innovation, Malaysia (MOSTI) since 15 May 2006. He holds a Bachelor's degree in Economics from the University of Malaya and a Master in Business Administration from Syracuse University, USA, and has attended the Advanced Management Program at Harvard University, USA. He has served the Government of Malaysia since 1974. In addition, he has extensive experience in corporate administration through his capacity as a member of the Board of Directors of several Government-Linked Companies (GLC).

Husin is the Chief Executive Officer of CyberSecurity Malaysia and also among the first Directors since the establishment of the National ICT Security and Emergency Response Centre, or NISER (as it was known before becoming CyberSecurity Malaysia).
He holds a Master of Science in Information Security from the Royal Holloway University of London, United Kingdom and a Master in Business Administration from Universiti Putra Malaysia (UPM).

Husin is the Chief Executive Officer of CyberSecurity Malaysia and also one of the first Directors since the incorporation of National ICT Security and Emergency Response Centre or NISER (former name of CyberSecurity Malaysia). He holds an MSc in Information Security from the Royal Holloway University of London, UK and a Master in Business Administration from Universiti Putra Malaysia (UPM).

Lt Col Husin bin Jazri (Retired)
Dato' Abdul Hanan bin Alang Endut

Dato’ Abdul Hanan has been the Secretary General of the Ministry of Science, Technology and Innovation, Malaysia (MOSTI) since 15th May 2006. He has a degree in Economics from the University of Malaya, a Master in Business Administration from Syracuse University, USA, and has attended the Advanced Management Program in Harvard University, USA. He has served the Government of Malaysia in various capacities since 1974. His expertise, among others, is in the fields of financial management, public administration and human resources management. He is also a member of the Board of Directors for a number of Government Link Corporations (GLC).

Board Members

Md. Shah is the Under Secretary of the Cyber and Space Security Policy Division, National Security Council, Prime Minister's Department. He holds a Bachelor of Science in Electrical Engineering from Connecticut State University, USA.

Md. Shah is the Under Secretary of the Cyber and Space Security Policy Division, National Security Council of the Prime Minister’s Department. He has a BSc in Electrical Engineering from the Connecticut State University, USA.

DIRECTOR
Ir. Md. Shah Nuri bin Md.
Zain

Rubaiah is the Under Secretary of the Infrastructure, Applications and Technology Division, Communications Sector, Ministry of Energy, Water and Communications. She holds a Bachelor of Science (Honours) in Mathematics and IT Applications from the University of Wales Institute of Science and Technology, United Kingdom.

Rubaiah is the Under Secretary of the Infrastructure, Applications and Technology Division, Communication Sector, Ministry of Energy, Water and Communications. She has a BSc. (Hon) Mathematics and IT Applications from the University of Wales Institute of Science and Technology, UK.

DIRECTOR
Rubaiah Bte Hj Hashim

CHAIRMAN, CyberSecurity Malaysia
Dato’ Abdul Hanan bin Alang Endut

I am also indebted to the previous Chairman and the rest of the Board Members for their contributions for the betterment of CyberSecurity Malaysia in the past year. My heartfelt appreciation also goes to the Management and the staff of CyberSecurity Malaysia for their tireless efforts and dedication towards the success and excellence of the organisation. May CyberSecurity Malaysia continue to flourish and prosper to become a globally recognised National Cyber Security Reference and Specialist Centre!

On behalf of the Board, I would like to express my gratitude to the Ministry of Science, Technology & Innovation (MOSTI), the Ministry of Finance and other relevant government bodies which have given their support and contributions to CyberSecurity Malaysia in 2008. I would also like to dedicate our special thanks to our international affiliates for their continuous commitment in assisting CyberSecurity Malaysia’s participation to develop a secure cyberspace.

Acknowledgements

Since its inception in 2005, CyberSecurity Malaysia was entrusted to assist the government in implementing the NCSP to ensure that our CNII are well protected. Subsequently, action plans were drafted for a smooth flow of the NCSP agenda.
It has been quite a demanding journey throughout the year of 2008. I am pleased to announce that CyberSecurity Malaysia has played a vital role in coordinating the efforts to ensure the successful implementation of the NCSP.

Driven by the ambition to have a positive development of the ICT sectors and at the same time, to secure Malaysia’s Critical National Information Infrastructure (CNII), the Government has undertaken a number of initiatives to achieve these objectives. One of the initiatives is the formation of the National Cyber Security Policy (NCSP). NCSP was developed by the Ministry of Science, Technology & Innovation (MOSTI) to combine efforts at national level for the enhancement of Malaysia’s CNII security. The NCSP recognizes the critical and highly dependent nature of the nation’s information infrastructure and aims to develop a comprehensive framework and programmes that ensure the effectiveness of information security controls over vital assets.

CHAIRMAN, CyberSecurity Malaysia
Dato’ Abdul Hanan bin Alang Endut

I am also deeply indebted to the previous Chairman and all the Board Members for their contributions towards improving and strengthening CyberSecurity Malaysia over the past year. My sincere appreciation also goes to the entire Management and staff of CyberSecurity Malaysia for their undivided effort and dedication towards the success and excellence of this organisation. May CyberSecurity Malaysia continue to grow and prosper to become a globally respected National Cyber Security Reference and Specialist Centre.

On behalf of the Board of Directors, I would like to express our highest appreciation to the Ministry of Science, Technology & Innovation (MOSTI), the Ministry of Finance and the various other government bodies that gave their support and contributions to CyberSecurity Malaysia in 2008.
I would also like to convey my heartfelt thanks to our partners at the international level for their continued commitment in assisting CyberSecurity Malaysia's involvement in efforts to create a more secure cyberspace.

Acknowledgements

Since its introduction in 2005, CyberSecurity Malaysia has been entrusted to assist the government in implementing the NCSP successfully to ensure that our CNII is fully protected. Accordingly, various action plans were drawn up to smooth the way for the NCSP agenda. There is no denying that 2008 was a rather difficult year, but I am pleased to announce that CyberSecurity Malaysia has played an important role in coordinating efforts to ensure the successful implementation of the NCSP.

Driven by the ambition to achieve positive development in the ICT sector and, at the same time, to safeguard the confidentiality of the Critical National Information Infrastructure (CNII), the Government has taken several initiatives to realise these goals. One of them is the creation of the National Cyber Security Policy (NCSP). The NCSP, developed by the Ministry of Science, Technology & Innovation (MOSTI), aims to combine all efforts at the national level to further enhance the security of Malaysia's CNII. The NCSP recognises the importance of, and the nation's reliance on, the national information infrastructure, and aims to develop a comprehensive framework and programmes that ensure the effectiveness of information security controls over the nation's vital assets.

YBhg.
Dato' Abdul Hanan bin Alang Endut
Chairman

The year 2008 marks a number of significant achievements by CyberSecurity Malaysia

Since Malaysia began strengthening its information and communication infrastructure, with one of the primary aims being to lead Malaysia into becoming a developed nation, we have witnessed encouraging progress towards achieving that objective. At the same time, however, this effort has faced challenges of its own, whether positive ones such as major changes in technology or negative effects such as the threat of hackers from every corner of the world, which have tested the ability of our workforce, our level of expertise and the adequacy of our infrastructure. Nevertheless, I am pleased to report that Malaysia has proven its ability to handle any form of challenge on par with developed nations.

Rapid progress in our surroundings created challenging conditions that we had to face last year. Nevertheless, with dedication together with our extensive experience, strong skills and well-equipped resources, CyberSecurity Malaysia recorded an impressive performance in addressing those challenges, which I am pleased to present in the CyberSecurity Malaysia Annual Report for the financial year 2008 below.

Chairman's Statement

Since Malaysia embarked on building its strong information and communication infrastructure with one of the primary aims being to spearhead Malaysia into becoming a developed nation, we have witnessed significant progress towards realizing this objective.
Nonetheless, at the same time, there were impending challenges; either positive ones such as rapid change of technology or negative consequences, such as threat of hackers from any nooks and corners of the world which had tested the ability of our workforce, level of expertise and infrastructure adequacy. However, I am proud to acknowledge that Malaysia had successfully proven its capability in addressing any forms of challenges at par with developed nations. Rapid development within our surroundings has created challen nging circumstances which we had to confront in the past year. Neverthelesss, our dedication coupled with our vast experience, strong expertise and wellequipped resources; CyberSecurity Malaysia had successfully reco orded ed to impressive performance to address those challenges which I am please present in the CyberSecurity Malaysia Annual Report for financial year ending 2008 below. Chairman’s Statement 11 8 WE STRIVE TO BE TRUSTWORTHY Everything we do is focused on one primary goal – you. We are here to safeguard your needs and interests and that of the community. In doing so, we hope to gain your trust and confidence. WE ARE PROACTIVE We take the initiative to be forward thinking and progressive when confronting problems in our work, for we know that in our industry, there is just no other way to do things. WE ARE RESPONSIVE Befitting our calling of keeping our cyberspace safe and secure, we make sure we step up when challenges arise, no matter the complexity, nature of problem or who calls in. WE ARE PASSIONATE We take pride in our work, and our cooperation with all clients. Working together, we truly believe we can secure our nation’s cyber security. WE SUPPORT EACH OTHER Each and every single staff here plays a role in helping you solve your problem. We share our expertise and experience so that you enjoy the benefits and skills of every single one of us. 
Relationships
Beyond the technical world we operate in, a critical factor in our success is relationships: ties between ourselves and our clients, and ties between everyone at CyberSecurity Malaysia. This is what drives us towards excellence.

WE ARE EFFECTIVE
In order to maintain the highest level of service to you, we strive to deliver accurate advice and reliable service every single time.

WE SPECIALIZE
To ensure you gain maximum benefit from working with us, we do only the best, so that you are assured we won't be sidetracked by issues that might hinder our performance.

WE ARE RESOURCEFUL
We understand that one solution never fits all. Your situation will always be specific to your own organization; as such, we are always practical and innovative when solving a problem so that we can deliver solutions that are personalized for you.

Service
In delivering our services to you, we adopt values that inform our approach and ensure our professionalism in carrying out our work.

We aim to do this through three main areas of focus: SERVICE, QUALITY AND RELATIONSHIPS

WE ARE IMPARTIAL
No matter how big or small a problem or case might be, we handle it impartially. We will provide fair and unbiased support, advice and information without discrimination or prejudice.

Quality
We strive to always reach for higher levels of quality in service, for we understand that this is the only way to ensure that we remain at the forefront of the industry.

Client Charter: Our Promise to You
Our vision is to be a globally recognized National Cyber Security Reference and Specialist Centre by 2020. To make this a reality, we intend to make you, our client, the number one consideration in everything that we do.

Client Charter (Malay version): Our Promise to You

WE ARE READY TO ACT
In keeping with our goal of making your cyberspace safe and protected, we make sure that we are always ready to deal with any problem, no matter how difficult or complex, in any circumstances and no matter who calls.

WE ARE PROACTIVE
We always take the initiative to be forward thinking and progressive when dealing with problems in the course of our work, because we know that in this industry this is the only accepted way of working.

WE INNOVATE
We recognise that one solution does not necessarily suit every problem. Every organisation has its own unique problems, so we are always practical and innovative in solving any problem in a way that is specific to you.

Service
In delivering our services to you, we apply values that inform our working methods, and we always ensure that a high level of professionalism is applied as we carry out that work.

We intend to do this by focusing on three important areas: SERVICE, QUALITY AND RELATIONSHIPS

Our vision is to be a National Cyber Security Reference Centre recognised internationally and a Centre of Excellence for Expertise by 2020. To make this vision a reality, we intend to make you, our client, the priority in every one of our activities.

WE CAN BE TRUSTED
All our activities are aimed at you. We are here to safeguard your security and interests and those of the public. In pursuing this goal, we hope that you will give us your full trust and confidence.
WE ARE PASSIONATE
We take pride in the work we do and in the cooperation we extend to our clients. With solid joint effort, we are confident that we can safeguard the security of our nation's cyberspace.

WE WORK TOGETHER
Every one of our staff plays a part in dealing with your problem. We share our skills and experience so that you can enjoy the benefit of the expertise we have.

Relationships
Beyond the technical world in which we operate, one of the factors underpinning our success is the relationships and ties between us and our clients and among all staff of CyberSecurity Malaysia. This is the core that drives us towards success.

WE ARE EFFICIENT
To ensure and maintain the best level of service for you, we always strive to deliver accurate information and advice and to provide reliable service at all times.

WE ARE SPECIALISTS
We make sure you gain maximum benefit when dealing with us, because we are specialists in this field, so you will not be sidetracked by issues that could affect our performance.

WE ARE FAIR
No matter how big or small a problem is, we will handle it fairly. We will give fair and impartial support, and provide advice and information without discrimination or prejudice.

Quality
We always strive to reach a higher level in the quality of our service delivery, because we understand that this is the only way to remain the leader in this industry.

STRATEGIC GOALS

1. To enhance the state of cyber security readiness of the nation.
2. To increase trust and confidence in using indigenous products and expertise.
3. To ensure an adequate number of cyber security professionals.
4. To raise national awareness in cyber security.
5. To strengthen the position of Malaysia globally in cyber security.
6. To increase public awareness of our specialised cyber services.
7. To improve customer satisfaction.
8. To promote empowered work teams with positive attitude, innovative workforce and strong teamwork.
9. To obtain adequate funds and use them effectively to meet core objectives.

How We Get Here

13 January 1997: The Malaysian Computer Emergency Response Team (MyCERT) was established to address computer security issues amongst Malaysian internet users.

24 January 1998: National ICT Security and Emergency Response Centre (NISER) was born when the National IT Council (NITC) directed an agency to be formed to address ICT security issues in Malaysia. MyCERT became a part of NISER.

10 April 2001: NISER was officiated by the then Deputy Prime Minister, YAB Dato' Seri Abdullah Ahmad Badawi.

28 September 2005: As part of MIMOS Berhad's rationalisation exercise, the Malaysian Cabinet decided for NISER to be separated from MIMOS, and established as a Company Limited by Guarantee, owned by the Government of Malaysia, under the purview of MOSTI.

7 April 2006: To address the growing cyber threats in critical areas, the National Information Technology Council (NITC) Meeting 1/2006 agreed that the National Cyber Security Policy (NCSP) be adopted, with NISER to begin the transformation process to become the Malaysian Cyber Security Centre and given the additional mandate to assist the government in implementing the NCSP.

30 March 2007: NISER was officially renamed CyberSecurity Malaysia and registered with the Companies Commission of Malaysia (CCM).

20 August 2007: CyberSecurity Malaysia was officially launched by the Prime Minister of Malaysia during the NITC Meeting 1/2007 at Cyberjaya.

25 July 2008: CyberSecurity Malaysia was certified in Information Security Management System (ISMS), ISO/IEC 27001:2005.

8 October 2008: The Government appointed CyberSecurity Malaysia as the sole Certification Body for the evaluation and certification scheme based on MS ISO/IEC 15408: 2005 Information Technology – Security Techniques – Evaluation Criteria for IT Security. This certification body is named Malaysian Common Criteria Certification Body (MyCB).

Our Mission: Creating and Sustaining a Safer Cyberspace to Promote National Sustainability, Social Well-Being and Wealth Creation.

Steered by its vision, CyberSecurity Malaysia's mission is guided by a sense of responsibility to protect the national interest in creating and sustaining a safer cyberspace, in which availability, integrity, authenticity, confidentiality and non-repudiation are preserved. A safe and secure cyberspace is suitable for government, commercial and individual dealings. All of this encourages productivity, sustainability, social harmony and well-being, and national wealth creation.

CyberSecurity Malaysia is determined to achieve global standing as a Cyber Security Specialist Centre, while addressing the information security needs of Malaysia.
It is committed to being the employer of choice and the service provider of choice, respected within and outside the information security industry and by the public and private sectors. CyberSecurity Malaysia leads the development of expertise and the acquisition of the latest technologies in information security. It ensures that its specialised services are offered at the highest level and always exceed expectations.

Our Vision: To Be a National Cyber Security Reference and Specialist Centre Recognised Globally by 2020.

OUR DIRECTION

Our Mission
Guided by its vision, CyberSecurity Malaysia's mission is driven by the sense of responsibility to protect the national interest in creating and sustaining a safer cyberspace; where information availability, integrity, authenticity, confidentiality, and non-repudiation are preserved. A safe and secure cyberspace is conducive for governmental, commercial and individual transaction. Altogether, these promote productivity, national sustainability, social harmony and well-being, as well as wealth creation.

Our Vision: To be a Globally Recognized, National Cyber Security Reference and Specialist Centre by 2020.
CyberSecurity Malaysia aspires to achieve a global standing as the Cyber Security Specialist Centre, whilst addressing the information security needs of Malaysia. It aims to be the employer of choice and the service provider of choice that gains respect from within and outside the information security industry as well as from the public and private sectors. CyberSecurity Malaysia leads in the development of expertise and acquisition of the latest technologies in information security. It ensures that its specialised services are of the highest standard, and continuously exceed expectations.

WHAT WE BELIEVE IN

Our Core Values are being a Trusted, Impartial, and Proactive Specialist Service Provider in Cyber Security.

TRUSTED: Maintaining social, ethical, and organization norms; firmly adhering to codes of conduct and professional ethical principles.

IMPARTIAL: Provide judgement and advice and make decisions with high professionalism, unbiased and based on clear facts and rationale; devoid of any personal interest or conflict of interest.

PROACTIVE: Taking prompt action to accomplish objectives; anticipate challenges and identify solutions; taking action to achieve goals beyond what is required.

Notice of Annual General Meeting

NOTICE IS HEREBY GIVEN THAT the Third Annual General Meeting of CYBERSECURITY MALAYSIA will be held by way of Members' Circular Resolution pursuant to Article 20 of the Company's Articles of Association on or before 26 June 2009 to transact the following businesses:

AS ORDINARY BUSINESS

1. To receive the Audited Financial Statements for the financial year ended 31 December 2008 together with the Reports of the Directors and Auditors thereon; (Resolution 1)
2. To re-elect Puan Rubaiah binti Hj Hashim who retires by rotation pursuant to Articles 49 and 51 of the Company's Articles of Association and who, being eligible, offers herself for re-election; (Resolution 2)
3. To re-appoint Messrs Azman, Wong & Salleh as Auditors of the Company and to authorize the Directors to fix their remuneration; (Resolution 3)

AS SPECIAL BUSINESS

To consider and, if thought fit, pass the following resolution:

4. To approve the payment of the Directors' accumulated monthly allowances for the financial year ended 31 December 2008. (Resolution 4)

BY ORDER OF THE BOARD
JAILANY BIN JAAFAR (LS8843)
Company Secretary
Selangor
11 June 2009

NOTES:

A proxy need not be a member of the CyberSecurity Malaysia PROVIDED that a member shall not be entitled to appoint a person who is not a member as his proxy unless that person is an advocate, an approved company auditor or a person approved by the Registrar of Companies.

The instrument appointing a proxy shall be in writing under the hand of the appointor or his attorney duly authorised in writing or if the appointor is a body corporate, either under seal or under hand of the officer or attorney duly authorised.

To be valid the proxy form duly completed must be deposited at the Registered Office of the CyberSecurity Malaysia at Level 7, Sapura@Mines, No 7, Jalan Tasik, The Mines Resort City, Seri Kembangan 43300 Selangor Darul Ehsan, Malaysia not less than forty-eight (48) hours before the time for holding the meeting.

Notice of Annual General Meeting (Malay version)

NOTICE IS HEREBY GIVEN THAT the Third Annual General Meeting of CYBERSECURITY MALAYSIA will be held by way of Members' Circular Resolution pursuant to Article 20 of the Company's Articles of Association on or before 26 June 2009 to transact the following business:

AS ORDINARY BUSINESS

1. To receive the Audited Financial Statements for the financial year ended 31 December 2008 and the Reports of the Directors and Auditors thereon. (Resolution 1)
2. To re-elect Puan Rubaiah binti Hj. Hashim, who retires by rotation pursuant to Articles 49 and 51 of the Company's Articles of Association and, being eligible, offers herself for re-election. (Resolution 2)
3. To re-appoint Messrs Azman, Wong & Salleh as Auditors of the Company and to authorise the Directors to fix their remuneration. (Resolution 3)

AS SPECIAL BUSINESS

To consider and, if thought fit, pass the following Ordinary Resolution:

4. To approve the payment of the Directors' Accumulated Monthly Allowances for the financial year ended 31 December 2008. (Resolution 4)

BY ORDER OF THE BOARD
JAILANY BIN JAAFAR (LS8843)
Company Secretary
Selangor
5 June 2009

NOTES:

A proxy need not be a member of CyberSecurity Malaysia, PROVIDED that a member shall not be entitled to appoint a person who is not a member as his proxy unless that person is an advocate, an approved company auditor or a person approved by the Registrar of Companies.

The instrument appointing a proxy shall be in writing, signed by the appointor or by his attorney duly authorised in writing or, if the appointor is a body corporate, either under seal or under the hand of an officer or attorney duly authorised.

The duly completed proxy form must be delivered to the Registered Office of CyberSecurity Malaysia at Level 7, Sapura@Mines, No. 7, Jalan Tasik, The Mines Resort City, Seri Kembangan 43300 Selangor Darul Ehsan, Malaysia, not later than forty-eight (48) hours before the time for holding the meeting.

Cover Rationale (Malay version): Safe and Confident in Cyberspace

Like a Lego construction, the smart security structure created by CyberSecurity Malaysia symbolises the best monitoring system and security shield, able to protect cyberspace from any unwanted infiltration and intrusion. The uniqueness of its features and performance, evident since its establishment, has propelled the organisation to a leading position in the market. Step into cyberspace feeling safe and at ease, to benefit from the creativity, efficiency and productivity that you can enjoy without limits.

Cover Rationale: For Safe and Secured Cyberspace

Resembling a lego construct, CyberSecurity Malaysia's smartly built security tool epitomises the best ever mitigation and shield system against any uninvited encroachments and infiltrations. Its unique attributes and performance have, since its inception, contributed to the organisation's leadership position in the game plan. Feel safe and secured against any security challenges as you stride ahead into a virtual space of unlimited creativity, efficiency and productivity.

CONTENTS

Cover Rationale
Notice of the Third Annual General Meeting
Our Direction
What We Believe In
Strategic Goals
How We Get Here
Client Charter
Chairman's Statement
Board Members
Management Committee
Foreword by the CEO
Operations Review
CyberSecurity Malaysia's Corporate Citizen
Technical and Knowledge Partners
ISMS Policy Statement
Corporate Governance
Activities Throughout 2008
Financial Report
Proxy Form