Comparison Knowledge between Public Universities and Hospitals in Lembah Klang towards Information Security Management System (ISMS)
1Waidah Ismail, 2Najwa Hayaati Mohd Alwi
1,2 Faculty of Science and Technology, Universiti Sains Islam Malaysia, Negeri Sembilan, Malaysia
Int'l Journal of Computing, Communications & Instrumentation Engg. (IJCCIE) Vol. 2, Issue 1 (2015) ISSN 2349-1469 EISSN 2349-1477
http://dx.doi.org/10.15242/IJCCIE.IAE0715007
Abstract—Knowledge of the Information Security Management System (ISMS) is important before developing a policy for public universities and hospitals in Lembah Klang. This research assesses the ISMS knowledge and awareness of the Information Technology (IT) office responsible for implementing the ISMS. The questionnaire was distributed to the Information Technology (IT) office in charge of the security policy. The results show that the public universities are more aware than the hospitals. This shows that the public universities have the highest level of awareness, and at most of the public universities the awareness comes from the lecturers and updated information on the security
Index Terms—ISMS, policy ISO 27001:2013, public universities, hospitals
I. INTRODUCTION
There is a heightened awareness of the need to protect not only employees and company property, but also the information and systems that are crucial to continuous daily business function. With the increased attention to e-security, it follows that countermeasures such as firewalls and Intrusion Detection Systems will see an increase in sales as well. The danger, however, lies in identifying only the existing problems within the network while ignoring weaknesses or potential security-related issues and risks. In order to address all areas of security concern, businesses need to approach it more holistically, covering network security, personnel, physical and environmental security, and business continuity. This approach includes subscribing to recognized certification standards: a security policy of sorts that can help organizations measure their security policies and procedures against universally accepted codes of practice. Building a security system without a plan is like building a house without a blueprint. Certification standards therefore provide the framework around which an organization can create its security strategy and develop security best practices.
B. Definition of Terms
Information Security Management System
An Information Security Management System (ISMS) is a systematic approach to managing sensitive information so that it remains secure. Information security does not end with implementing the latest firewall or hiring a 24-hour subcontracted security firm. Instead, the overall approach to information security and the integration of the different security initiatives need to be managed in order for each element to be most effective. That is where an Information Security Management System comes in: it allows an organization to coordinate its security efforts effectively (Web-Site Bsiameticas, 2005).
ISO27001
ISO27001 is a standard setting out the requirements for an Information Security Management System. It helps identify, manage and minimize the range of threats to which information is regularly subjected (Web-Site Bsiameticas, 2005). ISO27001:2005 is organized into 11 sections: Security Policy; Organization of Information Security; Asset Management; Human Resources Security; Physical and Environmental Security; Communications and Operations Management; Access Control; Information Systems Acquisition, Development and Maintenance; Information Security Incident Management; Business Continuity Management; and Compliance.
Security Management
Information Security Management needs a paradigm shift in order to successfully protect information assets. Organizations must change to the holistic management of information security, which requires a well-established Information Security Management System (ISMS). An ISMS addresses all aspects of an organization that deal with creating and maintaining a secure information environment. For an organization's management to manage information security cost-effectively, the use of an ISMS is advocated. It can also help other organizations assess the trustworthiness of an organization's information security arrangements. Moreover, an ISMS consists of an intelligent mix of aspects such as policies, standards, guidelines and codes of practice, technology, human issues, and legal and ethical issues. Ideally, organizations should opt for a combination of these different aspects in establishing an ISMS. Combining all of the aspects at once might be a bridge too far when embarking on the establishment of an ISMS, forcing organizations to take a "phased" approach. One approach is to use ISO27001:2005 to implement the security controls contained in a standard such as ISO 17799:2005. In this case information security is driven from a management-process point of view and is referred to as "process security". Another approach, which complements or adds to process security, is to use certified products in the IT infrastructure environment where possible. This approach focuses on technical issues and is referred to as "security product" (Eloff & Eloff, 2003). Many of the information security technological models applied in the past have not worked as expected. For instance, while information security technology products have rapidly improved, information security incidents double every year, indicating clearly that something is going wrong and that technology alone cannot be the answer to many of the information security problems. To arrest this problem, the international market is embarking on the information security management model proposed by ISO27001:2005 and sees this as a successful way forward to improve information security. One important element in these standards is to consider information security not only as a requirement of the data processing or information systems department but also as a requirement relevant to all parts of the organization. From this perspective, all areas within an organization must be involved in the information security processes, and this requires a management-oriented model. Hence management, among other things, needs quantitative data to measure the "return on investment" of their engagement.
II. METHODOLOGY
The information was gathered by questionnaire. The questionnaire consists of three parts: a) knowledge of the ISMS, b) the policies that exist in the public universities and hospitals, and c) compliance with ISO 27001:2013. This paper concentrates only on the knowledge of the ISMS in the public universities and hospitals in Lembah Klang. Figure 1 shows the flow chart of the methodology by which we reviewed the ISMS implementation. We performed data collection for seven public universities and eight hospitals, but received feedback from five public universities and seven hospitals in Lembah Klang. We then performed the data analysis and determined their knowledge of the ISMS. We cannot disclose the names of the public universities and hospitals for security reasons; we refer to the public universities as A to E and the hospitals as F to L. We chose both IPTA and hospital universities because both environments are equally important.
Fig. 1 Flow chart of the methodology
Research Instrument
We prepared a set of questionnaires and distributed them to the Head of Information Technology in the IT Department. The Head of Information Technology then assigns a staff member from the Data Center section to complete the questionnaire.
Methods of data analysis
The method of data analysis employed in this study is descriptive. After collecting the data, the analysis is done by calculating the compliance issues as percentages. Based on the outcome, this research then summarizes the challenges in complying with the ISMS, identifies the compliance of the universities involved, and expresses the extent of its effectiveness as a percentage based on the ISO27001:2013 standard.
III. RESULT AND DISCUSSION
A. Awareness of ISMS between Public Universities and Hospitals
This section explains the awareness of the ISMS among the public universities and hospitals.
Figure 2 shows the awareness level of the ISMS between the public universities and the hospital universities. The public universities are aware of the existence of the ISMS, whereas the hospital universities are not. Only one hospital was not aware of the ISMS; that respondent did not answer all the questions in part a. All the respondents agree that implementing the ISMS can prevent security breaches.
Fig. 2 Awareness of ISMS
Figure 3 shows that the universities are aware of the existence of the new ISO 27001:2013 policy, but at the hospitals only one is aware of the policy. This is because, at most of the universities, creating the policy or raising awareness of it involves the lecturers. Lecturers have the latest research knowledge and help the universities raise their level of ISMS awareness.
Fig. 3 Awareness on the ISO 27001: 2013
Figure 4 shows the sources of knowledge of the ISMS. Both the hospitals and the universities are aware of it from MAMPU (a government agency). The universities are also aware from seminars, which are a more reliable source than the Internet. Both have one respondent each whose awareness of the ISMS comes from the internal auditor.
Fig. 4 Awareness ISMS from outside
B. Policies and Procedures
This section explains the policies and procedures that exist in the universities and hospitals.
Figure 5 shows that the universities and hospitals have their own policies and procedures. Most of the hospitals and universities have security policies, which shows that the Information Technology staff are aware of the security policies.
Fig. 5 Implement the policy and procedure
Figure 6 shows that both the universities and the hospitals implement their policies based on ISO 27001:2005. But, from Figure 3, they are not aware of the latest policy, ISO 27001:2013.
Fig. 6 Implement the ISO 27001:2005
IV. CONCLUSION
In conclusion, the respondents in the universities and hospitals are aware of the importance of the ISMS and that they should implement it. They have implemented some of the policies in their environment, but top management should give encouragement for implementing the ISMS. They agree that implementing the ISMS will prevent security breaches, but this needs the support of top management.
ACKNOWLEDGEMENT
We would like to thank Universiti Sains Islam Malaysia for grant no. PPP/UTG-0213/FST/30/12213.
REFERENCES
[1] Ang, B. L. 2001. "Tech criteria for lean times". ComputerWorld (2), November, pp. 25–26.
[2] BS7799. 2002. "British Standard 2002, Preparing for BS7799 Certification". British: BS7799.
[3] Caralli, A. R. and Wilson, R. W. 2003. "The Challenges of Security Management". Chamber, J. 26th July 2005. http://www.cisco.com/en/US/about/security/intelligence/05_07_security-culture.html.
[4] Brewer, D. 2002. "Spotlight on Incidents". The 7799 International User Group (IUG). ISMS Journal, Issue 1, October 2002.
[5] Eloff, J. & Eloff, M. 2003. "Information Security Management – A New Paradigm". SAICSIT, pp. 130–136.
[6] Jalil, A. S. "ISMS Seminar – ISO/IEC 17799:2005 – Past, Present and Future" (slides). Malaysia: NISER.
[7] Johnstone, D. 2003. "Promoting Information Security in Hong Kong". The BS7799 International User Group (IUG). ISMS Journal, Issue 2, February 2003.
[8] Johnstone, D. 2002. "BS7799-2 Inception to Certification". Presentation slides.
[9] Kadam, A. 1 August 2005. "Are you a Security Organization?". http://www.networkmagazineindia.com/200211/security2.shtml.
[10] Malaysia. 2006. Unit Pemodenan Tadbiran & Perancangan Pengurusan Malaysia, Jabatan Perdana Menteri. Dasar Keselamatan ICT MAMPU. Versi 4.0.
[11] Malaysia. MAMPU website. 20 June 2006. www.mampu.gov.my.
[12] Pattison, F. 2004. "7799 History lesson Part 1". ISMS Journal, Issue 5, November 2004.
[13] Schwalbe, K. 2004. "Information Technology Project Management". Third Edition. n.pl.: Thomson Course Technology.
[14] Sreeraj Gopinathan. 2005. "Understanding ISO27001". Tech & U, About and Beyond ICT. New Straits Times, p. 12, 24 July.
[15] Weil, S. 18 July 2005. "How ITIL Can Improve Information Security". http://www.securityfocus.com/infocus/1815.