
MINISTRY OF EDUCATION MALAYSIA

ICT SECURITY
MANAGEMENT
HANDBOOK

Educational Technology Division


Ministry of Education
October 2005
ISBN : 983-3244-27-0

FIRST EDITION: OCTOBER 2005

Copyright © 2005 Educational Technology Division,


Ministry of Education

All rights reserved, except for educational purposes with no commercial interests. No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording or by any information storage or retrieval system, without prior permission from the Director-General of Education, Ministry of Education Malaysia.

Published by
Infrastructure and Repository Sector
Smart Educational Development
Educational Technology Division
Ministry of Education
Pesiaran Bukit Kiara
50604 Kuala Lumpur
Tel : 603-2098 7768/6245
Fax : 603-2098 6242
Contents

Background
Foreword
Preface
Introduction
1 Acceptable Internet And E-Mail Usage
1.1 Introduction
1.2 Purpose
1.3 Responsibilities
1.4 Internet Usage
1.5 E-Mail
2 Choosing Quality Passwords
2.1 Introduction
2.2 Purpose
2.3 Responsibilities
2.4 Compromise Of Passwords
2.5 General Password Rules
2.6 Password Composition Rules
2.7 Changing And Reusing Of Passwords
3 Physical Security For The ICT Infrastructure
3.1 Introduction
3.2 Purpose
3.3 Responsibilities
3.4 Working In ICT Infrastructure
4 Mobile Computing
4.1 Introduction
4.2 Purpose
4.3 Responsibilities
4.4 Use Of Mobile Computing Devices
4.5 Physical Security
4.6 Configuration Changes
4.7 Connecting Mobile Computing Devices To Unsecured Networks
5 Information Classification And Handling
5.1 Introduction
5.2 Purpose
5.3 Responsibilities
5.4 Scope Of Coverage
5.5 Information Classification
5.6 Information Handling
Glossary
References
Enquiries
Contributors


Background

The ICT Security Management Handbook is a new handbook, updated and adapted from the Smart School Security Management Policies and Procedures Version 1.0 published under the Smart School Pilot Project in the year 2000. The original document was first reviewed in 2001.

Users of the first and second editions of this handbook will realise that the text has been completely revised; a major part of the revision being the separation of the content into two new documents, one for the School ICT Coordinators and another for other users.

This ICT Security Management Handbook is based on the ICT security management information contained in the Malaysian Public Sector Management of Information & Communications Technology Security Handbook published by MAMPU.


Director-General of Education Malaysia

Foreword

I would like to congratulate the Handbook Committee, coordinated by the Educational Technology Division, for their dedication in completing this informative handbook. Their commitment in the preparation of this handbook is highly commended.

This handbook is meant to give thorough and concise guidelines on ICT Security Management. It is hoped that the guidelines and procedures listed are useful to all readers.

I would also like to thank all teachers involved for their invaluable contribution to this handbook, an important contribution to the ICT landscape of schools.

(DATO’ DR. HJ. AHAMAD BIN SIPON)


Director-General of Education
Ministry of Education
Malaysia

Educational Technology Division

Preface

This handbook gives a brief overview on ICT Security Management for all schools in Malaysia.

This handbook is meant to be a useful source of reference for all schools in implementing effective ICT security management. Although there can be no guarantee for absolute security within an international electronic works environment, using the guidelines in this handbook should mitigate many of the risks to which ICT-based systems are exposed.

I wish to congratulate the committee and all others involved in producing this handbook.

(DATO’ HJ. YUSOFF BIN HARUN)


Director
Educational Technology Division
Ministry of Education


Introduction

This handbook has been adapted from the Malaysian Public Sector Management of Information & Communications Technology Security Handbook produced by MAMPU, and the Smart School Security Management Policies and Procedures Version 1.0 produced by the Smart School Pilot Project Team of the Ministry Of Education.

The content is arranged according to topics to help users practise security management systematically and effectively. The content in each topic has been arranged in such a manner that the steps listed are easy to follow and provide comprehensive guidance to ICT security management.

Each topic in this handbook starts with an introduction and purpose followed by guidelines which provide an overview of ICT security management. Using these guidelines, users should be able to practise ICT security effectively.

The ICT Security Management Handbook will help widen the reader's knowledge and create awareness in ICT security management.

A glossary is included for better understanding of the content.


1 Acceptable Internet And E-Mail Usage

1.1 Introduction

The advancement of information and communications technology (ICT) allows information to be sent and received rapidly, and has brought about a rise in the use of the Internet and electronic mail (e-mail). Electronic communication is now widely used as an alternative medium for sharing information. However, uncontrolled usage of Internet and e-mail services may expose us to various security threats. Hence, security protection needs to be in place to ensure the confidentiality, integrity and availability of information.

1.2 Purpose

The purpose of this section is to outline the acceptable use of Internet and e-mail services in schools. These rules should be put in place to protect all residents of schools. Inappropriate use may expose schools to risks, including virus attacks, compromise of network systems and services, and legal issues.

1.3 Responsibilities

All school residents who are given access to the school ICT system are required to comply with the rules and regulations contained in this section.


1.4 Internet Usage

1) The school electronic communication system or ICT facilities are generally used for facilitating and improving the administration and operations of the school. Users should be aware that the data they create and the system they use remain the property of the Government of Malaysia.
2) Web surfing should be restricted to work-related
matters or other purposes as authorised by the
School Head.
3) Users are advised to verify the integrity and
accuracy of materials downloaded from the
Internet. These materials have to be scanned to
ensure that they are free from malicious codes.
4) Materials downloaded from the Internet (e.g.
software) should be vetted to avoid infringement
of copyrights. Users should quote references of
all Internet materials used.
5) Information to be uploaded to the Internet
should be reviewed by the School ICT
Coordinator and authorised by the School
Head.
6) Only authorised officers are allowed to
participate in online public forums such as
newsgroups or bulletin boards. Users who
participate in such forums should exercise good
judgement on the information shared as they
represent the public image of the school,
Ministry of Education and the Government of
Malaysia.


7) Users are prohibited from the following:
a) Violating the rights of any person or company protected by copyright, trade secret, patent or other intellectual property, or similar laws or regulations, including, but not limited to, the installation or distribution of pirated software or software that is not appropriately licensed for use by the school.
b) Uploading, downloading, storing or using
unlicensed software.
c) Uploading, downloading or sending files greater than 2 MB that may overload the computer network and pre-empt other official activities.
d) Preparing, uploading, downloading and
storing speeches, images or other materials
that may:
i) be construed as sexual, ethnic or racial harassment;
ii) cause chaotic situations of any form
such as rumour mongering, defamation
or instigation; and
iii) tarnish the reputation of the school,
Ministry of Education or the
Government of Malaysia.
e) Engaging in non-work related activities
(commercial, political or others) which
interfere with staff productivity and
consume more than a trivial amount of
resources such as:
i) online chatting; and

ii) downloading, storing and using entertainment software such as those for playing games, videos or songs.
f) Engaging in criminal activities such as
spreading of materials involving gambling,
weaponry and terrorism.
g) Misusing online public forums such as
newsgroups and bulletin boards.
8) Users are not allowed to engage in unauthorised
online activities such as hacking, sniffing,
hijacking or giving fraudulent information.

1.5 E-Mail
1) E-mail allows users to communicate with each
other in the form of electronic messages. The
usage of e-mail is getting more prevalent as it
allows more effective two-way communication.
2) All residents of a school are given e-mail
accounts for the purpose of official
correspondence. An example of an e-mail
address is name@moe.edu.my.
3) The usage of e-mail service is subject to the
rules stipulated in this section and the School
ICT Coordinator has the right to revoke such
usage if users do not comply with the rules.
4) E-mail is one of the official communication
channels within the school. As such, it has to be
composed with caution. For example, using
upper case is not encouraged as it is considered
inappropriate. Users are advised to compose
e-mail using simple, courteous and correct
language. Users should ensure that the subject
corresponds with the content of the e-mail.


5) All official correspondence has to be sent via the official e-mail account. Users should ensure that the recipient's e-mail address is correctly entered prior to sending the e-mail. Carbon copy (cc) can be used should there be a need to send the e-mail to other recipients. However, blind carbon copy (bcc) is not encouraged.
6) Users are not allowed to send e-mail attachments greater than 2 MB. Appropriate compression utilities such as WinZip should be used to reduce the size of the attachment.
7) Users should refrain from opening e-mail from
unknown or suspicious senders.
8) Users should scan all attachments prior to
opening.
9) E-mail is not encrypted by default. Users are prohibited from sending sensitive information by e-mail unless it has first been encrypted. Please refer to the Information Handling Procedure (Section 5.6) for details.
10) Users should verify the identity of users with
whom they communicate and exchange
information via e-mail. This is to protect
information from any form of misuse.
11) All official e-mail sent or received should be
archived accordingly. The user is encouraged to
archive the e-mail in other storage media, such
as diskettes, for safety reasons.


12) Unimportant e-mail that is no longer needed or


has no archival value should be deleted.
13) Users are prohibited from the following:
a) sharing e-mail accounts;
b) using fake accounts and purporting to be
valid senders;
c) using e-mail for commercial or political
purposes;
d) sending or owning materials that are
against the law or cause sexual, ethnic or
racial harassment;
e) spamming; and
f) introducing or spreading malicious codes
such as virus, worms and Trojan horses
that will disrupt the network.


2 Choosing Quality Passwords

2.1 Introduction

Passwords are one of the principal means of validating a user's authority to access a computer system. Therefore, users should be aware of their responsibilities in maintaining effective access controls, particularly regarding the use of passwords. Given the number of passwords that one has to keep track of, it is crucial that the passwords selected are easy to remember and follow good security practices. This section provides some good password security practices that all school users are expected to follow.

2.2 Purpose

The main purpose of this section is to ensure that the registered school users follow the best practices in using and selecting passwords for all application and network systems to which they have access.

2.3 Responsibilities

All school residents who are given access to the school ICT system should comply with the guidelines stipulated in this section.


2.4 Compromise Of Passwords

Over time, passwords may be compromised in many ways. The following are some examples of how passwords are compromised.
1) Users share them with friends or co-workers.
2) Written passwords are exposed to others.
3) Passwords are guessed, either by other users or by password-cracking software.
4) The servers that store passwords are
compromised, and their passwords are accessed
by intruders.
5) Transmitted passwords are compromised and
recorded by an intruder.
6) Users are tricked into providing their passwords
to intruders via a social engineering effort.

2.5 General Password Rules


1) Passwords are to be kept strictly confidential and
are not to be shared. Do not disclose your
password to anyone at any time.
2) Do not write your password down or leave it
unsecured.
3) Do not leave a computer session unattended unless it is locked and password-protected. Never leave a computer idle for long periods of time; shut it down, and reboot when necessary.


4) If you suspect that anyone has gained access to your password, contact the School ICT Coordinator immediately to request a password reset.
5) After three (3) unsuccessful attempts to enter the password, the user shall be locked out of the system for a set period of time. Intervention of the School ICT Coordinator will be required to reset the password.

2.6 Password Composition Rules

One of the primary weaknesses of passwords is that they may be guessed. While a person may give up after guessing ten or a hundred possible passwords, password-cracking software can easily try millions of combinations and recover a weak password. Good password composition rules are as follows:
1) To combat password-guessing attacks, users are advised to pick hard-to-guess passwords: not dictionary words, names, dates or keyboard patterns, with or without simple letter-for-digit substitutions, since cracking software tries those first.
2) Users are required to choose their passwords from the widest set of characters, subject to the constraints of the systems where those passwords reside.
3) Passwords should be at least eight (8) characters long and contain a mix of upper-case and lower-case letters, digits and symbols (e.g. p@S5w07D). Note that an example printed in a handbook is itself widely known and must never be used as an actual password.


2.7 Changing And Reusing Of Passwords


1) All default passwords should be changed during
the first log on.
2) To limit the possibility of passwords being compromised, change them regularly: at least every 180 days, and preferably more frequently.
3) Users should not reuse old passwords, as they
may have already been compromised.
4) Reuse of a user’s last four passwords should be
avoided altogether.
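The rules in sections 2.5 to 2.7 (lockout after three failed attempts, the composition rule, no reuse of the last four passwords, and forced change of a default password) expressed as working Python, added here as an illustration; this is not code from the handbook or from any Ministry of Education system. The lockout period, the PBKDF2 work factor, the account name and the sample passwords are assumptions the handbook does not make. The brute_force_seconds helper also puts a number on the remark in 2.6 that guessing software tries millions of combinations, by sizing the keyspace a password's length and character classes imply.

```python
import hashlib
import hmac
import secrets
import string
import time
from dataclasses import dataclass

MIN_LENGTH = 8             # 2.6 rule 3
HISTORY_DEPTH = 4          # 2.7 rule 4: current password plus three previous
MAX_FAILURES = 3           # 2.5 rule 5
LOCKOUT_SECONDS = 15 * 60  # assumed; the handbook says only "a set period of time"
PBKDF2_ROUNDS = 100_000    # assumed work factor for the stored hashes
SALT_LEN = 16
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": len(string.punctuation)}


def character_classes(password):
    """Which of the four character classes the password draws from."""
    return {
        "lower": any(c.islower() for c in password),
        "upper": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
        "symbol": any(c in string.punctuation for c in password),
    }


def check_composition(password):
    """Return the 2.6 rules the password violates (empty list means it passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if sum(character_classes(password).values()) < 3:
        problems.append("fewer than three character classes")
    return problems


def brute_force_seconds(password, guesses_per_second=1e9):
    """Time to exhaust the keyspace implied by length and character classes.
    An upper bound: dictionary words and patterns fall far faster than this."""
    used = character_classes(password)
    alphabet = sum(size for name, size in CLASS_SIZES.items() if used[name])
    return alphabet ** len(password) / guesses_per_second


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; the salt is stored in front of the digest."""
    salt = secrets.token_bytes(SALT_LEN) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt + digest


def verify_password(password, stored):
    """Constant-time check of a password against a stored salt+digest record."""
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


@dataclass
class Account:
    history: list             # hashes, newest first; history[0] is the current password
    failures: int = 0
    locked_until: float = 0.0
    must_change: bool = True  # a default password must be changed at first log on (2.7 rule 1)


class PasswordService:
    def __init__(self, clock=time.time):
        self.clock = clock    # injectable so the lockout can be exercised without waiting
        self.accounts = {}

    def create(self, username, default_password):
        self.accounts[username] = Account(history=[hash_password(default_password)])

    def login(self, username, password):
        """Returns 'ok', 'must_change', 'denied' or 'locked'."""
        acct, now = self.accounts[username], self.clock()
        if now < acct.locked_until:
            return "locked"
        if verify_password(password, acct.history[0]):
            acct.failures = 0
            return "must_change" if acct.must_change else "ok"
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.failures, acct.locked_until = 0, now + LOCKOUT_SECONDS
            return "locked"
        return "denied"

    def change_password(self, username, old, new):
        """Apply the composition and reuse rules; returns the list of violations."""
        acct = self.accounts[username]
        if not verify_password(old, acct.history[0]):
            return ["current password incorrect"]
        problems = check_composition(new)
        if any(verify_password(new, h) for h in acct.history):
            problems.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
        if problems:
            return problems
        acct.history = [hash_password(new)] + acct.history[:HISTORY_DEPTH - 1]
        acct.must_change = False
        return []

    def coordinator_reset(self, username, temporary_password):
        """School ICT Coordinator reset (2.5 rules 4 and 5): clears the lock."""
        acct = self.accounts[username]
        acct.history = [hash_password(temporary_password)] + acct.history[:HISTORY_DEPTH - 1]
        acct.failures, acct.locked_until, acct.must_change = 0, 0.0, True
```

Old passwords are kept only as salted hashes, so the reuse check runs against stored hashes without ever holding previous passwords in the clear, and every comparison is constant-time. Note the keyspace arithmetic: eight lower-case letters fall to a billion-guess-per-second cracker in a few minutes, while eight characters drawn from all four classes take on the order of months, which is the whole point of composition rule 3.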


3 Physical Security For The ICT Infrastructure

3.1 Introduction

Physical security is the first layer of defence in any ICT security architecture. The need to physically protect assets from real or perceived threats cannot be overlooked, nor can it be made up for by other security disciplines. There is no substitute for good physical security control.

3.2 Purpose

The purpose of these guidelines is to prevent unauthorised access, damage and interference to the ICT Infrastructure that could result in disruption or damage to the school information asset.

3.3 Responsibilities

All school residents who are given access to the ICT Infrastructure are required to observe these guidelines.

3.4 Working In ICT Infrastructure


1) All computing facilities provided by the school are used for facilitating the daily operations and learning activities of the school residents. Therefore, only authorised users such as teachers, students and staff of the school are allowed to use these computing facilities. Third parties (or non-school residents) who wish to use such facilities should be authorised by the School Head.
2) Visitors to, and users of, the computer laboratory, media centre and access centre should log their names, date, time and duration of access in the log book.
3) All students using the computer laboratory
should be accompanied by a teacher. Students
who need to use the computers in the computer
laboratory without supervision of the teacher
should obtain permission from authorised
personnel.
4) After school hours, access to the computer
laboratory must be controlled and monitored.
5) Third parties such as vendors who provide
maintenance service to the equipment should
be escorted or supervised at all times while in the
ICT infrastructure.
6) Doors and windows to the computer laboratory
should be locked when unattended.
7) No food and drinks are allowed in the ICT
infrastructure.
8) Visitors or users to the computer laboratory
should take off their shoes (if necessary) to
ensure cleanliness of the place.
9) Users should shut down the system properly to
prevent computer damage.
10) Users should log off the system to prevent
unauthorised users from accessing the
system.


11) Users should keep the ICT infrastructure clean and tidy at all times.
12) Users are not allowed to bring out any equipment or devices which belong to the school. Anyone found stealing or attempting to steal will be subject to disciplinary action.
13) Users are not allowed to relocate the equipment
(e.g. switching of monitors), repair the faulty
equipment or change the configuration of the
system without authorisation by the School ICT
Coordinator or authorised school personnel.
14) Users should report to the School ICT
Coordinator or assigned school personnel when
they notice security incidents or potential
security incidents. These include incidents such
as break-ins, thefts, and hardware and software
failures.
15) Users should prevent computer overheating by
not covering the computer monitor vents.
16) All facilities such as air conditioners and lights
should be properly used. Users are required to
switch on these facilities when using the
computer laboratory. Similarly, these facilities
should be switched off after use.


4 Mobile Computing

4.1 Introduction

Technological advancement has made mobile computing devices available to a wide audience, and these devices are increasingly used for convenient access to information. The prevalence of mobile computing devices has opened up various security risks that could compromise the confidentiality, integrity and availability of information. The very nature of mobile computing devices means that they are at a greater risk of theft than their less portable counterparts. The latter are normally located in secure premises with good physical security, whereas mobile computing devices normally reside outside an organisation's physical security perimeter. This section aims to establish procedural guidance to be observed by users of mobile computing devices.

4.2 Purpose

This section is established to ensure information and physical security when using mobile computing devices.

4.3 Responsibilities

All school residents who use mobile computing devices for processing school information are required to adhere to the guidelines outlined in this section.


4.4 Use Of Mobile Computing Devices


1) The use of personal mobile computing devices such as laptops, tablet PCs, palmtops and smart phones for processing school information is prohibited unless they have first been authorised by the school administrator and configured with the necessary security controls, such as anti-malware software or a personal firewall, under the guidance of the School ICT Coordinator.
2) Third party mobile computing devices (owned by
contractors or vendors) should not be connected
to the school network or granted access without
first being authorised by the school
administrator and configured with necessary
security controls under the guidance of the
School ICT Coordinator. This is to prevent virus
infection of the school network.
3) All Ministry of Education owned mobile computing devices should be installed with the necessary security controls, such as anti-malware software, before they are released to the users. Such devices should be configured to receive security updates from the server automatically.
4) Use of mobile computing devices is subject to
Acceptable Internet and E-mail Usage.

4.5 Physical Security

1) Mobile computing devices should be physically protected against theft, especially when left in cars and other forms of transport, hotel rooms, conference centres and meeting places.
2) Mobile computing devices carrying important, sensitive or confidential information should not be left unattended and, where possible, should be physically locked.
3) It is important that when such devices are used
in public places, care should be taken to avoid
the risk of accidental disclosure of information to
unauthorised persons.
4) Mobile users should report to the School ICT
Coordinator or school administrator immediately
for any damage and loss of Ministry of Education
assets.
5) The movement of all mobile computing devices
owned by the Ministry of Education should be
recorded.

4.6 Configuration Changes


1) Users should not change the configuration or
system settings of mobile computing devices
supplied by the Ministry of Education except for
official and authorised purposes such as
configuring the network settings (IP address,
DNS address, etc.) based on the existing
network environment.
2) Mobile computing devices supplied by the
Ministry of Education should not be altered in
any way (e.g. processor upgrade, memory
expansion or extra circuit boards). If any
changes in software or hardware are required,
the users should seek authorisation from the
School ICT Coordinator. Only the School ICT
Coordinator is allowed to make such changes.


4.7 Connecting Mobile Computing Devices To Unsecured Networks

1) The school network is a protected environment in which mobile computing devices are shielded from malicious software by the network's perimeter controls and by the regular deployment of security updates. Networks outside the perimeter of the school, whether a wireless local area network at an airport or a broadband Internet connection at home, are considered unsecured networks. In such an environment the device is connected directly to the Internet with none of the school's protections, such as firewalls, in place. This exposes the device to a wide range of threats, including direct attacks from entities on the Internet, whether users or malicious code.
2) Users should refrain from connecting to unsecured networks as this may expose sensitive information to unauthorised parties.
3) If such a connection is deemed necessary, users should encrypt sensitive information to prevent unauthorised disclosure. Data encryption also offers the best protection against disclosure of sensitive information from lost or stolen devices: information protected by strong, well-implemented encryption can be rendered useless to a thief, provided the key or passphrase is not stored on the same device.


5 Information Classification And Handling

5.1 Introduction

Information must be handled according to its classification to ensure that its confidentiality, integrity and availability are not compromised. Information classification and handling are performed to safeguard national secrets, and information of different classifications is kept (or should be kept) segregated. The possible impact on schools and the Ministry of Education of the disclosure or alteration of information varies with the type of information; hence the effort and cost warranted for protection against these risks varies accordingly. Some basis is therefore required to determine which security measures apply to each type of information.

5.2 Purpose

The main purpose of this section is to provide guidelines for the classification of information and the appropriate set of procedures for information handling in accordance with the classification scheme defined.

5.3 Responsibilities

All school residents who are given access to classified information are required to comply with this section.


5.4 Scope Of Coverage

All school information is bound by this section irrespective of:
1) the way information is represented (written,
spoken, electronic or other forms);
2) the technology used to handle the information
(e.g. file cabinets, fax machines, computers and
local area networks);
3) the location of information (e.g. in the office,
computer lab or server room); and
4) the lifecycle of information (e.g. origin, entry
into a system, processing, dissemination,
storage and disposal).

5.5 Information Classification

According to the government's Arahan Keselamatan, information is classified into five levels:
1) Public: Official documents/information available
for public knowledge, viewing or usage.
2) Restricted: Official documents/information other than those classified as Top Secret, Secret or Confidential, but which still require a level of security measures. Refer to Table 1: Information Handling.
3) Confidential: Official documents/information which, if exposed without authorisation, even though not endangering national security, could have an impact on national interest or dignity, the activities of the government or the individual; would cause embarrassment or difficulty to the current administration; or would benefit foreign authorities.
4) Secret: Official documents/information which, if exposed without authorisation, would endanger national security, cause substantial loss or damage to the national interest or dignity, or provide substantial benefit to foreign authorities.
5) Top Secret: Official documents/information which, if exposed without authorisation, would cause extreme loss or damage to the nation.

5.6 Information Handling

1) The asset owner should determine the classification of information.
2) The handling of the information in any form
depends on the classification of the information
defined by the asset owner.
3) Sufficient security measures for classified
information are required to protect the
confidentiality, integrity and availability of the
information.
4) The existing or planned operating procedures
should consider all users who are allowed to
view classified information.
5) Users should have knowledge of those who
may endanger the security of classified
information and must abide by the guidelines
or procedures to prevent those people from
viewing it.


6) Adequate authorisation and access control should be implemented:
a) to prevent unauthorised people from viewing classified information;
b) at a level commensurate with the classification of the information; and
c) so that the School ICT Coordinator and the information owner can determine the access rights of users who have access to classified information.
7) Table 1 provides the information handling guide for each lifecycle stage of the information, from its creation until its destruction.

Table 1: Information Handling

Columns: Top Secret, Secret, Confidential, Restricted, Public.
Where the four classified levels share a requirement it is listed
once; where a requirement applies only to some levels, those levels
are named. The Public requirement is always listed separately.

Labelling

Electronic Media Labelling
  Top Secret / Secret / Confidential / Restricted:
    1) Labelled as ‘Top Secret’ or ‘Secret’ or ‘Confidential’ or
       ‘Restricted’.
  Public: Not required.

Hardcopy Labelling
  Top Secret / Secret / Confidential / Restricted:
    1) Labelled as ‘Top Secret’ or ‘Secret’ or ‘Confidential’ or
       ‘Restricted’ on the front and back covers, and every page of
       the document. See Arahan Keselamatan – Clause 48-52.
    2) Labelled with a reminder. See Arahan Keselamatan – Clause 53.
  Public: Not required.

Reference
  Top Secret / Secret / Confidential / Restricted:
    The owners of the respective information should work together
    with the school’s administrative personnel to define the
    reference number for each document produced.
  Public: Not required.

Storage

Storage on Fixed Media
  Top Secret / Secret / Confidential / Restricted:
    Encrypted where applicable or other compensating controls such
    as access controls, password management and other network
    controls.
  Public: Not required.

Storage on Exchangeable Media
  Top Secret / Secret / Confidential / Restricted:
    Encrypted where applicable or other compensating controls such
    as access controls, password management and other network
    controls.
  Public: Not required.

Physical Storage
  Top Secret / Secret:
    1) Strong room or safe with locks.
    2) Work in progress can be kept in cabinet (iron) with locks.
    3) See Arahan Keselamatan – Clause 58 – 60.
  Confidential / Restricted:
    1) Cabinet (iron).
    2) See Arahan Keselamatan – Clause 58 – 60.
  Public: No special storage required.

Sending/Transmission/Processing

Sending documents
  Top Secret / Secret / Confidential / Restricted:
    1) Acknowledgement on receipt of document (2 copies) needs to be
       prepared.
    2) Mail packaging for documents carried securely:
       a) Only one (1) envelope with marking, reference number, name
          and address.
       b) The envelope must be sealed.
    3) Mail packaging for documents carried unsecurely:
       a) Two (2) envelopes required.
       b) Internal envelope with marking, reference number, name and
          address;
       c) External envelope with name and address, and it must be
          sealed.
    4) See Arahan Keselamatan – Clause 61 – 65.
  Public: Not required.

Faxing/Telephone/Telegraph
  Top Secret / Secret / Confidential / Restricted:
    1) Not allowed.
    2) See Arahan Keselamatan – Clause 66.
  Public: No restriction.

Carrying Documents Out from the Office
  Top Secret / Secret:
    1) Written approval from the Secretary General of the Ministry of
       Education.
    2) See Arahan Keselamatan – Clause 67.
  Confidential / Restricted:
    1) Written approval from Head of Department is required.
    2) See Arahan Keselamatan – Clause 67.
  Public: No restriction.

Sending via Public Network
  Top Secret / Secret / Confidential / Restricted:
    1) Encryption where applicable.
  Public: Not required.

Copying
  Top Secret / Secret / Confidential / Restricted:
    1) Authorisation from information owner is required.
    2) Tracking on the number of copies issued is required.
    3) See Arahan Keselamatan – Clause 55-57.
  Public: No restriction.

Release to Third Parties

Release to Third Parties
  Top Secret / Secret / Confidential / Restricted:
    1) Not to be released to other countries without the approval of
       the Government of Malaysia.
    2) Release to third parties should be restricted based on the
       need for such access and is authorised by the information
       owner.
    3) Release to press is not allowed without approval from the
       information owner.
    4) See Arahan Keselamatan – Clause 68 – 70.
  Public: Ordinary trash.

Granting of Access Rights

Granting of Access Rights
  Top Secret / Secret / Confidential / Restricted:
    1) Access rights are granted by the information owner.
    2) The access control is to be implemented by the School ICT
       Coordinator.
  Public: No restriction.

Disposal

Physical Disposal
  Top Secret / Secret / Confidential / Restricted:
    1) Not allowed unless explicitly instructed by the information
       owner. Total destruction must be performed.
    2) Disposal must be logged.
    3) Document must be shredded.
    4) See Arahan Keselamatan – Clause 71 – 74.
  Public: Ordinary trash.

Electronic Disposal
  Top Secret / Secret / Confidential / Restricted:
    Secure delete.
  Public: Ordinary delete.

Loss of Documents/Information

Reporting of loss
  Top Secret / Secret / Confidential / Restricted:
    1) Loss of documents/information should be reported immediately
       to the school administrator, within 24 hours.
    2) An investigation should be warranted to estimate the impact of
       such losses. If necessary, a report to external parties such
       as the police should be made.
    3) See Arahan Keselamatan – Clause 75 – 76.
  Public: Not required.
GLOSSARY

Alphanumeric characters: The union of the set of alphabetic
characters and the set of numeric characters.

Availability: This is the effect on the system and/or the
organisation that would result from deliberate or accidental denial
of the asset’s use. If a mission-critical system is unavailable to
its end users, the organisation’s mission may be affected. Loss of
system functionality and operational effectiveness, for example, may
result in loss of productive time, thus impeding the end users’
performance of their functions in supporting the organisation’s
mission.

Broadband: A type of data transmission in which a single medium
(wire) can carry several channels at once.

Confidentiality: This is the effect on the system and/or the
organisation that would result from the deliberate, unauthorised or
inadvertent disclosure of the asset. The effect of unauthorised
disclosure of confidential information can result in loss of public
confidence, embarrassment, or legal action against the organisation.

E-mail: Short for electronic mail: the transmission of messages, to
one or many recipients, over communication networks.

Encryption: The translation of data into a secret form that is not
readable by unauthorised parties.

Exchangeable media: Material used to store data that can be taken
out of a machine. Examples include floppy discs, magnetic tape and
compact discs.

Firewall: A system designed to prevent unauthorised access to or
from a private network.

Fixed media: Mass storage in which the material that holds data is a
permanent part of the device. Examples include hard drives.

Information owner: The individual, division, department or unit that
is referred to as the proprietor of an asset.

Integrity: This is the effect on the system and/or the organisation
that would result from the deliberate, unauthorised or inadvertent
disclosure of the asset. The effect of unauthorised disclosure of
confidential information can result in loss of public confidence,
embarrassment, or legal action against the organisation.

Internet: A global network connecting millions of computers.

Local Area Network: A network of computers confined within a small
area such as an office building or school.

Malicious code: A programme or piece of code that is loaded onto the
computer without the owner’s knowledge and runs against the owner’s
wishes. Examples include viruses, worms and Trojan horses.

Malicious software: A programme or piece of code that is loaded onto
the computer without the owner’s knowledge and runs against the
owner’s wishes. Examples include viruses, worms and Trojan horses.

Mobile Computing: Portable computing devices that can connect by
cable, telephone wire, wireless transmission, or via any Internet
connection to any network infrastructure and/or data systems.
Examples of mobile computing devices include notebooks, palmtops,
laptops and mobile phones.

Password: One of the means of user authentication. A password is a
series of characters entered by the user to gain access to the
system.

School ICT Coordinator: A person appointed by the school to be in
charge of the management and coordination of the school ICT
infrastructure.

Secure delete: Assures the total wiping of magnetically recorded
information.

Social Engineering: In the field of computer security, social
engineering is the practice of obtaining confidential information by
manipulation of legitimate users.

Spam: Electronic junk mail, more generally referred to as
unsolicited e-mail.

Trojan horse: A Trojan Horse portrays itself as something other than
what it is at the point of execution. While it may advertise its
activity after launching, this information is not apparent to the
user beforehand. A Trojan Horse neither replicates nor copies
itself, but causes damage or compromises the security of the
computer. A Trojan Horse must be sent by someone or carried by
another program and may arrive in the form of a joke program or
software of some sort. The malicious functionality of a Trojan Horse
may be anything undesirable for a computer user, including data
destruction or compromising a system by providing a means for
another computer to gain access, thus bypassing normal access
controls.

Users: Members of the school community who use the ICT facilities
provided; for example, teachers, students, clerks, administrators
and others.

Virus: A virus is a program or code that replicates itself onto
other files with which it comes in contact; that is, a virus can
infect another programme, boot sector, partition sector, or a
document that supports macros, by inserting itself or attaching
itself to that medium. Most viruses only replicate, though many can
do damage to a computer system or a user’s data as well.

Wireless: A method of communication that uses radio waves to
transmit data between devices.

Worm: A worm is a programme that makes and facilitates the
distribution of copies of itself; for example, from one disk drive
to another, or by copying itself using e-mail or another transport
mechanism. The worm may do damage and compromise the security of the
computer. It may arrive via exploitation of a system vulnerability
or by clicking on an infected e-mail.

References
1) Malaysian Public Sector Management of Information &
Communications Technology Security Handbook
(MyMIS).
2) Pekeliling Kemajuan Pentadbiran Awam Bilangan 1
Tahun 2003 - Garis Panduan Mengenai Tatacara
Penggunaan Internet Dan Mel Elektronik Di Agensi-
agensi Kerajaan.
3) Buku Arahan Keselamatan.
4) Prosedur dan Dasar Pengurusan Keselamatan
Sekolah Bestari Versi 2.0.

Enquiries
Enquiries about this document should be directed to:

Director
Educational Technology Division
Ministry Of Education
Pesiaran Bukit Kiara
50604 Kuala Lumpur
(Attn : Infrastructure and Repository Sector)

Tel.: 03-2098 7768/6245
Fax: 03-2098 6242
E-mail: sir@moe.edu.my

CONTRIBUTORS

ADVISOR

Dato’ Haji Yusoff bin Harun, Director, Educational Technology Division

EDITORIAL BOARD

Khalidah binti Othman, Educational Technology Division
Chan Foong Mae, Educational Technology Division
Anthony Gerard Foley, Educational Technology Division
Haji Mohd Azman bin Ismail, Educational Technology Division
Mohd Arifen bin Naim, Educational Technology Division
Yap Ley Har, Educational Technology Division
Junainiwati binti Mohd Deris, Educational Technology Division
Roimah binti Dollah, Educational Technology Division
Nik Fajariah binti Nik Mustaffa, Educational Technology Division
Rozina binti Ramli, SMK Aminuddin Baki, Kuala Lumpur
Nirmal Kaur, SMK Victoria, Kuala Lumpur
Mohd Hisham bin Abdul Wahab, SMK(L) Methodist, Kuala Lumpur
Ab. Aziz bin Mamat, Sekolah Seri Puteri, Selangor
Abd Aziz bin Mohd Hassan, SMK USJ 8, Selangor
Widiana binti Ahmad Fazil, SMK Pandan Jaya, Selangor
Rogayah binti Harun, Kolej Tunku Kurshiah, Negeri Sembilan
Mohd Zali bin Zakri, SM Sains Tuanku Jaafar, Negeri Sembilan
Jaya Lakshmi a/p Mutusamy, SMK(A) Persekutuan Labu, Negeri Sembilan
Azmi bin Abdul Latiff, SMK(A) Persekutuan Labu, Negeri Sembilan
Haji Zulkiflee bin A. Rahman, SM Teknik Muar, Johor
Daud bin Yusof, SMK Buluh Kasap, Johor