Sistem Perakaunan Berkomputer Standard Untuk Kerajaan Negeri (Speks) Information Security Policies

This document presents the Sistem Perakaunan Berkomputer Standard Untuk Kerajaan Negeri (SPEKS) Information Security Policies. It establishes the SPEKS security policy statement, objectives, and principles. The policy statement establishes that information assets related to SPEKS must be protected from loss, unauthorized access, manipulation or disclosure through adequate controls. The objectives are to provide minimum guidance for secure SPEKS management and use, organizational prerequisites for proper operation, and interfaces for application changes. 14 specific information security policies are then defined covering areas such as security management, access controls, operations, and compliance.


SISTEM PERAKAUNAN BERKOMPUTER STANDARD UNTUK KERAJAAN NEGERI (SPEKS)
INFORMATION SECURITY POLICIES
SPEKS-POL-01

Version 1.0
March 2006

SPEKS Information Security Policies


Table of Contents

DOCUMENT IDENTIFICATION ... iii
DOCUMENTATION UPDATE CONTROL LOG ... iv
I. Introduction ... 1
II. SPEKS Policy Statement, Objectives and Security Principles ... 1
III. Documentation Hierarchy ... 6
IV. SPEKS Operational Framework ... 6
V. SPEKS Information Security Policies ... 10
    1.0 Security Management ... 10
        1.1 Purpose and Scope ... 10
        1.2 Policy Statement ... 10
    2.0 Personnel and Safe Computing ... 11
        2.1 Purpose and Scope ... 11
        2.2 Policy Statement ... 11
    3.0 Logical Access Controls ... 12
        3.1 Purpose and Scope ... 12
        3.2 Policy Statement ... 12
    4.0 Physical and Environmental Control ... 13
        4.1 Purpose and Scope ... 13
        4.2 Policy Statement ... 13
    5.0 Installation Management ... 14
        5.1 Purpose and Scope ... 14
        5.2 Policy Statement ... 14
    6.0 Computer Operations ... 15
        6.1 Purpose and Scope ... 15
        6.2 Policy Statement ... 15
    7.0 Configuration, Patch and Change Management ... 16
        7.1 Purpose and Scope ... 16
        7.2 Policy Statement ... 16
    8.0 Problem Management ... 17
        8.1 Purpose and Scope ... 17
        8.2 Policy Statement ... 17
    9.0 Application Development and Application Improvement Programs ... 18
        9.1 Purpose and Scope ... 18
        9.2 Policy Statement ... 18
    10.0 Network Protection ... 19
        10.1 Purpose and Scope ... 19

Ref No.: SPEKS-POL-01


Version: 1.0
Date : March 2006

        10.2 Policy Statement ... 19
    11.0 Perimeter Logical Protection ... 20
        11.1 Purpose and Scope ... 20
        11.2 Policy Statement ... 20
    12.0 Computer Virus and Malware Protection and Detection ... 21
        12.1 Purpose and Scope ... 21
        12.2 Policy Statement ... 21
    13.0 Business Continuity Plan ... 22
        13.1 Purpose and Scope ... 22
        13.2 Policy Statement ... 22
    14.0 Compliance ... 23
        14.1 Purpose and Scope ... 23
        14.2 Policy Statement ... 23
DEFINITIONS ... 24

DOCUMENT IDENTIFICATION

DOCUMENT NAME: Sistem Perakaunan Berkomputer Standard Untuk Kerajaan Negeri (SPEKS) Information Security Policies
REFERENCE NO: SPEKS-POL-01
VERSION NO: 1.0
DATE CREATED: March 2006

DOCUMENTATION UPDATE CONTROL LOG

No. | Date | Section Affected | Description of Change

I. Introduction
This document, the Sistem Perakaunan Berkomputer Standard Untuk Kerajaan
Negeri (SPEKS) Information Security Policies, provides the policies that should be
followed by the Management and Staff associated with the use, support and
management of SPEKS in the Bendahari Negeri (BN) and Pusat Tanggungjawab (PTJ).

II. SPEKS Policy Statement, Objectives and Security Principles

SPEKS Security Policy Statement
1. It is the policy of the State Office that while information assets and
computer equipment and other materials associated with the complete
information life cycle related to SPEKS should be provided to enable
employees of State Office and relevant third parties to satisfactorily
complete their duties, these assets should be subject to adequate controls
to protect them from accidental or intentional loss, unauthorised access,
unauthorised manipulation or unauthorised disclosure;
2. Controls implemented should be appropriate to the value of the asset and
its risk exposure. Security can be described as the state or situation that is
free from risks that cannot be accepted or tolerated;
3. This SPEKS Information Security Policy Statement will form the basis from
which specific SPEKS Information Security Policies are developed;
4. Adherence to the SPEKS Information Security Policy will assure an
acceptable level of protection from security incidents and of response to
security incidents, and will minimise the consequences of security weaknesses
and incidents, should they occur;
5. The SPEKS Information Security Policy prescribes the consistent and
regimented good practices within the operating environment governing
SPEKS. This ensures consistent procedures which are then traceable for the
purpose of recovery from incidents as well as to provide learning aimed at
instituting a culture of continuous improvement and robust security
practices throughout the whole organisation in the use of SPEKS;

6. Security implementation is only as good as its weakest link. Technologies can be
hardened, acquired or improved to enhance security. The human element
will then form the biggest variable that will make the difference between a
robustly implemented security environment and one that is weak and
subject to the simplest of exposures; and
7. The SPEKS Information Security Policy covers the protection of all forms of
electronic information to ensure security of the information and its
availability to all authorised users. The main features of information
security are as follows:
a. Confidentiality: information cannot be disclosed without authorisation or
allowed to be accessed without permission;
b. Integrity: data and information must be accurate, complete and current. It
can only be changed by authorised means;
c. Non-repudiation: the source of data and information must be valid and
irrefutable;
d. Authenticity: data and information must be guaranteed authentic; and
e. Availability: data and information must be accessible to authorised users
when required.
8. The SPEKS Information Security Policy should then minimise the
uncertainties, guesswork and inconsistencies in the management and use of
SPEKS so as to ensure an acceptable targeted level of security governing
SPEKS.


SPEKS Security Policy Objectives


The security policy objectives are as follows:
1. To provide the minimum guiding principles for the secure and proper
management, use and operation of the SPEKS application;
2. To indicate the necessary organisational preparatory prerequisites in terms
of organisation functions, manpower capabilities, facilities and mechanisms
for the proper operation and administration of SPEKS;
3. To provide policy guidance on corrective action in the event of a security
breach or severe non-compliance;
4. To provide the necessary interfaces between the parties that are involved
in the support of SPEKS and the implementation of changes to the SPEKS
application, and the guidance for the State to accept the changes made to
the SPEKS application; and
5. To provide an avenue for continuous improvement and update to the security
management and administration of SPEKS.
SPEKS Security Principles
The principles upon which the SPEKS Security Policy is based are as follows:
1. Access on a Need-to-know Basis
Access to ICT assets is given for specific purposes and limited to certain
users on a need-to-know basis only. This means access will only be given if
the user's roles and functions require that information;
2. Minimum Access Rights
User access rights are given at the minimum level, which is to read and/or
view only. Special clearance is needed to allow users to create, store,
update, change or delete any data or information;
3. Accountability
Users are accountable for all their actions towards SPEKS ICT assets;

4. Separation of duties
The duties of record creation and corrections must be segregated from the
duty of approval of such records. Separation of duties also means the act of
separating the operations and network teams;
5. Auditing
The purpose of this activity is to identify security incidents or situations that
threaten security. Therefore, ICT assets such as computers, servers, routers,
firewalls and networks must implement audit trails;
6. Recovery and Continuity
Processes must be in place to prevent significant or prolonged system
disruption. In the event that such disruptions do occur, there must be plans
for recovery and continuity of SPEKS related operations within an acceptable
timeframe; and
7. Compliance
SPEKS Security Policy must be read, understood and complied with to
prevent any breach against it which could threaten SPEKS security.
SPEKS Security Policy Scope
Compliance with the SPEKS Information Security Policies will be compulsory to the
extent that the management and handling of information and the ICT facilities, as
well as peripheral equipment, forms and materials in the complete information life
cycle activity related to SPEKS, are within the control of the management of the State
Office. In this context the complete information life cycle covers the PTJs and the
BN Offices.
The policies are a high level collection of directives that govern how information
assets are managed, protected and distributed within the State Office and the PTJs.
The implementation of these policies is mandatory and State Offices must have an
action plan in place to ensure full compliance.
In general, where there are existing Government policies, instructions, guidelines and
procedures, these will take precedence over the respective elements mentioned in
this SPEKS Information Security Policy document. The exception is where the
classification of the assets or the operating area specifically requires higher security
measures than those specified in the Government policies, instructions, guidelines
and procedures; in those areas the higher security measures enforced in the SPEKS
Information Security Policy apply.
Related Documents for Reference
The following are the related documents that have already been in place and should
be referred to as preceding documents:
1. MyMIS Garis Panduan Pengurusan Keselamatan ICT Sektor Awam Malaysia;
2. Akta Keselamatan;
3. Akta Rahsia Rasmi 1972;
4. Akta Acara Kewangan 1957;
5. Akta Kawasan Larangan dan Tempat Larangan 1959;
6. Pekeliling Am Bil 3 Tahun 2000 Rangka Dasar Keselamatan Teknologi
Maklumat dan Komunikasi Kerajaan;
7. Pekeliling Am Bil 1 2001 Mekanisme Pelaporan Insiden Keselamatan
Teknologi Maklumat dan Komunikasi (ICT);
8. Akta Jenayah Komputer 1997;
9. Akta Tandatangan Digital 1997;
10. Pekeliling Kemajuan Pentadbiran Awam Bil.1 Tahun 2003 Garis Panduan
Mengenai Tatacara Penggunaan Internet dan Mel Elektronik di Agensi-agensi Kerajaan; and
11. Arahan Perbendaharaan.

III. Documentation Hierarchy
This document, the SPEKS Information Security Policy, is derived from the SPEKS
Information Security Policy and Standards document that governs the information
security management, operation and use of SPEKS. This is created for easy reference
on the governing policies.
The SPEKS Common Information Security Procedures contains the common
procedures for implementation based on the SPEKS Information Security Policies and
Standards.
Senior Management will find the SPEKS Information Security Policies document
sufficient for an understanding of overall governing policy while the management
and officers involved in the daily information security management, operation and
use of SPEKS will need to refer to all these documents for guidance.
The above document relationships are depicted in the following chart:

[Chart] SPEKS Information Security Policies and Standards (Primary Document)
    -> SPEKS Information Security Policies (Policies extracted out from the
       Primary Document for easy reference)
    -> SPEKS Common Information Security Procedures (Procedures Document)

IV. SPEKS Operational Framework

The SPEKS application was developed under a project managed by JANM for uniform
implementation throughout all the States (except Sabah and Sarawak). Due to
criticality of the system to the State operations, a common release of the SPEKS
application will be provided for use throughout the States covered. This will have the
dual advantage of ease of application maintenance and consistency of usage
throughout the State Government and between State Governments.


Consequently this SPEKS Security Policy document will be the guiding document for
adherence and enforcement in order to ensure the proper and secure use of the
system. Senior Management in State Governments must ensure that the SPEKS
Security Policies are enforced, and necessary corrective or disciplinary actions should
be taken in the event of severe non-adherence or non-compliance.
Responsibilities
It is the duty of all employees of the State Office and third parties providing services
to, or acting as agents of the State Office to:
1. Take all necessary precautionary measures to safeguard the information
that they create, receive or control, as well as the facilities that they use;
2. Comply with the SPEKS Information Security Policies;
3. Promptly report all security incidents to the management to ensure that
appropriate actions are taken; and
4. Diligently use the SPEKS information assets and supporting ICT facilities for
their intended and authorised purpose and nothing more, as use of such assets
and facilities for other than the intended and authorised purpose will
constitute a violation of policy that may result in appropriate disciplinary
action.
Implementation of the SPEKS Information Security Policies is the responsibility of line
Management and shall be monitored by State SPEKS Implementation Committee
(Jawatankuasa Pelaksanaan SPEKS Negeri), State Internal Audit and Jabatan Audit
Negara as External Auditor.
The responsibility for implementing the SPEKS Common Information Security
Procedures lies with the Pegawai Pengawal/ Ketua Jabatan.
Key Support Relationships
SPEKS application support and maintenance continue to be provided by JANM. JANM
will manage application bug fixing and patch releases and any enhancement
requests from the States. The State Offices are the users of the SPEKS application;
each State Office will have its own complete SPEKS application and hardware
installed and will provide first level support to the State Offices.

All State Offices are expected to have one common version of SPEKS with the
appropriate patch releases implemented so that JANM will be able to render the
appropriate support to the State Offices.
Issues of common interest e.g. training and refresher training for State users,
Frequently Asked Questions and Help Documentation will be centrally coordinated
through JANM.
State Offices may have specific requirements from time to time that are unique to
the particular State. JANM is expected to moderate and control the development of
such requirements so that a common version usable across all States is always
achieved to enable the application to be effectively supported.
Unless qualified otherwise, the term SPEKS system referred to in this document covers
the SPEKS application hardware and software as well as all peripheral equipment and
activities that handle a part of the information life cycle related to SPEKS. This
includes the payment vouchers and invoices and the people operating SPEKS.
Updates and Maintenance of Documents
The SPEKS Information Security Policies and Standards (and this derived document,
SPEKS Information Security Policies), and the SPEKS Common Information Security
Procedures documents are subject to document control.
The responsibility for updates and corrections to these documents lies with Jabatan
Akauntan Negara Malaysia (JANM) upon instruction or endorsement by the SPEKS
Steering Committee.
State Offices are not expected to modify these documents. Any request and
suggestions for modification or changes must be directed to JANM as follows:
Name: Seksyen Khidmat Perunding
Address: Aras 6, Blok 2G1A, Kompleks Kewangan, Presint 2, 62594 Putrajaya
Telephone No.: 03-8882 1183
Facsimile No.: 03-8882 1043
E-mail: [email protected]


Terminology
Unless specific reference is made to Jabatan Akauntan Negara Malaysia (JANM) or
the Bendahari Negeri (BN) or the Pusat Tanggungjawab (PTJ), the term State Office
or State Offices used in this document refers to the BNs and PTJs and other related
organisations that are managing or using SPEKS in the States in Malaysia.
The PKN/BN also has the Unit Teknologi Maklumat (UTM) to provide the necessary
ICT support to the SPEKS application. The WAN network infrastructure in most States
is managed by the Pusat Komputer /Bahagian Teknologi Maklumat/Unit Teknologi
Maklumat of the Pejabat Setiausaha Kerajaan Negeri (SUK) with few exceptions.

V. SPEKS Information Security Policies

1.0 Security Management

1.1 Purpose and Scope


The purpose of the 'Security Management Policy and Standard' is to establish
an Information Security Management structure for managing and using SPEKS
which is appropriately defined, with agreed responsibilities, authorities and
inter-relationships.
This Policy applies to the SPEKS information system covering the complete
information life cycle and information processing facilities related to SPEKS
within the control of the State Office.

1.2 Policy Statement
All employees using, administering or managing SPEKS will be given
designated responsibilities in the management and use of SPEKS as defined
in the SPEKS Security Management Standards. Employees must adhere to
their scope of responsibilities defined and must report to the Jawatankuasa
Pelaksanaan SPEKS Negeri through their respective Ketua Jabatan/ Pegawai
Pengawal, any exceptions or shortcomings or areas that may not have an
identified process owner.

2.0 Personnel and Safe Computing

2.1 Purpose and Scope

The Personnel and Safe Computing Policy and Standards related to ICT Security
are developed to minimise the risk of human error, theft, fraud or misuse of
SPEKS ICT facilities.
The Personnel and Safe Computing Policy and Standards applies to all
employees of State Offices involved in the usage, operations and
management of SPEKS; and should be applied in conjunction with existing
Government-wide and State Office specific personnel/ human resource
policies.

2.2 Policy Statement
All employees of State Offices should be briefed on their responsibilities
towards the proper use of ICT facilities and enforcement of ICT Security. All
employees must familiarise themselves with the ICT Security Policies, comply
with the relevant procedures that relate to their work and obligations, and
practise and promote safe computing practices.
Employees must familiarise themselves with the standard operating procedures in
the use of SPEKS and must provide feedback on any discrepancies found in the
operation of SPEKS, or on potential anomalies or misuse of privileges in
using SPEKS by other employees.

3.0 Logical Access Controls

3.1 Purpose and Scope

The purpose of the Logical Access Controls Policy and Standard is to
enforce the segregation of incompatible duties by ensuring that individuals
can only access data and perform administrative and processing functions to
which they have been authorised, and that they are accountable for the access
given to them.
The Logical Access Controls Policy and Standard establishes guidelines
which apply to the information systems and information processing facilities
within the control of the State Offices.

3.2 Policy Statement
Access to SPEKS and related facilities should be controlled, taking into
account State Office policies for information dissemination and entitlement
(such as the "need to know" and "least rights" principle), and any contractual
or legal requirements to protect access to data or services.
Staff assigned specific privileges and accesses to SPEKS facilities must ensure
that they work within their authorised privileges and responsibility and report
to their Ketua Jabatan/Pegawai Pengawal when their job function (and hence
their access privileges) changes.

4.0 Physical and Environmental Control

4.1 Purpose and Scope

The Physical and Environmental Control Policy establishes guidelines for
obtaining a minimum level of physical protection for information processing
facilities and business premises.
This Policy and Standard applies to the information systems and information
processing facilities within the control of State Office.

4.2 Policy Statement
Information processing facilities should be physically protected from security
threats and environmental hazards. Protection of information processing
facilities is necessary in order to reduce the risk of unauthorised access to
data and to safeguard against loss or damage. In addition, attention should
also extend to equipment location, disposal, as well as supporting facilities
such as the electrical supply and power and network cabling infrastructure.

5.0 Installation Management

5.1 Purpose and Scope

The purpose of the Installation Management Policy and Standards is to
ensure that the SPEKS system software and hardware are managed in a
consistent and controlled manner.
This Policy and Standard applies to the SPEKS information processing
facilities within the control of State Office.

5.2 Policy Statement
System software and hardware should be managed in a controlled and
consistent manner so that the application systems themselves operate in a
controlled manner. All new hardware and software installations and upgrades
are to be planned formally and notified to all interested parties ahead of the
proposed installation date. Information Security requirements for new
installations are to be circulated for comment to all interested parties, well
in advance of installation.

6.0 Computer Operations

6.1 Purpose and Scope

The Computer Operations Policy and Standards provide guidelines to
ensure that the SPEKS operational procedures are documented and adhered
to.
This Policy and Standard applies to all information systems and information
processing facilities and peripherals of SPEKS within the control of the State
Office.

6.2 Policy Statement
The Data Owner must ensure the proper management and operation of all SPEKS
information processing facilities and minimise system disruptions. The
Computer Operations practices should ensure that the objectives of
confidentiality, integrity and availability are being met. This includes ensuring
that segregation of incompatible duties, logging and review of key activities,
and backup and recovery procedures are in place in the event of an emergency.

7.0 Configuration, Patch and Change Management

7.1 Purpose and Scope

The Configuration, Patch and Change Management Policy establishes a
framework for maintaining a continuous record of the status of State
Offices' hardware and software items related to SPEKS. This is to ensure
that changes to State Offices' systems are implemented in a controlled
environment and in a consistent manner. It also provides a means of
identifying and controlling the individual components/ configuration items
that together constitute the SPEKS system.
The Policy and Standard applies to the SPEKS system and its associated
tools, forms and materials within the information life cycle related to SPEKS
that are within the control of the State Office.

7.2 Policy Statement
Changes to systems including patches should be applied in a controlled
manner so that the proper functioning, stability and security of systems are
not compromised. In addition, this Policy also ensures that changes to
systems are only implemented on the basis of formal requests and plans
authorised by management and that continued compatibility of all
components is maintained.

8.0 Problem Management

8.1 Purpose and Scope

The 'Problem Management Policy' aims to establish a formal method of
managing problems so that all the problems are logged, investigated and
resolved in a timely and appropriate manner.
This Policy and Standard applies to the SPEKS information systems and
information processing facilities within the control of the State Office. This
Policy and Standard does not address procedures for recording and
controlling problems in the Application Development and Application
Improvement Programs Lifecycle, which fall within JANM's domain.

8.2 Policy Statement
The Data Owner must ensure that all system and operational problems are
logged and resolved in a controlled and proper manner. All logged problems
should be reviewed by management on a periodic basis and all outstanding
problems should be followed up and resolved in a timely manner.
Every employee must adopt proper usage and safe computing practices as
advised by the State Office from time to time and report problems and
unusual incidents, including virus or worm attacks, system performance
degradation or any security compromises that affect or potentially affect
confidentiality, integrity and availability.

9.0 Application Development and Application Improvement Programs

9.1 Purpose and Scope

The Application Development and Application Improvement Programs Policy
and Standard ensures that Application Development and Application
Improvement Programs, implementation and maintenance are done in a
consistent and structured manner so that enhancements to SPEKS
functionality, or addition or enhancement of security and controls features
are incorporated or integrated with SPEKS correctly.
As second level support and corrections and improvements to SPEKS are
provided by JANM (whether with the assistance of a third party or not), this
Policy will guide the enforcement of the quality and security practices in the
implementation of such corrections and improvements to SPEKS.
The Application Development and Application Improvement Programs Policy
and Standard is the baseline by which the Application Development and
Application Improvement Programs lifecycle is applied. The methods, tools
or techniques by which this lifecycle is carried out are not addressed in this
document.

9.2 Policy Statement
Applications developed and maintained for SPEKS must always follow a
formalised development process and must be maintained and supported with
an appropriate change control, configuration management and patch
release management program in place. Appropriate controls must be built
into the application to ensure that the integrity and confidentiality of
information entered, processed and stored are adequately protected.


10.0 Network Protection


10.1 Purpose and Scope


The Network Protection Policy and Standard ensures that the use of the
network and its components including PCs are adequately managed,
controlled and monitored.
This Policy and Standard establishes guidelines to manage:

- Network security, including restrictions on access, assurance of data
  integrity and confidentiality during transmission, and identification and
  authentication of users;
- Network resilience, including the controls assuring availability of
  redundant network components; and
- Installation and maintenance of the network and data
  communications hardware and software.


The Network Protection Policy and Standard applies to SPEKS related
network and information processing facilities within the control of State
Office.
10.2 Policy Statement
Access to the LAN and WAN for the SPEKS system should be controlled and
restricted to authorised users. The use, resilience and bandwidth of the
network should be based on the requirements of SPEKS. Data transmitted
should be protected against loss, corruption or repetition, and unauthorised
disclosure or modification.
Where the network is shared with other services and applications, the
Network Service Provider must ensure that performance and availability
targets for the running of the SPEKS application are being met.


11.0 Perimeter Logical Protection


11.1 Purpose and Scope


The Perimeter Logical Protection Policy aims to protect State Office's
information resources residing on the corporate network from unauthorised
external access via the Internet and from unauthorised access from within the
corporate network. The Perimeter Logical Protection Policy and Standard
should be read in conjunction with Section 3 - Logical Access Controls
Policy and Standard, Section 7 - Configuration, Patch and Change
Management Policy and Standard, and Section 10 - Network Protection
Policy and Standard.
The Perimeter Logical Protection Policy and Standard establishes standards
that apply to the firewall systems protecting SPEKS servers. It also covers the
Intrusion Detection System or Intrusion Protection System, which should be
implemented if the risk situation warrants it and as advised by the System
Provider.

11.2 Policy Statement
Perimeter Logical Protection must be implemented to protect the internal or
closed network from the external public network. The design, implementation
and maintenance of the firewall systems must incorporate appropriate
screening and detection policies to ensure protection from vulnerabilities
that become publicly known from time to time.


12.0 Computer Virus and Malware Protection and Detection


12.1 Purpose and Scope


The Computer Virus and Malware Protection and Detection Policy defines
the virus and malware detection and prevention measures to prevent the
introduction of computer viruses or malicious or unauthorised programs into
system environments.
This Policy and Standard establishes guidelines which apply to the SPEKS
information systems and information processing facilities within the control
of State Office.

12.2 Policy Statement
Virus and malware detection and prevention measures and appropriate user
awareness procedures must be formally implemented and enforced. Only
software with the appropriate software licenses can be used on State Office
SPEKS equipment and unauthorised or unlicensed software is strictly
prohibited. Files from outside of the office must be screened for viruses and
malware before copying onto State Office SPEKS PCs and Servers.


13.0 Business Continuity Plan


13.1 Purpose and Scope


The 'Business Continuity Plan' defines the requirements for a formal
information contingency plan for SPEKS. It provides guidelines for the State
Office to continue information processing operations under adequate security
protection in the event of an extended computer disruption.
This Policy and Standard applies to the SPEKS information system and
information processing facilities within the control of State Office.

13.2 Policy Statement
A Business Continuity Plan must be developed and maintained to ensure
continuity of the SPEKS related business processes that are supported by the
SPEKS application, SPEKS related hardware and network, and operational
procedures. The plan must be tested to ensure that the procedures and the
recovery process are capable of providing the required level and timeliness
of support to the critical business processes surrounding SPEKS.
Employees' computers should only be used for normal operations and
processes, and should not store any critical data and files that are required
for recovery.


14.0 Compliance

14.1 Purpose and Scope


The Compliance Policy and Standard defines the controls and measures for
the following:

- To avoid breaches of any criminal and civil law, statutory, regulatory
  or contractual obligations, and of any security requirements;
- To ensure compliance of systems and practices with the SPEKS
  Information Security Policies and Standards; and
- To maximise the effectiveness of security implementation and to
  minimise interference to/from the system audit process.

This Policy and Standard establishes guidelines which apply to the SPEKS
information processing facilities, operational procedures and business
processes which are within the control of the State BN Office.
14.2 Policy Statement
The design, operation, use and management of information systems may be
subject to statutory, regulatory and contractual security requirements.
Advice on specific legal requirements should be sought from the
Government's legal advisers, or from suitably qualified legal practitioners.
The security policies, standards and procedures governing the SPEKS
application and the information handled by SPEKS should be regularly reviewed.


DEFINITIONS
1. Policies
Policies are high-level statements that must be communicated to people inside, and
in some cases outside, the organization. A policy is typically a document that
outlines specific requirements or rules that must be met. In the information and
network security realm, policies are usually point-specific, covering a single area.
Policies are higher-level requirement statements than standards, although both types
of management instruction require compliance.
2. Standards
Standards provide specific technical requirements. A standard is typically a collection
of system-specific or procedure-specific requirements that must be met by
everyone.
While policies are intended to last for up to five years or more, standards are only
intended to last a few years. Standards will need to be changed considerably more
often than policies, because the manual procedures, organizational structures,
business processes and information systems technologies mentioned in standards
change so rapidly.
3. Guidelines
A guideline is typically a collection of system-specific or procedure-specific
suggestions for best practice. They are not requirements to be met, but are
strongly recommended.
4. Procedures
Procedures are sometimes called operating procedures or department operating
procedures. Procedures are specific operational steps that are used to complete a
task or achieve a goal. Often these are specific to the application and its
infrastructural equipment and departmental workflow processes. However, alongside
this policy and standards, only the common procedures will be produced, as the
others fall under the SPEKS application's Standard Operating Procedures, which
provide step-by-step information on how the SPEKS application is to be used.

The example that follows illustrates the difference between a policy, standard,
guideline and procedure:

- A policy would describe the need to manage logical access control to
  authorised personnel;
- A standard would define the minimum activity that must be performed in
  order to properly manage the access control activity. (Note that depending
  on the area and requirements, standards may or may not be produced);
- A guideline would suggest the best way to manage the activity of logical
  access control. (Note that depending on the area and requirements,
  guidelines may or may not be produced); and
- A procedure would describe how to manage the access control activity and,
  equally important, how to maintain the appropriate records to ensure
  compliance with the policy.
