Security conference to shine spotlight on risk and compliance
By Gabey Goh October 18, 2012
- Cyber Security Malaysia Awards, Conference and Exhibition (CSM-ACE) 2012 set to take place from Nov 6-7
- Main aim is to raise awareness of the benefits of securing security certification for local ICT products and services
CYBER Security Malaysia has launched the Cyber Security Malaysia Awards, Conference and Exhibition (CSM-ACE) 2012, set to take place from Nov 6-7 in conjunction with the World Innovation Forum Kuala Lumpur (WIFKL) 2012.
Cyber Security Malaysia (CSM) is the national cyber security specialist under the Ministry of Science, Technology and Innovation (MOSTI).
Themed ‘Cyber Security Risk & Compliance for Economic Transformation,’ the event aims to provide a platform for government agencies and increase awareness of mandatory compliance with information security standards.
CSM acting chief executive officer Zahri Yunos (pic, center) said the key objective for CSM-ACE 2012 is to nurture a strong culture of cyber security awareness, especially among information and communications technology (ICT) users, particularly those in the Critical National Information Infrastructure (CNII) sectors.
There are 10 CNII sectors under the National Cyber Security Policy: National Defense & Security, Banking & Finance, Information & Communication, Energy, Transportation, Water, Health Services, Government, Emergency Services and Food & Agriculture.
According to CSM, the alarming rise of premeditated attacks such as distributed denial-of-service (DDoS) attacks and advanced persistent threats (APTs), with potentially catastrophic effects on interdependent network and information systems across the globe, has demanded that significant attention be paid to protection initiatives.
Cost of certification
Cyber security has been identified as a potential sector for growth under the National Transformation Program (NTP). Razman Azrai Zainudin (above pic, right), CSM's vice president of Corporate Planning & Strategy, said that one way of achieving this growth was via the adoption and promotion of security standards.
Razman highlighted the Malaysian Common Criteria Evaluation and Certification (MyCC) Scheme, which evaluates and certifies the security functionality within ICT products against the ISO/IEC 15408 standard, known as Common Criteria (CC).
The methodology used in the evaluation is also a recognized standard known as Common Evaluation Methodology (CEM) or ISO/IEC 18045.
“Malaysia is the only country in the region which currently offers this, and it is a cheaper process to undergo due to the currency exchange rate versus getting the certification in countries such as the United States or United Kingdom,” he said, adding that queries have been received from companies overseas seeking to apply for certification.
Razman reported that there are currently 21 local companies which have undergone and been granted CC certification for their products, but there are still many companies with eligible products that have yet to apply for certification.
He also added that the current state of proper documentation for IT products remains lacking in the country.
When asked why so few local companies have applied for certification, Razman pointed to a couple of reasons.
“First I believe is the fact that the MyCC scheme is still quite low profile, as we only launched it in 2010. The second and bigger barrier is the cost factor,” he said.
During the initial rollout of the MyCC Scheme, the government had set aside funds to subsidize local companies that wished to get certified; however, the ‘promotion’ is no longer in place.
While the certification fees vary, CSM shared that the ballpark figure for Evaluation Assurance Level 1 is about RM100,000 and for Level 2 RM200,000 and so on.
Razman said a large portion of the cost goes towards maintaining the Malaysian Security Evaluation Facility (MySEF), whose main responsibility is to carry out security evaluations against agreed standards in an independently accredited environment.
“To keep our globally recognized certification, we must comply with yearly audits of the facility along with training for staff to conduct the evaluation and certification process,” he added.
However, both Razman and Zahri stressed that while the cost of certification may be high, the long-term benefits to companies will justify the initial investment.
The benefit of certification with a globally recognized standard, Razman said, was the ability to market products and solutions to a global market, easing the due diligence process with procurement departments.
Zahri added that through the adoption of and compliance with cyber security standards, the nation's cyber risks are mitigated, thus fueling economic activities such as job creation and business opportunities.
“We want to educate and strengthen Malaysia’s self-reliance in terms of technology standards and compliance,” he said.
In line with the mission of increasing the awareness of security certification, a pavilion will be set up at the CSM-ACE 2012 exhibition to highlight local companies which have secured Common Criteria (ISO/IEC 15408) certificates via MyCC.
The two-day event forms part of the NTP under the Strategic Reform Initiative (SRI) to conduct trade events and business match-making opportunities. Zahri said the agency did not monitor business transactions for CSM-ACE 2012 and added that the main focus was on raising the profile of security issues.
The conference portion of the event features three tracks: Governance, Standards & Compliance; Technical; and Business Continuity Management.
Speakers include managing director of BAE Detica South East Asia Richard Watson; Fortinet's regional director for South-East Asia Datuk George Chang; Malaysian Communications and Multimedia Commission (MCMC) senior director Lt Col Asmuni Yusof (R); and Md Shah Nuri Zain, Under Secretary, Cyber & Space Security Division, National Security Council, Prime Minister's Department.
ICT infrastructure solutions provider HeiTech Managed Services is the official partner for the Business Continuity Management track.
Fong Chiok Hin (above pic, left), director of Disaster Recovery & Infrastructure Management for HeiTech, said that globally, especially after the September 11 attacks, the topic of disaster recovery has been growing in importance for many companies.
“However, in Malaysia when it comes to disaster recovery readiness, we have a long way to go,” he said.
The focus of the track will be on showcasing to attendees what can happen in the event of a disaster with a look at the business impact of the floods in Thailand and the tsunami in Japan in 2011.
“Business continuity and disaster recovery is of paramount concern to organizations, not only because of the potential loss of information and data but also the detrimental impact it will have on the business,” Fong added.
Over 300 delegates from around the region are expected to attend CSM-ACE 2012, slated to be held at Double Tree Hilton Kuala Lumpur from Nov 6-7.