Glossary
No. | Type of Malicious Activity | Description |
---|---|---|
1 | XSS | Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser-side script, to a different end user. Once a malicious script runs in the context of an otherwise trusted website, it can access potentially sensitive user data such as cookies. |
2 | SQL Injection | SQL injection is a code injection technique used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution. A successful SQL injection exploit can read sensitive data from the database, modify database data (insert/update/delete), execute administrative operations on the database (such as shutting down the DBMS), recover the content of a given file present on the DBMS file system and, in some cases, issue commands to the operating system. |
3 | Clickjacking | Clickjacking is a malicious technique of tricking a user into clicking on something different from what the user perceives, thus potentially revealing confidential information. The attacker can gain control over features of the user's computer, turning them on and off, such as enabling the microphone and camera when a JavaScript prompt asks for permission to access them. It could also pull location data from the computer or other details that could facilitate future crimes. |
4 | High | Exposed to the vulnerability; quite easy to penetrate and compromise; requires some skill to perform the attack. |
5 | DDoS | A Distributed Denial-of-Service (DDoS) attack occurs when multiple systems flood the bandwidth or resources of a targeted system, usually one or more web servers. A DDoS attack uses more than one unique IP address or machine, often thousands of hosts infected with malware. Put simply, the attack exhausts the target's network resources, making them unavailable to its intended users by temporarily or indefinitely disrupting the services of a host connected to the Internet. |
5 | Credential Stuffing | Credential stuffing is a type of cyberattack in which stolen account credentials, typically consisting of lists of usernames and/or email addresses and the corresponding passwords, are used to gain unauthorized access to user accounts through large-scale automated login requests directed against a web application. |
6 | Social Engineering | Social engineering is the psychological manipulation of people into performing actions or divulging confidential information. These human-hacking scams lure unsuspecting users into exposing data, spreading malware infections, or giving access to restricted systems. |
Compliance Mapping
NIST
Compliance | Reference | Best Practices | Recommended Documents |
---|---|---|---|
Policy & Procedure | AC - Access Control; AT - Awareness & Training; AU - Audit & Accountability; CA - Assessment, Authorization & Monitoring; CM - Configuration Management; CP - Contingency Planning; IA - Identification & Authentication; IR - Incident Response; MA - Maintenance; PE - Physical & Environmental Protection; PL - Planning; PM - Project Management; PS - Personnel Security; PT - PII Processing & Transparency; RA - Risk Assessment; SA - System & Services Acquisition; SC - System & Communication Protection; SI - System & Information Integrity; SR - Supply Chain Risk Management | The organization shall define duties and areas of responsibility so as to reduce opportunities for unauthorized or unintentional modification or misuse of the organization's assets. Information security shall be addressed in project management regardless of the type of project. | Information Security Policy |
Management Involvement | PM - Project Management | All information security responsibilities shall be defined and allocated. | Organization Chart; Definition of Security Roles and Responsibilities; List of Interested Parties, Legal and Other Requirements; Mobile Device Policy; Teleworking Policy |
Human Resource Security | PS - Personnel Security | Background verification checks on all candidates for employment shall be carried out in accordance with relevant laws, regulations and ethics. Contractual agreements with employees and contractors shall state their and the organization's responsibilities for information security. Management shall require all employees and contractors to apply information security in accordance with established policies. | Human Resource Procedure; Human Resource Handbook; Job Application Form; Employee Application Form |
Asset Management | CP - Contingency Planning | The organization shall identify organizational assets to ensure that information receives an appropriate level of protection in accordance with its importance to the organization. | Information Classification and Handling Procedure; Media Handling Procedure; Asset Inventory List; Information/Media Removal Form |
Risk Management | RA - Risk Assessment | The organization shall define and apply an information security risk assessment process to ensure the information security management system can achieve its intended outcomes. | Risk Assessment and Risk Treatment Methodology; Risk Treatment Plan; Risk Assessment Report |
Access Control | AC - Access Control | The organization shall limit access to information and information processing facilities, and users shall safeguard their authentication information. | Access Control Policy; Password Policy; Access Register Form |
Operations | CA - Assessment, Authorization, and Monitoring | The organization needs to establish proper IT operating procedures. All access and backups shall be recorded. | Operating Procedures for IT Management; Change Management Process; Change Management Form; Logs of user activities, exceptions, and security events; Logs of system administrator and system user activities, exceptions, faults and security events; Security Metrics Operation Form |
Cryptography | SC - System & Communication Protection | The organization shall ensure proper and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of information. | Cryptography Policy |
Communication Security | SC - System & Communication Protection | Network access for staff and visitors shall be separated. The organization must use an email disclaimer in the email footer for information transfer security. | Information Transfer Policy |
Application Security | SA - System & Services Acquisition; SC - System & Communication Protection; SI - System & Information Integrity | The organization shall ensure that information security is designed and implemented within the development lifecycle of information systems. | Secure Development Policy; Secure System Engineering Principles; User Acceptance Testing |
Incident Management | SC - System & Communication Protection | The organization shall establish procedures to ensure a quick, effective and orderly response to information security events and weaknesses. | Incident Management Procedure; Incident Response Form |
Business Continuity | IR - Incident Response | The organization needs to establish proper backups to ensure information is secured and business can continue. | Business Continuity Procedures |
Physical & Environmental Security | IR - Incident Response | The organization shall prevent unauthorized physical access to the organization's information that could lead to loss, damage, theft or compromise of assets and interruption to the organization's operations. | Clear Desk and Clear Screen Policy; Visitor Logbook |
Supplier Management | PE - Physical & Environmental Protection | The organization shall maintain an agreed level of information security and service delivery in line with supplier agreements to ensure protection of the organization's assets. | NDA Template; SLA Agreement; Contractor Performance Evaluation Form |
Awareness & Training | SR - Supply Chain Risk Management | All employees of the organization and, where relevant, contractors shall receive appropriate awareness education and training and regular updates on organizational policies and procedures as relevant to their job function. | Training Request Form; Security Metric Awareness Form; Evidence of Competence |
Compliance | AT - Awareness & Training | List all Malaysian Acts the organization needs to comply with: Personal Data Protection Act; Minimum Wages Order; Contract Act; Employee Provident Fund; Employee Social Security. Policies and procedures shall be reviewed periodically by the organization. | Statutory, Regulatory, and Contractual Requirements; All Policies and Procedures |
ISO 27001:2013
Compliance | Reference | Best Practices | Recommended Documents |
---|---|---|---|
Policy & Procedure | A5 Information Security Policies (insert sub-clauses) | The organization shall define duties and areas of responsibility so as to reduce opportunities for unauthorized or unintentional modification or misuse of the organization's assets. Information security shall be addressed in project management regardless of the type of project. | Information Security Policy |
Management Involvement | Clause 4 Context of the Organization; Clause 5 Leadership; A6 Organization of Information Security | All information security responsibilities shall be defined and allocated. | Organization Chart; Definition of Security Roles and Responsibilities; List of Interested Parties, Legal and Other Requirements; Mobile Device Policy; Teleworking Policy |
Human Resource Security | A7 Human Resource Security | Background verification checks on all candidates for employment shall be carried out in accordance with relevant laws, regulations and ethics. Contractual agreements with employees and contractors shall state their and the organization's responsibilities for information security. Management shall require all employees and contractors to apply information security in accordance with established policies. | Human Resource Procedure; Human Resource Handbook; Job Application Form; Employee Application Form |
Asset Management | A8 Asset Management | The organization shall identify organizational assets to ensure that information receives an appropriate level of protection in accordance with its importance to the organization. | Information Classification and Handling Procedure; Media Handling Procedure; Asset Inventory List; Information/Media Removal Form |
Risk Management | Clause 6 Planning | The organization shall define and apply an information security risk assessment process to ensure the information security management system can achieve its intended outcomes. | Risk Assessment and Risk Treatment Methodology; Risk Treatment Plan; Risk Assessment Report |
Access Control | A9 Access Control | The organization shall limit access to information and information processing facilities, and users shall safeguard their authentication information. | Access Control Policy; Password Policy; Access Register Form |
Operations | Clause 8 Operation; A12 Operations Security | The organization needs to establish proper IT operating procedures. All access and backups shall be recorded. | Operating Procedures for IT Management; Change Management Process; Change Management Form; Logs of user activities, exceptions, and security events; Logs of system administrator and system user activities, exceptions, faults and security events; Security Metrics Operation Form |
Cryptography | A10 Cryptography | The organization shall ensure proper and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of information. | Cryptography Policy |
Communication Security | A13 Communication Security | Network access for staff and visitors shall be separated. The organization must use an email disclaimer in the email footer for information transfer security. | Information Transfer Policy |
Application Security | A14 System Acquisition, Development & Maintenance | The organization shall ensure that information security is designed and implemented within the development lifecycle of information systems. | Secure Development Policy; Secure System Engineering Principles; User Acceptance Testing |
Incident Management | A16 Information Security Incident Management | The organization shall establish procedures to ensure a quick, effective and orderly response to information security events and weaknesses. | Incident Management Procedure; Incident Response Form |
Business Continuity | A17 Information Security Aspects of BCM | The organization needs to establish proper backups to ensure information is secured and business can continue. | Business Continuity Procedures |
Physical & Environmental Security | A11 Physical and Environmental Security | The organization shall prevent unauthorized physical access to the organization's information that could lead to loss, damage, theft or compromise of assets and interruption to the organization's operations. | Clear Desk and Clear Screen Policy; Visitor Logbook |
Supplier Management | A15 Supplier Relationships | The organization shall maintain an agreed level of information security and service delivery in line with supplier agreements to ensure protection of the organization's assets. | NDA Template; SLA Agreement; Contractor Performance Evaluation Form |
Awareness & Training | Clause 7 Support | All employees of the organization and, where relevant, contractors shall receive appropriate awareness education and training and regular updates on organizational policies and procedures as relevant to their job function. | Training Request Form; Security Metric Awareness Form; Evidence of Competence |
Compliance | Clause 9 Performance Evaluation | List all Malaysian Acts the organization needs to comply with: Personal Data Protection Act; Minimum Wages Order; Contract Act; Employee Provident Fund; Employee Social Security. Policies and procedures shall be reviewed periodically by the organization. | Statutory, Regulatory, and Contractual Requirements; All Policies and Procedures |
KPKT
Compliance | Reference | Best Practices | Recommended Documents |
---|---|---|---|
Policy & Procedure | 5.3.6 Information Security | The organization shall define duties and areas of responsibility so as to reduce opportunities for unauthorized or unintentional modification or misuse of the organization's assets. Information security shall be addressed in project management regardless of the type of project. | Information Security Policy |
Management Involvement | 5.2 Organization Requirement | All information security responsibilities shall be defined and allocated. | Organization Chart; Definition of Security Roles and Responsibilities; List of Interested Parties, Legal and Other Requirements; Mobile Device Policy; Teleworking Policy |
Human Resource Security | | Background verification checks on all candidates for employment shall be carried out in accordance with relevant laws, regulations and ethics. Contractual agreements with employees and contractors shall state their and the organization's responsibilities for information security. Management shall require all employees and contractors to apply information security in accordance with established policies. | Human Resource Procedure; Human Resource Handbook; Job Application Form; Employee Application Form |
Asset Management | 5.3.6 (ii) Guidelines / SOP for Critical Asset; 5.3.6 (x) Information Classification | The organization shall identify organizational assets to ensure that information receives an appropriate level of protection in accordance with its importance to the organization. | Information Classification and Handling Procedure; Media Handling Procedure; Asset Inventory List; Information/Media Removal Form |
Risk Management | 5.3.1 Risk Management; 5.3.2 IT Operation - Defence, Security, Capacity Planning; Lampiran 1(b) – 8(a) Risk Management | The organization shall define and apply an information security risk assessment process to ensure the information security management system can achieve its intended outcomes. | Risk Assessment and Risk Treatment Methodology; Risk Treatment Plan; Risk Assessment Report |
Access Control | 5.3.5 Access Control; 5.3.6 (vii) Remote Access with Multi-Factor Authentication; Lampiran 1(b) – 8(d) Access Control; Lampiran 1(b) – 8(e) Application with Multi-Factor Authentication | The organization shall limit access to information and information processing facilities, and users shall safeguard their authentication information. | Access Control Policy; Password Policy; Access Register Form |
Operations | 5.3.2 IT Operation - Defence, Security, Capacity Planning; 5.3.6 (ii) Guidelines / SOP for Critical Asset; 5.3.6 (ix) Audit Log and Log Retention; 5.3.6 (xi) Latest OS and Application (Server Hardening); 5.3.6 (v) Penetration Test of System and Network; Lampiran 1(b) - 7 Data Retention; Lampiran 1(b) – 8(c) Security Posture Assessment (SPA) | The organization needs to establish proper IT operating procedures. All access and backups shall be recorded. | Operating Procedures for IT Management; Change Management Process; Change Management Form; Logs of user activities, exceptions, and security events; Logs of system administrator and system user activities, exceptions, faults and security events; Security Metrics Operation Form |
Cryptography | 5.1.3 Digital Signature – PKI Based; 5.3.3 Cryptography | The organization shall ensure proper and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of information. | Cryptography Policy |
Communication Security | Lampiran 1(b) - 3(b) Domain Info; Lampiran 1(b) - 3(c) Server Location; Lampiran 1(b) - 7 Data Retention | Network access for staff and visitors shall be separated. The organization must use an email disclaimer in the email footer for information transfer security. | Information Transfer Policy |
Application Security | 5.3.1 System Development; Lampiran 1(b) - 8(b) Functional Test & Performance Test | The organization shall ensure that information security is designed and implemented within the development lifecycle of information systems. | Secure Development Policy; Secure System Engineering Principles; User Acceptance Testing |
Incident Management | 5.3.7 Continuous Monitoring / Incident Reporting / Business Continuity & Disaster Recovery | The organization shall establish procedures to ensure a quick, effective and orderly response to information security events and weaknesses. | Incident Management Procedure; Incident Response Form |
Business Continuity | 5.3.7 Continuous Monitoring / Incident Reporting / Business Continuity & Disaster Recovery | The organization needs to establish proper backups to ensure information is secured and business can continue. | Business Continuity Procedures |
Physical & Environmental Security | 5.3.6 (iii) Physical Security | The organization shall prevent unauthorized physical access to the organization's information that could lead to loss, damage, theft or compromise of assets and interruption to the organization's operations. | Clear Desk and Clear Screen Policy; Visitor Logbook |
Supplier Management | 5.3.3 Supplier Management – PDPA Compliance | The organization shall maintain an agreed level of information security and service delivery in line with supplier agreements to ensure protection of the organization's assets. | NDA Template; SLA Agreement; Contractor Performance Evaluation Form |
Awareness & Training | | All employees of the organization and, where relevant, contractors shall receive appropriate awareness education and training and regular updates on organizational policies and procedures as relevant to their job function. | Training Request Form; Security Metric Awareness Form; Evidence of Competence |
Compliance | 5.4 KPKT Audit; Lampiran 1(b) – 8(g) Internal Audit as ISMS Compliance; Lampiran 1(b) – 8(h) Risk Management towards Interoperability, Scalability and Sustainability; Lampiran 1(b) – 8(f) Digital Certificates from SKMM Licensed Certification Bodies; Lampiran 1(b) – 9 Personal Data Protection | List all Malaysian Acts the organization needs to comply with: Personal Data Protection Act; Minimum Wages Order; Contract Act; Employee Provident Fund; Employee Social Security. Policies and procedures shall be reviewed periodically by the organization. | Statutory, Regulatory, and Contractual Requirements; All Policies and Procedures |
RMIT
Compliance | Reference | Best Practices | Recommended Documents |
---|---|---|---|
Policy & Procedure | Part B: 8 - Governance; Part B: 9 - Technology Risk Management; Part B: 10 - Technology Operations Management; Part B: 11 - Cybersecurity Management; Part B: 12 - Technology Audit; Part B: 13 - Internal Awareness & Training | The organization shall define duties and areas of responsibility so as to reduce opportunities for unauthorized or unintentional modification or misuse of the organization's assets. Information security shall be addressed in project management regardless of the type of project. | Information Security Policy |
Management Involvement | Part B: 8 Governance - Responsibilities of the Board of Directors; Part B: 8 Governance - Responsibilities of Senior Management | All information security responsibilities shall be defined and allocated. | Organization Chart; Definition of Security Roles and Responsibilities; List of Interested Parties, Legal and Other Requirements; Mobile Device Policy; Teleworking Policy |
Human Resource Security | Part B: 8 Governance - Responsibilities of Senior Management | Background verification checks on all candidates for employment shall be carried out in accordance with relevant laws, regulations and ethics. Contractual agreements with employees and contractors shall state their and the organization's responsibilities for information security. Management shall require all employees and contractors to apply information security in accordance with established policies. | Human Resource Procedure; Human Resource Handbook; Job Application Form; Employee Application Form |
Asset Management | Part B: 11 - Cybersecurity Management - Data Loss Prevention (DLP); Appendix 1 - Storage and Transportation of Sensitive Data in Removable Media | The organization shall identify organizational assets to ensure that information receives an appropriate level of protection in accordance with its importance to the organization. | Information Classification and Handling Procedure; Media Handling Procedure; Asset Inventory List; Information/Media Removal Form |
Risk Management | Part B: 9 Technology Risk Management; Part C: 15 Assessment & Gap Analysis; Appendix 7 Risk Assessment Report | The organization shall define and apply an information security risk assessment process to ensure the information security management system can achieve its intended outcomes. | Risk Assessment and Risk Treatment Methodology; Risk Treatment Plan; Risk Assessment Report |
Access Control | Part B: 10 - Technology Operations Management - Access Control; Part B: 10 - Technology Operations Management - Security of Digital Services; Appendix 3 Control Measures on Internet Banking | The organization shall limit access to information and information processing facilities, and users shall safeguard their authentication information. | Access Control Policy; Password Policy; Access Register Form |
Operations | Part B: 11 - Cybersecurity Management - Cybersecurity Operations; Part B: 10 - Technology Operations Management - Patch and End-of-Life System Management; Appendix 2 Control Measures on Self-service Terminals (SSTs); Appendix 5 Control Measures on Cybersecurity; Appendix 7 Risk Assessment Report | The organization needs to establish proper IT operating procedures. All access and backups shall be recorded. | Operating Procedures for IT Management; Change Management Process; Change Management Form; Logs of user activities, exceptions, and security events; Logs of system administrator and system user activities, exceptions, faults and security events; Security Metrics Operation Form |
Cryptography | Part B: 10 - Technology Operations Management - Cryptography; Appendix 2 Control Measures on Self-service Terminals (SSTs) | The organization shall ensure proper and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of information. | Cryptography Policy |
Communication Security | Part B: 10 - Technology Operations Management - Network Resilience | Network access for staff and visitors shall be separated. The organization must use an email disclaimer in the email footer for information transfer security. | Information Transfer Policy |
Application Security | Part B: 10 - Technology Operations Management - System Development & Acquisition; Appendix 4 Control Measures on Mobile Application and Devices | The organization shall ensure that information security is designed and implemented within the development lifecycle of information systems. | Secure Development Policy; Secure System Engineering Principles; User Acceptance Testing |
Incident Management | Part B: 11 - Cybersecurity Management - Cyber Response & Recovery | The organization shall establish procedures to ensure a quick, effective and orderly response to information security events and weaknesses. | Incident Management Procedure; Incident Response Form |
Business Continuity | Part B: 11 - Cybersecurity Management - Cyber Response & Recovery | The organization needs to establish proper backups to ensure information is secured and business can continue. | Business Continuity Procedures |
Physical & Environmental Security | Part B: 10 - Technology Operations Management - Data Centre Resilience | The organization shall prevent unauthorized physical access to the organization's information that could lead to loss, damage, theft or compromise of assets and interruption to the organization's operations. | Clear Desk and Clear Screen Policy; Visitor Logbook |
Supplier Management | Part B: 10 - Technology Operations Management - Third Party Service Provider Management; Appendix 9 Supervisory Expectations on External Party Assurance | The organization shall maintain an agreed level of information security and service delivery in line with supplier agreements to ensure protection of the organization's assets. | NDA Template; SLA Agreement; Contractor Performance Evaluation Form |
Awareness & Training | Part B: 13 Internal Awareness and Training | All employees of the organization and, where relevant, contractors shall receive appropriate awareness education and training and regular updates on organizational policies and procedures as relevant to their job function. | Training Request Form; Security Metric Awareness Form; Evidence of Competence |
Compliance | Part B: 12 Technology Audit | List all Malaysian Acts the organization needs to comply with: Personal Data Protection Act; Minimum Wages Order; Contract Act; Employee Provident Fund; Employee Social Security. Policies and procedures shall be reviewed periodically by the organization. | Statutory, Regulatory, and Contractual Requirements; All Policies and Procedures |
PCI DSS 3.2.1
Compliance | Reference | Best Practices | Recommended Documents |
---|---|---|---|
Policy & Procedure | Requirement 7: Restrict access to cardholder data by business need-to-know; Requirement 12: Maintain a policy that addresses information security for all personnel | The organization shall define duties and areas of responsibility so as to reduce opportunities for unauthorized or unintentional modification or misuse of the organization's assets. Information security shall be addressed in project management regardless of the type of project. | Information Security Policy |
Management Involvement | Requirement 12: Maintain a policy that addresses information security for all personnel | All information security responsibilities shall be defined and allocated. | Organization Chart; Definition of Security Roles and Responsibilities; List of Interested Parties, Legal and Other Requirements; Mobile Device Policy; Teleworking Policy |
Human Resource Security | Requirement 12: Maintain a policy that addresses information security for all personnel | Background verification checks on all candidates for employment shall be carried out in accordance with relevant laws, regulations and ethics. Contractual agreements with employees and contractors shall state their and the organization's responsibilities for information security. Management shall require all employees and contractors to apply information security in accordance with established policies. | Human Resource Procedure; Human Resource Handbook; Job Application Form; Employee Application Form |
Asset Management | Requirement 9: Restrict physical access to cardholder data | The organization shall identify organizational assets to ensure that information receives an appropriate level of protection in accordance with its importance to the organization. | Information Classification and Handling Procedure; Media Handling Procedure; Asset Inventory List; Information/Media Removal Form |
Risk Management | Requirement 11: Regularly test security systems and processes | The organization shall define and apply an information security risk assessment process to ensure the information security management system can achieve its intended outcomes. | Risk Assessment and Risk Treatment Methodology; Risk Treatment Plan; Risk Assessment Report |
Access Control | Requirement 12: Maintain a policy that addresses information security for all personnel | The organization shall limit access to information and information processing facilities, and users shall safeguard their authentication information. | Access Control Policy; Password Policy; Access Register Form |
Operations | Requirement 5: Use and regularly update anti-virus software or programs; Requirement 9: Restrict physical access to cardholder data; Requirement 10: Track and monitor all access to network resources and cardholder data; Requirement 11: Regularly test security systems and processes | The organization needs to establish proper IT operating procedures. All access and backups shall be recorded. | Operating Procedures for IT Management; Change Management Process; Change Management Form; Logs of user activities, exceptions, and security events; Logs of system administrator and system user activities, exceptions, faults and security events; Security Metrics Operation Form |
Cryptography | Requirement 4: Encrypt transmission of cardholder data across open, public networks | The organization shall ensure proper and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of information. | Cryptography Policy |
Communication Security | Requirement 1: Install and maintain a firewall configuration to protect cardholder data; Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters; Requirement 10: Track and monitor all access to network resources and cardholder data | Network access for staff and visitors shall be separated. The organization must use an email disclaimer in the email footer for information transfer security. | Information Transfer Policy |
Application Security | Requirement 6: Develop and maintain secure systems and applications; Requirement 11: Regularly test security systems and processes | The organization shall ensure that information security is designed and implemented within the development lifecycle of information systems. | Secure Development Policy; Secure System Engineering Principles; User Acceptance Testing |
Incident Management | Requirement 3: Protect stored cardholder data; Requirement 12: Maintain a policy that addresses information security for all personnel | The organization shall establish procedures to ensure a quick, effective and orderly response to information security events and weaknesses. | Incident Management Procedure; Incident Response Form |
Business Continuity | Requirement 12: Maintain a policy that addresses information security for all personnel | The organization needs to establish proper backups to ensure information is secured and business can continue. | Business Continuity Procedures |
Physical & Environmental Security | Requirement 9: Restrict physical access to cardholder data | The organization shall prevent unauthorized physical access to the organization's information that could lead to loss, damage, theft or compromise of assets and interruption to the organization's operations. | Clear Desk and Clear Screen Policy; Visitor Logbook |
Supplier Management | Requirement 12: Maintain a policy that addresses information security for all personnel | The organization shall maintain an agreed level of information security and service delivery in line with supplier agreements to ensure protection of the organization's assets. | NDA Template; SLA Agreement; Contractor Performance Evaluation Form |
Awareness & Training | Requirement 12: Maintain a policy that addresses information security for all personnel | All employees of the organization and, where relevant, contractors shall receive appropriate awareness education and training and regular updates on organizational policies and procedures as relevant to their job function. | Training Request Form; Security Metric Awareness Form; Evidence of Competence |
Compliance | Requirement 3: Protect stored cardholder data | List all Malaysian Acts the organization needs to comply with: Personal Data Protection Act; Minimum Wages Order; Contract Act; Employee Provident Fund; Employee Social Security. Policies and procedures shall be reviewed periodically by the organization. | Statutory, Regulatory, and Contractual Requirements; All Policies and Procedures |
PCI DSS 4.0
Domain | Compliance | Best Practices | Recommended Document |
---|---|---|---|
Policy & Procedure | Requirement 7: Restrict Access to System Components and Cardholder Data by Business Need to Know. Requirement 12: Support Information Security with Organizational Policies and Programs. | The organization shall define and segregate duties and areas of responsibility to avoid conflicts that could lead to unauthorized or unintentional modification or misuse of the organization's assets. Information security shall be addressed in project management regardless of the type of project. | Information Security Policy |
Management Involvement | Requirement 12: Support Information Security with Organizational Policies and Programs. | All information security responsibilities shall be defined and allocated. | Organization Chart; Definition of Security Roles and Responsibilities; List of Interested Parties, Legal and Other Requirements; Mobile Device Policy; Teleworking Policy |
Human Resource Security | Requirement 12: Support Information Security with Organizational Policies and Programs. | Background verification checks on all candidates for employment shall be carried out in accordance with relevant laws, regulations and ethics. The contractual agreements with employees and contractors shall state their and the organization's responsibilities for information security. Management shall require all employees and contractors to apply information security in accordance with established policies. | Human Resource Procedure; Human Resource Handbook; Job Application Form; Employee Application Form |
Asset Management | Requirement 9: Restrict Physical Access to Cardholder Data. | The organization shall identify organizational assets to ensure that information receives an appropriate level of protection in accordance with its importance to the organization. | Information Classification and Handling Procedure; Media Handling Procedure; Asset Inventory List; Information/Media Removal Form |
Risk Management | Requirement 11: Test Security of Systems and Networks Regularly. | The organization shall define and apply an information security risk assessment process to ensure the information security management system can achieve its intended outcomes. | Risk Assessment and Risk Treatment Methodology; Risk Treatment Plan; Risk Assessment Report |
Access Control | Requirement 12: Support Information Security with Organizational Policies and Programs. | The organization shall limit access to information and information processing facilities, and users shall safeguard their authentication information. | Access Control Policy; Password Policy; Access Register Form |
Operations | Requirement 5: Protect All Systems and Networks from Malicious Software. Requirement 10: Log and Monitor All Access to System Components and Cardholder Data. Requirement 11: Test Security of Systems and Networks Regularly. | The organization needs to establish proper IT operation procedures. All access and backups need to be recorded. | Operating Procedures for IT Management; Change Management Process; Change Management Form; Logs of User Activities, Exceptions, and Security Events; Logs of System Administrator and System User Activities, Exceptions, Faults and Security Events; Security Metrics Operation Form |
Cryptography | Requirement 4: Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks | The organization shall ensure proper and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of information. | Cryptography policy |
Communication Security | Requirement 1: Install and Maintain Network Security Controls. Requirement 2: Apply Secure Configurations to All System Components. | Network access for staff and visitors needs to be separated. The organization must use an email disclaimer in the email footer for information transfer security. | Information Transfer Policy |
Application Security | Requirement 6: Develop and Maintain Secure Systems and Software. Requirement 11: Test Security of Systems and Networks Regularly. | The organization shall ensure that information security is designed and implemented within the development lifecycle of information systems. | Secure Development Policy; Secure System Engineering Principles; User Acceptance Testing |
Incident Management | Requirement 3: Protect Stored Account Data. Requirement 12: Support Information Security with Organizational Policies and Programs. | The organization shall establish procedures to ensure a quick, effective and orderly response to information security events and weaknesses. | Incident Management Procedure; Incident Response Form |
Business Continuity | Requirement 12: Support Information Security with Organizational Policies and Programs. | The organization needs to establish proper backups to ensure information is secured and the business can continue. | Business Continuity Procedures |
Physical & Environmental Security | Requirement 9: Restrict Physical Access to Cardholder Data. | The organization shall prevent unauthorized physical access to the organization's information that can lead to loss, damage, theft or compromise of assets, and interruption to the organization's information. | Clear Desk and Clear Screen Policy; Visitor Logbook |
Supplier Management | Requirement 12: Support Information Security with Organizational Policies and Programs. | The organization shall maintain an agreed level of information security and service delivery in line with supplier agreements to ensure protection of the organization's assets. | NDA Template; SLA Agreement; Contractor Performance Evaluation Form |
Awareness & Training | Requirement 12: Support Information Security with Organizational Policies and Programs. | All employees of the organization and, where relevant, contractors shall receive appropriate awareness education and training, and regular updates on organizational policies and procedures as relevant to their job function. | Training Request Form; Security Metric Awareness Form; Evidence of Competence |
Compliance | Requirement 3: Protect Stored Account Data. | List all Malaysian Acts that the organization needs to follow: Personal Data Protection Act; Minimum Wages Order; Contract Act; Employee Provident Fund; Employee Social Security. Policies and procedures need to be reviewed periodically by the organization. | Statutory, Regulatory and Contractual Requirements; All Policies and Procedures |
What is a Security Header?
Headers are part of the HTTP specification and define the metadata of the message in both the HTTP request and the HTTP response. While the HTTP message body is usually meant to be read by the user, the header metadata is processed only by the web browser (and server); headers have been part of the HTTP protocol since version 1.0.

Why is a Security Header Important?
Users only see the graphical interface of a website (no. 1 and no. 4 in the graphic), but between the browser and the web server the HTTP request and HTTP response (no. 2 and no. 3 in the graphic) play an important role. When serving a request, a good web server should include proper security headers in the HTTP response so that the browser enforces the protections that keep the connection and the page secure and intact.
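To make "proper security headers" concrete, here is an added example (written for this page, not code from the original) that parses a raw HTTP/1.x response and reports which common browser security headers are missing or weak. Which headers count as "proper" is the editor's assumption: Strict-Transport-Security with a max-age of at least 180 days (the HTTPS point made later on this page), X-Content-Type-Options set to nosniff, a framing restriction through X-Frame-Options or a CSP frame-ancestors directive (the defence against the clickjacking attack described in the glossary), and the presence of a Content-Security-Policy. The two sample responses are constructed for the example.

```python
"""Audit an HTTP response for common browser security headers.

Added example for this page, not from the original. The header set and
thresholds below are assumptions about what a "proper" response carries.
"""
from __future__ import annotations

import re
from typing import Dict, List

# Assumed minimum HSTS lifetime: 180 days in seconds.
MIN_HSTS_MAX_AGE = 180 * 24 * 60 * 60


def parse_response_headers(raw: str) -> Dict[str, str]:
    """Parse the header block of a raw HTTP/1.x response into a dict.

    Header names are case-insensitive, so keys are lower-cased. A header
    that appears more than once is joined with ", " as RFC 9110 permits.
    """
    sep = "\r\n\r\n" if "\r\n\r\n" in raw else "\n\n"
    head = raw.split(sep, 1)[0]
    lines = head.splitlines()
    if not lines or not lines[0].startswith("HTTP/"):
        raise ValueError("not an HTTP response: missing status line")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" not in line:
            continue  # tolerate a malformed line rather than abort the audit
        name, value = line.split(":", 1)
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return headers


def audit_security_headers(raw: str) -> List[str]:
    """Return a list of findings; an empty list means nothing to report."""
    h = parse_response_headers(raw)
    findings: List[str] = []

    # HSTS: present and with a long enough max-age.
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
        if m is None or int(m.group(1)) < MIN_HSTS_MAX_AGE:
            findings.append("Strict-Transport-Security max-age below 180 days")

    # Stop browsers from sniffing a different content type than declared.
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff'")

    # Clickjacking defence: either legacy X-Frame-Options or CSP frame-ancestors.
    xfo = h.get("x-frame-options", "").upper()
    csp = h.get("content-security-policy", "")
    if xfo not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in csp.lower():
        findings.append("no framing restriction (X-Frame-Options or CSP frame-ancestors)")

    # A CSP limits where scripts and other resources may load from (XSS containment).
    if not csp:
        findings.append("missing Content-Security-Policy")

    return findings


# Constructed sample responses (not captured from any real server).
GOOD_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: DENY\r\n"
    "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n"
    "\r\n"
    "<html><body>ok</body></html>"
)

BAD_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=300\r\n"
    "\r\n"
    "<html><body>ok</body></html>"
)

if __name__ == "__main__":
    for label, resp in (("good", GOOD_RESPONSE), ("bad", BAD_RESPONSE)):
        print(label, audit_security_headers(resp) or ["no findings"])
```

The parser deliberately keeps going past malformed header lines so that one odd line does not hide the findings for the rest of the response; feed it the raw text of a captured response (for example from your own server during testing) and act on the findings list.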

What is SSL?
SSL (Secure Sockets Layer) is the encryption layer placed underneath HTTP; HTTP with SSL implemented is HTTPS.

Why is SSL Important?
The primary reason why SSL is used is to keep sensitive information sent across the Internet encrypted so that only the intended recipient can access it. This is important because the information you send on the Internet is passed from computer to computer to get to the destination server.
