KUALA LUMPUR, Feb 23 — Communications and Digital Minister Fahmi Fadzil has recommended regular security reviews of government systems and applications such as MyJPJ that handle Malaysians’ personal data.

He said these reviews should be carried out by the agencies that own the apps and systems, to ensure that they were secure and not at risk of being compromised.

“Ensure applications are built through a product safety assessment process and get certification based on the international standard Common Criteria ISO/IEC 15408;

“Make an assessment of the security level of the application ecosystem to identify vulnerabilities in the hardware and software through Vulnerability Assessment and Penetration Testing (VAPT), and implement an Information Security Management System (ISMS) based on the international standard ISO/IEC 27001.

“This helps information security management to be implemented holistically and efficiently by identifying risks at every aspect of the life cycle and data/information ecosystem,” Fahmi said.

He added that the ISMS is also a mechanism that can ensure overall information and data security governance, increase resilience, maintain availability, and guarantee continuity in the service delivery system.

He was responding to Barisan Nasional’s (BN) Ayer Hitam MP Datuk Seri Wee Ka Siong, who raised the possibility of personal data leaks in the MyJPJ application.

Fahmi then pointed out that the MyJPJ app is owned by the Road Transport Department (JPJ), a government agency, which was exempt from the Personal Data Protection Act 2010.

“In this regard, any critical system that includes information (electronic) assets, networks, functions, processes, facilities and services in the information and communication technology (ICT) environment that is important to the country and has the potential to impact national defence, security, the country's economic stability, the country's image, the government's ability to function, public health and safety as well as individual privacy is categorized as Critical National Information Infrastructure (CNII).

“CNII is regulated by the National Cyber Security Agency (NACSA) which is an agency under the National Security Council (MKN). A total of 11 sectors have been identified as CNII sectors including the transport sector,” he said.

He added that this initial assessment is also made based on existing technologies and known threats.

“Security issues found during the evaluation were also analysed and described in a report,” Fahmi said.