Navigating Malaysia’s Cyber Security Act 2024: My Suggested Guide for NCII Entities

Malaysia’s Cyber Security Act 2024 (Act 854) has significantly elevated the cybersecurity standards for National Critical Information Infrastructure (NCII) entities. To ensure compliance and safeguard sensitive information, organizations must implement robust cybersecurity policies. This article provides a comprehensive guide to designing and implementing effective cybersecurity policies aligned with Act 854.

3 Key Steps to Designing Effective Cybersecurity Policies:

1. Comprehensive Risk Assessment

  • Identify Critical Assets: Determine the organization’s most valuable assets, including systems, data, and infrastructure.
  • Assess Threats and Vulnerabilities: Conduct a thorough risk assessment to identify potential threats like cyberattacks, data breaches, and insider threats.
  • Prioritize Risks: Rank risks based on their potential impact and likelihood of occurrence.

2. Policy Development and Implementation

  • Policy Framework: Establish a comprehensive cybersecurity policy framework that covers all aspects of information security, including:
      • Access Control: Implement strong access controls to limit unauthorized access to sensitive systems and data.
      • Data Protection: Develop policies to protect sensitive data, including data classification, encryption, and secure data handling practices.
      • Incident Response: Create a detailed incident response plan to effectively respond to security breaches.
      • Business Continuity and Disaster Recovery: Implement measures to ensure business continuity and minimize downtime in the event of a cyberattack.
  • Employee Awareness and Training: Conduct regular cybersecurity awareness training to educate employees about best practices, such as:
      • Strong password hygiene
      • Phishing and social engineering awareness
      • Secure remote work practices
      • Data handling and privacy

3. Continuous Monitoring and Improvement

  • Security Monitoring: Implement robust security monitoring tools to detect and respond to threats in real-time.
  • Regular Reviews and Updates: Conduct periodic reviews of cybersecurity policies and procedures to ensure they remain effective and aligned with evolving threats.
  • Incident Response Testing: Conduct regular incident response simulations to assess the organization’s preparedness and identify areas for improvement.

Compliance with Act 854

To ensure compliance with Act 854, NCII entities need to:

  • Appoint Information Security Officers in Charge: Designate a CISO responsible for overseeing cybersecurity strategy and compliance, plus at least two officers at working level.
  • Conduct Regular Cybersecurity Assessments: Perform regular assessments to identify vulnerabilities and potential threats.
  • Implement Strong Access Controls: Enforce strong access controls to protect sensitive information.
  • Data Protection and Privacy: Implement measures to protect personal data and comply with data protection regulations.
  • Incident Response and Reporting: Establish effective incident response procedures and promptly report security breaches to relevant authorities.
  • Cybersecurity Awareness and Training: Conduct regular cybersecurity awareness training for employees.

Conclusion

By following these guidelines and adhering to the requirements of Act 854, NCII entities can significantly enhance their cybersecurity posture and protect their critical infrastructure. Remember, cybersecurity is an ongoing process that requires continuous vigilance and adaptation to evolving threats.
