Archive for November, 2008

Some of the article reviews I wrote which are relevant to Information Security Management.

[1] IT Security in the USA, Japan and China : A Study on Initiatives and Trends within Policy, R&D, Industry and Technology.


[2] Managing Security Threats and Vulnerabilities for Small to Medium Enterprises


[3] National Cybersecurity Policy & Implementation for Government of Indonesia


[4] Certifying Information Security Management System



Last month of 2008

Wow, I haven’t blogged for a really long time. Moreover, I deleted the last few posts during the exam period because they contained too much whining and complaining due to exam stress. So this blog is actually even more outdated than it should be!

There’s about a month left before the end of the year. I am rather clueless as to how to finish the year interestingly. One or two achievements at something will be great. Climb a mountain? Develop a computer program?

I have started going to the gym again after a few months of inactivity. My parents and sisters keep bringing up the issue of me paying RM3000 for a 3-year gym membership, and seem too keen to prove that it was a bad decision. Anyway, today and yesterday I woke up early enough to make time for 45 minutes of gym before going to work. It feels really great 🙂

Also, I bought Korean for Dummies and a Hiragana workbook. I don’t plan to start learning Korean just yet, as I am still working on the Katakana and Hiragana of Japanese writing. It may be a bad habit, but I always buy books a few months before I start reading them. The presence of new books gives me a sense of urgency to finish whatever I am doing, so that I can start reading them. Weird but true.

Things to achieve before end of the month.

  1. Reduce my weight to 69kg
  2. Improve stamina and determination to last a 10 km jog
  3. Memorize and be fluent with Hiragana and Katakana
  4. Refresh memory on 500 Chinese Hanzi.

By hook or by crook or by book, I need to achieve something before the end of the year!


Back up

Businesses and organizations now depend heavily on Information Technology. However, there are many threats that could cause damage and harm to information as an asset.

Should these businesses and organizations back down from these threats, or should they back up?

The answer is obvious. They must back up. In this context, it means businesses and organizations must constantly back up information and data which they consider valuable. This could be customer data, trade secrets, intellectual property, software, multimedia files and so on. Creating a backup means creating copies of these data, so that if the original data is damaged or corrupted, it can be restored to its previous state from the backup. This ensures continuity of operations. In fact, backup has been recognized as an important element of an Information Security Management System as outlined in the ISO 27000 series.

The backup process is more than choosing Save As… in Microsoft Word. For businesses and organizations, data is usually very large in size and hence requires large-capacity storage media. The backup process must be automated, and must be done periodically. For this purpose, there are three main backup strategies that could be implemented: full backup, differential backup and incremental backup.

Full backup

Here, all information and data are copied into the backup. This is the easiest strategy, but might be costly in terms of processing and time when the data is too large.

For example,

          Original copy : I love chicken wings.

          Full backup : I love chicken wings.

          Changes to original copy : I love chicken wings and spaghetti.

          Full backup : I love chicken wings and spaghetti.

Differential backup

When the data is too large for frequent full backups, this strategy can be adopted instead. Here, only the changes to the data since the last full backup are stored. Thus, when data loss occurs, the original copy can be restored from the full backup file plus the latest differential backup file. This strategy reduces the need for frequent full backups, which can be an expensive operation.

For example,

          1) Original copy : I love chicken wings

              Full backup : I love chicken wings

          2) Changes to original copy : I love chicken wings and spaghetti

              Full backup : I love chicken wings

              Differential backup : and spaghetti

          3) Changes to original copy : I love chicken wings and spaghetti but not fish

              Full backup : I love chicken wings

              Differential backup : and spaghetti but not fish

Incremental backup

This strategy records the changes to the data since the last backup, whether full or incremental, in a separate file each time. Hence, we end up with many incremental backup files, which must be kept in sequence: restoring means applying the full backup and then every incremental backup in order.

For example,

          1) Original copy : I love chicken wings

              Full backup : I love chicken wings

          2) Changes to original copy : I love chicken wings and spaghetti

              Full backup : I love chicken wings

              Incremental backup : and spaghetti

          3) Changes to original copy : I love chicken wings and spaghetti but not fish

              Full backup : I love chicken wings

              Incremental backup : and spaghetti

              Incremental backup 2 : but not fish
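The three strategies above, worked through in code. This is an added example, not part of the original post: the "disk" is a constructed dict of file names to contents, a backup is a snapshot or a change set, and `restore` replays change sets onto the full backup. It also shows what goes wrong when one incremental file in the chain is lost.

```python
"""Full, differential and incremental backups over a toy dict-of-files 'disk'."""

DELETED = None  # marker in a change set for a file removed since the baseline


def diff(baseline, current):
    """Change set that turns `baseline` into `current`: added/modified files plus deletions."""
    changes = {name: text for name, text in current.items() if baseline.get(name) != text}
    changes.update({name: DELETED for name in baseline if name not in current})
    return changes


def apply_changes(base, changes):
    """Return a copy of `base` with one change set applied."""
    result = dict(base)
    for name, text in changes.items():
        if text is DELETED:
            result.pop(name, None)
        else:
            result[name] = text
    return result


def restore(full, change_sets):
    """Replay change sets, in order, on top of the full backup snapshot."""
    state = dict(full)
    for changes in change_sets:
        state = apply_changes(state, changes)
    return state


def demo():
    # Constructed sample: the post's note grows over three days; a second file appears on day 2.
    day1 = {"note.txt": "I love chicken wings"}
    day2 = {"note.txt": "I love chicken wings and spaghetti", "todo.txt": "buy tea"}
    day3 = {"note.txt": "I love chicken wings and spaghetti but not fish", "todo.txt": "buy tea"}
    full = dict(day1)                                   # day 1: full backup
    diff2, diff3 = diff(full, day2), diff(full, day3)   # differential: always against the full backup
    inc2, inc3 = diff(day1, day2), diff(day2, day3)     # incremental: against the previous backup
    return {
        "differential_sizes": [len(diff2), len(diff3)],   # cumulative since the full backup
        "incremental_sizes": [len(inc2), len(inc3)],      # only what changed since the last backup
        "from_differential": restore(full, [diff3]),      # full + latest differential is enough
        "from_incremental": restore(full, [inc2, inc3]),  # full + every incremental, in sequence
        "broken_chain": restore(full, [inc3]),            # inc2 missing: todo.txt is never restored
    }
```

The differential sets grow as the data drifts from the full backup, while each incremental set stays small; the price of the smaller incrementals is that losing any one of them silently loses data on restore.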

There are other important considerations besides choosing the strategy when planning a backup. The type of storage media, and where to store that media, must be decided carefully. Backup media must be stored away from the original copies to ensure they are not subject to the same risk, e.g. fire, natural disaster, power outage etc. The Prime Minister and Deputy Prime Minister are rarely seen together, not because they hate each other but to avoid being subject to the same risk. The same principle applies to backups!



Just now, a manager-level executive called for my help to change the desktop resolution of her superior’s computer. I went with her to the cubicle, and two other people were already there. As I was right-clicking the desktop to navigate to Properties, one of them said, “we can leave this to the Go expert.”

Haha, couldn’t help being proud 🙂 Calling me a Go expert was certainly an overrating, but I accept it nonetheless haha..

Apart from that, my boss seems to think that I have a side business, and countless people think I am doing a PhD instead of a Masters. I can’t be bothered to correct all these. Well, it does not hurt being overrated anyway.


For the past two days, I have been reading Internet scholarly materials on non-technical issues relating to Information Security. What I initially thought to be a boring subject (in contrast to the technical side of computer security) is slowly proving otherwise.

One of the study papers I read was titled “IT Security in the USA, Japan and China : A Study on Initiatives and Trends within Policy, R&D, Industry and Technology”, developed by the Swedish Institute for Growth Policy Studies. This paper was written with the objective of providing input to Vinnova on trends of importance for the funding of IT security R&D and for Swedish formulation of IT and innovation policy. The study paper was released in 2005 and runs to about 100 pages, but it is worth reading from front to back. The gem of this paper is the insight into the initiatives and concerns of the three leading world powers, the USA, Japan and China, and how they strategise to improve IT security.

United States of America (USA)

In the USA, IT security is not given high priority in comparison to other Homeland Security issues. This is reflected in the annual federal budget, in which cyber security R&D is allocated only 200 million USD while the total budget for Homeland Security was 10 billion USD. This is probably because IT incidents very rarely involve casualties. However, there have been significant investments by private entities.

Increased cybersecurity could be managed by industry initiatives or by increased government regulation. To the IT industry, regulation could be a threat to development, and market-based approaches are generally preferred. This leads to resistance in the US by several large companies within the IT industry to any kind of major government cyber security initiative that has an impact on policy formulation. Meeting regulatory requirements can also be a burden to businesses, which are naturally more concerned with making a profit than with compliance.

There has been continual development of the legislative framework since early 1996 through the passing of new security, accountability and privacy related Acts by Congress. While these Acts are not IT-specific, they have great implications for companies from an information security perspective. Among these Acts are:

Act                                                  Compliance cost (2005)
Sarbanes-Oxley Act                                   USD 6.1 billion
Gramm-Leach-Bliley Act                               USD 1.3 billion
Health Insurance Portability and Accountability Act  USD 3.7 billion

In brief, the Sarbanes-Oxley Act (SOX) requires information security to be employed to ensure the effectiveness of internal controls over financial reporting. It was introduced in 2002 to protect investors and shareholders by ensuring the integrity of financial reporting and forcing corporate officials to take full responsibility for the public disclosures required under the law. SOX was created in response to highly controversial financial fraud cases relating to companies such as Enron and WorldCom in 2002. The Act came into full enforcement in early 2005.

The Gramm-Leach-Bliley Act (GLBA), meanwhile, requires financial institutions to ensure the confidentiality, integrity and security of customer information, i.e. name, social security number, income and credit card history. The Health Insurance Portability and Accountability Act (HIPAA) instead governs privacy, security and electronic transactions for healthcare providers.

Japan

In contrast to the USA, Japan gives high priority to IT security. This can be seen from its commitment to local development and to partnerships in the international arena. For example, on September 9, 2003 Japan made an agreement with the USA that the two countries should embrace their roles as global leaders to create a “culture of security”. Japan has also had an agreement with the European Union since 2004 which includes initiatives to make the internet more secure by sharing perspectives and policy thinking and by fighting spam. Collaborations with neighbouring China and Korea were also established for the standardization of high-speed networks and for joint experimental trials.

The Japanese government’s strong commitment to promoting IT is reflected in its establishment of the IT Strategic Headquarters in the Cabinet Office, led by Prime Minister Junichiro Koizumi himself, with the participation of all ministers and eight additional non-government experts. The headquarters is tasked with promoting an advanced Japanese information and telecommunications network society.

China

IT security policy in China was born much later than in the USA or Japan, but it has been receiving attention from the Chinese government since the publication of Preliminary Suggestions on the Strengthening of IT Security in 2003 by the State Council Informatization Office. The document, which has now been renamed “Document 27 of the State Council”, is partly confidential as it touches on national security.

China’s strategy for building the nation’s IT security protection system adheres to two main principles:

  1. Active defending (jiji fangyu)
  2. All direction prevention (zonghe fangfan)

Taken together, these two principles mean that the whole of society should understand that IT security is a common responsibility of everyone, i.e. government, enterprises and private persons, and hence must take active defence measures through constant development of processes and technologies.

At the moment, China has a lot to worry about with regard to IT security. As outlined by Mr. Gu Jianguo, Deputy Director General of the Public Information Net Security Inspection Bureau of the Ministry of Public Security, some of China’s IT infrastructure weaknesses are (NS 2005C):

  1. Weak fundamental backup capability and infrastructure for IT security
  2. Some core technologies are still not fully controlled by China
  3. Very slow IT security research and development, and slow industrialization of security products

China, however, is placing a lot of importance on IPv6 development and infrastructure, and aims to have the largest IPv6 network in the future. IPv6 is Internet Protocol version 6, a large improvement over the currently widely deployed IPv4 in terms of security and address space. It has been said that Stanford University has more IPv4 addresses than China (some call it a myth and claim this has been debunked).

Well, a 100-page study is too much to summarise, but the above is as much as I could do. I don’t know where Malaysia stands in IT security in terms of development, research, policy and legislation. What I know is that if our IT infrastructure is not secured against cyber attacks, and there is no extensive legislation to punish wrongdoers, we can expect criminality to move into the digital realm fast. Many businesses, government agencies, organizations and financial institutions are dependent on IT. Hence, if IT infrastructure and processes are not secured, we can only expect these operations to be equally insecure. Disastrous!

Reference:

IT Security in the USA, Japan and China : A Study on Initiatives and Trends within Policy, R&D, Industry and Technology


The Joy of Tea

One more week before my exam. Nervous nervous.

I will sit for the Information Security Management System (ISMS) paper this coming Saturday. It’s the same day as the Malaysia selection tournament for the Three Country tournament 😦 . Of course, I will go for my exam! I am already in enough “trouble” for missing a few classes because of the World Mind Sports Games.

Anyway, I am glad that from now on, my study will be accompanied by a cup of Chinese tea. 🙂 Mom bought me a nice teapot and gave me her old teacup. I can now peacefully drink the Oolong tea that I bought in Beijing recently.

I feel a bit old doing all this, but I really enjoy tea very much. Can’t wait for my exams to be over so I can start studying Go with tea. Sometimes, a simple life can be such a great pleasure.

These few weeks, I have to be truly strong and calm mentally, and of course, disciplined.
