Introduction
MyISGRC is a web-based application developed as a digital tool. The Malaysian Information Security Governance, Risk Management And Compliance web application (MyISGRC App) was developed under the Cyber Security Development Project for Public Sector (CSDeP).
MyISGRC applications include the Questionnaire Components, Technical Verification Reports, MyISGRC Results and Information Security Improvement Recommendations to assist agencies in managing information security in accordance with the requirements of the Public Sector Cyber Security Framework (RAKKSSA).
The MyISGRC concept refers to the three (3) specific integrated approaches:
- Governance – including information security and information security framework (eg policies, procedures, controls and organizational structures) used for managing the security of agency information;
- Risk Management – identify, manage, and mitigate the risks potentially affecting agency operations; and
- Compliance – meets the required regulations, or the government’s mandate for information security.
These three elements play an important role in managing the security of agency information adapted in the MyISGRC App with justification as follows:
- Governance focuses on information security management that should be addressed by top management of the organization. Activities in the elements of Governance require top management to make a complete and timely decision; and
- Compliance with various rules by agencies involves a very high cost. Accordingly, compliance must adopt a risk-based approach. This will enable the agency to focus on the most important issues, regulations or laws of an agency.
Objectives / Purpose
The objectives of Malaysian Information Security Governance, Risk Management and Compliance (MyISGRC) are to assess the current state of information security health of Public Sector Agencies thus, allowing their managements to make an informed business decisions and also to help managing the information security threats and challenges faced by the agencies. Thus, it improves the agencies’ preparedness towards information security.
MyISGRC is an assessment tool for agencies to measure availability and initiatives in governance, risk management and information security compliance in addressing information security issues & problems. MyISGRC combines self-assessment and the technical validation exercise which covers the vulnerability scanning for three main areas i.e. host, network and wifi. As for the self-assessment part, there are five (5) major components in MyISGRC namely Governance, Risk Management, Competence and Culture, Technical Operations and Physical Security. Under each component, a comprehensive assessment is conducted to determine the maturity and compliance of the agency on information security governance, risk management and compliance to standards and related regulations.
Based on the results of the assessment produced by MyISGRC, the management of the agency can understand the current state of agency information security level and identify current gaps. This can help the management to decide, plan and execute appropriate actions to fill-in the gap, and improve the readiness of the agency in overall information security management. For example, they can focus more on an area that is still weak in managing the agency’ information security and arrange for resource planning or specific information security programme.
References (Circulars / Guidelines / Presentation Papers)
Presentation paper – CAPAM 2018 International Innovations Awards (IIA)
Contact Information
Officers who manage advisory services on MyISGRC are as follows:
- Mrs. Norfizah binti Mat Nor
Principle Assistant Director
No. Tel: 03-8872 7411
E-mail: norfizah@mampu.gov.my - Mrs. Haslinda binti Mat Akhir
Senior Assistant Director
No. Tel: 03-8872 3155
E-mail: haslinda@mampu.gov.my
Updated 01.07.2019