Posted on 19-Jan-2020
SOA PORTAL
DOCUMENT AND FILE EVIDENCE FOR THE ISMS
Prepared by the ISMS Secretariat Team

Columns of the original Statement of Applicability table: Clause / Control Title / Control / Applicability (Y/N) / Reason for selection (RR, SR/BP, RAR) / Reference / Justification. In the entries below, "Y" is the applicability mark and each "/" is a tick in one of the three reason-for-selection columns; which column each tick sat in was lost when the table was flattened.

A.5 Information security policies
A.5.1 Management direction for information security
Objective: To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.

A.5.1.1 Policies for information security
Control: A set of policies for information security shall be defined, approved by management, published and communicated to employees and relevant external parties.
Applicability: Y   Reason for selection: / /
Reference:
● MBPJ ICT Security Policy (Dasar Keselamatan ICT, DKICT) Version 3.2, approved in the minutes of the MKSP meeting of 30 May 2019
● Staff Declaration of Compliance with the Petaling Jaya City Council ICT Security Policy
● Third-Party Declaration of Compliance with the Petaling Jaya City Council ICT Security Policy
● ICT Security Policy briefing to staff and suppliers
● Display on the portal
● Distribution of the IT Bulletin
Justification: The DKICT is the policy that communicates the rules to be complied with and the responsibilities of MBPJ staff for the ICT assets that must be protected; third parties must also comply with these rules in order to reduce risk and threats. Endorsement is stated in the ISMS Manual.

A.5.1.2 Review of the policies for information security
Control: The policies for information security shall be reviewed at planned intervals or if significant changes occur to ensure their continuing suitability, adequacy and effectiveness.
Applicability: Y   Reason for selection: / /
Reference:
● DKICT Version 3.2
● DKICT 010103 Policy Maintenance
Justification: The policy is reviewed by the ICTSO at least once a year. The DKICT has been updated to version 3.2 and approved at the Management Review Meeting.

A.6 Organization of information security
A.6.1 Internal organization
Objective: To establish a management framework to initiate and control the implementation and operation of information security within the organization.

A.6.1.1 Information security roles and responsibilities
Control: All information security responsibilities shall be defined and allocated.
Applicability: Y   Reason for selection: /
Reference:
● DKICT Item 02 Organisational Security
● DKICT Item 04 Human Resource Security
● Meetings of the Community, Services, Corporate & Information Technology Committee
● CIO
● ICTSO
● ISMS Working Committee
● Desk File (Fail Meja)
● Handover Notes and Acting-Duty Letter (Nota Serah Tugas & Surat Tanggung Kerja)
Justification: Ensures that appointed candidates or third parties comply with the ICT asset security rules laid down before, during and after service.

A.6.1.2 Segregation of duties
Control: Conflicting duties and areas of responsibility shall be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization's assets.
Applicability: Y   Reason for selection: /
Reference:
● DKICT 060104 Segregation of Duties and Responsibilities
● Organisation chart, work procedure manual (MPK) and Desk File
Justification: To reduce the risk of abuse of authority and to simplify the division of tasks.

A.6.1.3 Contact with authorities
Control: Appropriate contacts with relevant authorities shall be maintained.
Applicability: Y   Reason for selection: /
Reference:
● List of names and telephone numbers to contact in the event of an emergency at the Data Centre
● Contractor contact details in the event of an incident in the Data Centre Control Room
Justification: So that the officers concerned can be reached in an emergency.

A.6.1.4 Contact with special interest groups
Control: Appropriate contacts with special interest groups or other specialist security forums and professional associations shall be maintained.
Applicability: Y   Reason for selection: /
Reference:
● Participation in the Technology Update (TU) for anti-virus
● SUK
● PSICT progress meetings with the PBT (local authorities)
● PSICT review workshop
Justification: To ensure an up-to-date and complete understanding of the information security environment, and to implement the ISMS and PSICT for the PBT.

A.6.1.5 Information security in project management
Control: Information security shall be addressed in project management, regardless of the type of the project.
Applicability: Y   Reason for selection: /
Reference:
● ICT Sub-Committee meetings
● Third-Party Declaration of Compliance with the Petaling Jaya City Council ICT Security Policy
● Contractor Security Declaration (Appendix A/B)
● Kick-off meeting minutes
Justification: To ensure that ICT security issues are identified and reported to management.

A.6.2 Mobile devices and teleworking
Objective: To ensure the security of teleworking and use of mobile devices.

A.6.2.1 Mobile device policy
Control: A policy and supporting security measures shall be adopted to manage the risks introduced by using mobile devices.
Applicability: Y   Reason for selection: /
Reference:
● DKICT 070601 Mobile Equipment
Justification: This control ensures ICT security at MBPJ in respect of this facility.

A.6.2.2 Teleworking
Control: A policy and supporting security measures shall be implemented to protect information accessed, processed or stored at teleworking sites.
Applicability: Y   Reason for selection: /
Reference:
● VPN Usage Application (MBPJ-ISMS-P3-003)
Justification: Use of the Forti SSL VPN Client for Virtual Private Network (VPN) access to the MBPJ internal network. Applies to IT staff only, according to the scope.

A.7 Human resource security
A.7.1 Prior to employment
Objective: To ensure that employees and contractors understand their responsibilities and are suitable for the roles for which they are considered.

A.7.1.1 Screening
Control: Background verification checks on all candidates for employment shall be carried out in accordance with relevant laws, regulations and ethics and shall be proportional to the business requirements, the classification of the information to be accessed and the perceived risks.
Applicability: Y   Reason for selection: /
Reference:
● Service Circular Chapter 'A' (Pekeliling Perkhidmatan Bab 'A')
● DKICT 020201 Security Requirements in Contracts with Third Parties
● Letter of Appointment
● Official Secrets Act 1972 (Staff Declaration)
● Staff Declaration of Compliance with the Petaling Jaya City Council ICT Security Policy
● Third-Party Declaration of Compliance with the Petaling Jaya City Council ICT Security Policy
Justification: Background verification checks of all staff and third parties carrying out responsibilities and services at MBPJ.

A.7.1.2 Terms and conditions of employment
Control: The contractual agreements with employees and contractors shall state their and the organization's responsibilities for information security.
Applicability: Y   Reason for selection: /
Reference:
● DKICT 040101 Security Responsibilities During Service
● Letter of Appointment
● Staff Declaration of Compliance with the Petaling Jaya City Council ICT Security Policy
● Third-Party Declaration of Compliance with the Petaling Jaya City Council ICT Security Policy
● Contractor Security Declaration (Appendix A/B)
● Contract Agreement
Justification: All terms and conditions of appointment are agreed to by staff and third parties.

A.7.2 During employment
Objective: To ensure that employees and contractors are aware of and fulfil their information security responsibilities.

A.7.2.1 Management responsibilities
Control: Management shall require all employees and contractors to apply information security in accordance with the established policies and procedures of the organization.
Applicability: Y   Reason for selection: /
Reference:
● DKICT Item 02 Organisational Security
● DKICT awareness briefing to staff and suppliers
● ICT Sub-Committee meetings
● Staff Declaration of Compliance with the Petaling Jaya City Council ICT Security Policy
● Third-Party Declaration of Compliance with the Petaling Jaya City Council ICT Security Policy
● DKICT 040101 Security Responsibilities During Service
Justification: To ensure that the organisation's security directives are complied with as laid down.

A.7.2.2 Information security awareness, education and training
Control: All employees of the organization and, where relevant, contractors shall receive appropriate awareness education and training and regular updates in organizational policies and procedures, as relevant for their job function.
Applicability: Y   Reason for selection: /
Reference:
● DKICT 040102 Terms and Conditions of Service
● DKICT 100105 Breaches of Legislation
● ICT Training Plan
● MBPJ Annual Course Calendar
● Induction Course
● ICT Security Policy briefing
● Letter of Appointment
● Transfer of Technology (informal)
Justification: To ensure that staff competence meets the quality standard for their area of work and reduces security risk.

A.7.2.3 Disciplinary process
Control: There shall be a formal and communicated disciplinary process in place to take action against employees who have committed an information security breach.
Applicability: Y   Reason for selection: /
Reference:
● State Gazette (Warta Negeri)
● Petaling Jaya Municipal Council Policy
● Warning Letter
Justification: Ensures that penalties are imposed on those who breach the rules.

A.7.3 Termination and change of employment
Objective: To protect the organization's interests as part of the process of changing or terminating employment.

A.7.3.1 Termination or change of employment responsibilities
Control: Information security responsibilities and duties that remain valid after termination or change of employment shall be defined, communicated to the employee or contractor and enforced.
Applicability: Y   Reason for selection: /
Reference:
● State Gazette (Warta Negeri)
● Petaling Jaya Municipal Council Policy
● Letter of Termination of Service
● Disciplinary Board
● User ID and Password Management Procedure (MBPJ-ISMS-P2-002)
Justification: The policy exists to reduce the risk of information disclosure after service has ended.

A.8 Asset management
A.8.1 Responsibility for assets
Objective: To identify organizational assets and define appropriate protection responsibilities.

A.8.1.1 Inventory of assets
Control: Assets associated with information and information processing facilities shall be identified and an inventory of these assets shall be drawn up and maintained.
Applicability: Y   Reason for selection: / /
Reference:
● DKICT 030101 Asset Inventory
● Capital Asset Register (KEW.PA-2)
● MyRAM Risk Assessment Report, Step 3 - Identification of Assets
Justification: Identify all ICT assets, record asset information in the asset management system and keep it up to date.

A.8.1.2 Ownership of assets
Control: Assets maintained in the inventory shall be owned.
Applicability: Y   Reason for selection: / /
Reference:
● DKICT Item 03 Asset Control and Classification
● MyAsset System (Capital Asset Register list, KEW.PA-4)
● MyRAM Report - List of Assets
Justification: All ICT assets are the property of MBPJ. The recipient of each asset is recorded in the MyAsset System, and each user is responsible for the ICT asset assigned to them.

A.8.1.3 Acceptable use of assets
Control: Rules for the acceptable use of information and of assets associated with information and information processing facilities shall be identified, documented and implemented.
Applicability: Y   Reason for selection: / /
Reference:
● DKICT Item 03 Asset Control and Classification
● Computer Equipment Loan Procedure at MBPJ (MBPJ-ISMS-P3-014)
● Computer Equipment Loan Form
● Meeting Equipment Usage Record
Justification: The user confirms the placement of the ICT assets assigned to them and is responsible for all ICT assets under their control.

A.8.1.4 Return of assets
Control: All employees and external party users shall return all of the organizational assets in their possession upon termination of their employment, contract or agreement.
Applicability: Y   Reason for selection: / /
Reference:
● Notification of New Appointments, Resignations and Retirements of Staff
● Letter of Termination of Service
Justification: Ensures that all assets are returned after service ends.

A.8.2 Information classification
Objective: To ensure that information receives an appropriate level of protection in accordance with its importance to the organization.

A.8.2.1 Classification of information
Control: Information shall be classified in terms of legal requirements, value, criticality and sensitivity to unauthorised disclosure or modification.
Applicability: Y   Reason for selection: / /
Reference:
● DKICT 030201 Information Classification
● DKICT 030202 Information Handling
● Information Classification and Handling Procedure (MBPJ-ISMS-P2-001)
● MyRAM Risk Assessment Report - Valuation of Assets
● Security Instructions (Arahan Keselamatan)
Justification: Ensures that information is classified according to the sensitivity of the asset to disclosure and modification.

A.8.2.2 Labelling of information
Control: An appropriate set of procedures for information labelling shall be developed and implemented in accordance with the information classification scheme adopted by the organization.
Applicability: Y   Reason for selection: / /
Reference:
● DKICT 030201 Information Classification
● DKICT 030202 Information Handling
● Information Classification and Handling Procedure (MBPJ-ISMS-P2-001)
● Media Handling Procedure (MBPJ-ISMS-P2-007)
Justification: Ensures that officers handling ICT assets know the security level of the asset.

A.8.2.3 Handling of assets
Control: Procedures for handling assets shall be developed and implemented in accordance with the information classification scheme adopted by the organization.
Applicability: Y   Reason for selection: / /
Reference:
● DKICT 030202 Information Handling
● Information Classification and Handling Procedure (MBPJ-ISMS-P2-001)
● Media Handling Procedure (MBPJ-ISMS-P2-007)
Justification: Reduces the risk of information leaking to parties not entitled to it.

A.8.3 Media handling
Objective: To prevent unauthorized disclosure, modification, removal or destruction of information stored on media.

A.8.3.1 Management of removable media
Control: Procedures shall be implemented for the management of removable media in accordance with the classification scheme adopted by the organization.
Applicability: Y   Reason for selection: /
Reference:
● DKICT 060602 Media Handling Procedure
● Media Handling Procedure (MBPJ-ISMS-P2-007)
Justification: The procedure exists to control information stored on hard disks, thumb drives and CDs, as well as information in the form of reports.

A.8.3.2 Disposal of media
Control: Media shall be disposed of securely when no longer required, using formal procedures.
Applicability: Y   Reason for selection: /
Reference:
● DKICT 060602 Media Handling Procedure
● Treasury Circular (Satu Pekeliling Perbendaharaan, 1PP)
Justification: Ensures that the risk of information leakage is reduced.

A.8.3.3 Physical media transfer
Control: Media containing information shall be protected against unauthorized access, misuse or corruption during transportation.
Applicability: Y
Reference:
● E-mail Management Procedure for Assessment Tax Data (MBPJ-ISMS-P2-015)
● Media Handling Procedure (MBPJ-ISMS-P2-007)

A.9 Access control
A.9.1 Business requirements of access control
Objective: To limit access to information and information processing facilities.

A.9.1.1 Access control policy
Control: An access control policy shall be established, documented and reviewed based on business and information security requirements.
Applicability: Y   Reason for selection: /
Reference:
● DKICT Item 07 Access Control
● Secure Log-On Control Procedure (MBPJ-ISMS-P2-018)
Justification: Control is applied to prevent disclosure and leakage of information.

A.9.1.2 Access to networks and network services
Control: Users shall only be provided with access to the network and network services that they have been specifically authorized to use.
Applicability: Y   Reason for selection: /
Reference:
● DKICT 070301 Network Access Control
● DKICT Item 06 Operations and Communications Management, 060501 Network Infrastructure Control
● User ID and password
Justification: Control is applied to prevent unauthorised access to information.

A.9.2 User access management
Objective: To ensure authorized user access and to prevent unauthorized access to systems and services.

A.9.2.1 User registration and de-registration
Control: A formal user registration and de-registration process shall be implemented to enable assignment of access rights.
Applicability: Y   Reason for selection: /
Reference:
● DKICT 070201 User Accounts
● E-mail (access activation notice)
● Secure Log-On Control Procedure (MBPJ-ISMS-P2-018)
● VPN Usage Application (P3)
● User ID and Password Management Procedure (MBPJ-ISMS-P2-002)
● Mform - System and E-mail Usage Application Form
● System Usage Cancellation Form (Username/Password) (MBPJ-ISMS-P2-002-B01)
Justification: Only registered users are entitled to access the systems.

A.9.2.2 User access provisioning
Control: A formal user access provisioning process shall be implemented to assign or revoke access rights for all user types to all systems and services.
Applicability: Y   Reason for selection: /
Reference:
● DKICT 070204 Access Rights (Privilege)
● DKICT 070201 User Accounts
● Secure Log-On Control Procedure (MBPJ-ISMS-P2-018)
● Staff Declaration of Compliance with the Petaling Jaya City Council ICT Security Policy
● Third-Party Declaration of Compliance with the Petaling Jaya City Council ICT Security Policy
● Contractor Security Declaration (Appendix A/B)
● E-mail (access activation notice)
Justification: Each system has user access levels to ensure information security.

A.9.2.3 Management of privileged access rights
Control: The allocation and use of privileged access rights shall be restricted and controlled.
Applicability: Y   Reason for selection: /
Reference:
● DKICT 070204 Access Rights
● Use of unique IDs and passwords
● List of user access and system access levels
Justification: Each system has user access levels to ensure information security.

A.9.2.4 Management of secret authentication information of users
Control: The allocation of secret authentication information shall be controlled through a formal management process.
Applicability: Y   Reason for selection: /
Reference:
● DKICT 070203 Password Management
● System Usage Application Form (Username/Password) (MBPJ-ISMS-P2-002-B01)
● Use of unique IDs
Justification: Eligible users are identified before being given access to the systems. On the application servers, application officers use unique IDs, but two activities (compiling source logs and restarting application services) require the Admin ID. Sharing of the Admin ID is permitted only for those two activities (outside working hours), and the infrastructure officer changes the Admin password each time the Admin ID has been used by an application officer.

A.9.2.5 Review of user access rights
Control: Asset owners shall review users' access rights at regular intervals.
Applicability: Y   Reason for selection: /
Reference:
● DKICT 070201 User Accounts
● System Usage Cancellation Form (Username/Password) (MBPJ-ISMS-P2-002-B01)
● Access control review - Security Metrics
Justification: Control is applied so that only authorised users can access the systems.

A.9.2.6 Removal or adjustment of access rights
Control: The access rights of all employees and external party users to information and information processing facilities shall be removed upon termination of their employment, contract or agreement, or adjusted upon change.
Applicability: Y   Reason for selection: /
Reference:
● DKICT 070204 Access Rights
● Notification of New Appointments, Resignations and Retirements of Staff (e-mail from the Human Resources Division)
● System Usage Cancellation Form (Username/Password) (MBPJ-ISMS-P2-002-B01)
Justification: Termination of system access and of ICT equipment facilities follows the established procedure.

A.9.3 User responsibilities
Objective: To make users accountable for safeguarding their authentication information.

A.9.3.1 Use of secret authentication information
Control: Users shall be required to follow the organization's practices in the use of secret authentication information.
Applicability: Y   Reason for selection: /
Reference:
● DKICT 070203 Password Management
● User ID and Password Management Procedure (MBPJ-ISMS-P2-002)
● Use of unique IDs and passwords compliant with the MBPJ DKICT requirements
Justification: Confidential identification information is verified by requiring the password issued by e-mail, applying DKICT 070203 Password Management, namely: minimum 8 characters; password change at least every 90 days.

A.9.4 System and application access control
Objective: To prevent unauthorized access to systems and applications.

A.9.4.1 Information access restriction
Control: Access to information and application system functions shall be restricted in accordance with the access control policy.
Applicability: Y   Reason for selection: /
Reference:
● DKICT 070501 Application and Information Access
● Firewall and IPS Handling Procedure (MBPJ-ISMS-P3-004)
● List of user accounts and access levels
● Encrypted passwords in the database (ePenilaian System, Kutipan System, eAduan System)
● List of user accounts and access levels for the ePenilaian System
Justification: The firewall and IPS are used to ensure that access to application systems and information is only permitted according to …

A.9.4.2 Secure log-on procedures
Control: Where required by the access control policy, access to systems and applications shall be controlled by a secure log-on procedure.
Applicability: Y   Reason for selection: /
Reference:
● DKICT 070401 Operating System Access
● Secure Log-On Procedure (MBPJ-ISMS-P2-018)
● Three-attempt login limit on systems (ePenilaian System and eAduan System)
Justification: To monitor unauthorised access to systems and applications.

A.9.4.3 Password management system
Control: Password management systems shall be interactive and shall ensure quality passwords.
Applicability: Y   Reason for selection: /
Reference:
● DKICT 070203 Password Management
● Passwords set to a minimum of 8 characters
Justification: Passwords are changed every 90 days, prompted by a reminder from the system, with a minimum length of 8 characters.

A.9.4.4 Use of privileged utility programs
Control: The use of utility programs that might be capable of overriding system and application controls shall be restricted and tightly controlled.
Applicability: Y   Reason for selection: /
Reference:
● DKICT 070401 Operating System Access
● Permitted to system administrators only
Justification: Control is applied to ensure the security of system files.

A.9.4.5 Access control to program source code
Control: Access to program source code shall be restricted.
Applicability: Y   Reason for selection: /
Reference:
● DKICT 070401 Operating System Access
● Permitted to system administrators only
● Unique ID and password
Justification: Only system administrators are permitted to update source code.

A.10 Cryptography
A.10.1 Cryptographic controls
Objective: To ensure proper and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of information.

A.10.1.1 Policy on the use of cryptographic controls
Control: A policy on the use of cryptographic controls for protection of information shall be developed and implemented.
Applicability: Y   Reason for selection: /
Reference:
● DKICT 080201 Encryption
● Encryption of Kutipan System passwords in the database, June 2018
● SSL used on the eAduan System
Justification: Protects the confidentiality, integrity and authenticity of information.
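The log-on rules cited under A.9.4.2 and A.9.4.3 (lock-out after three failed attempts, 8-character minimum, change every 90 days) and the "encrypted passwords in the database" cited under A.10.1.1 are stated here as evidence but not shown as a mechanism. The Python below is an added example written for this page; it is not MBPJ's code and not taken from any of the referenced procedures. The 8/90/3 thresholds come from the entries above; the in-memory account store, the constant and function names, the PBKDF2 work factor and the sample account are assumptions. It keeps passwords as salted PBKDF2 hashes rather than reversible encryption, which is the form a practitioner would want for "encrypted" passwords at rest: a hash cannot be turned back into the password, even by an administrator with read access to the table, and the lock-out is checked before the password so a locked account cannot be brute-forced through either log-on or password change.

```python
"""Secure log-on and password-at-rest checks modelled on this SOA's controls.
Example code for this page only; not MBPJ's system. Thresholds from the SOA
(DKICT 070203 / A.9.4.2 / A.9.4.3); everything else is an assumption."""
import datetime as dt
import hashlib
import hmac
import os

MIN_PASSWORD_LEN = 8           # DKICT 070203: minimum 8 characters
MAX_PASSWORD_AGE_DAYS = 90     # DKICT 070203: change at least every 90 days
MAX_FAILED_ATTEMPTS = 3        # A.9.4.2: 3-attempt login control (ePenilaian, eAduan)
PBKDF2_ITERATIONS = 100_000    # assumed work factor; raise as hardware allows


def hash_password(password: str, salt: bytes = b"") -> str:
    """Return 'pbkdf2_sha256$iterations$salt_hex$hash_hex' for storage in the DB.
    A fresh random salt per password means equal passwords give different hashes."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and iteration count; constant-time compare."""
    algo, iters, salt_hex, hash_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), hash_hex)


def password_quality_ok(password: str) -> bool:
    """The only quality rule the SOA states is the 8-character minimum."""
    return len(password) >= MIN_PASSWORD_LEN


class AccountStore:
    """In-memory stand-in for the user table (assumed field names)."""

    def __init__(self):
        self.accounts = {}

    def register(self, user: str, password: str, now: dt.datetime) -> None:
        if not password_quality_ok(password):
            raise ValueError("password shorter than 8 characters")
        self.accounts[user] = {"hash": hash_password(password), "set_at": now,
                               "failed": 0, "locked": False}

    def login(self, user: str, password: str, now: dt.datetime) -> str:
        """Return one of: ok, password_expired, locked, bad_credentials."""
        acct = self.accounts.get(user)
        if acct is None:
            return "bad_credentials"        # same answer as a wrong password: no username enumeration
        if acct["locked"]:
            return "locked"                 # checked before the password, so no guessing while locked
        if not verify_password(password, acct["hash"]):
            acct["failed"] += 1
            if acct["failed"] >= MAX_FAILED_ATTEMPTS:
                acct["locked"] = True
                return "locked"
            return "bad_credentials"
        acct["failed"] = 0                  # successful log-on resets the counter
        if (now - acct["set_at"]).days >= MAX_PASSWORD_AGE_DAYS:
            return "password_expired"       # system prompts for a change, as in A.9.4.3
        return "ok"

    def change_password(self, user: str, old: str, new: str, now: dt.datetime) -> bool:
        acct = self.accounts[user]
        if acct["locked"] or not verify_password(old, acct["hash"]) or not password_quality_ok(new):
            return False
        acct.update(hash=hash_password(new), set_at=now, failed=0)
        return True

    def unlock(self, user: str) -> None:
        """Administrative unlock; never triggered by the user's own attempts."""
        self.accounts[user].update(failed=0, locked=False)


def demo() -> list:
    """Constructed walk-through; returns the sequence of outcomes for checking."""
    store = AccountStore()
    t0 = dt.datetime(2019, 6, 1)
    t91 = t0 + dt.timedelta(days=91)
    store.register("app_officer", "Correct-Horse-9", t0)   # constructed sample account
    out = [
        store.login("app_officer", "wrong-1", t0),          # bad_credentials
        store.login("app_officer", "wrong-2", t0),          # bad_credentials
        store.login("app_officer", "wrong-3", t0),          # locked (third failure)
        store.login("app_officer", "Correct-Horse-9", t0),  # locked, even with the right password
    ]
    store.unlock("app_officer")
    out.append(store.login("app_officer", "Correct-Horse-9", t91))                 # password_expired
    out.append(store.change_password("app_officer", "Correct-Horse-9", "short", t91))  # False: too short
    out.append(store.change_password("app_officer", "Correct-Horse-9", "New-Passphrase-2019", t91))  # True
    out.append(store.login("app_officer", "New-Passphrase-2019", t91))             # ok
    return out


if __name__ == "__main__":
    for step in demo():
        print(step)
```

The expiry check runs only after a correct password, so an expired password still counts as a successful authentication before the forced change; the reset of the failure counter on success is what keeps a legitimate user from being locked out by an attacker's earlier guesses once they log in.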

A.10.1.2 Key management
Control: A policy on the use, protection and lifetime of cryptographic keys shall be developed and implemented through their whole lifecycle.
Applicability: Y   Reason for selection: /
Reference:
● DKICT 080202 Key Management
Justification: Passwords are set to protect the confidentiality, integrity and authenticity of information.

A.11 Physical and environmental security
A.11.1 Secure areas
Objective: To prevent unauthorized physical access, damage and interference to the organization's information and information processing facilities.

A.11.1.1 Physical security perimeter
Control: Security perimeters shall be defined and used to protect areas that contain either sensitive or critical information and information processing facilities.
Applicability: Y   Reason for selection: /
Reference:
● DKICT Item 05 Physical Security
● Guard counter
● Visitor log book
● MBPJ Information Technology Division visitor entry/exit record book
● Data Centre log book
● Visitor pass / staff access card
● Card-access door
● Emergency alarm
● Thumbprint reader for the Data Centre
● CCTV monitoring
● Fire extinguishers in the Data Centre
Justification: Restricted areas have the required security controls as stated.

A.11.1.2 Physical entry controls
Control: Secure areas shall be protected by appropriate entry controls to ensure that only authorized personnel are allowed access.
Applicability: Y   Reason for selection: /
Reference:
● DKICT 050102 Physical Entry Control
● Visitor pass / staff access card
● Card-access door
● Thumbprint reader for the Data Centre
● CCTV monitoring
● Data Centre log book
● MBPJ Information Technology Division visitor entry/exit record book
● Visitor log book
Justification: Restricted areas have the required security controls as stated.

A.11.1.3 Securing offices, rooms and facilities
Control: Physical security for offices, rooms and facilities shall be designed and applied.
Applicability: Y   Reason for selection: /
Reference:
● DKICT 050101 Physical Security Perimeter
● Visitor pass / staff access card
● Visitor log book
● MBPJ Information Technology Division visitor entry/exit record book
● Card-access door
● Data Centre control room
● Data Centre log book control
● Office layout plan
● Locked filing cabinets
● CCTV monitoring
Justification: Restricted areas have the required security controls as stated.

A.11.1.4 Protecting against external and environmental threats
Control: Physical protection against natural disasters, malicious attack or accidents shall be designed and applied.
Applicability: Y   Reason for selection: /
Reference:
● DKICT 050301 Environmental Control
● Building maintenance by the Engineering Department
● Fire-fighting safety equipment maintenance report
● Sprinklers
● Fire extinguishers
● Smoke detectors
● Generator set
● UPS
● Emergency alarm
● CCTV
● FM200
Justification: Maintenance is carried out by the relevant parties to ensure that the risk from external and environmental threats is minimised.

A.11.1.5 Working in secure areas
Control: Procedures for working in secure areas shall be designed and applied.
Applicability: Y   Reason for selection: /
Reference:
● DKICT 050103 Restricted Areas
● Procedure for Authorisation to Carry Out Work in the Data Centre (MBPJ-ISMS-P3-009)
● Visitor pass / staff pass
● Data Centre log book
● Data Centre control room
● Entry and exit escorted by the Data Centre Officer (third parties)
Justification: A Data Centre control room is provided for third parties to carry out maintenance, and an escorting officer is provided for restricted areas.

A.11.1.6 Delivery and loading areas
Control: Access points such as delivery and loading areas and other points where unauthorized persons could enter the premises shall be controlled and, if possible, isolated from information processing facilities to avoid unauthorized access.
Applicability: Y   Reason for selection: /
Reference:
● DKICT 050102 Physical Entry Control
● Data Centre control room
● Information Technology Unit visitor record book
● Information Technology Unit Visitor Procedure (MBPJ-ISMS-P3-017)
Justification: A delivery and staging area for ICT equipment is provided to prevent any possible intrusion.

A.11.2 Equipment
Objective: To prevent loss, damage, theft or compromise of assets and interruption to the organization's operations.

A.11.2.1 Equipment siting and protection
Control: Equipment shall be sited and protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorized access.
Applicability: Y   Reason for selection: /
Reference:
● Floor plan, Level 3, MBPJ Headquarters
● Floor plan, Valuation and Property Management Department
● Floor plan, Treasury Department, Level 1
Justification: ICT equipment is placed in controlled locations to reduce the risk from environmental threats and the opportunity for intrusion.

A.11.2.2 Supporting utilities
Control: Equipment shall be protected from power failures and other disruptions caused by failures in supporting utilities.
Applicability: Y   Reason for selection: /
Reference:
● Generator set
● UPS
● Core switch redundancy (supporting utility for the hardware-malfunction risk)
Justification: Utilities are provided to ensure that ICT equipment is not exposed to failure in delivering the required services.

A.11.2.3 Cabling security
Control: Power and telecommunications cabling carrying data or supporting information services shall be protected from interception, interference or damage.
Applicability: Y   Reason for selection: /
Reference:
● DKICT 050204 Cabling
● Centralised network equipment racks
● Cable trunking / cable ties
● Raised floor in the Data Centre
Justification: The equipment provided protects the cabling at every Council switch.

A.11.2.4 Equipment maintenance
Control: Equipment shall be correctly maintained to ensure its continued availability and integrity.
Applicability: Y   Reason for selection: /
Reference:
● DKICT 050205 Maintenance
● Periodic ICT equipment maintenance reports
● Corrective maintenance service (ad hoc basis)
● Maintenance and technical support services for hardware, software, network and Data Centre support by Venture Nucleus (M) Sdn Bhd
● Corrective action by the Technical Team (LAN, WAN, computers and laptops)
● Periodic maintenance by the Technical Team (computers and laptops)
● Fine-tuning health check every 6 months
● Preventive maintenance every 3 months for Oracle 12c (maintenance reports 4 times a year)
● Maintenance by Array Technologies (SUN SPARC T702)
● Warranty support and maintenance by the Technical Unit (laptops)
● Maintenance by third party, Strategic Alliance (Dell Storage, internal firewall (Sangfor))
● Support and maintenance for Kyrol antivirus
● Preventive maintenance by Centory Software (M) Sdn Bhd (ePenilaian System)
● Technical support from BKJ (UPS, split air-conditioning, fire extinguishers and FM200)
● CCTV maintenance (Caliber Interconnects and Datasonic)
Justification: The MBPJ Data Centre maintenance file is kept to ensure the availability and integrity of services.

A.11.2.5 Removal of assets
Control: Equipment, information or software shall not be taken off-site without prior authorization.
Applicability: Y   Reason for selection: /
Reference:
● DKICT 050206 Loan of Hardware for Use Outside the Office
● Computer Equipment Loan Procedure at MBPJ (MBPJ-ISMS-P3-014)
Justification: Protects and controls the movement of ICT assets against loss or manipulation by irresponsible parties.

A.11.2.6 Security of equipment and assets off-premises
Control: Security shall be applied to off-site assets taking into account the different risks of working outside the organization's premises.
Applicability: Y   Reason for selection: /
Reference:
● DKICT 050207 Equipment Off-Premises
● Computer Equipment Loan Procedure at MBPJ (MBPJ-ISMS-P3-014)
Justification: Control over equipment used outside the premises.

A.11.2.7 Secure disposal or reuse of equipment
Control: All items of equipment containing storage media shall be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use.
Applicability: Y   Reason for selection: /
Reference:
● DKICT 050208 Disposal
● Disposal Certification Form (PEP) (MBPJ-ISMS-P1-007-L06)
● Treasury Circular (1PP)
● Updating of KEW.PA-2, KEW.PA-3, KEW.PA-16, KEW.PA-17, KEW.PA-18 and KEW.PA-19
Justification: Control is applied so that no information is disclosed after ICT assets are disposed of.

Clause
ControlTiltle Control Applicabilit
y
Reasonforselection Reference Justification
A.11.2.8 Unattended user equipment
Control: Users shall ensure that unattended equipment has appropriate protection.
Applicability: Y; Reason for selection: /
Reference:
● DKICT 050209 Clear Desk and Clear Screen
● Password-protected screen saver
Justification: Ensures there is no misuse of ICT assets. The screen saver is activated after two (2) minutes.
A.11.2.9 Clear desk and clear screen policy
Control: A clear desk policy for papers and removable storage media and a clear screen policy for information processing facilities shall be adopted.
Applicability: Y; Reason for selection: /
Reference:
● DKICT 050209 Clear Desk and Clear Screen
● Password-protected screen saver
Justification: Ensures there is no misuse of ICT assets. The screen saver is activated after two (2) minutes.
A.12 Operations security
A.12.1 Operational procedures and responsibilities
Objective: To ensure correct and secure operations of information processing facilities.
A.12.1.1 Documented operating procedures
Control: Operating procedures shall be documented and made available to all users who need them.
Applicability: Y; Reason for selection: /
Reference:
● DKICT 060101 – Handling of Procedures
● P2 Documents
● P3 Documents
● Complaint Management Process – receipt and verification of complaints through the eAduan System by the Public Complaints Section
Justification: Serves as a reference to ensure that procedures are carried out efficiently.
A.12.1.2 Change management
Control: Changes to the organization, business processes, information processing facilities and systems that affect information security shall be controlled.
Applicability: Y; Reason for selection: /
Reference:
● DKICT 060102 Change Control
● Change Management Procedure (MBPJ-ISMS-P2-007)
● Patch Management Procedure (MBPJ-ISMS-P2-010)
Justification: Changes to the organization, information processing facilities and systems that affect information security shall be controlled.
A.12.1.3 Capacity management
Control: The use of resources shall be monitored, tuned and projections made of future capacity requirements to ensure the required system performance.
Applicability: Y; Reason for selection: /
Reference:
● DKICT 060201 Capacity Planning
● Resource Capacity Management Procedure (MBPJ-ISMS-P2-019)
● Ensuring the capacity projection plan is carried out at least once a year.
Justification: Resource usage shall be monitored against capacity requirements based on future usage, to ensure the required system performance.
A.12.1.4 Separation of development, testing and operational environments
Control: Development, testing, and operational environments shall be separated to reduce the risks of unauthorized access or changes to the operational environment.
Applicability: Y; Reason for selection: /
Reference:
● MBPJ network diagram
o Dev Server
o Production Server
Justification: Development and testing shall be separated from the operational environment to reduce the risk of unauthorized access or changes to the operational environment.
A.12.2 Protection from malware
Objective: To ensure that information and information processing facilities are protected against malware.
A.12.2.1 Controls against malware
Control: Detection, prevention and recovery controls to protect against malware shall be implemented, combined with appropriate user awareness.
Applicability: Y; Reason for selection: /
Reference:
● DKICT 060302 Protection against Mobile Code
● Kyrol anti-virus for servers and laptops/notebooks/PCs.
● Anti-virus reports.
● Content/Web Filtering – Web Marshal
● Anti-virus and Malicious Code Protection Management Procedure (MBPJ-ISMS-P2-012)
Justification: Implements controls against threats from viruses, malware, trojans and worms.
A.12.3 Backup
Objective: To protect against loss of data.
A.12.3.1 Information backup
Control: Backup copies of information, software and system images shall be taken and tested regularly in accordance with an agreed backup policy.
Applicability: Y; Reason for selection: /
Reference:
● DKICT 060401 Backup
● Backup and data reload handling procedure (MBPJ-ISMS-P3-001)
● Backup Recovery Policy
● Backup files in Oracle storage
● Restore activity twice a year
● Backup files to NAS at Menara MBPJ & Pusat Komuniti MBPJ
Justification: Backup procedures for information, software and system images shall be carried out and tested regularly to ensure that operations can continue when a disaster occurs.
A.12.4 Logging and monitoring
Objective: To record events and generate evidence.
A.12.4.1 Event logging
Control: Event logs recording user activities, exceptions, faults and information security events shall be produced, kept and regularly reviewed.
Applicability: Y; Reason for selection: /
Reference:
● DKICT 061102 System Logs
● DKICT 061103 Log Monitoring
● DKICT 070202 Audit Trail.
● System Usage Monitoring Procedure (MBPJ-ISMS-P2-021)
● An audit trail exists in Oracle for the activities performed, based on IP address and Computer Name (Oracle 12c)
Justification: Records of user activities and information security events shall be produced, kept and regularly reviewed.
A.12.4.2 Protection of log information
Control: Logging facilities and log information shall be protected against tampering and unauthorized access.
Applicability: Y; Reason for selection: /
Reference:
● DKICT 061103 Log Monitoring
● DKICT 070202 Audit Trail
● System Usage Monitoring Procedure (MBPJ-ISMS-P2-021)
Justification: Log information shall be protected against any tampering.
A.12.4.3 Administrator and operator logs
Control: System administrator and system operator activities shall be logged and the logs protected and regularly reviewed.
Applicability: Y; Reason for selection: /
Reference:
● DKICT 070202 Audit Trail
● DKICT 061103 Log Monitoring
● System Usage Monitoring Procedure (MBPJ-ISMS-P2-021)
● Logs in the database
Justification: System administrator and system operator activities are logged, and the logs are protected and regularly reviewed.
A.12.4.4 Clock synchronisation
Control: The clocks of all relevant information processing systems within an organization or security domain shall be synchronised to a single reference time source.
Applicability: Y; Reason for selection: /
Reference:
● DKICT 061103 Log Monitoring
● Server time is set according to a Network Time Protocol (NTP) server
Justification: The relevant information processing systems within an organization or security domain are synchronised to a single reference time source.
A.12.5 Control of operational software
Objective: To ensure the integrity of operational systems.
A.12.5.1 Installation of software on operational systems
Control: Procedures shall be implemented to control the installation of software on operational systems.
Applicability: Y; Reason for selection: /
Reference:
● DKICT 080301 System File Control
● DKICT 080401 Change Control
● Patch Management Procedure (MBPJ-ISMS-P2-010)
● Change Management Procedure (MBPJ-ISMS-P2-006)
● Application/Software Usage Application Form
Justification: Control procedures shall be implemented to control the installation of software on operational systems.
A.12.6 Technical vulnerability management
Objective: To prevent exploitation of technical vulnerabilities.
A.12.6.1 Management of technical vulnerabilities
Control: Information about technical vulnerabilities of information systems being used shall be obtained in a timely fashion, the organization’s exposure to such vulnerabilities evaluated and appropriate measures taken to address the associated risk.
Applicability: Y; Reason for selection: /
Reference:
● DKICT 080501 Control against Technical Threats
● Patch Management Procedure (MBPJ-ISMS-P2-010)
● Patches are applied during Preventive Maintenance
● Vulnerability Assessment is carried out
Justification: Information about technical vulnerabilities of the information systems in use shall be obtained in an appropriate manner.
A.12.6.2 Restrictions on software installation
Control: Rules governing the installation of software by users shall be established and implemented.
Applicability: Y; Reason for selection: /
Reference:
● DKICT 080301 System File Control
● Information Exchange Procedure
● Intellectual Property Protection Procedure
Justification: Control procedures and rules governing the installation of software by users shall be implemented to prevent users from installing software not permitted by the Council.
A.12.7 Information systems audit considerations
Objective: To minimise the impact of audit activities on operational systems.
A.12.7.1 Information systems audit controls
Control: Audit requirements and activities involving verification of operational systems shall be carefully planned and agreed to minimise disruptions to business processes.
Applicability: Y; Reason for selection: /
Reference:
● ISMS Internal Audit Procedure (MBPJ-ISMS-P1-004)
Justification: Audit requirements for activities involving verification of operational systems shall be carefully planned to minimise disruption to business processes.
A.13 Communications security
A.13.1 Network security management
Objective: To ensure the protection of information in networks and its supporting information processing facilities.
A.13.1.1 Network controls
Control: Networks shall be managed and controlled to protect information in systems and applications.
Applicability: Y; Reason for selection: /
Reference:
● DKICT 020106 Network Administrator
● Firewall – Fortigate
● Intrusion Detection System
● Virtual LAN
● Web Content Filtering
● Wi-Fi password
Justification: Network systems shall be managed and controlled to protect information in systems and applications.
A.13.1.2 Security of network services
Control: Security mechanisms, service levels and management requirements of all network services shall be identified and included in network services agreements, whether these services are provided in-house or outsourced.
Applicability: Y; Reason for selection: /
Reference:
● DKICT 060501 Network Infrastructure Control
● MBPJ network diagram
Justification: Security controls/procedures and service management requirements for all network services shall be identified and included in network service agreements.
A.13.1.3 Segregation in networks
Control: Groups of information services, users and information systems shall be segregated on networks.
Applicability: Y; Reason for selection: /
Reference:
● DKICT 060501 Network Infrastructure Control
● MBPJ network diagram
Justification: To protect the Council's network services.
A.13.2 Information transfer
Objective: To maintain the security of information transferred within an organization and with any external entity.
A.13.2.1 Information transfer policies and procedures
Control: Formal transfer policies, procedures and controls shall be in place to protect the transfer of information through the use of all types of communication facilities.
Applicability: Y; Reason for selection: /
Reference:
● Media Handling Procedure (MBPJ-ISMS-P2-007)
● e-Mail Management Procedure for Assessment Tax Data (MBPJ-ISMS-P2-015)
● Pekeliling Kemajuan Pentadbiran Awam Bilangan 1 Tahun 2003 (Public Administration Development Circular No. 1 of 2003): Guidelines on the procedures for the use of the internet and electronic mail in government agencies
Justification: Procedures and controls shall be in place to protect the transfer of information through the use of all types of communication facilities.
A.13.2.2 Agreements on information transfer
Control: Agreements shall address the secure transfer of business information between the organization and external parties.
Applicability: Y
Reference:
● Third Party Compliance Declaration Letter for the Majlis Bandaraya Petaling Jaya ICT Security Policy.
● Contract Agreement
● Contractor Security Declaration (Appendix A/B)
Justification: Controls to ensure that information provided to third parties is protected in terms of confidentiality and integrity.
A.13.2.3 Electronic messaging
Control: Information involved in electronic messaging shall be appropriately protected.
Applicability: Y; Reason for selection: /
Reference:
● DKICT 060902 Electronic Mail (E-mail) Management
● Guidelines on the Use and Management of e-Mail of Majlis Bandaraya Petaling Jaya (http://eps.mbpj.gov.my/emel.pdf)
● e-Mail Management Procedure for Assessment Tax Data (MBPJ-ISMS-P2-015)
● Anti-Spam – Mail Filtering
Justification: Procedures are established to ensure that information sent through electronic messaging is protected.
A.13.2.4 Confidentiality or nondisclosure agreements
Control: Requirements for confidentiality or non-disclosure agreements reflecting the organization’s needs for the protection of information shall be identified, regularly reviewed and documented.
Applicability: Y; Reason for selection: /
Reference:
● DKICT 020109 Users
● DKICT 020201 Security Requirements for Contracts with Third Parties.
● Third Party Compliance Declaration Letter for the Majlis Bandaraya Petaling Jaya ICT Security Policy.
● Contract Agreement
● Contractor Security Declaration (Appendix A/B)
Justification: Requirements for confidentiality or non-disclosure agreements reflecting the organization's needs for the protection of information are identified, regularly reviewed and documented.
A.14 System acquisition, development and maintenance
A.14.1 Security requirements of information systems
Objective: To ensure that information security is an integral part of information systems across the entire lifecycle. This also includes the requirements for
information systems which provide services over public networks.
A.14.1.1 Information security requirements analysis and specification
Control: The information security related requirements shall be included in the requirements for new information systems or enhancements to existing information systems.
Applicability: Y; Reason for selection: /
Reference:
● Waterfall methodology
● User Requirement Specification (URS)
● DKICT Section 08 System Development and Maintenance
● DKICT 080401 Change Control
● DKICT 080402 Outsourced Software Development
● Sample tender specifications
Justification: Information security requirements are included in the requirements for new information systems or enhancements to existing information systems.
A.14.1.2 Securing application services on public networks
Control: Information involved in application services passing over public networks shall be protected from fraudulent activity, contract dispute and unauthorized disclosure and modification.
Applicability: Y
Reference:
● Internal network access or VPN
Justification: As an improvement for the systems within the ISMS scope.
A.14.1.3 Protecting application services transactions
Control: Information involved in application service transactions shall be protected to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay.
Applicability: Y
Reference:
● Dedicated counter (user ID and machine)
Justification: Information transactions shall be controlled against incomplete transactions, mis-routing, and unauthorized alteration, disclosure and duplication of information.
A.14.2 Security in development and support processes
Objective: To ensure that information security is designed and implemented within the development lifecycle of information systems.
A.14.2.1 Secure development policy
Control: Rules for the development of software and systems shall be established and applied to developments within the organization.
Applicability: Y; Reason for selection: /
Reference:
● DKICT 080101 Cryptographic Security Requirements
● DKICT 080301 System File Control
● DKICT 080401 Change Control
● DKICT 080402 Outsourced Software Development
Justification: Rules controlling the development of software and systems are applied to ensure that no change disrupts the operation of the system.
A.14.2.2 System change control procedures
Control: Changes to systems within the development lifecycle shall be controlled by the use of formal change control procedures.
Applicability: Y; Reason for selection: /
Reference:
● DKICT 080401 Change Control
● Change Management Procedure (MBPJ-ISMS-P2-006)
Justification: Changes to systems can be controlled by using change control procedures.
A.14.2.3 Technical review of applications after operating platform changes
Control: When operating platforms are changed, business critical applications shall be reviewed and tested to ensure there is no adverse impact on organizational operations or security.
Applicability: Y; Reason for selection: /
Reference:
● Change Management Procedure (MBPJ-ISMS-P2-006)
● System Enhancement Form (MBPJ-ISMS-P2-006-B01)
Justification: When operating platforms are changed, the applications of critical systems shall be reviewed and tested to ensure there is no adverse impact on organizational operations or security.
A.14.2.4 Restrictions on changes to software packages
Control: Modifications to software packages shall be discouraged, limited to necessary changes and all changes shall be strictly controlled.
Applicability: Y; Reason for selection: /
Reference:
● Change Management Procedure (MBPJ-ISMS-P2-006)
Justification: Any change to software is controlled and limited to necessary changes, and all changes shall be strictly controlled.
A.14.2.5 Secure system engineering principles
Control: Principles for engineering secure systems shall be established, documented, maintained and applied to any information system implementation efforts.
Applicability: Y
Reference:
● DKICT 070201 User Accounts
● Change Management Procedure (MBPJ-ISMS-P2-006)
Justification: Access controls for systems shall be established, documented, maintained and applied to ensure security within the system engineering principles.
A.14.2.6 Secure development environment
Control: Organizations shall establish and appropriately protect secure development environments for system development and integration efforts that cover the entire system development lifecycle.
Applicability: Y
Reference:
● DKICT 080101 Cryptographic Security Requirements
● DKICT 080301 System File Control
● Oracle Database Addition/Amendment Application Form
● Oracle Database Addition/Amendment Application Feedback Form
Justification: Procedures and control documents have been established to ensure security in system development.
A.14.2.7 Outsourced development
Control: The organization shall supervise and monitor the activity of outsourced system development.
Applicability: Y
Reference:
● DKICT 080402 Outsourced Software Development
● Contract Agreement
● Supplier and Third Party Management Procedure (MBPJ-ISMS-P2-008)
● Offer Letter and Letter of Acceptance
Justification: Outsourced system development activities are supervised and controlled.
A.14.2.8 System security testing
Control: Testing of security functionality shall be carried out during development.
Applicability: Y
Reference:
● DKICT 080101 Cryptographic Security Requirements
● Change Management Procedure (MBPJ-ISMS-P2-006)
Justification: Security functionality testing has been carried out during development.
A.14.2.9 System acceptance testing
Control: Acceptance testing programs and related criteria shall be established for new information systems, upgrades and new versions.
Applicability: Y; Reason for selection: /
Reference:
● DKICT 060202 System Acceptance
● System Requirements Specification (URS)
● User Acceptance Test (UAT)
● Final Acceptance Test (FAT)
Justification: The related criteria shall be established for information systems with new versions.
A.14.3 Test data
Objective: To ensure the protection of data used for testing.
A.14.3.1 Protection of test data
Control: Test data shall be selected carefully, protected and controlled.
Applicability: Y; Reason for selection: /
Reference:
● Change Management Procedure (MBPJ-ISMS-P2-006)
● System Usage Monitoring Procedure (MBPJ-ISMS-P2-021)
Justification: Test data shall be selected carefully, protected and controlled.
A.15 Supplier relationships
A.15.1 Information security in supplier relationships
Objective: To ensure protection of the organization’s assets that is accessible by suppliers.
A.15.1.1 Information security policy for supplier relationships
Control: Information security requirements for mitigating the risks associated with supplier’s access to the organization’s assets shall be agreed with the supplier and documented.
Applicability: Y; Reason for selection: /
Reference:
● DKICT 060801 Service Delivery
● Supplier and Third Party Management Procedure (MBPJ-ISMS-P2-008)
● Contract Agreement
● Kick-off Meeting Minutes
● MBPJ ICT Security Policy
Justification: Information security requirements for mitigating the risks associated with supplier access to assets shall be agreed with the supplier and documented.
A.15.1.2 Addressing security within supplier agreements
Control: All relevant information security requirements shall be established and agreed with each supplier that may access, process, store, communicate, or provide IT infrastructure components for, the organization’s information.
Applicability: Y; Reason for selection: /
Reference:
● Third Party Compliance Declaration Letter for the Majlis Bandaraya Petaling Jaya ICT Security Policy
● Contractor Security Declaration (Appendix A/B)
● Maintenance Contract Agreement
Justification: All relevant information security requirements shall be established and agreed with each supplier that may access, process, store, communicate, or provide IT infrastructure components for, the organization's information.
A.15.1.3 Information and communication technology supply chain
Control: Agreements with suppliers shall include requirements to address the information security risks associated with information and communications technology services and product supply chain.
Applicability: Y; Reason for selection: /
Reference:
● DKICT 060801 Service Delivery
● Third Party Compliance Declaration Letter for the Majlis Bandaraya Petaling Jaya ICT Security Policy
● Contractor Security Declaration (Appendix A/B)
Justification: Agreements with suppliers shall include requirements to address the information security risks associated with information and communications technology services and the product supply chain.
A.15.2 Supplier service delivery management
Objective: To maintain an agreed level of information security and service delivery in line with supplier agreements.
A.15.2.1 Monitoring and review of supplier services
Control: Organizations shall regularly monitor, review and audit supplier service delivery.
Applicability: Y; Reason for selection: /
Reference:
● DKICT 060801 Service Delivery
● Maintenance Contract Agreement
● Maintenance Reports
Justification: Monitoring and review are carried out regularly with suppliers.
A.15.2.2 Managing changes to supplier services
Control: Changes to the provision of services by suppliers, including maintaining and improving existing information security policies, procedures and controls, shall be managed, taking account of the criticality of business information, systems and processes involved and re-assessment of risks.
Applicability: Y; Reason for selection: /
Reference:
● DKICT 060801 Service Delivery
● Maintenance Reports
● Risk Assessment Report (MyRAM)
● Change Management Procedure (MBPJ-ISMS-P2-006)
Justification: Changes to the provision of services by suppliers, including maintaining and improving the existing information security policies.
A.16 Information security incident management
A.16.1 Management of information security incidents and improvements
Objective: To ensure a consistent and effective approach to the management of information security incidents, including communication on security events
and weaknesses.
A.16.1.1 Responsibilities and procedures
Control: Management responsibilities and procedures shall be established to ensure a quick, effective and orderly response to information security incidents.
Applicability: Y; Reason for selection: /
Reference:
● DKICT Section 060103 Incident Management Procedure
● DKICT Section 040201 Incident Reporting
● ICT Security Incident Management Procedure (MBPJ-ISMS-P2-005)
● Pekeliling Am Bilangan 1 Tahun 2001 (General Circular No. 1 of 2001) – Mechanism for Reporting Information and Communications Technology Security Incidents
● Surat Pekeliling Am Bilangan 4 Tahun 2006 (General Circular Letter No. 4 of 2006) – Management of Information and Communications Technology Security Incident Handling in the Public Sector.
Justification: Management responsibilities and procedures shall be established to ensure a quick, effective and orderly response to information security incidents.
A.16.1.2 Reporting information security events
Control: Information security events shall be reported through appropriate management channels as quickly as possible.
Applicability: Y; Reason for selection: /
Reference:
● DKICT Section 040201 Incident Reporting
● ICT Security Incident Management Procedure (MBPJ-ISMS-P2-005)
● Incident reporting to the Community Services and Information Technology Committee Meeting (Mesyuarat Jawatankuasa Kemasyarakatan Perkhidmatan Dan Teknologi Maklumat) or the MBPJ ICT Sub-Committee
Justification: Information security incidents shall be reported to management as quickly as possible.
A.16.1.3 Reporting information security weaknesses
Control: Employees and contractors using the organization’s information systems and services shall be required to note and report any observed or suspected information security weaknesses in systems or services.
Applicability: Y; Reason for selection: /
Reference:
● DKICT Section 060103 Incident Management Procedure
● DKICT Section 040201 Incident Reporting
● ICT Security Incident Management Procedure (MBPJ-ISMS-P2-005)
● List of ICT Security officers who can be contacted at the Data Centre
● Incident reporting to the Community Services and Information Technology Committee Meeting (Mesyuarat Jawatankuasa Kemasyarakatan Perkhidmatan Dan Teknologi Maklumat) or the MBPJ ICT Sub-Committee
Justification: Any information security weakness found in systems or services must be reported immediately to the responsible party.
A.16.1.4 Assessment of and decision on information security events
Control: Information security events shall be assessed and it shall be decided if they are to be classified as information security incidents.
Applicability: Y; Reason for selection: /
Reference:
● DKICT Section 060103 Incident Management Procedure
● DKICT Section 040201 Incident Reporting
● ICT Security Incident Management Procedure (MBPJ-ISMS-P2-005)
● Pekeliling Am Bilangan 1 Tahun 2001 (General Circular No. 1 of 2001) – Mechanism for Reporting Information and Communications Technology Security Incidents
● Surat Pekeliling Am Bilangan 4 Tahun 2006 (General Circular Letter No. 4 of 2006) – Management of Information and Communications Technology Security Incident Handling in the Public Sector
Justification: Information security incidents shall be reported to superiors, and disaster recovery action must be taken immediately.
A.16.1.5 Response to information security incidents
Control: Information security incidents shall be responded to in accordance with the documented procedures.
Applicability: Y; Reason for selection: /
Reference:
● DKICT Section 060103 Incident Management Procedure
● DKICT Section 040201 Incident Reporting
● ICT Security Incident Management Procedure (MBPJ-ISMS-P2-005)
● Pekeliling Am Bilangan 1 Tahun 2001 (General Circular No. 1 of 2001) – Mechanism for Reporting Information and Communications Technology Security Incidents
● Surat Pekeliling Am Bilangan 4 Tahun 2006 (General Circular Letter No. 4 of 2006) – Management of Information and Communications Technology Security Incident Handling in the Public Sector
Justification: Information security incidents are handled according to the established SOP.
A.16.1.6 Learning from information security incidents
Control: Knowledge gained from analysing and resolving information security incidents shall be used to reduce the likelihood or impact of future incidents.
Applicability: Y; Reason for selection: /
Reference:
● DKICT Section 060103 Incident Management Procedure
● ICT Security Incident Management Procedure (MBPJ-ISMS-P2-005)
● DKICT Section 040201 Incident Reporting
● Incident reporting to the Community Services and Information Technology Committee Meeting (Mesyuarat Jawatankuasa Kemasyarakatan Perkhidmatan Dan Teknologi Maklumat) and the MBPJ ICT Sub-Committee
● Surat Pekeliling Am Bilangan 4 Tahun 2006 (General Circular Letter No. 4 of 2006) – Management of Information and Communications Technology Security Incident Handling in the Public Sector
Justification: Incidents are reported so that ICT information security issues are resolved and the same incident does not recur or is reduced.
A.16.1.7 Collection of evidence
Control: The organization shall define and apply procedures for the identification, collection, acquisition and preservation of information, which can serve as evidence.
Applicability: Y; Reason for selection: /
Reference:
● DKICT Section 060103 Incident Management Procedure
● ICT Security Incident Management Procedure (MBPJ-ISMS-P2-005)
● Surat Pekeliling Am Bilangan 4 Tahun 2006 (General Circular Letter No. 4 of 2006) – Management of Information and Communications Technology Security Incident Handling in the Public Sector
● Incident reporting to the Community Services and Information Technology Committee Meeting (Mesyuarat Jawatankuasa Kemasyarakatan Perkhidmatan Dan Teknologi Maklumat) or the MBPJ ICT Sub-Committee
Justification: To monitor and reduce the risk of security incidents and to improve the security controls of ICT assets.
A.17 Information security aspects of business continuity management
A.17.1 Information security continuity
Objective: Information security continuity shall be embedded in the organization’s business continuity management systems
A.17.1.1 Planning information security continuity
Control: The organization shall determine its requirements for information security and the continuity of information security management in adverse situations, e.g. during a crisis or disaster.
Applicability: Y; Reason for selection: /
Reference:
● DKICT 090101 Service Continuity Plan
● BIA – Business Impact Analysis (Report)
● Continuation of the DRC project implementation for 2017 - 2020
● Provision of a DRC budget every year
Justification: To ensure that system operations are not disrupted and do not interfere with the Council's service delivery.
A.17.1.2 Implementing information security continuity
Control: The organization shall establish, document, implement and maintain processes, procedures and controls to ensure the required level of continuity for information security during an adverse situation.
Applicability: Y; Reason for selection: /
Reference:
● DKICT 090101 Service Continuity Plan
● MBPJ ICT Disaster Recovery Handling Procedure (MBPJ-ISMS-P2-016)
● Implementation of Cloud DRC services
● MBPJ DRC Simulation Report
Justification: Controls are in place to ensure that system operations are not disrupted.
A.17.1.3 Verify, review and evaluate information security continuity
Control: The organization shall verify the established and implemented information security continuity controls at regular intervals in order to ensure that they are valid and effective during adverse situations.
Applicability: Y; Reason for selection: /
Reference:
● DKICT 090101 Service Continuity Plan
● DRC simulation was carried out during UAT on 10 April 2018 and FAT on 11 June 2018
Justification: Ensures that the information provided is accurate and reliable.
A.17.2 Redundancies
Objective: To ensure availability of information processing facilities.
A.17.2.1 Availability of information processing facilities
Control: Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements.
Applicability: Y; Reason for selection: /
Reference:
● DKICT 090101 Service Continuity Plan
● MBPJ ICT Disaster Recovery Handling Procedure (MBPJ-ISMS-P2-016)
● Redundant core switch
● DRC simulation was carried out in June 2018 and December 2018
● MBPJ DRC Simulation Report
Justification: Serves as a guide in the event of a disruption or disaster, to ensure that operational services are not interrupted.
A.18 Compliance
A.18.1 Compliance with legal and contractual requirements
Objective: To avoid breaches of legal, statutory, regulatory or contractual obligations related to information security and of any security requirements.
A.18.1.1 Identification of applicable legislation and contractual requirements
Control: All relevant legislative statutory, regulatory, contractual requirements and the organization’s approach to meet these requirements shall be explicitly identified, documented and kept up to date for each information system and the organization.
Applicability: Y; Reason for selection: /
Reference:
● DKICT Section 10 Compliance
Justification: The policies implemented are intended to guarantee the security of MBPJ's ICT assets.
A.18.1.2 Intellectual property rights
Control: Appropriate procedures shall be implemented to ensure compliance with legislative, regulatory and contractual requirements related to intellectual property rights and use of proprietary software products.
Applicability (Y/N): Y
Reason for selection (RR, SR/BP, RAR): /
Reference:
● DKICT Section 10 Compliance
● Intellectual Property Protection Procedure (MBPJ-ISMS-P2-020)
Justification: Compliance with the established procedures to protect ICT assets.
A.18.1.3 Protection of records
Control: Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release, in accordance with legislatory, regulatory, contractual and business requirements.
Applicability (Y/N): Y
Reason for selection (RR, SR/BP, RAR): /
Reference:
● Arahan Keselamatan (Security Directive)
● DKICT 050202 Documents
● ISMS Document Control Procedure (MBPJ-ISMS-P1-002)
● ISMS Record Control Procedure (MBPJ-ISMS-P1-002)
● Stored in a locked cabinet.
Justification: To ensure the security of ICT asset records.
A.18.1.4 Privacy and protection of personally identifiable information
Control: Privacy and protection of personally identifiable information shall be ensured as required in relevant legislation and regulation where applicable.
Applicability (Y/N): Y
Reason for selection (RR, SR/BP, RAR): /
Reference:
● DKICT 070204 Access Rights (Privilege)
● Arahan Keselamatan (Security Directive)
● Contract agreements
● Staff Letter of Compliance with the Majlis Bandaraya Petaling Jaya ICT Security Policy
● Third-Party Letter of Compliance with the Majlis Bandaraya Petaling Jaya ICT Security Policy
Justification: Controls to protect personal information.
A.18.1.5 Regulation of cryptographic controls
Control: Cryptographic controls shall be used in compliance with all relevant agreements, legislation and regulations.
Applicability (Y/N): Y
Reason for selection (RR, SR/BP, RAR): /
Reference:
● DKICT 080201 Encryption
● DKICT 080202 Key Management
Justification: Protects the confidentiality, integrity and authenticity of information.
A.18.2 Information security reviews
Objective: To ensure that information security is implemented and operated in accordance with the organizational policies and procedures.
A.18.2.1 Independent review of information security
Control: The organization’s approach to managing information security and its implementation (i.e. control objectives, controls, policies, processes and procedures for information security) shall be reviewed independently at planned intervals or when significant changes occur.
Applicability (Y/N): Y
Reason for selection (RR, SR/BP, RAR): /
Reference:
● Conduct of ISMS internal audits
● Conduct of the ISMS audit by SIRIM
● ISMS Management Review Meeting Guide (MBPJ-ISMS-P1-011)
Justification: ISMS implementation must include measurement to ensure its continued effectiveness in securing ICT assets.
A.18.2.2 Compliance with security policies and standards
Control: Managers shall regularly review the compliance of information processing and procedures within their area of responsibility with the appropriate security policies, standards and any other security requirements.
Applicability (Y/N): Y
Reason for selection (RR, SR/BP, RAR): /
Reference:
● DKICT 100103 Compliance with Policies, Standards and Technical Requirements
● Service Undertaking Letter (Surat Akujanji Perkhidmatan)
● Conduct of ISMS internal audits
Justification: Compliance with the established policies.
A.18.2.3 Technical compliance review
Control: Information systems shall be regularly reviewed for compliance with the organization’s information security policies and standards.
Applicability (Y/N): Y
Reason for selection (RR, SR/BP, RAR): /
Reference:
● ISMS Effectiveness Measurement Procedure (MBPJ-ISMS-P1-006)
● Conduct of ISMS internal audits
● ISMS Control Effectiveness Measurement Procedure - Backup/Restore
Justification: To measure the effectiveness of, and compliance with, information security for ICT assets.
SOA UPDATE VERSION 5.0
Revision No.: 5.0
Revision Date: 30/5/2019
Page No.: 5, 6, 8, 19, 21, 22, 25, 27, 30, 31, 32, 34, 53, 56, 57 and 58
Description of Change: Update to the following controls based on the latest implementation at MBPJ:
A.5.1.1 Policies for information security
A.5.1.2 Review of the policies for information security
A.6.1.4 Contact with special interest groups
A.9.2.1 User registration and de-registration
A.9.2.4 Management of secret authentication information of users
A.9.2.5 Review of user access rights
A.9.2.6 Removal or adjustment of access rights
A.9.4.1 Information access restriction
A.9.4.2 Secure log-on procedures
A.10.1.1 Policy on the use of cryptographic controls
A.11.1.2 Physical entry controls
A.11.2.4 Equipment maintenance
A.12.1.1 Documented operating procedures
A.16.1.3 Reporting information security weaknesses
A.16.1.7 Collection of evidence
A.17.1.1 Planning information security continuity
A.17.1.2 Implementing information security continuity
A.17.1.3 Verify, review and evaluate information security continuity
A.17.2.1 Availability of information processing facilities
SOA UPDATE VERSION 5.1
Revision No.: 5.1
Revision Date: 14/8/2019
Page No.: 15, 23, 27
Description of Change: Update to the following controls based on the latest ISMS implementation at MBPJ:
A.8.1.4 Return of assets
A.9.4.2 Secure log-on procedures
A.11.1.4 Protecting against external and environmental threats
REVISION RECORDS