INFORMATION SECURITY POLICY GOVERNANCE & MANAGEMENT

GROUP MEMBERS
NO. | NAME | MATRIC NO.
1 | NURUL AIN BINTI RADZWAN | 21DIT24F1145
2 | NUR ALYA MAISARAH BINTI HALIM | 21DIT24F1148
3 | ARNIE AMIERA BINTI IDHAM IZMAN | 21DIT24F1360
4 | MEERAA NAGESHWARY A/P VIYASYEN | 21DIT24F1363

DFC20313: CYBERSECURITY FUNDAMENTALS
LECTURER: MOHAMAD IZZAT BIN ISMAIL
CLASS: DIT2H
DATE: 17/3/2025

TABLE OF CONTENTS
1. INTRODUCTION
   1.1 WHAT'S INFORMATION SECURITY POLICY GOVERNANCE AND MANAGEMENT?
2. AUSTRALIA
   2.1 GOVERNANCE STRUCTURE
   2.2 POLICY DEVELOPMENT
   2.3 POLICY ENFORCEMENT
   2.4 REGULAR REVIEW
   2.5 AUDITING & REPORTING
3. GERMANY
   3.1 GOVERNANCE STRUCTURE
   3.2 POLICY DEVELOPMENT
   3.3 POLICY ENFORCEMENT
   3.4 REGULAR REVIEW
   3.5 AUDITING & REPORTING
4. MALAYSIA
   4.1 GOVERNANCE STRUCTURE
   4.2 POLICY DEVELOPMENT
   4.3 POLICY ENFORCEMENT
   4.4 REGULAR REVIEW
   4.5 AUDITING & REPORTING
1. INTRODUCTION

1.1 WHAT'S INFORMATION SECURITY POLICY GOVERNANCE AND MANAGEMENT?
Information security policy governance and management is the set of structures, policies, enforcement mechanisms, review cycles and audit processes through which a nation (or an organisation) defines its security requirements and makes sure they are followed. Information security is a critical part of national cybersecurity strategy: it keeps sensitive data, systems and infrastructure protected from cyber threats. Each country establishes its own security policies, governance structures and enforcement mechanisms to maintain a secure digital environment. The following sections compare Australia, Germany and Malaysia along five dimensions: governance structure, policy development, policy enforcement, regular review, and auditing and reporting.
2. AUSTRALIA
2.1 GOVERNANCE STRUCTURE | 2.2 POLICY DEVELOPMENT | 2.3 POLICY ENFORCEMENT | 2.4 REGULAR REVIEW | 2.5 AUDITING & REPORTING
2.1 AUSTRALIA - GOVERNANCE STRUCTURE

PURPOSE AND MISSION
- Provide leadership and services for the well-being of its people.
- Maintain law and order.
- Support economic growth and social development.
- Protect the country and its interests.

RESPONSIBILITIES
- Making and enforcing laws.
- Providing public services like healthcare, education and transport.
- Managing the economy and national security.
- Representing Australia internationally.

STRUCTURE
1. Federal Government (National Level): led by the Prime Minister. Makes laws for the whole country on big issues like defense, immigration and trade. Parliament has two parts: the House of Representatives (lower house) and the Senate (upper house).
2. State and Territory Governments: each of the six states and two territories has its own government, led by a Premier (state) or Chief Minister (territory). Responsible for schools, hospitals, roads and police.
3. Local Governments (Councils): manage cities and towns and take care of local services like rubbish collection, parks and local roads.
2.2 AUSTRALIA - POLICY DEVELOPMENT

NATIONAL SECURITY STRATEGY
Sets out Australia's main goals for fighting terrorism, protecting against cyberattacks, securing borders and upholding the law. These goals change over time to respond to new threats.

CONSULTATION AND STAKEHOLDER INVOLVEMENT
Government departments consult businesses, experts and the public to gather their opinions and ideas. This helps make sure that security policies meet the needs of everyone.

CYBERSECURITY AND CRITICAL INFRASTRUCTURE PROTECTION
Australia has special security rules for important sectors like energy, communications and finance. The Critical Infrastructure Centre (now the Cyber and Infrastructure Security Centre within the Department of Home Affairs) works to find weak points in these systems and create policies to protect them.

LEGISLATIVE FRAMEWORK
Many of Australia's security policies are created through legislation. Important laws include the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018, which helps law enforcement access information, and the Australian Security Intelligence Organisation Act 1979 (ASIO Act), which gives ASIO its powers to protect national security.
2.3 AUSTRALIA - POLICY ENFORCEMENT

AUSTRALIAN FEDERAL POLICE (AFP)
Responsible for making sure national security rules are followed, especially in fighting terrorism, organized crime and cybercrime. Works closely with state and territory police and with law enforcement agencies in other countries to keep Australia safe.

AUSTRALIAN CYBER SECURITY CENTRE (ACSC)
Part of the Australian Signals Directorate (ASD). Works with both the public and private sectors to ensure that cyber security policies are implemented, including responding to cyber incidents, promoting best practices and assisting critical infrastructure providers.

COMPLIANCE BODIES
Regulatory agencies like the Australian Prudential Regulation Authority (APRA) and the Office of the Australian Information Commissioner (OAIC) make sure companies in sectors like finance, communications and health follow security rules and protect people's information.

PENALTIES AND SANCTIONS
If people or companies don't follow security laws, they can face fines, other penalties or even criminal charges. For example, companies that don't follow cyber security rules may be fined, and people breaking anti-terrorism laws can be arrested and prosecuted.
2.4 AUSTRALIA - REGULAR REVIEW

REVIEW OF SECURITY LAWS AND POLICIES
Australia regularly reviews its security laws to make sure they stay effective against new problems. For example, the Parliamentary Joint Committee on Intelligence and Security (PJCIS) examines proposed changes to national security laws.

AUDIT AND OVERSIGHT BODIES
- The Australian National Audit Office (ANAO): reviews how government departments carry out their policies.
- The Inspector-General of Intelligence and Security (IGIS): makes sure intelligence and security agencies are following the law.

ANNUAL REPORTING
Key agencies, like the Australian Cyber Security Centre, publish yearly reports that explain how the country's security is doing, point out challenges, share successes and note updates to security policies.
2.5 AUSTRALIA - AUDITING AND REPORTING

PUBLIC TRANSPARENCY
Some reports, like those about cyberattacks, weaknesses in important systems and privacy issues, are shared with the public. For example, the Australian Cyber Security Centre (ACSC) releases an annual report that explains cyber threats, incidents and how they are being handled.

ACCOUNTABILITY
Australia's security policies are designed to be transparent and are regularly checked by parliamentary committees and independent bodies. The Commonwealth Ombudsman and the Australian Human Rights Commission help make sure that security measures respect people's rights and freedoms.

PERFORMANCE MEASUREMENT
Policies are regularly checked through audits, reviews and reports. These reviews show whether agencies are working well, find areas that need improvement, and make sure resources are used correctly for security needs.
3. GERMANY
3.1 GOVERNANCE STRUCTURE | 3.2 POLICY DEVELOPMENT | 3.3 POLICY ENFORCEMENT | 3.4 REGULAR REVIEW | 3.5 AUDITING & REPORTING
3.1 GERMANY - GOVERNANCE STRUCTURE

PURPOSE AND MISSION
Ensure the cybersecurity of Germany's government agencies, critical infrastructure, businesses and citizens:
1. Strengthen IT resilience
2. Detect and respond to threats
3. Educate and raise awareness

RESPONSIBILITIES
- Cyber Threat Monitoring & Response: detecting and responding to cyberattacks affecting Germany.
- Critical Infrastructure Protection: ensuring that key sectors are resilient against cyber threats.
- Encryption & Secure Communications: researching and recommending encryption methods.
- Advisory Role: providing cybersecurity advice to both public institutions and private companies.

STRUCTURE
The Federal Office for Information Security (BSI) falls under the Federal Ministry of the Interior and Community (BMI).
3.2 GERMANY - POLICY DEVELOPMENT

GOVERNANCE & OVERSIGHT
In Germany, the BSI (Federal Office for Information Security) leads policy development, working under the Federal Ministry of the Interior (BMI). Policies align with EU cybersecurity law.

RISK ASSESSMENT & RESEARCH
The BSI conducts regular cybersecurity risk assessments to identify national security threats. These assessments help shape new policies.

POLICY DRAFTING
Policies are drafted by the BSI and BMI in consultation with government agencies, cybersecurity experts and industry leaders.

APPROVAL & IMPLEMENTATION
Policies are legally enforced through the IT-SiG (IT Security Act), the BSIG (BSI Act) and the GDPR. Compliance is mandatory for businesses in critical sectors.

PUBLIC & INDUSTRY CONSULTATION
Businesses and IT security firms are invited to provide feedback before policies are finalised. This keeps the resulting regulations practical and effective.

INTERNATIONAL COMPLIANCE
Germany's standards are aligned internationally: BSI IT-Grundschutz certification is compatible with ISO/IEC 27001, national policy follows EU cybersecurity law, and international frameworks such as those from NIST are used as reference points.
3.3 GERMANY - POLICY ENFORCEMENT
- Mandatory compliance for critical infrastructure (KRITIS) operators.
- Strict penalties for non-compliance (fines up to €20 million).
- The BSI enforces regulations through audits and monitoring.
- Operators must report significant cyber incidents to the BSI without undue delay; personal data breaches must additionally be reported to the data protection authority within 72 hours under the GDPR.
- High cybersecurity standards for businesses and government agencies.
Germany's enforcement system is among the stricter ones in Europe, supporting national cybersecurity resilience through binding laws and penalties.
3.4 GERMANY - REGULAR REVIEW

WHY CONTINUOUS UPDATES MATTER
Emerging risks include ransomware, phishing attacks, zero-day exploits, AI-based threats and supply chain vulnerabilities. By continuously reviewing and adapting its standards, the BSI helps maintain robust defences against the latest threats.

EXAMPLES OF UPDATED STANDARDS
- BSI IT-Grundschutz (IT Baseline Protection): receives regular updates that incorporate new threat models and technologies such as cloud security and IoT.
- KRITIS regulation (Critical Infrastructure Protection): regularly revised to ensure sectors like energy, healthcare and telecommunications stay resilient to evolving cyber risks.
3.5 GERMANY - AUDITING AND REPORTING

MANDATORY SECURITY AUDITS
KRITIS operators must prove compliance through audits performed by certified, independent experts, and the results are reported to the Federal Office for Information Security (BSI).

MINIMUM SECURITY MEASURES
Companies must implement state-of-the-art security measures, such as firewalls, intrusion detection and network segmentation.

INCIDENT REPORTING OBLIGATION
Any significant cybersecurity incident must be reported to the BSI without undue delay.

EXTENDED SCOPE
The IT Security Act 2.0 (2021) extended the law's coverage to additional sectors, such as municipal waste management, and to "companies in the special public interest", while introducing stricter cybersecurity requirements.
4. MALAYSIA
4.1 GOVERNANCE STRUCTURE | 4.2 POLICY DEVELOPMENT | 4.3 POLICY ENFORCEMENT | 4.4 REGULAR REVIEW | 4.5 AUDITING & REPORTING
4.1 MALAYSIA - GOVERNANCE STRUCTURE

KEY AGENCIES & AUTHORITIES
1. National Cyber Security Agency (NACSA) – Oversees and coordinates cybersecurity strategy under the National Security Council.
2. CyberSecurity Malaysia (CSM) – Provides advisory services, cybersecurity monitoring and incident response.
3. Malaysian Communications and Multimedia Commission (MCMC) – Regulates cybersecurity compliance for telecommunications and internet providers.

STRATEGIC FRAMEWORK & GOVERNANCE
- Malaysia Cyber Security Strategy (MCSS) 2020-2024 – Five-year plan to strengthen national cybersecurity.
- Personal Data Protection Act (PDPA) 2010 – Governs the protection of personal data in commercial transactions.
- Communications and Multimedia Act (CMA) 1998 – Regulates digital communications and cybersecurity.

COORDINATION & IMPLEMENTATION
- Inter-agency collaboration between government bodies, the private sector and international cybersecurity organisations.
- Cyber drills and simulations conducted to assess and improve national cyber resilience.
- Regular updates to cybersecurity frameworks to align with global best practices.
4.2 MALAYSIA - POLICY DEVELOPMENT

1. MALAYSIA CYBER SECURITY STRATEGY (MCSS) 2020-2024
Launched by the National Cyber Security Agency (NACSA) under the National Security Council. Focuses on enhancing Malaysia's cybersecurity infrastructure through collaboration with the private sector and international bodies.

2. CYBER SECURITY ACT 2024
The Cyber Security Act 2024 (Act 854) came into force on 26 August 2024. It gives Malaysia a stronger legal framework, names NACSA as the lead agency, and imposes obligations on entities that operate National Critical Information Infrastructure (NCII).

3. NATIONAL CYBER COORDINATION & COMMAND CENTRE (NC4)
Functions as the central hub for monitoring and responding to cyber threats. Enhances national cybersecurity incident response capabilities.

4. MALAYSIA DIGITAL ECONOMY BLUEPRINT (MyDIGITAL)
Cybersecurity policies are embedded in MyDIGITAL to ensure a safe digital economy. Supports digital transformation while maintaining strict security measures.
4.3 MALAYSIA - POLICY ENFORCEMENT
- Mandatory compliance for critical infrastructure (NCII entities under the Cyber Security Act 2024).
- Strict penalties for non-compliance (fines and legal action).
- NACSA and MCMC enforce regulations through audits and monitoring.
- NCII entities must notify NACSA of cyber security incidents within the timeframes set by the Cyber Security Act 2024 and its incident-notification regulations.
- High cybersecurity standards for businesses and government agencies.
4.4 MALAYSIA - REGULAR REVIEW

WHY CONTINUOUS UPDATES MATTER
Emerging risks include ransomware, phishing and supply chain vulnerabilities. Continuous review and updates help maintain strong cybersecurity defences. The National Cyber Security Agency (NACSA) ensures policies remain relevant.

EXAMPLES OF UPDATED STANDARDS
- Malaysia Cyber Security Strategy (MCSS): regular updates to address new cyber threats.
- Personal Data Protection Act (PDPA): amended by the Personal Data Protection (Amendment) Act 2024 to strengthen data privacy rules, including mandatory data breach notification.
4.5 MALAYSIA - AUDITING AND REPORTING

MANDATORY SECURITY AUDITS
Security audits must be conducted by certified experts and regularly reviewed to ensure compliance.

MINIMUM SECURITY COMPLIANCE STANDARDS
Organisations are expected to align with national frameworks such as the Malaysia Cyber Security Strategy (MCSS); NCII entities must additionally follow the codes of practice issued under the Cyber Security Act 2024.

CYBER INCIDENT REPORTING OBLIGATION
The National Cyber Coordination and Command Centre (NC4) requires organisations to report cyber incidents immediately.

REPORTING TO REGULATORY BODIES
Financial institutions report cybersecurity risks to Bank Negara Malaysia (BNM) under its Risk Management in Technology (RMiT) policy.
THANK YOU