
INFORMATION SECURITY POLICY GOVERNANCE AND
MANAGEMENT

U.S
Japan
Malaysia

Published by Siddhartha, 2025-03-17 00:19:35

Group 1


QUESTIONS:
i) Governance structure
ii) Policy development
iii) Policy enforcement
iv) Regular review
v) Auditing and Reporting

Siddhartha - U.S
Lim Zi Yang - Malaysia
Loke Tian Sun - Japan

Siddhartha A/L Gauthama Dass 21DIT24F1261
Lim Zi Yang 21DIT24F1106
Loke Tian Sun 21DIT24F1167


United States - International Cyberspace & Digital Policy Strategy

i) Government Structure
● The United States is known for a collaborative approach in which it engages with allies and partners to shape cyberspace governance and digital policies.
● Governmental oversight is provided by the Department of State, which leads in coordinating international cybersecurity policies.
● Federal agencies such as the Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) enforce security standards.

ii) Policy Development
● The United States International Cyberspace and Digital Policy Strategy is updated regularly to address emerging cyber threats.
● It was developed under the National Defense Authorization Act to ensure continuity across administrations.
● In addition, the Environmental Protection Agency (EPA) extends the Information Security Policy to include Data Loss Prevention (DLP) and digital rights management, which serve as a foundation for future operational procedures and standards.


iii) Policy Enforcement
● The Cybersecurity and Infrastructure Security Agency (CISA) enforces cybersecurity policies across Federal Civilian Executive Branch (FCEB) agencies.
● It requires compliance with the binding operational directives and emergency directives issued by CISA.
● CISA develops and oversees the implementation of binding operational directives and emergency directives that require action from certain federal agencies within the civilian Executive Branch.

iv) Regular Review
● The Chief Information Security Officer (CISO) Handbook emphasizes the importance of continuous improvement in cybersecurity programs and encourages CISOs to regularly assess and update their strategies.
● A Policy Review Committee makes sure the NCSP remains up to date with evolving threats and strategies as necessary.
● Additionally, in HIPAA Security Rule updates released in January 2025, the United States Department of Health and Human Services proposed new regulations to enhance cybersecurity protection for electronic protected health information (ePHI).


v) Auditing and Reporting
● CISA develops compliance programs requiring agencies to report on their cybersecurity postures.
● Information security auditing guidelines highlight the importance of auditing information security measures, ensuring that vulnerabilities are promptly addressed to maintain system integrity.
● EPA Information Security Procedures: the Environmental Protection Agency (EPA) has established procedures to facilitate the implementation of security control requirements, as identified in the National Institute of Standards and Technology (NIST) Special Publication 800-53, Revision 5. These procedures cover various aspects, including incident response and media protection, ensuring a structured approach to auditing and reporting.

References for U.S:
https://www.state.gov/bureaus-offices/bureau-of-cyberspace-and-digital-policy/
https://www.cisa.gov/
https://csrc.nist.gov/publications/sp
https://www.epa.gov/irmpoli8/information-security-policy-procedures-and-standards
https://www.hhs.gov/hipaa/for-professionals/security/index.html
https://www.gao.gov/products/gao-23-104705


MALAYSIA CYBERSECURITY POLICY - NACSA

i) Governance structure
Malaysia has a centralized governance structure for cybersecurity under the National Cyber Security Agency (NACSA), established in 2017. NACSA operates under the Prime Minister’s Department and is the primary agency responsible for coordinating cybersecurity efforts across the country. It works with other agencies like the Ministry of Communications and Multimedia (KKMM), the Royal Malaysia Police (PDRM), and CyberSecurity Malaysia (a specialized agency under KKMM).

ii) Policy development
Malaysia develops its cybersecurity policies through a collaborative and research-based process. CyberSecurity Malaysia conducts research on emerging threats, such as phishing and ransomware, to inform policy decisions.

iii) Policy enforcement
1. The Royal Malaysia Police (PDRM) has a dedicated Cybercrime Unit within its Commercial Crime Investigation Department (CCID) to investigate and combat cybercrimes like online scams and hacking.
2. Malaysia has regulatory bodies, specialized agencies that enforce specific policies (e.g., the Malaysian Communications and Multimedia Commission for telecommunications).

iv) Regular Review
After a rise in ransomware attacks in 2022, Malaysia reviewed its NCSS and introduced new guidelines for critical infrastructure protection in 2023. NACSA and CyberSecurity Malaysia monitor global and local cyberthreat trends and update policies accordingly. The NCSS itself is designed to be reviewed every five years (2020-2025), with interim updates as needed. CyberSecurity Malaysia also conducts annual National Cybersecurity Exercises (for example: X-Maya) to test and improve response strategies.


v) Auditing and Reporting
CyberSecurity Malaysia publishes annual reports on cyberthreats, such as the Malaysia Cyber Threat Landscape Report, which details incidents, trends, and mitigation efforts. The 2024 report highlighted a 30% increase in phishing attacks and outlined government responses. NACSA also conducts audits of critical national infrastructure (e.g., energy, healthcare) to ensure compliance with cybersecurity standards.

References:
https://www.nacsa.gov.my/
https://www.nacsa.gov.my/act854.php
https://www.nacsa.gov.my/faq.php#:~:text=The%20National%20Cyber%20Security%20Agency%20(NACSA)%20is%20a%20dedicated%20agency,C.
https://asset.mkn.gov.my/wp-content/uploads/2020/10/MalaysiaCyberSecurityStrategy2020-2024.pdf
https://ms.wikipedia.org/wiki/Jabatan_Perdana_Menteri_Malaysia
https://www.pikom.org.my/2024/FOCS/PIKOM_Cybersecurity_Report.pdf
https://www.ensigninfosecurity.com/resources/threat-insights/cyber-threat-landscape-report-2024


JAPAN CYBERSECURITY POLICY - NISC

i) Government Structure
● The Cybersecurity Strategic Headquarters was established under the Cabinet in November 2014 for the purpose of effectively and comprehensively promoting cybersecurity policies. The Cybersecurity Strategic Headquarters is headed by the Chief Cabinet Secretary, with his deputy - the Minister in charge of Cybersecurity - and composed of the Chairman of the National Public Safety Commission, the other relevant Ministers and knowledgeable experts from academia and business sectors.
● The National center of Incident readiness and Strategy for Cybersecurity (NISC) was established in 2015. It was formerly called the National Information Security Center, from 2005, under the same abbreviation "NISC". It serves as the secretariat of the Cybersecurity Strategy Headquarters, working together with the public and private sectors on a variety of activities to create a "free, fair and secure cyberspace". NISC plays a leading role as a focal point in coordinating intra-government collaboration and promoting partnerships between industry, academia, and public and private sectors.

ii) Policy Development
● The foundation of Japan’s development cooperation policy is the Development Cooperation Charter (decided by the Cabinet in February 2015). Japan defines its development cooperation policy as being based on: adhering to the course it has taken to date as a peace-loving nation, while contributing even more proactively to securing the peace, stability and prosperity of the international community from the perspective of “Proactive Contribution to Peace” based on the principle of international cooperation; and securing the national interests of Japan through this approach.


iii) Policy Enforcement
● In Japan, each ministry is responsible for cybersecurity policies in its respective area, and overall coordination of cybersecurity policy is conducted by NISC (National Center of Incident Readiness and Strategy for Cybersecurity) under the Cybersecurity Strategic Headquarters.

iv) Regular Review
● The current Cybersecurity Strategy, issued in September 2021, is the third one under the Basic Act on Cybersecurity. The Cybersecurity Strategy shows a basic position on cybersecurity policy, its objectives and its implementation for 3 years domestically and internationally. Overview of the Cybersecurity Strategy is as below.

v) Auditing and Reporting
● In order to support autonomous and continuous improvement in cybersecurity capabilities at independent administrative agencies and other government-affiliated organizations, IPA undertakes some tasks of the Cybersecurity Strategy Headquarters and the National Center of Incident Readiness and Strategy for Cybersecurity (NISC).


References:
https://www.nisc.go.jp/eng/index.html#sec1
https://www.mofa.go.jp/files/000406629.pdf
https://www.meti.go.jp/english/policy/safety_security/cybersecurity/index.html
https://www.nisc.go.jp/eng/index.html#sec2
https://www.ipa.go.jp/en/about/activities/security-auditing.html

