E-Government

3.0 E-Government

3.1 Data Standard

  • State-wide Data Standard
    • Purpose

    In an effort to standardise and facilitate the sharing of data across State agencies, there is a need to establish a "State-wide Data Dictionary". The Dictionary will feature a core section of data elements that cross all State agencies (e.g., name, address, etc.), and a section dedicated to each functional area of government activity (e.g., forestry, agriculture, etc.) that covers the data elements unique to that area. The purpose of this policy is to make agencies aware that this effort is underway and describe the framework for its achievement.

    • Overview

    Data collected and captured by the State Government is a valuable resource. This data contains important operational, research and historical information about the State. Because information management within the State has evolved in a largely decentralised manner, government databases may not be compatible, thus inhibiting appropriate and authorised data sharing and fostering duplication. The State-wide Data Dictionary will redress this problem and realise the following benefits:

    • fostering the strategic use of technology to manage information as a State asset
    • providing standard definitions that will facilitate communications between government agencies
    • improving management decisions through the availability of more timely and accurate information
    • enabling the integration of systems which will become easier with consistent definitions

    The creation of a State-wide Data Dictionary is a long term investment which requires the input of many people. The objective of such an effort is threefold:

    • First, to promote data sharing among agencies, by having common data definitions for electronic data interchange and/or shared databases;
    • Second, to foster interagency data analysis, by simplifying the integration required to bring a variety of data sources into a common data warehouse environment; and
    • Third, to facilitate interagency application development by enabling agencies to co-develop and reuse databases and programming modules that support common cross-agency functions.

    The State-wide Data Dictionary will be produced in several stages, beginning with an overarching section covering core data elements applicable to all State agencies. After the first section is complete, other functional areas will be developed. All development will take place in work group settings. During development, issues such as accurate and consistent data across State platforms and the delivery of data to where and when it is needed at an affordable cost, will be emphasised. Each section of the State-wide Data Dictionary will constitute a Preferred Standard. As such, agencies will be expected to adopt the standard over time, on a proactive basis, in all State Government applications that will or may be shared across agencies or levels of government. In this manner, a gradual standardisation of critical information will be fostered.

    • Policy

The "State-wide Data Dictionary" will, among others, include a section for each of the following areas:

  • Personal Identification - information collected about a person
  • Business Identification - information collected about a business
  • Government Identification - information collected about a governmental organisation
  • Environmental - information required to manage the environment
  • Human Services - health, mental health, social services information
  • Revenue - information about revenue collected by State organisations
  • Administrative - information collected and used to operate the State (e.g., financial data)

Every effort should be made to incorporate established conventions and national standards into the State-wide Data Dictionary.

To initiate the process, the State Computer Services Department will convene a Data Standardisation Work Group, with one member from each functional area. The State Computer Services Department will provide overall direction and ensure co-ordination among standardisation efforts.

The Work Group will:

  • Review and finalise the Personal Identification section of the State-wide Data Dictionary for distribution to all State agencies.
  • Review all existing functional area Data Dictionaries to determine and resolve any overlap and inconsistencies that may exist.
  • Develop a process for adding, modifying and deleting data elements.
  • Finalise minimum Data Dictionary documentation guidelines pertaining to metadata elements, definitions, acceptable values, default values and value definitions.
  • Identify other related initiatives that must be undertaken to make the State-wide Data Dictionary a success.
  • A Functional Area Work Group for each of the areas, for Business, Government, Environmental, Revenue and Administrative. Each Work Group will be responsible for developing its section of the State-wide Data Dictionary within a timeframe set in conjunction with the Task Force.

3.2 Electronic Government Domain

  • Electronic Government and Internet Domain
    •  The domain name for the Sabah State Electronic Government Systems (Intranet and Internet) shall be — sabah.gov.my.
    • The State Government shall be the owner of the domain name — sabah.gov.my.
    • The Ministry of Resource Development and IT, as the System Administrator, shall be the controller and administrator of the domain name — sabah.gov.my
    • Sabah Net Sdn Bhd as the System Operator, shall maintain the domain name — sabah.gov.my
  • Sub-Domain

 Agencies are allowed to maintain their own sub-domain names if they meet the following criteria:

  • The agency concerned has the necessary expertise and manpower to maintain the systems
  • The agency concerned is providing Intranet services to its officers or the general public

Agencies wishing to maintain their own sub-domain names must apply to the System Administrator for approval.
Agencies that maintain their own sub-domain names must comply with the policies and standards as stipulated by the System Administrator from time to time.

 

3.3 Domain Web Hosting

    • Domain web hosting shall be provided to each State Government agency to host its agency website.
    • With prior approval from the Sabah.Net Administrator, the State Government agency shall be responsible for providing the following information to the Sabah.Net Operator:
      • The confirmed URL of website
      • Type of Content Management System (CMS) Platform
      • Type of Web Server required
      • Operating system platform
      • Database system
      • Name and E-mail of person responsible for the agency’s website
      • Vendor information if the website is outsourced
    • The website must pass through a security audit process performed by sgCERT. The website shall be made live-accessible only if it has passed the security audit process.
    • The security audit process shall be repeated whenever the agency website undergoes changes to application scripts, the application of security patches, or a version upgrade.
    • All State Government agencies hosting their websites at the Sabah.Net Domain Web Hosting shall be responsible for ensuring that their respective websites are updated with the latest security patches or versions.
    • The Sabah.Net Operator shall have the authority to suspend the website’s operation if a security risk is identified. The Sabah.Net Operator shall notify the agency’s person responsible prior to suspending the website’s operations.
    • The validity and verification of all information published on the agency’s website shall be the sole responsibility of the said agency. Neither the Sabah.Net Administrator nor the Sabah.Net Operator shall be liable for any damages or loss resulting from the use of information published in any of the websites hosted in Sabah.Net.

 

3.4 Updating of Information

The usefulness of any home page is only as good as the contents provided within. Irrelevant and out-of-date information published on the Web may compromise the credibility and image of the agency concerned. Hence:

  • All State agencies are responsible for updating their respective information on the Internet and Intranet web pages.
  • Information on the Internet/Intranet should be updated regularly (daily if necessary) to reflect its currency.
  • "Copyright" notices should be posted at the end of the homepage.
  • Each ministry, department and agency should identify and authorise at least one person to be responsible for the update. This is to ensure that the update is genuine. This person should be the CIO of the said agency.

3.5 Email

  •  Electronic Mail Services
    • The State Government shall maintain one central e-mail system for all government officials (including the ministers) and officers, with a standard naming convention as determined by the System Administrator.
    • Creation of new e-mail accounts:
      • New State Government Civil Service employee e-mail accounts shall be created automatically upon activation of the employee record at Sistem Maklumat Sumber Manusia (SM2).
      • For non-SM2 e-mail accounts, requests for new e-mail accounts shall be submitted via the Government Account Tracking System (GATS).
    • Applicants for new e-mail accounts should submit their requests (electronically or otherwise) to the nearest Kumpulan Sokongan IT (KSIT) for processing. Information required includes the name of the person, IC, post, mailing address and telephone and fax contacts.
    • The e-mail account assigned to each government official (including ministers) shall have a mailbox size of 1 gigabyte (GB).
    • All e-mail account holders are requested to manage their correspondence as per the Management and Retention guidelines.
    • All account holders are encouraged to change their passwords from time to time. This is to minimise the breach of security and confidentiality.
    • E-mail account holders shall abide by the rules and conditions as instituted by the System Administrator or System Operator from time to time.
    • E-mail accounts shall be terminated once the account holder is no longer employed by the State Government Civil Service. Alert and instruction of termination shall be given through GATS in synchronization with SM2. E-mail accounts shall be deleted from the e-mail system within one (1) month from notice of termination.

  • Size and Attachments
    • Email is provided to enhance the service delivery and performance of the Government. Unnecessarily large e-mail messages or e-mail with unnecessarily large attachments create congestion within and between e-mail systems. This congestion results in long delays and unnecessary costs for the storage and transport of the said e-mail. Just a few excessively large messages can create a number of e-mail delivery delays and other "performance" failures for many users.
    • To help manage the potential for e-mail system congestion (and some types of denial-of-service attack), the size of each e-mail message shall be capped at a maximum of 20 megabytes (MB).

 

  • Management and Retention

A message sent or received by e-mail in the conduct of public business is, by law, a public record, which falls within three broad categories:

  • Transitory records, including copies posted to several persons and casual and routine communications similar to telephone conversations.
  • Public records with a less than permanent retention period; and
  • Public records with a permanent or permanent/archival retention period.

Retention guidelines for each of these categories follow:

  • Transitory - No retention requirement. Public officials and employees receiving such communications may delete them immediately.
  • Less than Permanent - Follow retention period for equivalent hard copy records as specified in an approved retention schedule.  May be in the form of a hard copy print-out or it may be stored electronically. The retention must be in a form where the data can be retrieved and interpreted for the legal retention period.
  • Permanent or Permanent/Archival - Retention may be in the form of a hard-copy printout.  The information must be eye readable without interpretation.

Depending upon the function of the public record being generated by e-mail, state agencies may take steps to institute procedures for routinely printing e-mail records, including all transmissions and receipt data in the system, and filing the printouts in the normal course of business.

3.6 Firewall

Firewall compromise would be potentially disastrous to subnet security. For this reason, agencies will, as far as is practical, adhere to the stipulations listed below when configuring and using firewalls.

  • Limit firewall accounts to only those absolutely necessary, such as the administrator. If practical, disable network logins.
  • Use smartcard or authentication tokens to provide a much higher degree of security than that provided by simple passwords. Challenge-response and one-time password cards are easily integrated with most popular systems.
  • Remove compilers, editors, and other program development tools from the firewall system(s) that could enable a cracker to install Trojan horse software or backdoors.
  • Do not run any vulnerable protocols on the firewall such as TFTP, NIS, NFS, UUCP.
  • Consider disabling the finger command. The finger command can be used to leak valuable user information.
  • Consider not using the e-mail gateway commands (EXPN and VRFY) which can be used by crackers to probe for user addresses.
  • Do not permit loopholes in firewall systems to allow friendly systems or users special entrance access. The firewall should not view any attempt to gain access to the computers behind the firewall as friendly.
  • Disable any feature of the firewall that is not needed, including other network access, user shells, applications, and so forth.
  • Turn on full-logging at the firewall and read the logs weekly at a minimum.
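
A host audit for three of the stipulations above (no vulnerable protocols, no finger service, no program development tools), given as an added example that is not part of the original policy. The port numbers are the services' well-known ports, the tool list is an assumption to adapt locally, and the `ss -tuln` listing is constructed sample input.

```python
"""Audit a firewall host against part of the section 3.6 checklist (added example)."""
import shutil

# Well-known ports of services section 3.6 says not to run on the firewall.
# NIS has no fixed port: it registers with the RPC portmapper (111), as NFS does.
FORBIDDEN = {
    ("udp", 69): "TFTP",
    ("tcp", 79): "finger",
    ("tcp", 111): "RPC portmapper (NIS/NFS)",
    ("udp", 111): "RPC portmapper (NIS/NFS)",
    ("tcp", 540): "UUCP",
    ("tcp", 2049): "NFS",
    ("udp", 2049): "NFS",
}

# Assumed list of development tools; extend it to match the local platform.
DEV_TOOLS = ("gcc", "cc", "g++", "clang", "make", "as", "ld", "gdb")

# Constructed sample of `ss -tuln` output (not captured from a real host).
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0      0.0.0.0:69         0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:111        0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      5      [::]:79            [::]:*
tcp   LISTEN 0      64     192.0.2.1:2049     0.0.0.0:*
"""


def parse_listeners(ss_output):
    """Return a set of (proto, local_addr, port) parsed from `ss -tuln` text."""
    listeners = set()
    for line in ss_output.splitlines():
        fields = line.split()
        # Skip the header and anything that is not a tcp/udp socket row.
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue
        # Column 5 is "address:port"; split on the last colon so that
        # IPv6 forms such as "[::]:79" parse correctly.
        addr, _, port = fields[4].rpartition(":")
        if port.isdigit():
            listeners.add((fields[0], addr, int(port)))
    return listeners


def audit_listeners(ss_output):
    """Return sorted (proto, port, service, local_addr) for forbidden listeners."""
    findings = []
    for proto, addr, port in parse_listeners(ss_output):
        service = FORBIDDEN.get((proto, port))
        if service:
            findings.append((proto, port, service, addr))
    return sorted(findings)


def installed_dev_tools(which=shutil.which):
    """Return the development tools from DEV_TOOLS that resolve on PATH."""
    return [tool for tool in DEV_TOOLS if which(tool)]


if __name__ == "__main__":
    for proto, port, service, addr in audit_listeners(SAMPLE_SS):
        print(f"FORBIDDEN SERVICE  {service:<26} {proto}/{port} on {addr}")
    for tool in installed_dev_tools():
        print(f"DEV TOOL PRESENT   {tool} -> {shutil.which(tool)}")
```

On a live host, feed `audit_listeners` the real output of `ss -tuln`. An empty result only shows that nothing is bound to those well-known ports, so the remaining checklist items still need manual review.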

 

3.7 State IT Resource Security

  • Control of Computers and Information Resources

    Information resources are valuable assets of the State. The wilful and knowing unauthorised use, alteration, or destruction of these assets is a computer-related crime.

    • Access to data files and programs shall be limited to those individuals authorised to view, process, or maintain particular systems.
    • All information and communications resources leased or owned by the State and all time sharing services billed to the State shall be used only to conduct State business.
    • All computer software developed by State employees or contract personnel on behalf of the State or purchased for the use of the State is State property and shall be protected as such, unless the contract under which the software is developed specifically provides otherwise.
    • Sensitive information shall be accessible only to personnel who are authorised by the agency on the basis of strict "need to know" in the performance of their duties. Data containing any sensitive information shall be readily identifiable and treated as sensitive in its entirety.
    • When sensitive information from an agency is received by another agency in connection with the transaction of official business, the receiving agency shall maintain the confidentiality of the information in accordance with the conditions imposed by the providing agency.
    • A sufficiently complete history of transactions shall be maintained for each session involving access to critical and sensitive information, as determined by risk analysis, to permit an audit of the system.
  • Physical Security and Access to Data Processing Facilities

    All State information processing areas must be protected by physical and environmental controls appropriate for the size and complexity of the operations and the criticality or sensitivity of the systems operated at those locations.

  • Logical Data and Access Controls
  • Except for public users of information resources where such access is authorised, or for situations where risk analysis demonstrates no need for individual accountability of users, each user of a multiple-user information resource shall be assigned a unique personal identifier or user identification. User identification shall be authenticated before access is granted.

 

  • A user's access authorisation shall be removed when the user's employment is terminated or the user transfers to a position where access to the information resource is no longer required.
  • Controls shall ensure that users of information resources can access stored software or system control data only if they have been authorised to do so.
  • Data and System Integrity
    • Controls shall be established to maximise the accuracy and completeness of data.
    • For tasks that are susceptible to fraudulent or other unauthorised activity, agencies should ensure adequate separation of functions.
    • Test functions shall be kept either physically or logically separate from production functions. Copies of production data shall not be used for testing unless the data has been desensitised or unless all personnel involved in testing are otherwise authorised access to the data.
    • After a new system has been placed in operation, all program changes shall be approved before implementation to determine whether they have been authorised, tested, and documented.

       

  • Network Security
    • Network resources participating in the access of sensitive information shall assume the sensitivity level of that information for the duration of the session. Controls shall be implemented commensurate with the highest risk.
    • Agencies shall prescribe sufficient controls to ensure that access to network services and host services and subsystems is restricted to authorised users and uses only. These controls shall selectively limit services based upon: user identification and authentication (e.g., password), or designation of other users, including the public where authorised, as a class (e.g., public access through dial-up or public switched networks), for the duration of a session.
    • While in transit, sensitive information shall be encrypted if sending stations, receiving stations, terminals, and relay points are not all under positive State control, or if any are operated by or accessible to personnel who have not been authorised access to the information, unless the requirement to transfer such information has been validated and cannot be satisfied with information which has been desensitised, and the agency head has documented acceptance of the risks of not encrypting the information based on evaluation of the costs of encryption against exposures to all relevant risks.
    • Selection of encryption algorithms and key management practices shall be based on documented risk analysis. Algorithms may incorporate one time ciphers, symmetric, or asymmetric encryption, or combinations of these methods. Where the algorithm or its implementation permits variable length keys, the determination of key length shall be based on documented risk analysis.

 

  • Backup and Recovery
    • Data and software essential to the continued operation of critical agency functions shall be backed up on regular intervals. The security controls over the backup resources shall be as stringent as the protection required of the primary resources.
    • All information resources identified as critical to the continuity of governmental operations shall have written and cost effective contingency plans to provide for the prompt and effective continuation of critical State missions in the event of a disaster, and these contingency plans shall be tested at least annually.

       

  • Personnel Security and Security Awareness
    • Every employee shall be held responsible for information resource security to the degree that his or her job requires the use of information resources. Fulfilment of security responsibilities shall be mandatory, and executive agencies are authorised to enforce compliance with security responsibilities through disciplinary actions, up to and including dismissal, civil penalties, or criminal penalties.
    • Agencies shall provide an on-going awareness and training program in information security and in the protection of State information resources.
    • Awareness and training in security shall not be limited to formal training sessions, but shall include on-going briefings and continual reinforcement of the value of security consciousness.

       

  • System Acquisition, Auditing and Reporting
    • Appropriate information security and audit controls shall be incorporated into new systems.
    • An internal audit of the agency information security function shall be performed periodically.
    • Automated systems which process sensitive information should, to the degree practicable, provide the means whereby authorised personnel have the ability to audit and establish individual accountability for any action that can potentially cause access to, generation of, or affect the release of the information.
    • Security incidents and breaches shall be promptly investigated and reported to the appropriate authorities.

 

  • Level of Security

Level 0

Unrestricted access. This level represents the unrestricted environment where there are no access controls and no assumptions can be made about anyone operating at this level. Essentially, there is no security at this level.

Level 1

Audit and screening of unnecessary access. At this level simple auditing and screening procedures are established. To pass Level 1 security, the security manager generally provides systems that require simple logging of the access. Since there is no user authentication (passwords) at this level, the logging is generally accomplished by logging of network addresses or some other identifier. Security at this level may also exclude some traffic that has no reason to cross the boundary.

Level 2

Audit and screening of illegal access. At this level logging is still only by address or some other identifier, but now specific protocols or applications are prevented from passing. For a network this might mean all inbound TELNET is blocked. For a system this could be all dial-in traffic after 6:00 p.m. Data and systems in this environment are not critical and can be reconstructed in a reasonable amount of time if destroyed.

Level 3

Audit, screening and loose authentication. At this level users are required to identify themselves by a basic mechanism, such as a password. This is "loose" because the user does not have to do much to prove they are who they say they are. Audit information now contains user identification as well as addresses. Data in this environment must be protected from unauthorized access. If seen by unauthorized personnel it is unfortunate, but not a major problem. Audit trails are very important so that security managers are aware that information has been accessed by unauthorized parties.

Level 4

Audit and physical access only. At this level, more sophisticated authentication schemes are employed to ensure that the user is really who they say they are. This is generally accomplished by systems that utilize one time passwords, challenge/response systems, or physical identification. Data in this environment is extremely sensitive such that if the data is viewed by unauthorized personnel severe consequences would occur.

Level 5

Audit and physical access only. This level is the most secure level. Access at this level is so strict that remote access is not allowed and only the most strenuous authentication is employed. This level of security would be employed to protect resources for which absolutely no illegal access can be tolerated without very severe consequences.

 

3.8 Use of Approved Software

The purpose of this policy is to ensure that the utility of State owned computers is not diminished by the installation of unauthorised software. Usage of State owned computers may be diminished as a result of the configuration being modified by the installation of personally owned software, by the introduction of a computer virus, by filling up the hard disk with personally owned software, by decreasing the compatibility of documents with those of other employees due to the business use of personally owned software, or by detracting from efficiency through business time spent learning and using non-standard software. This policy also attempts to reduce the State's potential liability resulting from an employee's use of software which has not been properly licensed.
Therefore, only approved and licensed software acquired or systems developed by the State Computer Services Department for official use may be loaded onto, or used on State Government owned computers.

 

3.9 Acceptable use of Antivirus

  •  File Transfer

    Any file transferred electronically into any State owned computers must be scanned for virus infection before, during or immediately after the transfer. All transferred files must be scanned prior to execution or use.

  • Periodic System Checks

    All equipment and software must be scanned at predefined time intervals to ensure that the environment is free of any virus corruption.

  • Virus Detection Software

     All equipment and software must execute a standard virus scan product approved by the State Computer Services Department (SCSD). The scanner must be executed as part of an approved plan.

  • Virus Introduction

No person shall write, distribute or introduce any software known or suspected to be infected into the State computing environment.
Each infestation must be reported to the SCSD. The following information must be collected and reported in order to properly track and eradicate each occurrence:

  • Virus name or type
  • Software used to detect the infection
  • Extent of infection (single PC, LAN, server, mini computer, etc.)
  • Source of virus
  • Potential recipients of infected material
  • Steps taken (or planned) to disinfect

 
