
PEOPLE FACTORS IN CYBER RESILIENCE: CREATING THE NEED FOR CYBERSECURITY EXPERTS

THE 6TH REGIONAL CYBER SECURITY SUMMIT
20-21 November 2017

DR. ZAHRI YUNOS
Chief Operating Officer
CyberSecurity Malaysia
http://zahriyunos.blogspot.my

Copyright © 2017 CyberSecurity Malaysia


ABOUT CYBERSECURITY MALAYSIA

A technical cyber security agency under the Ministry of Science, Technology & Innovation

Started operation as the Malaysia Computer Emergency Response Team (MyCERT) in year 1997 and later “rebranded” as CYBERSECURITY MALAYSIA in 2007



ABOUT OIC-CERT

FULL MEMBER
1. Azerbaijan: Azerbaijan Government CERT
2. Bangladesh: BGD e-GOV CIRT
3. Brunei: Brunei CERT (BruCERT)
4. Cote d'Ivoire: Cote d'Ivoire CERT (CI CERT)
5. Egypt: Egypt CERT (EG-CERT)
6. Indonesia: Indonesia Security Incident Response Team on Internet Infrastructure / Coordination Centre (ID-SIRTII)
7. Iran: Iran CERT (IrCERT)
8. Jordan: Jordan CERT (JO-CERT)
9. Kazakhstan: Kazakhstan CERT (KZ-CERT)
10. Libya: Libya CERT
11. Malaysia: CyberSecurity Malaysia
12. Morocco: Moroccan CERT (maCERT)
13. Nigeria: Consultancy Support Services (CS2) Limited
14. Oman: Oman National CERT (OCERT)
15. Pakistan: National Response Centre for Cyber Crime (NR3C)
16. Saudi Arabia: Saudi CERT (SA CERT)
17. Sudan: Sudan CERT
18. Syria: Information Security Center (ISC)
19. Tunisia: Tunisia CERT (TunCERT)
20. UAE: UAE CERT (aeCERT)

GENERAL MEMBER
1. bdCERT, Bangladesh
2. BangladeshCERT, Bangladesh
3. Kazakhstan Center for Analysis and Investigation of Cyber-Attack (CIACA)
4. PISA CERT, Pakistan
5. Turkey CERT (TR-CERT), Turkey
6. Iran APA Isfahan Univ of Tech CERT (APA IU TCert), Iran
7. APA AmirKabir Univ of Tech CERT (APA AUCert), Iran
8. APA Shiraz Univ CERT (APA SUCert), Iran
9. APA Sharif Univ CERT (APA SharifCert), Iran
10. MAHER Center, Iran

COMMERCIAL MEMBER
1. FireEye Malaysia, Malaysia
2. Telekom Applied Business, Malaysia
3. Duzon, South Korea
4. Intellium Ltd, United Kingdom
5. Microsoft Security Response Center, United States

PROFESSIONAL MEMBER
1. Assoc Prof. Dr. Hatim Mohamad Tahir, Malaysia
2. Dr. Abdulrahman Ahmad Abdu Muthana, Yemen
3. Prof. Dr. Rabiah Ahmad, Malaysia
4. Mr. Abdul Fatah Mohamed Yatim

FELLOW MEMBER
1. Prof. Nabil Sahli, Tunisia

AFFILIATE MEMBER
1. Team Cymru, United States

HONORARY MEMBER
1. Organization of the Islamic Cooperation, Saudi Arabia

Total Members: 42
Total Countries: 21
OIC-CERT STRATEGIC PILLAR

STRATEGIC PILLAR: Organizational Structure
LEAD BY: Chair & Secretariat
ACTION PLANS:
1. OIC-CERT members to establish a leading CERT as the “Point of Contact” for the coordinated efforts in mitigating cyber threats.
2. OIC-CERT to provide the necessary support to members in establishing the national CERTs.

STRATEGIC PILLAR: International Cooperation and Promotion
LEAD BY: Oman
ACTION PLANS:
1. Engagement / collaboration with international organizations, peers, counterparts, academia and private industry to promote OIC-CERT cooperation in mitigating cyber incidents among OIC-CERT members.
2. Promoting OIC-CERT at regional and international levels.

STRATEGIC PILLAR: Standard and Regulations
LEAD BY: Egypt & Iran
ACTION PLANS:
1. Develop OIC-CERT cyber security policies, procedures and best practices.
2. Ensure compliance to OIC-CERT cyber security policies, procedures and best practices.

STRATEGIC PILLAR: Technical and Technology
LEAD BY: Iran & Azerbaijan
ACTION PLANS:
1. Establish a methodology for the sharing and enhancement of technical solutions and technologies among OIC-CERT members.
2. Determine the effectiveness of the methodology for the sharing and enhancement of technical solutions and technologies among OIC-CERT members.

STRATEGIC PILLAR: Capacity Building
LEAD BY: Malaysia & Indonesia
ACTION PLANS:
1. Establish specialized cyber security training programs for OIC-CERT members.
2. Establish awareness on the cyber security capacity building program for OIC-CERT members.
3. Measure the effectiveness of the training programs.

STRATEGIC PILLAR: Awareness
LEAD BY: UAE
ACTION PLANS:
1. Develop library of information security awareness materials that can be used among the OIC-CERT countries for national awareness campaigns.
2. Develop a guideline for executing effective information security awareness programs.



CYBERSECURITY LEARNING CONTINUUM

[Figure: learning continuum in three tiers]
EDUCATION: Education and Experience (Cyber Security Specialists and Professionals)
TRAINING: Roles and Responsibilities Relative to IT Systems (Manage, Acquire, Design & Develop, Implement & Operate, Review & Evaluate, Use, Other); Security Basics and Literacy (All employees involved with IT systems)
AWARENESS: Security Awareness (All Citizen)
Levels: B = Beginning, I = Intermediate, A = Advanced

Source: National Institute of Standards and Technology (NIST) SP 800-16


IMPERATIVE ATTRIBUTES FOR EDUCATION AND EXPERIENCE

A holistic framework of cyber security professional certification that defines:

1. Cyber security domains
2. Independent assessments
3. Impartiality of examinations
4. Competences of trainers
5. Requirements of professional memberships
6. Continuous Professional Development (CPD) plan



CERTIFIED CYBER SECURITY PROGRAMS

Training Providers (example): Programs (example)

1. (ISC)2: CISSP
2. SANS: GWAPT, GPEN, GMOB, GCED
3. ISACA: CISM, CISA
4. CompTIA: Security+, Network+
5. EC Council: CEH, ECSA
6. DRI: BCP 501, BCLE 2000
7. Mile2: Pentest Hacking, Disaster Recovery
8. Cyber Intelligence: CCDA, CISAM
9. LGMS: Certified Forensics Lead Accessor
10. K2Baseline: CSAP
11. Orbitage: CITA, CIPA



OUR PROPOSAL: GLOBAL ACCREDITED
CYBERSECURITY EDUCATION (ACE) SCHEME

The Global Accredited Cybersecurity Education (ACE) Scheme is a large-scale systematic plan of actions & arrangements to establish the certification plans for Cyber Security Professionals at par with recognized international standards.

Professional certifications are industry driven & vendor neutral.

Foundation to:
• Assure workforce capabilities and experiences
• Secure and validate core skills, knowledge, attitude and experience
• Assure trustworthiness, ethical conduct and responsibilities

The Global Accredited Cybersecurity Education (ACE) Scheme is guided by ISO/IEC 27001 and ISO/IEC 9001.

Professional Examinations are aligned with the requirements of ISO/IEC 17024.



APPROVAL

7TH OIC-CERT ANNUAL GENERAL MEETING
9 Sept 2015 - Approval of the proposal of Cyber Security Professional Certification Scheme during the OIC-CERT 7th Annual General Meeting @ Kuala Lumpur, Malaysia

OIC-CERT STEERING COMMITTEE MEETING
15 March 2016 - Approval of the Concept Paper on the Cyber Security Professional Certification Scheme during the OIC-CERT Steering Committee Meeting @ Yogyakarta, Indonesia

8TH OIC-CERT ANNUAL GENERAL MEETING
13 Dec 2016 - Approval of the Global Accredited Cybersecurity Education (ACE) Scheme during the OIC-CERT 8th Annual General Meeting @ Jeddah, Saudi Arabia



GLOBAL ACCREDITED CYBERSECURITY
EDUCATION (ACE) SCHEME

GOAL
To create a world class competent workforce in cyber security and promote the development of cyber security professional programmes within the region

OBJECTIVES
1 To establish a professional certification programme that is recognized globally
2 To provide cyber security professionals with the right knowledge, skills, attitude (KSA) and experience
3 To promote the development of cyber security professional programmes globally
4 To ensure accredited personnel have been independently assessed and are committed to a consistent and high quality service level



GLOBAL ACE SCHEME GOVERNANCE
STRUCTURE

[Figure: governance structure chart]
Board of Governance: Highest authority that decides the overall strategy and policy direction of the Scheme
Secretariat: Manage the daily operation of the Scheme and act as conduit for all the committees
Quality Assurance
Certification Body
Technical Bureau: In charge of the various technical aspects of the Scheme
Management Bureau: Oversees the business management aspects of the Scheme
Committees: Professional Examination; Trainer Competency; Cyber Security Domains; Membership Management; Business Development



GLOBAL ACE SCHEME MALAYSIA CHAPTER:
IMPLEMENTATION PLAN & PROGRESS TO-DATE

[Figure: five-phase implementation staircase. Timeline axis: April 2016, June 2016, July 2016, Aug 2016, 1st Qtr 2018]

Phase 1: Development
1. The completion of scheme development plan document - DONE
2. Identification of Malaysia Pilot BoG chairman and its members - DONE
3. Appointment of the local BoG chair and members - DONE

Phase 2: Inception
1. The official formation of Malaysia Pilot Chapter - DONE
2. First local BoG & respective Committees meeting - DONE

Phase 3: Formation
1. Identification of respective committee heads and members - DONE
2. Appointment of respective committee heads and members - DONE
3. Workshop to kick-start pilot Chapter development - DONE

Phase 4: Execution
1. Each committee to develop respective programs & activities - In progress
2. Each committee to develop respective implementation plan - In progress
3. Harmonization between committees’ activities - In progress
4. Professional training starts - In progress

Phase 5: Launching
1. Certifications and membership enrolment - In progress
2. Pilot programs rollout - In progress
PROGRESS TO-DATE:
GOVERNANCE STRUCTURE (MALAYSIA CHAPTER)

[Figure: governance structure chart with member organization counts]
Board of Governance (Member organizations: 15)
Secretariat: CyberSecurity Malaysia
Quality Assurance (Member organizations: 3)
Certification Body (Member organizations: 4)
Technical Bureau: In charge of the various technical aspects of the Scheme
Management Bureau: Oversees the business management aspects of the Scheme
Committees:
- Professional Examination (Member organizations: 3)
- Trainer Competency (Member organizations: 6)
- Cyber Security Domains (Member organizations: 25)
- Membership Management (Member organizations: 7)
- Business Development (Member organizations: 2)



PROGRESS TO-DATE:
KNOWLEDGE, SKILL & ATTITUDE (KSA) OF DOMAIN

[Figure: KSA of domain]
Elements: Industry Requirements Alignment; Training Programs; KSA Descriptors; Assessments/Examinations
Sources: Malaysia Board of Technologies / Malaysia Ministry of Higher Education; Existing Professional Certifications; Country Chapters Certifications; Industry Based Certifications



PROGRESS TO-DATE:
CERTIFIED TRAINING PROGRAMS

Certified Penetration Tester (CPT)
Certified Cyber Defender Associate (CCDA)
Certified Digital Forensics First Responder (CDFFR)
Certified Information Security Awareness Manager (CISAM)
Certified Information Security Management System (CISMS)
PROGRESS TO-DATE:
TRAINER COMPETENCY FRAMEWORK

[Figure: trainer competency process. Stages: RECRUITMENT; EVALUATION; PERFORMANCE & COMPETENCY ASSESSMENT]

TRAINER CANDIDATE
• Application Form
• Curriculum Vitae
• Supporting Document

CRITERIA & STANDARD REQUIREMENT
• Qualification
• Experience
• Professional certification
• Skill

CRITERIA EVALUATION
• Soft Skill
• Technical Skill

APPROVAL

TRAINING SESSION

PERFORMANCE ASSESSMENT and CONTINUOUS ASSESSMENT
• Trainer Assessment Form
• Continuous Professional Development
Intervals shown: Every Six (6) Months; Every Three (3) Years

COMPETENCY EVALUATION / APPROVAL
• Performance Gap Analysis
• Performance Report
• BoG Chairman Endorsement
• Trainer Positioning

CERTIFIED/RECERTIFIED TRAINER



PROGRESS TO-DATE:
MEMBERSHIP MANAGEMENT

PROFESSIONAL
Professional membership is for individuals who demonstrate competency and knowledge in cyber security practices and professional experience.

ASSOCIATE
Associate membership is for individuals who have industry cyber security knowledge but lack the years of professional experience; or transfer from Student Member.

STUDENT
Student membership is for full time undergraduate students from recognized universities who aspire to adopt cyber security as a career.

Requirements shown across the membership tiers:
• Obtain any of the scheme’s certification or possess other recognized certification
• Minimum education qualification: Diploma from recognized universities
• One-time processing fee
• Annual Renewal (values shown): N/A; Fee + 20 CPD points; Fee + 40 CPD points
PROGRESS TO-DATE:
BUSINESS DEVELOPMENT

Revenue/Profit Sharing Model

[Figure: Country Chapter, Inter-Chapters Collaboration and Local Partners/Collaborators. Activities shown: Membership; Examinations; Consultancy; Partnership; Training; Contents Development; Joint Events; Trainers Engagement; Content Acquisitions]

Notes:
Membership & Examinations are subject to profit sharing between the Country Chapter, Malaysia Chapter & OIC-CERT Secretariat


OVERALL SUMMARY (MALAYSIA CHAPTER)

[Figure: summary graphic. Areas labelled: Secretariat; Cyber Security Domains; Trainers Competency; Professional Examination; Membership Management; Business Development; Quality Assurance]

Items shown:
• CyberSecurity Malaysia as Secretariat
• Global ACE Scheme Portal Developed
• Operation Manual V1.0 Developed
• 10 country chapters interested
• 10 workshops Conducted
• 4 Workshops Conducted
• 25 Organizations Engaged
• 8 KSA Descriptors Developed
• KSA Framework Established
• MBOT TEP-Cyber Security
• Trainer Competency Framework Established
• 3 Training partners Engaged
• Train-the-Trainer Program Conducted
• Professional Training Programs Established
• 4 Professional Exams Established
• Online Exam System Established
• Penetration Tester
• Digital Forensics
• Psychometric Assessment established
• Certification Scheme Aligned & Established
• Membership Framework Developed
• Membership Database System Established
• Partnerships & Collaborations Model Established
• Cost/Pricing Mechanism Established
• Profit Sharing Scheme Established
• QMS aligned to ISO9001 & ISO27001



OUR ASPIRATION: MUTUAL RECOGNITION THROUGH
GLOBAL ACE SCHEME RECOGNITION ARRANGEMENT

Global ACE Scheme Recognition Arrangement allows for mutual recognition of certified cyber security
professionals, which creates value for the cyber security industry and participating countries.

[Figure: country chapters linked through the Global ACE Scheme]
Chapters shown: AZ, IR, KZ, EG, MY, SA, BN, NG, ID, OM, PS, SD, AE, PK, BD, ..

Global ACE Scheme Mutual Recognition Areas:
• Knowledge, Skills & Attitude
• Professional Examinations
• Professionals Credential
• Registered Trainers
• Registered Training Programs
WAY FORWARD

1 Invitation to all countries to participate in the Global ACE Scheme

2 Establishment of the Global ACE Scheme Recognition Arrangement
