In the digital age, where sensitive information flows seamlessly through the internet, cybersecurity has become a paramount concern for just about every industry around the globe. Educational institutions are no exception. In fact, the Microsoft Global Threat Tool has reported education to be the industry most affected by enterprise malware in the last 30 days. The high volume of personal information and research data stored by higher education institutions, coupled with limited security budgets and headcount, makes this industry a prime target for cybercrime.
While Malaysia does not have cybersecurity laws specific to educational institutions, it does have a number of separate laws that address cybercrime. In this blog, we will be covering the frameworks and legislation that educational institutions need to be aware of.
The Personal Data Protection Act 2010 (PDPA) aims to protect personal data and ensure privacy. The PDPA applies to anyone who processes and has control over the processing of any personal data with respect to commercial transactions, such as educational institutions holding students’ personal data.
The PDPA sets out seven personal data protection principles that institutions must comply with. These are as follows:
The general principle sets out parameters for the processing of personal data by a data user, providing that personal data shall not be processed unless:
The principle stipulates that personal data may be processed only if the data subject has given consent, or if processing the personal data is necessary.
The Notice and Choice Principle requires a data user to, by written notice, inform a data subject of matters relating to the information of the data subject, which is being processed by, or on behalf of that data user.
The Disclosure Principle prohibits a data user from disclosing the personal data of a data subject:
The Security Principle stipulates that the appropriate steps be taken to protect personal data from any loss, misuse, modification, unauthorized or accidental access or disclosure, or alteration or destruction. In the case a data processor handles the data on behalf of the data user, the data user must still take appropriate security measures to govern the data processing and take reasonable steps to ensure compliance with said measures.
The Retention Principle provides that personal data must not be retained longer than is necessary for the fulfilment of the purpose for which it is processed, requiring the data user to destroy or permanently delete all personal data that is no longer required for that purpose.
The Data Integrity Principle requires a data user to take reasonable steps to ensure that the personal data is accurate, complete, not misleading, and kept up to date. This can be done by preparing a form for updating personal data or by updating personal data immediately upon receiving a personal data correction notice.
The Access Principle states that a data subject will be given access to their personal data held by the data user and be able to correct that personal data where it is inaccurate, misleading, or not up to date.
While not a national regulation, ISO 27001 is an international standard for the implementation of an enterprise-wide Information Security Management System (ISMS). It is a framework that organisations can adopt to protect information assets from malicious actors. The global standard provides complete guidance on building, implementing, maintaining, and continually improving the ISMS.
The process of getting an ISO 27001 certification involves:
Educational institutions may choose to align their cybersecurity practices with ISO 27001 to enhance their security posture.
The Computer Crimes Act 1997 (CCA) is a crucial piece of legislation enacted to counter cybercrime. It addresses offences such as unauthorized access to computer material, unauthorized access with intent to commit other offences, and unauthorized modification of the contents of any computer.
The Copyright (Amendment) Act aims to protect copyrighted works, including literary work such as computer programs and online materials. It outlines the applicable licensing principles and technological protection measures in relation to copyrighted work. Institutions should keep this in mind when distributing materials to staff and students and ensure that they abide by this act.
In conclusion, as educational institutions embrace technology to enhance learning experiences, the importance of cybersecurity cannot be overstated. Complying with Malaysian cybersecurity regulations and being aware of the relevant legislation is a crucial step toward fostering a secure digital environment.
By understanding and adhering to the regulations, educational institutions can ensure the resilience of their digital infrastructure in the face of evolving cyber threats.