
Your Guide to Education Cybersecurity Compliance in Malaysia

  • Mar 07, 2024
  • Exabeam Editor
  • 4 minutes to read

    In the digital age, where sensitive information flows seamlessly across the internet, cybersecurity has become a paramount concern for nearly every industry around the globe, and educational institutions are no exception. At the time of writing, the Microsoft Global Threat Tool reported education as the industry most affected by enterprise malware over the preceding 30 days. The high volume of personal information and research data held by higher education institutions, coupled with limited security budgets and headcount, makes the sector a prime target for cybercrime.

    While Malaysia has no cybersecurity law specific to educational institutions, it does have a number of separate laws that address data protection and cybercrime. In this blog, we cover the frameworks and legislation that educational institutions need to be aware of.

    Personal Data Protection Act 2010

    The Personal Data Protection Act 2010 (PDPA) aims to protect personal data and ensure privacy. It applies to any person who processes, or has control over or authorizes the processing of, personal data in respect of commercial transactions; an educational institution holding students’ personal data is a typical example.

    The PDPA sets out seven personal data protection principles that institutions must comply with. These are as follows:

    1. General Principle
    2. Notice and Choice Principle
    3. Disclosure Principle
    4. Security Principle
    5. Retention Principle
    6. Data Integrity Principle
    7. Access Principle

    General Principle

    The General Principle sets out the parameters for the processing of personal data by a data user. Personal data shall not be processed unless:

    • it is for a lawful purpose directly related to an activity of the data user
    • the processing is necessary for, or directly related to, that purpose
    • the data is adequate but not excessive in relation to that purpose

    In addition, the data user must have the data subject’s consent to process the data, unless the processing is necessary for one of the purposes the Act permits, for example performance of a contract with the data subject or compliance with a legal obligation to which the data user is subject.

    Notice and Choice Principle

    The Notice and Choice Principle requires a data user to inform the data subject, by written notice, that personal data about them is being processed by or on behalf of the data user. The notice must, among other things, describe the personal data and the purposes for which it is processed, state the data subject’s right to request access to and correction of the data, identify the class of third parties to whom the data may be disclosed, and say whether supplying the data is obligatory or voluntary.

    Disclosure Principle

    The Disclosure Principle prohibits a data user from disclosing the personal data of a data subject:

    • for any purpose other than the purpose disclosed at the time of the collection of the personal data or any directly related purpose
    • to any party other than a class of third parties to which, as stated in the written notice, the data user may disclose the personal data

    Security Principle

    The Security Principle requires a data user to take practical steps to protect personal data from loss, misuse, modification, unauthorized or accidental access or disclosure, alteration, or destruction. Where a data processor handles the data on behalf of the data user, the data user remains responsible: it must ensure the processor provides sufficient guarantees of the security measures governing the processing, and take reasonable steps to ensure compliance with those measures.

    Retention Principle

    The Retention Principle provides that personal data must not be retained longer than is necessary for the fulfilment of the purpose for which it is processed, requiring the data user to destroy or permanently delete all personal data that is no longer required for that purpose.

    Data Integrity Principle

    The Data Integrity Principle requires a data user to take reasonable steps to ensure that the personal data is accurate, complete, not misleading, and kept up to date. This can be done by preparing a form for updating personal data or by updating personal data immediately upon receiving a personal data correction notice.

    Access Principle

    The Access Principle states that a data subject will be given access to their personal data held by the data user and be able to correct that personal data where it is inaccurate, misleading, or not up to date.

    ISO 27001

    While not a national regulation, ISO/IEC 27001 is the international standard for establishing an enterprise-wide Information Security Management System (ISMS). It provides a framework for protecting information assets from threats, including malicious actors, and gives guidance on building, implementing, maintaining, and continually improving the ISMS.

    The process of obtaining ISO 27001 certification typically involves:

    1. Conducting a gap analysis against the requirements of the standard
    2. Performing an information security risk assessment and selecting the ISMS controls that address the identified risks
    3. Developing written security policies, controls, and ISMS procedures, together with a process for keeping them current
    4. Training staff on their responsibilities under the ISMS
    5. Implementing the security improvements that the gap analysis and risk assessment show are necessary
    6. Engaging an independent third-party certification body to audit and certify the ISMS

    Educational institutions may choose to align their cybersecurity practices with ISO 27001 to strengthen their security posture.

    Other Legislation to Keep in Mind

    Computer Crimes Act 1997

    The Computer Crimes Act 1997 (CCA) is a crucial piece of legislation enacted to counter cybercrime. It creates offences for unauthorized access to computer material, unauthorized access with intent to commit or facilitate another offence, unauthorized modification of the contents of any computer, and wrongful communication of a number, code, password, or other means of access to a computer.

    Copyright (Amendment) Act

    The Copyright (Amendment) Act protects copyrighted works, including literary works such as computer programs and online materials. It sets out the applicable licensing principles and the rules on technological protection measures applied to copyrighted works. Institutions should keep this in mind when distributing materials to staff and students and ensure that they abide by the Act.

    In conclusion, as educational institutions embrace technology to enhance learning, the importance of cybersecurity cannot be overstated. Complying with Malaysian data protection and cybercrime legislation, and staying aware of how it evolves, is a crucial step toward fostering a secure digital environment.

    By understanding and adhering to these regulations, educational institutions can build digital infrastructure that stays resilient in the face of evolving cyber threats.
