










I hereby declare that MUHAMMAD FAHMI BIN JAAFAR (1128541), student of the
Department of Communication Engineering, International Islamic University Malaysia
(IIUM), has successfully completed his Engineering Industrial Training from 8th June 2015
till 7th September 2015 at Telekom Malaysia Berhad. This report is prepared by the above-
mentioned student as a partial fulfillment of this training. All information given in this
report is true and does not contain any confidential information or classified data that
might in one way or another abuse the company’s policy.


( )

Engineering Internship Training (EIT) is a coursework entitled to every engineering
student in IIUM. Each student is given the opportunity to choose their own preferred
company to undergo the EIT. I am grateful that I was granted a golden opportunity to
complete my EIT in the biggest telecommunication company in Malaysia, which is Telekom
Malaysia

First and foremost, I would like to express my gratitude to Allah S.W.T for giving
me the strength to complete my internship in three months without facing a lot of
difficulties. In addition, I would also like to thank my supervisor, Puan Nuremi bt Abdul
Halim, for her undivided attention and help through my training. During my three months
of internship, she always helped me and gave me a lot of beneficial lessons in the working
field. Besides that, I would like to thank fellow executives in the Information Security
and Business Continuity Management (ISBCM) unit for their help and experience sharing in
working with me. It would not have been easy for me to endure these three months of office
work without them.

Here, I would also like to thank Dr. Ahmad Zamani bin Jusoh, who kindly spent
his time to visit me at the company and who will also be the assessor of my Engineering
Industrial Training (EIT) final report. I was really grateful to him for his warm and
comfortable attention during the visit. He was also very kind and friendly towards me and
my supervisor. After the visit, my supervisor got a different perspective towards the
lecturers and respected them more. On top of that, I would like to thank my parents and
friends who always supported me during this period. Last but not least, I would like to
express my gratitude to the Kulliyyah of Engineering for giving me a golden opportunity to
gain experience in such a great company.



1.1 Background of the Company
1.2 Vision and Mission of Telekom Malaysia Berhad
1.3 Values of Telekom Malaysia Berhad
1.3.1 Total Commitment to Customer
1.3.2 Uncompromising Integrity
1.3.3 Care, Respect and Responsibility
1.4 Information Security and Business Continuity Management (ISBCM)
1.4.1 Organizational Chart
1.4.2 Jobs and Functions

2.1 Week 1 (8th June – 12th June)
2.2 Week 2 (15th June – 19th June)
2.3 Week 3 (22nd June – 26th June)
2.4 Week 4 (29th June – 3rd July)
2.5 Week 5 (6th July – 10th July)
2.6 Week 6 (13th July – 17th July)
2.7 Week 7 (20th July – 14th July)
2.8 Week 8 (27th July – 31st July)
2.9 Week 9 (3rd August – 7th August)
2.10 Week 10 (10th August – 14th August)
2.11 Week 11 (17th August – 21st August)
2.12 Week 12 (24th August – 28th August)

3.1 Projects Carried Out
3.1.1 ISMS
3.1.2 TM Network Operation – Data Analysis Report
3.1.3 Information Security Info graphic Poster
3.1.4 NOC BCM & IS Awareness Seminar
3.1.5 TM Statement of Applicability; Gap Analysis
3.1.6 TM Change Management System
3.1.7 TM Dashboard
3.1.8 ISMS Readiness Dashboard
3.1.9 Request For Change Dashboard
3.1.10 OLA Dashboard
3.2 Problem Encountered and Problem Solving Process
3.2.1 Lack of Knowledge on Access Database
3.2.2 Limited Creativity on Design

Figure 1 TM Logo
Figure 2 Managers of ISBCM Unit
Figure 3 Executives of Information Security Team
Figure 4 Data Analysis Report
Figure 5 Sample of Info Graphics by TM
Figure 6 Awareness Seminar Poster
Figure 7 GUI for the SoA Application
Figure 8 Input has been added into the Combo box
Figure 9 Radar Chart as a Result of the Calculation of Gap Analysis
Figure 10 TM CMS
Figure 11 Main Menu of CMS
Figure 12 GUI for TM Dashboard Creator
Figure 13 Input is added using Control
Figure 14 Created Dashboard
Figure 15 Created Report
Figure 16 GUI for ISMS Dashboard Creator
Figure 17 Created Dashboard
Figure 18 Details of Dashboard
Figure 19 GUI Control for RFC Dashboard
Figure 20 Dashboard for Successful RFC
Figure 21 Dashboard of detailed RFC for every NM
Figure 22 GUI Control for OLA Dashboard
Figure 23 Dashboard for Overall OLA
Figure 24 Dashboard of detailed OLA for every NM

1.1 Background of the Company

Telekom Malaysia Berhad (TM) is the largest telecommunication company in
Malaysia. It has a monopoly on the fixed line network and holds a considerable share
of the mobile communications market after its acquisition of Celcom and the merger with
its mobile operation arm, TMTouch. It has an internet service provider subsidiary (TMNet)
offering narrowband and broadband connectivity. Broadband connectivity is through DSL
under TMNet's Streamyx brand. Due to its near monopoly of the last mile connections,
TMNet is now the sole DSL broadband provider in the country. However, despite its high
number of subscribers, TMNet is subject to very vocal user criticism, with allegations of
poor service and clueless customer management.

TM, formerly known as Telekom Malaysia Berhad (TMB), is a corporate body
established in Malaysia after it was privatized. Before privatization, it was known as
the Department of Telecom Malaysia, or JTM for short, and was administered under the
Department of Telecommunications and Posts. On 1st January 1987, JTM was chaired by
Dato' Mohd Rashdan bin Haji Baba, and from then JTM was converted to Telekom Malaysia
Berhad (TMB). The purpose of establishing TMB was to reduce the burden of government
spending and to improve the quality of services. TMB was also known as an ambitious
organization that could stand independently. TMB plays a somewhat different role from
JTM: its focus is on real business that can be done more effectively and will indirectly
enhance the development of the country economically and socially.

On 14 April 2005, TMB underwent a rebranding which was officiated by Dato' Seri
Abdullah Haji Ahmad Badawi, the Prime Minister of Malaysia at that time. It was a
platform to inject new enthusiasm and passion into the overall image of the company and
to adopt a fresher and more energetic customer service culture. The Prime Minister's
willingness to officially launch the new brand identity showed the Government's support
for TM in the company’s quest to bring real and new change to TM.

Figure 1 TM Logo

The new identity marks the second change of the Company's visual identity since 1990,
when it became a public listed entity, and it came 15 years after the last brand
change. This rebranding is an essential step towards the transformation initiatives
that strengthen and support TM's business development strategy, which was unveiled
recently. Furthermore, this rebranding will help TM handle rapid changes in markets and
technology.

The first identity change occurred in 1987, when the Company was shifted from a
government entity to a corporatized body, known as STM or Telekom Malaysia. This was
followed by another change of name and identity to Telekom Malaysia Berhad as the
Company was listed on the Main Board of Bursa Malaysia on 7th November 1990. All of
these transformations involved changes in the name and logo of the company.

The rebranding effort had a deeper focus, and the reasons for the transformation were
compelling. First, 2005 marked the 15th anniversary of TM's listing on Bursa Malaysia,
so the rebranding was meant to inject a fresh approach to the brand and to reform the
overall company brand identity. Secondly, the fresh approach was taken by the company to
strengthen the efforts made in the previous changes. Thirdly, the rebranding would help
to keep the brand from being identified as only a local brand and place it back in line
with other well-known international telecommunications companies competing in this
region. The rebranding also included changes to how TM is perceived. It represents more
than an outward change of logo and name: the main thrust of the transformation is to
plant a customer-service-oriented culture among members, strengthened by improving the
quality of services rendered.

To realize the transformation, TM is focusing on providing intensive training for all
members of the “front-line” staff. This is meant to equip them with the necessary
customer service skills so that they can provide good quality service in a professional
and consistent manner at all customer touch points. In addition, TM is rolling out a CRM
IT infrastructure that will improve the systems and processes to ensure that all of the
'liners' are ready to deal with inquiries from customers. These changes are aimed at
showing the new identity of TM as emphatic, bold, enthusiastic and energetic.

1.2 Vision and Mission of Telekom Malaysia Berhad (TM)

TM believes connections make everything possible. Therefore, as Malaysia’s
leading provider in information communications technologies, TM strives to provide the
right connections to help you bring your close ones closer. From the way we operate to
what we intend to accomplish both on the local and international front, we apply and hold
close a vision of excellence created towards making your life better. TM's objective is to
be Malaysia’s leading new generation communications provider, embracing customer
needs through innovation and execution excellence. In achieving this, TM is committed to
providing a variety of innovative, productive and quality telecommunications facilities,
services and support needed by developing countries.

On the other hand, the TM mission is to provide comprehensive services to our
customers and to try to be a world class telecommunications company. TM plans to achieve
this goal through the development of human resources, supplying products and providing
excellent quality services, while also meeting the needs of the country, employees and

1.3 Values of Telekom Malaysia Berhad (TM)

Telekom Malaysia Berhad (TM) has its own values, which serve as the track as
well as the natural guide to achieving its corporate mission and vision. These values
help to mold Telekom Malaysia Berhad (TM) in its quest to become a world-class
telecommunications company.

1.3.1 Total Commitment to Customer

Telekom Malaysia Berhad (TM) is conscious, responsive and productive in
meeting all the needs and expectations of our customers. TM is also prepared to implement
various continuous improvements in order to offer a valuable service to customers. In other
words, Telekom Malaysia Berhad (TM) mainly focuses on customers and always gives
priority to quality in achieving total customer satisfaction.

1.3.2 Uncompromising Integrity

Telekom Malaysia Berhad (TM) is committed to truth and honesty in all actions.
Therefore, Telekom Malaysia Berhad (TM) is to be honest, dedicated and committed to
the organization's aspirations and always fair in its dealings with customers,
suppliers and colleagues.

1.3.3 Care, Respect and Responsibility

Teamwork and mutual respect for each other are the practice in Telekom Malaysia
Berhad (TM). Telekom Malaysia Berhad (TM) continues to seek a harmonious environment,
and the culture of its employees is to be conscious of cooperation, kindness, language
and mutual understanding, to have an open mind and always to appreciate the opinions and
feelings of others.

1.4 Information Security and Business Continuity Management (ISBCM)

In TM, there are various divisions and units to ensure better management of the
company. The ISBCM section sits under the Data Network Management (DNM) division of the
Information Technology and Network Technology (IT&NT) department of Telekom Malaysia
Berhad.

1.4.1 Organizational Chart

Figure 2 Managers of ISBCM Unit

Figure 3 Executives of Information Security Team

1.4.2 Jobs and Functions

• Coordinator for Security Initiatives in their respective Division.
• Subject matter expert in developing and maintaining Security Initiatives and
• Advises on issues of security and risk reduction in their respective division.
• Plan and implement the security training and awareness in respective division.
• Responsible for setting up security policies, evaluating new threats and reducing
  risk of intrusion, loss of data integrity and compliance violations.
• Suggests and evaluates resources for approaching security concerns, and generates
  initiatives to propose major projects that will improve NOC security.

During the internship, all students are required to write a summary on their daily
activities in terms of brief description of practical training exercise done, details of the
project participated and the types of skills obtained. Here is a summary of weekly activities
done during my internship in TM.

2.1 Week 1 (8th June – 12th June)

On the first day of internship, I was ordered to report for duty to the Information
Security and Business Continuity Management (ISBCM) unit, IT and Network Technology
– Division Data Network Management (DNM) at TM IT Complex, Cyberjaya. I was put
under the supervision of Puan Nuremi bt Abdul Halim, the manager of Information
Security (Compliance & Governance), ISBCM unit. There are two other executives
working under Puan Nuremi as her assistants, En. Muhammad Shazarizul Harizzat Mohd
Samsuri and Puan Najihah Mat Noh. Firstly, I was introduced to the company’s
organization chart. I was briefed about the Information Security Management System
(ISMS) which is currently being applied and developed in the TM Company. Besides that,
I was given the task of summarizing a network data analysis report. The task was quite
simple, involving the usage of Microsoft Excel and Adobe PDF. I also attended two
meetings with the unit members. During the meeting, besides getting my job scope, I got a
lot more information about the attempt to breach TM security and a few applicable actions
and solutions to counter it, briefed by another unit member, En Amir. The members were
also discussing their job description and activity list as they needed to send a half
year report to the upper management. The first week finally ended with a ‘gotong-
royong’ with fellow officers in the right wing of level 2, TM IT complex, as we were going
to enter the month of Ramadan in the following week. Last but not least, on the Friday
evening, I went to another meeting conducted in the next building, TM NOC,
discussing the aftermath of the recent earthquake in Sabah which involved a few of
TM’s assets there.

2.2 Week 2 (15th June – 19th June)

I have learned a lot more about the ISMS, which has 14 domains in its Standard. I
was also assigned to do quick research on ‘safer online shopping’ for an info graphic
poster in information security programs, initiatives and engagements. The poster was
created to raise awareness on the safety of online shopping. On Wednesday, I attended a
seminar on ‘Network Operation Centre (NOC) Business Continuity Management (BCM) and
Information Security (IS) Awareness’ at Telekom Malaysia Convention Centre (TMCC)
in Kuala Lumpur. I have learned a lot of things regarding my unit during the seminar.

2.3 Week 3 (22nd June – 26th June)

I started my third week by creating a system flowchart for my assignment. I was
assigned to create a program that will ease the calculation of gap analysis for the ISMS
Statement of Applicability. For this assignment, I chose Visual Basic as the programming
language as it offers ease in terms of interface and coding simplicity compared to other
programming languages. Throughout the week, I learnt how to access a database, create a
radar chart and code a few calculations. Besides that, I tried to add, delete, search,
get, and clear data from and into the database. I chose Microsoft Access database for it
is commonly used and easily integrated with visual basic

2.4 Week 4 (29th June – 3rd July)

During the fourth week, I managed to create and finalize the ISMS Statement
of Applicability system. The GUI for the system was also touched up to make it more
attractive and easy to use. Besides that, the info graphic poster assignment that was given
during the 2nd week had also been done and finalized. Lastly, I was introduced to the change
management system in TM. I have learnt quite a few things on the order to ‘request for
change (RFC)’ for the company. I was assigned to analyze the RFC under 4 topics, which
are status, category, impact and DN/NOC.

2.5 Week 5 (6th July – 10th July)

In week 5, I was assigned to make an analysis of the RFC report. This time,
I learned a lot of tricks and options that can be used in Microsoft Excel. I learnt how
to create a pivot table based on data and the usage of the filter option. For the 2nd
assignment, I was introduced to TM Dashboard, which is used to show the progress for ISMS.
There are 5 steps of progress shown: review, amendment, verification, endorsement and
awareness. At first, I was assigned to design a better dashboard which ought to be more
attractive. Then, I was asked to create an application which will automate the progress
bar for the dashboard. As usual, I started my visual community application and learnt more
on progress bar functionality in visual basic programming. Last but not least, I got to
analyze the attendance data for members in the ISBCM unit. There are basically 4 main
concerns in the attendance, which are working days, leave including annual, emergency and
medical, late in or out, and missing in action.

2.6 Week 6 (13th July – 17th July)

During week 6, I completed the 2nd assignment, which was to create the
dashboard. I also did a few summaries for the EIT report and slides. Since
Eidul Fitri is on Friday, I applied for 2 days off on Wednesday and Thursday.

2.7 Week 7 (20th July – 14th July)

Another week passed with only two days of attendance since I took another three
days off this week. After a long holiday, I was excited to test the compatibility of my
programs to be used as a published application. I tested them on a few different versions
of PC and found quite a few problems, mostly caused by the font used, which is not
compatible globally. After a few changes, the applications can run smoothly.

2.8 Week 8 (27th July – 31st July)

During the eighth week, I was already preparing the slides and report
since the lecturer from IIUM was going to visit soon. I compiled all the projects that
have been done so far. Besides that, I started to do deep research on TM Company. I
learnt the company’s background, its vision and mission, and core values. The study was
included in the EIT report. I have done 60% of the EIT report including Introduction,
Summaries of Duties and Working Experiences.

2.9 Week 9 (3rd August – 7th August)

On Tuesday, all members of the ISBCM unit had a mini gathering for Hari Raya
celebration at Taman Tasik Perdana Kuala Lumpur. Back to work, I was assigned to
retouch the info graphic poster that had been done previously. It took a whole lot of time
for me to redo the poster as the previous one had a huge amount of words and this
isn’t in keeping with the nature of an info graphic poster, which needs to have more
graphical images than words.

2.10 Week 10 (10th August – 14th August)

This week, I was introduced to ISMS Readiness, an analysis to check the Plan Do
Check Act (PDCA) functioning of ISMS. While doing the info graphic poster, I was given
a new assignment, which is to create a new dashboard for the ISMS Readiness. The concept
is the same as the previous TM dashboard but there were a few things that needed to be
changed and, after all, I did manage to build the application faster than the one I did
before.

2.11 Week 11 (17th August – 21st August)

Basically, I used up this week to prepare PowerPoint slides for the presentation
during the lecturer’s visit. On Thursday, I was visited by Dr. Zamani Jusoh from IIUM to
present my internship training. The presentation was done together with three other IIUM
students; Ameer Amri bin Kamarulzaman and Fathin Nur Najati bt Abdul Halim. Later on,
I was assigned to create another dashboard for my colleague but before that, I was briefed
about the project. This time, the dashboard is not for ISMS but for another unit, which is
IS Control and Assurance.

2.12 Week 12 (24th August – 28th August)

It was the last week of my internship training at TM. On Monday, we had a potluck
party at the office. The rest of the week was used to finish my EIT report as fulfillment
for my Industrial Training course. Besides that, I joined a few activities conducted by the
musolla such as Yasin recitation and Kuliah Zuhur. On the last day, I was given a lot of
advice and recommendations by the manager on my life journey after finishing my
degree. That marks the end of my internship for three months at Telekom Malaysia
Berhad. Let’s go back to school!

3.1 Projects Carried Out

3.1.1 ISMS

An Information Security Management System (ISMS) is a set of policies concerned with
information security management or IT related risks. The term arose primarily out of BS
7799. There are 10 clauses in the ISMS standard.

1. Scope
   • Requirement to establish, implement and maintain information security
     management system within the organization.
   • Example: in TM there are TMNOC, or Server Room
2. Normative Reference
   • ISO/IEC 27000
3. Terms and Definitions
4. Context of Organization
   • Understanding organization and its context
     - Organization shall determine the issues that are relevant and affect
       its ability to achieve the outcome of ISMS.
   • Understanding needs and expectations of interested parties
     - Organization shall determine the interested parties and their requirements
       relevant to ISMS.
   • Information Security Management System
     - Organization shall establish, implement, and continually improve
       ISMS in accordance with its standard.
5. Leadership
   • Leadership and Commitment; top management should:
     - Ensure the security policy is established and compatible with the
     - Ensure the integration of ISMS requirements in organization processes.
     - Ensure the resources needed for ISMS are available.
     - Ensure ISMS achieves its intended outcome
     - Promote continual improvement of ISMS
     - Direct and support people to contribute to the effectiveness of
     - Support other managerial roles
   • Policy
     - Should be appropriate to the purpose of the organization
     - Include information security objectives
     - Include commitment to satisfy applicable requirements
     - Include commitment for continual improvement of ISMS
     - The Information Security Policy (ISP) shall:
       o Be available as documented information
       o Be communicated within the organization
       o Be available to interested parties
6. Planning
   • Organization shall:
     - Ensure ISMS can achieve its intended outcome
     - Evaluate the effectiveness of action
     - Plan action to address the risk
     - Achieve continual improvement
     - Prevent, reduce undesired effect
   • In Information Security Risk Assessment, organization shall define and
     apply risk assessment by:
     - Identify the information security risk
     - Analyze the information security risk; its consequences and level
     - Evaluate the information risk by prioritizing for risk treatment
     - Ensure repeated risk assessments produce consistent, valid and
       comparable results
     - Establish and maintain information security risk criteria
   • In Information Security Risk Treatment, an organization shall:
     - Select appropriate risk treatment options using the assessment result
     - Determine controls that are necessary to implement the treatment chosen
     - Produce a statement of applicability that contains the necessary controls
     - Formulate a risk treatment plan
     - Obtain the risk owner’s approval and acceptance
   • Information Security Objectives and Planning to Achieve Them
     - Information security objectives shall:
       o Be consistent with policy
       o Be measurable
       o Be communicated
       o Be updated
     - When planning to achieve objectives, an organization should determine:
       o What will be done
       o What resources will be required
       o Who will be responsible
       o When it will be completed
       o How the result will be evaluated
7. Support
   • Resources
     - Organization shall determine and provide resources needed.
   • Competence
     - Organization shall:
       o Determine necessary competency of persons working for it
       o Ensure these persons are competent
       o Retain appropriate documented information as evidence of
       o Take actions to acquire necessary competence and evaluate it.
   • Awareness
     - The person doing work should be aware of:
       o Policy
       o Contribution
       o Implication of not conforming with ISMS
   • Communication
   • Documented information
     - Organization should include documented information of ISMS
       related policy
8. Operation
   • Operational Planning and Control
     - An organization shall:
       o Plan, control and implement processes needed to meet
         information security requirements
       o Keep documented information
       o Control planned changes and review consequences of action
       o Ensure processes are determined and controlled
   • Information Security Risk Assessment
     - Perform assessment at planned intervals
     - Retain documented information as results of assessment
   • Information Security Risk Treatment
     - Implement the treatment plan
     - Retain documented information as results of treatment
9. Performance Evaluation
   • Monitoring, Measurement, Analysis and Evaluation
     - Organization shall determine:
       o What needs to be monitored and measured
       o Methods for monitoring and measuring
       o When the monitoring should be performed
       o Who shall monitor and measure
       o When the can be analyzed
       o Who shall analyze the result
   • Internal Audit
     - Organization shall:
       o Plan, maintain an audit program
       o Define audit criteria and scope for each audit
       o Select auditors
       o Ensure results are reported to management
       o Retain documented information as evidence
   • Management Review
     - Review shall consider:
       o Status of action from previous review
       o Changes in issues that are relevant to ISMS
       o Feedback
       o Results of risk assessment
10. Improvement
   • When a nonconformity occurs, an organization shall:
     - React, take action and deal with consequences
     - Evaluate need of action to eliminate cause of nonconformity
     - Implement any action needed
     - Review effectiveness of any action taken
     - Make changes to the ISMS
   • Continual improvement
     - ISMS should always be improved for a better future

The ISBCM unit in TM is responsible for planning, developing, implementing and
maintaining ISMS throughout TMNOC in Cyberjaya. Therefore, I was given the opportunity to
understand more about the ISMS and take part in their project in implementing this system.
There are a few applications that have been created to help the unit members in organizing
the system implementation. The programs created are reported later in the report.

3.1.2 TM Network Operation – Data Analysis Report

Figure 4 Data Analysis Report

Data analysis is important to make sure the progress of implementation for the
ISMS is going to be on track. Thus, I was assigned to analyze the data for every section
in ISBCM. My work for this report is simple. I just need to transfer data and graph from
Microsoft Excel into a PDF Document.

3.1.3 Information Security Info graphic Poster

Figure 5 Sample of Info Graphics by TM

Here are the advantages of info graphics:

• Info graphics are more eye-catching than printed words, since they usually
  combine images, colors, movement, and content that naturally draw the eye.
• Since most of us have increasingly shorter attention spans, we tend to “scan”
  material as opposed to actually reading text. Furthermore, we tend to
  remember information that we’ve seen more so than read.
• Info graphics are extremely shareable for use around the web. For example,
  an info graphic published on a WordPress blog or website usually provides
  an embed code. They are also easily shared on social networks and have a
  better chance of becoming viral compared to ordinary text.
• Info graphics can be used to reinforce a brand, simply because they are so
  visually appealing. If the design of an info graphic is consistent in colors,
  shapes, and messages, along with an organization logo, it will be an
  effective means of “Brand Awareness”.
• A well designed and aesthetically pleasing info graphic will drive people to
  an organization's site since they are more likely to “share” and “click” on it.
  Also, this can help with Google’s “PageRank” algorithm, which is
  important for SEO.
• Finally, info graphics are a fun and engaging medium that can generate a
  unique connection with visitors to either the company’s site or a location that
  has featured the info graphic.

I was assigned to create an info graphic poster entitled ‘safer internet shopping’.
Firstly, I searched for more information on the topic from the internet and then I tried to
convey the messages into a poster in terms of drawing and design. From the project, I have
obtained a lot of new skills in Adobe Photoshop. Examples are the marquee tool, quick
selection tool, and editing tool. The final design of the poster is shown below.

3.1.4 NOC BCM & IS Awareness Seminar

Figure 6 Awareness Seminar Poster

During the 1st month of my internship, as I struggled to understand the basic concept
and the functionality of the ISBCM unit in the company, I was required to attend a seminar
which was held at the Telekom Malaysia Convention Centre in Kuala Lumpur. I
gathered a lot of knowledge during the Seminar. The summary is written below.
Basically, there are 4 units under the Information Security and Business Continuity
Management (ISBCM) Section.

1. Information Security; Control and Assurance Unit (ISCA)
   • Information – an asset which has value to an organization which must be
   • Information Security – defined by CIA
     - Confidential – ensure the information can be accessed only by
       authorized parties.
     - Integrity – protection of system information from being modified.
     - Availability – assurance that a system is accessible when needed.
   • DDoS Attack – Distributed Denial of Service.
     - The master will command the bots to flood the server with requests,
       thus it will hang/jam.
   • Threat – something that can potentially damage network and organization.
   • Vulnerability – weakness in the organization that can be exploited by a threat.
   • Risk – threat + vulnerability
   • Plan, Do, Check and Act (PDCA) method is used against threats.
   • The PDCA process:
     - Establish the ISMS
       o Define ISMS Context and Requirement
       o Organization Chart and Business Functions
       o IS & Business Objectives
       o Interested Parties
       o Interface & Dependencies
       o Internal & External Issues
     - Implement and Operate the ISMS
       o Consolidate assets registered
       o Conduct risk assessment
       o Implement risk treatment plan
       o Training & awareness programs
       o Implement procedure & controls
     - Maintain and Improve the ISMS
       o Identify actions towards
       o Non-compliance and improvement
       o Receive approval and acknowledgement from management
       o Provide feedback to Internal & External Auditors
     - Monitor and Review the ISMS
       o Monitor & review ISMMM
       o Conduct Compliance Checking
       o Facilitate internal & external audit
       o Conduct Management review for management feedback
   • Example of security measures – 10 minutes screen lock for laptop.
2. Information Security; Compliance and Governance Unit (ISCG)
 ISMS vs. QMS – security oriented vs. quality oriented.

 Information Security Management System (ISMS) – applies a risk
management process to ensure risks are adequately managed.
 There are 14 domains and 10 clauses in ISMS.
 Information Security Policy
 Organization of Information Security
 Human Resource Security
 Asset Management
 Access Control
 Cryptography
 Physical and Environmental Security
 Operations Security
 Communications Security
 System Acquisition, Development and Maintenance
 Supplier Relationship
 Information Security Incident Management
 Information Security Aspect of Business Continuity Management
 Compliance
 Example of a control in the ISMS domains: 4 classifications of information
 Public
 Internal Use
 Confidential
 Secret

3. Business Continuity Management; Risk Management and Business Impact
Analysis (RMBIA)
 BCM ensures that TM businesses continue to function with little or no
interruption of operations and services in the event of any disruptions due
to natural disaster or manmade disaster.
 To minimize service disruptions and increase the ability of TM to reliably
meet the needs of our customers and stakeholders, resulting in a reputation
as a reliable provider of telecommunication services, and, possibly, in
improved profitability and increased market share.
 Business Impact Analysis (BIA) – process of analyzing business functions
and the effect that business disruption might have upon them.
 Risk Analysis – assessment process that identifies, analyzes, and evaluates the
risk should an incident occur to the organization.
 Generic BIA process
 Identify business unit
 Identify critical function
 Data collection
 Data analysis
 Report

4. Business Continuity Management; Crisis Management and Disaster Recovery

 TM is committed to all reasonable steps to identify potential impacts that
threaten the organization and provides a framework for building business
resilience and the capability for an effective response that safeguards the
interests of its key stakeholders, reputation, brand and value creating activities.
 The BCM approach will be conducted through the:
 Establishment of Business Continuity Plan
 Periodic reviewing of Business Impact Analysis and Risk Assessment
 Periodic updating of Business Continuity Plan
 Periodic awareness and exercise of the Business Continuity Plan
 The Group CEO is accountable to the stakeholders for the implementation of
BCM framework and practices.
 The respective LOB, Business and Central Function Heads are responsible to
ensure that their key functions are able to continue following major disruptive
incidents, crisis or disaster.

 Business Continuity ensures that businesses continue to function with little or
no interruption of operations and services in the event of any disruptions
including, but not limited to, power outages, telecommunications failures,
terrorist attacks, fires, natural disasters, and sabotage.
 The basic concept of business continuity and disaster recovery is simple:
minimize service disruptions and the resulting financial losses.
 This increases the ability of organizations to reliably meet the needs of their
customers and stakeholders, resulting in a reputation as a reliable provider of
goods and services, and, possibly, in improved profitability and increased
market share.
 To achieve these objectives, organizations must implement Business Continuity
Management. BCM is a process driven method to safeguard organizations’
reputation, profitability, and, should there be a major catastrophe, survival.
 These are the BIA clusters:

[Figure: 7 Clusters of BIA – Metro Exchange, Hill Station, Submarine / Satellite,
Suburban Exchange, Rural Exchange, Island Station]

3.1.5 TM Statement of Applicability; Gap Analysis

The importance of the Statement of Applicability (sometimes referred to as SoA) is usually
underrated – like the Quality Manual in ISO 9001, it is the central document that defines
how an organization will implement a large part of its information security. The
Statement of Applicability (ISO 27001 Clause 6.1.3 d) is the main link between the risk
assessment and treatment and the implementation of information security – its purpose is
to define which of the suggested 114 controls (security measures) from ISO 27001 Annex
A will apply and, for those that are applicable, the way they will be implemented. As Annex
A is considered to be comprehensive, but not exhaustive for all situations, nothing prevents
the organization from also considering another source for the controls. There are six levels
in which every control is analyzed. The levels are:

 Non-Existent – Complete lack of recognizable control

 Initial – There is evidence that a security issue exists and needs to be addressed;
however there are no controls in place to tackle the issue.
 Limited – Security controls are still in development and/or there is limited
documentation to support the requirement.
 Defined – Security controls have been documented and communicated through
training, but there are areas where the required detail is lacking and/or they are not
fully implemented.
 Manage – It is possible to measure the effectiveness of security controls but there
is no evidence of any compliance reviews and/or the controls require further
refinement to reach the required level of compliance.
 Optimized – Security controls have been refined to the level required by ISO 27001
based on effective leadership, change management, continual improvement and
internal communication.
 Out of Scope – Control is out of scope

The importance of Statement of Applicability in an organization:

 First of all, during risk treatment, the controls that are necessary are identified
because the identified risks need to be decreased; however, in the SoA the controls that
are required for other reasons are also identified – i.e. because of the law,
contractual requirements, other processes, etc.

 Second, the Statement of Applicability justifies the inclusion and exclusion of
controls from Annex A, and the inclusion of controls from another source.

 Third, the Risk Assessment Report could be quite lengthy – some organizations
might identify a few thousand risks (sometimes even more), so such a document is
not really useful for everyday operational use; on the other hand, the Statement of
Applicability is rather short – it has a row for each control (114 from Annex A, plus
the added ones), which makes it possible to present it to management and to keep
it up-to-date.

 Fourth, and most important, the SoA must document whether each applicable control
is already implemented or not. Good practice (and most auditors will be looking for
this) is also to describe how each applicable control is implemented – e.g. either by
making a reference to a document (policy/procedure/working instruction etc.), or
by briefly describing the procedure in use, or the equipment that is used.

Gap analysis involves the comparison of actual performance with potential
or desired performance. In TM, I was assigned to create an application which will
automatically calculate the gap analysis from the Statement of Applicability. The
application will ease the flow of the existing method of calculating the gap analysis,
which involves a lot of work, from transferring the data needed between two Excel
documents and creating tables for calculation to finally creating the radar chart.
Using the application, the user just needs to key in the levels of the controls and the
program will calculate the gap analysis and create a radar chart by itself.

Figure 31 GUI for the SoA Application

Figure 32 Input has been added into the Combo box

Figure 33 Radar Chart as a Result of the Calculation of Gap Analysis

For the calculation part, I set marks for each of the levels in increments of 1, starting from 0
for ‘non-existent’. However, no mark is allocated if the level ‘out of scope’ is
selected. Instead, the control is removed from the calculation permanently. The following
code shows the calculation of the gap analysis for the first domain.

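' d1 starts as the number of controls in the domain and markd1 starts at 0.
' Index order assumed from the list of levels above:
' 0 = Non-Existent ... 5 = Optimized, 6 = Out of Scope.
If cb1.SelectedIndex = 0 Then
    valued1 = 0
ElseIf cb1.SelectedIndex = 1 Then
    valued1 = 1
ElseIf cb1.SelectedIndex = 2 Then
    valued1 = 2
ElseIf cb1.SelectedIndex = 3 Then
    valued1 = 3
ElseIf cb1.SelectedIndex = 4 Then
    valued1 = 4
ElseIf cb1.SelectedIndex = 5 Then
    valued1 = 5
ElseIf cb1.SelectedIndex = 6 Then
    d1 = d1 - 1 'out of scope: drop the control from the divisor
    valued1 = 0
End If
markd1 = markd1 + valued1 'combobox1
If cb2.SelectedIndex = 0 Then
    valued1 = 0
ElseIf cb2.SelectedIndex = 1 Then
    valued1 = 1
ElseIf cb2.SelectedIndex = 2 Then
    valued1 = 2
ElseIf cb2.SelectedIndex = 3 Then
    valued1 = 3
ElseIf cb2.SelectedIndex = 4 Then
    valued1 = 4
ElseIf cb2.SelectedIndex = 5 Then
    valued1 = 5
ElseIf cb2.SelectedIndex = 6 Then
    d1 = d1 - 1 'out of scope: drop the control from the divisor
    valued1 = 0
End If
markd1 = markd1 + valued1 'combobox1+combobox2
If d1 > 0 Then
    finald1 = markd1 / d1 'average mark of the in-scope controls
Else
    finald1 = 0 'every control in the domain is out of scope
End If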

As stated above, there are a total of 14 domains to be calculated in the gap analysis. Thus,
‘finald1’ is the value for the first domain, which is Information Security Policy. From the
chart in figure 5, the value for ‘finald1’ is 5, which means that either all the controls in the
domain are optimized or one of them is out of scope, since there are only two controls in
the domain.
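The same calculation generalized to any number of domains and controls, as an added example in Python (not the VB application's own code): levels are looked up in a table, ‘Out of Scope’ controls are dropped from both the sum and the divisor, and a domain with no in-scope control yields no score instead of a division by zero. The target level of 5 and the sample levels are assumptions.

```python
from statistics import mean

# Marks per level as described in the report: +1 per level, starting at 0.
LEVEL_MARKS = {
    "Non-Existent": 0,
    "Initial": 1,
    "Limited": 2,
    "Defined": 3,
    "Manage": 4,
    "Optimized": 5,
}
OUT_OF_SCOPE = "Out of Scope"
TARGET = 5  # assumption: the desired level for every control is "Optimized"


def domain_score(levels):
    """Average mark of the in-scope controls, or None if none are in scope."""
    marks = []
    for level in levels:
        if level == OUT_OF_SCOPE:
            continue  # excluded from both the sum and the divisor
        if level not in LEVEL_MARKS:
            raise ValueError(f"unknown level: {level!r}")
        marks.append(LEVEL_MARKS[level])
    return mean(marks) if marks else None


def gap_analysis(soa):
    """Map each domain to (score, gap to TARGET); (None, None) if fully out of scope."""
    result = {}
    for domain, levels in soa.items():
        score = domain_score(levels)
        result[domain] = (score, None if score is None else TARGET - score)
    return result


# Constructed sample input: domain names from the report, levels invented.
SAMPLE_SOA = {
    "Information Security Policy": ["Optimized", "Out of Scope"],
    "Cryptography": ["Defined", "Initial"],
    "Supplier Relationship": ["Out of Scope", "Out of Scope"],
}

if __name__ == "__main__":
    for domain, (score, gap) in gap_analysis(SAMPLE_SOA).items():
        print(f"{domain}: score={score}, gap={gap}")
```

The per-domain scores are the values a radar chart would plot; a domain reported as (None, None) should be left off the chart rather than drawn as zero.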

3.1.6 TM Change Management System

Change management is an IT service management discipline. The objective of
change management in this context is to ensure that standardized methods and procedures
are used for efficient and prompt handling of all changes to control IT infrastructure, in
order to minimize the number and impact of any related incidents upon service. Changes
in the IT infrastructure may arise reactively in response to problems or externally imposed

The goal of the change management process is to ensure that standardized methods
and procedures are used for efficient and prompt handling of all changes, in order to
minimize the impact of change-related incidents upon service quality, and consequently
improve the day-to-day operations of the organization.

Figure 34 TM CMS

Figure 35 Main Menu of CMS

3.1.7 TM Dashboard

Dashboards often provide at-a-glance views of KPIs (key performance indicators)
relevant to a particular objective or business process (e.g. sales, marketing, human
resources, or production). The term dashboard originates from the automobile dashboard
where drivers monitor the major functions at a glance via the instrument cluster.
Dashboards give signs about a business, letting the user know something is wrong or
something is right. The corporate world has tried for years to come up with a solution that
would tell them if their business needed maintenance or if the temperature of their business
was running above normal. Dashboards typically are limited to showing summaries, key
trends, comparisons, and exceptions. There are four key elements to a good dashboard:

 Simple, communicates easily

 Minimum distractions…it could cause confusion
 Supports organized business with meaning and useful data
 Applies human visual perception to visual presentation of information

Mainly, the dashboard here is created to show the progress of the ISMS policy, that is,
which of these 5 processes it is still in:

 Review
 Amendment
 Verification
 Endorsement
 Awareness

At the end of the day, this dashboard is going to help the executives in presenting their
work in front of the VP and can even be used during the audit period.

Figure 36 GUI for TM Dashboard Creator

Figure 37 Input is added using Control

Figure 38 Created Dashboard

Figure 39 Created Report

3.1.8 ISMS Readiness Dashboard

This project was done in conjunction with the previous TM Dashboard. Basically,
the mechanism is the same but a few changes have been made to make it more detailed. For
this dashboard, the objective is to show the readiness of the ISMS policy to be implemented
in 6 different scopes. They are:

 VP Office
 Access Network Management
 Data Network Management
 Internet Service Provider Network Management
 Transmission and International Network Management
 Voice Network Management

Figure 40 GUI for ISMS Dashboard Creator

Figure 41 Created Dashboard

Figure 42 Details of Dashboard

3.1.9 Request For Change Dashboard
RFC, or Request for Change, is a functionality in the Change Management System.
It stores every request made by the user for analysis.

Figure 43 GUI Control for RFC Dashboard

Figure 44 Dashboard for Successful RFC

Figure 45 Dashboard of detailed RFC for every NM

3.1.10 OLA Dashboard

Figure 46 GUI Control for OLA Dashboard

Figure 47 Dashboard for Overall OLA

Figure 48 Dashboard of detailed OLA for every NM

3.2 Problem Encountered and Problem Solving Process

3.2.1 Lack of Knowledge on Access Database

To create the TM Gap Analysis and TM Dashboard applications, I have made use
of an Access database to store the data required. This is new to me as I have never made any
connection between VB and Access before. To make up for it, I have used the internet to
learn more about the steps and procedures for the work. There are a lot of YouTube tutorial
videos that can be watched to understand more about the programming.

3.2.2 Limited Creativity in Design

Due to horrible design, I have been asked to improve my info graphic poster at
least three times. As a result, I have done three different versions of the info graphic poster,
which may look unprofessional at the start but keep improving in the next version. This
problem of lack of creativity was countered by more training and by following a few
examples of info graphics taken from the internet.


I have completed three months of internship successfully at Telekom Malaysia
Berhad. During the period, the objectives of EIT were achieved. The objectives are to
expose students with the working environment, to enhance and supplement the knowledge
and skills of students, to develop students in term of ability, competence and interpersonal
relationship, to expose and familiarize the students to rules and regulations including safety
in industrial environment, and to develop the spirit of team working among students and
other working group members. I also learned from the company that ethics is more important
than skills. I am grateful to have learned something very valuable from this company since there
are not many companies which uphold ethics more than skills.

Even though I encountered a few problems during this training period, I am still glad
that I have managed to learn a lot of new knowledge and gain more experience. Thus, I
gladly finished my internship in this company, which I hope will pave my road in becoming
a great engineer for this country and ummah.

Praise be to Allah for all the things that He has done in order for me to complete
this engineering industrial training session without any big obstacle.