How nCrypt delivered a NACSA-aligned readiness assessment, citizen-data VAPT, architecture review and structured staff upskilling for a Malaysian federal agency ahead of a Cybersecurity Act 2024 sectoral readiness exercise. Client identifying details have been anonymised under the engagement non-disclosure agreement.
The client is a Malaysian federal agency operating citizen-facing services on behalf of the relevant ministry, with custodianship of more than five million citizen records and operational responsibility for several internet-facing services used daily by the public. The agency sits within scope of the Cybersecurity Act 2024 as an operator of national critical information infrastructure.
The technology estate combines a long-standing on-premises core, a growing footprint in the national government cloud and a small set of inter-agency integrations that exchange citizen data under formal sharing arrangements. The internal cybersecurity function is staffed but had limited recent exposure to adversary-quality independent assessment.
The engagement was triggered by the agency's preparation for a Cybersecurity Act 2024 sectoral readiness exercise being coordinated by the National Cyber Security Agency. The Director-General had given an explicit instruction that the agency would enter the readiness exercise with a defensible technical posture and a documentation pack capable of standing up to NACSA review.
Previous independent assessments of the agency had been limited in depth and had produced reports that would not have withstood a regulator-style review. The principal challenge was therefore to combine adversary-quality technical assessment with the structured documentation and architecture review that a NACSA-aligned readiness exercise would expect.
The agency's estate carried a number of long-standing exposures that had been documented internally but not yet remediated, including legacy framework versions on two of four internet-facing services and inconsistent privileged-account hygiene across the on-premises core. The engagement had to assess these exposures against an external adversary lens rather than restate the existing internal documentation.
The inter-agency sharing dimension added complexity. Several integrations exchanging citizen data with partner agencies had grown organically over the years and were no longer fully documented in the agency's own data-flow inventory. NACSA readiness required a credible and current data-flow picture, not the historical snapshot that existed at the start of the engagement.
Finally, the agency's leadership was clear that the engagement would only be judged successful if it left the in-house team materially more capable of running a NACSA-aligned posture independently in future. A structured knowledge-transfer programme was a contractual requirement rather than a value-add.
nCrypt staffed a six-consultant team, all holding the appropriate clearance levels for the data classifications in scope, and structured the engagement as four parallel workstreams across a twelve-week field window.
The technical assessment workstream covered the four internet-facing citizen services with full VAPT scope under OWASP ASVS Level 2, followed by an internal pentest of the on-premises core focused on privileged-access hygiene, lateral-movement exposure and backup-estate reachability. Active testing was conducted against mirrored environments wherever a service-availability risk existed.
The architecture review workstream produced a current-state and target-state view of the agency's estate mapped explicitly to NACSA-aligned control objectives and to NIST Cybersecurity Framework functions. The data-flow inventory was rebuilt from primary sources rather than refreshed, capturing every active inter-agency integration and the legal basis under which it operated.
The documentation workstream prepared the readiness pack that the agency would submit into the NACSA exercise. Every technical finding was mapped to a specific control objective and to a documented remediation owner inside the agency, so that the pack functioned as both an evidence submission and an internal action plan.
The knowledge-transfer workstream delivered structured upskilling to more than sixty internal staff across security operations, application security and architecture roles. Sessions were designed in collaboration with the agency's own learning and development function and were aligned to existing role definitions, so that the material survived the engagement as part of the agency's standard onboarding.
A long-standing internal lookup service used by frontline officers had been exposed to a partner agency via a wrapper API without re-applying server-side authorisation: the wrapper authenticated the partner and then forwarded lookups to an internal service that had been built to trust its caller. An authenticated partner-agency user could therefore enumerate records well beyond the legitimate use case.
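The defect above in miniature, as an added example that is not nCrypt's or the agency's code: a lookup service that trusts its caller, a wrapper that only authenticates, and a hardened wrapper that re-applies authorisation on the record actually fetched. The record data, the partner name and the district-based entitlement model are constructed for illustration.

```python
"""Added example, not code from nCrypt or the agency: a minimal model of the
wrapper-API authorisation defect, beside a hardened wrapper that re-applies
server-side authorisation. Record data, partner names and entitlements are
constructed for illustration."""
from dataclasses import dataclass, field

# Constructed citizen records keyed by a sequential ID (sequential IDs are
# what makes enumeration cheap once authorisation is missing).
RECORDS = {
    1001: {"name": "Citizen A", "district": "KL"},
    1002: {"name": "Citizen B", "district": "SGR"},
    1003: {"name": "Citizen C", "district": "JHR"},
}


def internal_lookup(record_id):
    """The long-standing internal service: built for frontline officers on
    the internal network, so it trusts whoever calls it."""
    return RECORDS.get(record_id)


@dataclass
class Partner:
    name: str
    authenticated: bool
    # Districts the partner may query under its sharing arrangement (assumed
    # entitlement model; the real basis is the inter-agency agreement).
    allowed_districts: frozenset = field(default_factory=frozenset)


def vulnerable_wrapper(partner, record_id):
    """Authenticates the partner and then forwards the lookup unchanged.
    Authentication answers 'who are you', not 'may you see this record', so
    any authenticated partner user can walk the whole ID space."""
    if not partner.authenticated:
        raise PermissionError("unauthenticated")
    return internal_lookup(record_id)


def hardened_wrapper(partner, record_id, audit):
    """Re-applies authorisation at the wrapper boundary, deciding on the record
    actually fetched rather than on the request alone. A record outside the
    partner's entitlement is answered exactly like a non-existent record, so
    the response is not an oracle for which IDs exist. Every decision is
    appended to the audit list so anomalous query volumes can be spotted."""
    if not partner.authenticated:
        raise PermissionError("unauthenticated")
    record = internal_lookup(record_id)
    permitted = record is not None and record["district"] in partner.allowed_districts
    audit.append((partner.name, record_id, "allow" if permitted else "deny"))
    return record if permitted else None


def enumerate_records(lookup, id_range):
    """The enumeration an assessor would attempt: sweep IDs, keep the hits."""
    return [rid for rid in id_range if lookup(rid) is not None]
```

Sweeping IDs 1000 to 1009 through `vulnerable_wrapper` returns every record in the store; the same sweep through `hardened_wrapper` returns only the one record inside the partner's entitlement, and the audit list records nine denials against one allow, which is the volume signature a monitoring rule should alert on. Rate limiting and non-sequential identifiers are complementary controls that this example does not show.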
Domain Admin accounts were being used for routine operational tasks across the agency's estate, including help-desk troubleshooting on standard user workstations. A compromised user workstation could harvest these credentials and reach the central directory in a single hop.
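A detection that would have surfaced this finding from the agency's own logs, as an added example that is not nCrypt's or the agency's tooling. It runs over constructed Windows Security event 4624 records in the shape a SIEM export or parsed Get-WinEvent output would give, and flags credential-caching logons by tier-0 accounts onto hosts outside the tier-0 set. The account names, host names and tier inventories are assumed.

```python
"""Added example, not the agency's or nCrypt's tooling: a detection rule for
the privileged-account hygiene finding, run over constructed Windows Security
event 4624 records. Account names, host names and tier inventories are
assumed for illustration."""

# Logon types that leave reusable credential material (password hashes,
# Kerberos tickets) on the target host: interactive, batch, service,
# new-credentials, RemoteInteractive and cached interactive.
CREDENTIAL_CACHING_LOGON_TYPES = {2, 4, 5, 9, 10, 11}

# Constructed inventories. In practice tier-0 accounts come from the membership
# of Domain Admins, Enterprise Admins and similar groups, and tier-0 hosts from
# the CMDB (domain controllers, privileged access workstations and, under
# tier-zero separation, the backup estate).
TIER0_ACCOUNTS = {"corp\\da-helpdesk", "corp\\da-backup"}
TIER0_HOSTS = {"DC01", "DC02", "PAW-01"}

# Constructed sample events: one RDP logon by a Domain Admin to a user
# workstation, one network logon (no cached credentials), one logon to a
# domain controller (in tier), one ordinary user, one service logon on a
# backup server, and one failed logon (4625) that must be ignored.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TimeCreated": "2024-09-02T08:14:03Z", "Computer": "WS-0417.corp.local",
     "TargetDomainName": "CORP", "TargetUserName": "da-helpdesk", "LogonType": 10},
    {"EventID": 4624, "TimeCreated": "2024-09-02T08:15:10Z", "Computer": "WS-0098.corp.local",
     "TargetDomainName": "CORP", "TargetUserName": "da-backup", "LogonType": 3},
    {"EventID": 4624, "TimeCreated": "2024-09-02T08:20:44Z", "Computer": "DC01.corp.local",
     "TargetDomainName": "CORP", "TargetUserName": "da-helpdesk", "LogonType": 2},
    {"EventID": 4624, "TimeCreated": "2024-09-02T08:31:27Z", "Computer": "WS-0417.corp.local",
     "TargetDomainName": "CORP", "TargetUserName": "jsmith", "LogonType": 2},
    {"EventID": 4624, "TimeCreated": "2024-09-02T09:02:51Z", "Computer": "BACKUP01.corp.local",
     "TargetDomainName": "CORP", "TargetUserName": "da-backup", "LogonType": 5},
    {"EventID": 4625, "TimeCreated": "2024-09-02T09:05:00Z", "Computer": "WS-0500.corp.local",
     "TargetDomainName": "CORP", "TargetUserName": "da-helpdesk", "LogonType": 10},
]


def detect_tier_violations(events):
    """Return one hit per successful credential-caching logon by a tier-0
    account onto a host outside the tier-0 set."""
    hits = []
    for e in events:
        if e.get("EventID") != 4624:
            continue  # only successful logons place credentials on the host
        account = f'{e["TargetDomainName"]}\\{e["TargetUserName"]}'.lower()
        if account not in TIER0_ACCOUNTS:
            continue
        logon_type = int(e["LogonType"])
        if logon_type not in CREDENTIAL_CACHING_LOGON_TYPES:
            continue  # type 3 network logons generally leave nothing to harvest
        host = e["Computer"].split(".")[0].upper()
        if host in TIER0_HOSTS:
            continue
        hits.append({"time": e["TimeCreated"], "account": account,
                     "host": host, "logon_type": logon_type})
    return hits


def hosts_by_account(hits):
    """Summarise where each tier-0 credential has been exposed: the set of
    hosts an attacker would need to compromise to harvest it."""
    summary = {}
    for h in hits:
        summary.setdefault(h["account"], set()).add(h["host"])
    return summary
```

On the sample, the rule returns two hits: the help-desk Domain Admin account on workstation WS-0417 (the single-hop path described above) and the backup account logging on as a service to BACKUP01. The same rule, run continuously, is one way to evidence the quarterly access review once tier-zero separation is in place: the hit list should be empty.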
Two of four internet-facing citizen services ran on framework versions that had reached end of vendor support. No immediately exploitable defect was identified during testing, but a framework that no longer receives security patches will stay unpatched when the next defect is published, and that future-risk profile was inconsistent with NACSA expectations for national critical information infrastructure.
Backup repositories were joined to the same Active Directory forest as the production estate, with privileged accounts shared across both. An attacker achieving domain compromise could plausibly destroy backup copies in the same operation, eliminating the recovery option for a ransomware-class event.
The agency's data-flow documentation predated the latest reorganisation and did not accurately reflect current inter-agency sharing arrangements. The gap was material to a credible NACSA submission and to the Cybersecurity Act 2024 sectoral readiness exercise.
Every critical and high finding was remediated and validated on retest inside the engagement window. The citizen lookup service authorisation defect was closed inside the first ten days of the remediation phase, and privileged-account hygiene across the on-premises core was rebuilt around tier-zero separation with quarterly access review embedded in the agency's standard operating procedure.
The agency entered the NACSA-aligned readiness exercise with a clean technical posture and a documentation pack that NACSA reviewers accepted without follow-up clarification requests. The Director-General has cited the engagement as the model for how future independent assessments will be commissioned across the agency.
The knowledge-transfer outcome has been equally durable. Two staff members who took part in the upskilling programme have since taken on senior security-engineering roles inside the agency, and the upskilling material has been adopted into the agency's standard onboarding for new technical hires. nCrypt is engaged on an annual reassessment cycle aligned to the NACSA reporting calendar.
Share your scope. We'll respond within 24 hours.
Get an integrated NACSA-aligned readiness assessment with adversary-quality testing and a documentation pack built for the regulator review.