Activity 2

The document discusses key aspects of information security and data privacy based on the ISO/IEC 9126 standard and the Data Privacy Act of 2012 (Republic Act No. 10173) of the Philippines. It defines the terms information and data and the CIA triad of confidentiality, integrity and availability. It also outlines the scope, requirements and rights defined in the Data Privacy Act regarding the collection, processing and sharing of personal data.

Uploaded by Andrew Andres

Activity #2 – UGRD IT 6300A-1

1. ISO/IEC 9126 standard: concept and its relationship with information assurance and security

- ISO/IEC 9126 is an international standard for the evaluation of software product quality. It defines a quality model with six characteristics (functionality, reliability, usability, efficiency, maintainability and portability), each broken down into sub-characteristics, together with metrics for measuring them. Security appears in the model as a sub-characteristic of functionality: the capability of the software to protect information and data so that unauthorized persons or systems cannot read or modify them while authorized persons or systems are not denied access. This is the standard's link to information assurance and security: security is treated as a quality attribute that has to be specified, measured and verified like any other, rather than bolted on afterwards. (ISO/IEC 9126 was later superseded by ISO/IEC 25010:2011, which promotes security to a top-level characteristic.)

- A further objective of the standard is to address some of the well-known human biases that can adversely affect the delivery and perception of a software development project, such as changing priorities after the start of a project or having no clear definition of "success". By clarifying and then agreeing on the project priorities, and subsequently converting abstract priorities (for example "compliance") into measurable values (for example "output data can be validated against schema X with zero manual intervention"), ISO/IEC 9126 aims to develop a common understanding of the project's objectives and goals.

2. Define information assurance and security

- Information security is the protection of information and information systems from unauthorized access, use, disclosure, disruption, modification or destruction, in order to preserve their confidentiality, integrity and availability. Information assurance is the broader practice of managing the risks to information as it is used, processed, stored and transmitted; it aims at the same three properties and is usually extended with authenticity (being sure where a piece of information came from) and non-repudiation (a party cannot later deny an action it took). Put simply, information security is the set of controls that protect the information, and information assurance is the justified confidence, based on risk assessment, testing and evidence, that those controls actually work. It is a rapidly growing field, and information security conferences are one of the key ways of staying on top of it.

3. The difference between information and data

Information - is knowledge gained through study, communication, research or instruction. Essentially, information is the result of analyzing and interpreting pieces of data: whereas data is the individual figures, numbers or graphs, information is the meaning drawn from those pieces.

Data - is a collection of individual facts or statistics and, in its raw form, carries no significance or purpose on its own; it has to be interpreted before it has meaning. (While "datum" is technically the singular of "data", it is rarely used in everyday language.) Data can take the form of text, observations, figures, images, numbers, graphs or symbols: individual prices, weights, addresses, ages, names, temperatures, dates or distances, for example. Data can look trivial, even useless, until it is analyzed, organized and interpreted. In security terms the distinction matters because raw data can be sensitive before anyone interprets it: a list of account numbers is only data, but it is still personal information that needs protection.

4. CIA Triad: definition and scenario (confidentiality, integrity, availability)

Scenario used for all three: a bank's automated teller machine (ATM) and the bank software behind it.

1. Confidentiality - is closely related to privacy but is the narrower property: confidentiality measures are designed to prevent sensitive information from being disclosed to anyone who is not authorized to see it. It is common for data to be categorized according to the amount and type of damage that could be done if it fell into the wrong hands, and more or less stringent measures are then implemented according to those categories.

- The ATM provides confidentiality by requiring two-factor authentication (something you have, the physical card, and something you know, the PIN) before it allows access to account data.

2. Integrity - involves maintaining the consistency, accuracy and trustworthiness of data over its entire lifecycle. Data must not be changed in transit, and steps must be taken to ensure that it cannot be altered by unauthorized people; an attacker who has already breached confidentiality (gained access) must still be prevented from modifying what they can see.

- The ATM and the bank software enforce data integrity by ensuring that every transfer or withdrawal made at the machine is reflected exactly once in the accounting for the customer's bank account, and that the transaction message cannot be altered on its way to the bank.

3. Availability - means information should be consistently and readily accessible to authorized parties. This involves properly maintaining the hardware, the technical infrastructure and the systems that hold and display the information.

- The ATM provides availability because it is in a public place and is accessible even when the bank branch is closed.
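The integrity scenario above (a withdrawal message that must reach the bank unaltered and be recorded exactly once) can be made concrete with a message authentication code. The following Python is an added example and is not part of the original activity sheet: the transaction fields, the shared key and the sequence-number rule are assumptions made for illustration, and real ATM networks use standardised message formats with keys held in hardware security modules.

```python
"""Integrity check for an ATM transaction record using HMAC-SHA256.

Added example, not from the original activity sheet. The message format,
the field names and the shared key are assumptions made for illustration.
"""
from __future__ import annotations

import hashlib
import hmac
import json

# Assumption: a secret shared between the ATM and the bank host (constructed
# value). In practice this lives in an HSM, never in source code.
SHARED_KEY = b"demo-key-do-not-use-in-production"


def canonical_bytes(record: dict) -> bytes:
    """Serialise the record deterministically so both sides hash the same bytes.

    Key order and whitespace are fixed; otherwise an equivalent dict could
    produce a different JSON string and a genuine tag would fail to verify.
    """
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def tag_record(record: dict, key: bytes = SHARED_KEY) -> str:
    """Return a hex HMAC-SHA256 tag over the canonical record.

    A keyed MAC is used rather than a plain hash: an attacker who can change
    the amount in transit could also recompute an unkeyed hash.
    """
    return hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()


def verify_record(record: dict, tag: str, key: bytes = SHARED_KEY) -> bool:
    """Recompute the tag and compare it in constant time.

    hmac.compare_digest avoids leaking, through timing, how many leading
    characters of a forged tag happened to be correct.
    """
    expected = tag_record(record, key)
    return hmac.compare_digest(expected, tag)


def process_withdrawal(record: dict, tag: str, last_seq: int,
                       key: bytes = SHARED_KEY) -> tuple[bool, str]:
    """Bank-side acceptance check: valid tag AND a fresh sequence number.

    Returns (accepted, reason). A replayed message carries a valid tag, so
    the tag alone does not keep the ledger consistent with what the customer
    actually did at the machine; the sequence number supplies freshness.
    """
    if not verify_record(record, tag, key):
        return False, "tag mismatch: record altered or forged"
    if record["seq"] <= last_seq:
        return False, "stale sequence number: possible replay"
    return True, "accepted"


# Constructed sample transaction as the ATM would send it to the bank host.
WITHDRAWAL = {"atm_id": "ATM-0042", "account": "0011223344",
              "type": "withdrawal", "amount": 2000, "currency": "PHP", "seq": 17}

if __name__ == "__main__":
    tag = tag_record(WITHDRAWAL)
    print("tag      :", tag)
    print("genuine  :", process_withdrawal(WITHDRAWAL, tag, last_seq=16))

    # Tampered in transit: the amount is changed but the tag is not.
    tampered = dict(WITHDRAWAL, amount=200)
    print("tampered :", process_withdrawal(tampered, tag, last_seq=16))

    # Replayed: the genuine message is delivered a second time.
    print("replayed :", process_withdrawal(WITHDRAWAL, tag, last_seq=17))
```

The tampered copy fails because the HMAC was computed over the original amount, while the replayed copy carries a perfectly valid tag and is caught only by the sequence check. Integrity of the account ledger therefore needs both tamper detection and freshness; a checksum or an unkeyed hash alone gives neither against an active attacker.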

5. Common security measures: the Data Privacy Act of 2012 (Republic Act No. 10173)

Scope and Application

The Data Privacy Act is broadly applicable to individuals and legal entities that process
personal information, with some exceptions. The law has extraterritorial application: it
applies not only to businesses with offices in the Philippines but also where equipment
located in the Philippines is used for processing. The act further applies to the processing
of the personal information of Philippine citizens regardless of where they reside.

Approach

The Philippine law takes the approach that “The processing of personal data shall be
allowed subject to adherence to the principles of transparency, legitimate purpose, and
proportionality.”

Collection, processing, and consent

The act states that personal data may be collected only for “a declared, specified, and
legitimate purpose” and further provides that consent is required prior to the collection
of personal data. It requires that when obtaining consent the data subject be informed
about the extent and purpose of processing, and it specifically mentions the “automated
processing of his or her personal data for profiling, or processing for direct marketing,
and data sharing.” Consent is also required for sharing information with affiliates or even
parent companies.

Consent must be “freely given, specific, informed,” and the definition further requires
that consent to collection and processing be evidenced by written, electronic or recorded
means. However, processing does not always require consent: the act also permits
processing where it is necessary to fulfil a contract with the data subject, to comply with
a legal obligation of the controller, to protect the life and health of the data subject, to
respond to a national emergency or a public order and safety requirement, or to pursue
the legitimate interests of the controller or a third party, provided those interests are not
overridden by the fundamental rights of the data subject.

Required agreements
The law requires that when sharing data, the sharing be covered by an agreement that
provides adequate safeguards for the rights of data subjects, and that these
agreements are subject to review by the National Privacy Commission.

Sensitive Personal and Privileged Information

The law defines sensitive personal information as information:

- About an individual’s race, ethnic origin, marital status, age, color, and religious,
philosophical or political affiliations;

- About an individual’s health, education, genetic or sexual life, or about any proceeding
for any offense committed or alleged to have been committed by that individual, the
disposal of such proceedings, or the sentence of any court in such proceedings;

- Issued by government agencies and “peculiar” (that is, unique) to an individual, such as
a social security number, health records, licenses and their denial, suspension or
revocation, and tax returns;

- Specifically established by an executive order or an act of Congress to be kept classified.

Surveillance

Interestingly, the Philippine law states that the country’s Human Security Act of 2007 (a
major anti-terrorism law that enables surveillance) must comply with the Privacy Act.

Privacy program required

The law requires that any entity involved in data processing and subject to the act must
develop, implement and review procedures for the collection of personal data, obtaining
consent, limiting processing to defined purposes, access management, providing
recourse to data subjects, and appropriate data retention policies. These requirements
necessitate the creation of a privacy program. Requirements for technical security
safeguards in the act also mandate that an entity have a security program.

Data subjects' rights

The law enumerates rights that are familiar to privacy professionals as related to the
principles of notice, choice, access, accuracy and integrity of data.

The Philippine law appears to contain a “right to be forgotten” in the form of a right to
erasure or blocking, where the data subject may order the removal of his or her
personal data from the filing system of the data controller. Exercising this right requires
“substantial proof,” the burden of producing which is placed on the data subject. This
right is expressly limited by the fact that continued publication may be justified by
constitutional rights to freedom of speech, expression and other rights.

Mandatory personal information breach notification

The law defines “security incident” and “personal data breach” separately, ensuring that the
two are not confused. A “security incident” is an event or occurrence that affects or tends to
affect data protection, or may compromise the availability, integrity or confidentiality of
personal data. This definition includes incidents that would have resulted in a personal data
breach had safeguards not been in place.

A “personal data breach,” on the other hand, is the subset of security incidents that actually
lead to the “accidental or unlawful destruction, loss, alteration, unauthorized disclosure of,
or access to, personal data transmitted, stored, or otherwise processed.”

Requirement to notify

Not every personal data breach requires notification; the IRR provides several bases for not
notifying data subjects or the National Privacy Commission. Section 38 of the IRR sets out
the conditions under which notification is required:

- The breached information is sensitive personal information, or other information that
could be used to enable identity fraud; and

- There is a reasonable belief that unauthorized acquisition has occurred; and

- The risk to the data subject is real; and

- The potential harm is serious.

The law provides that the Commission may determine that notification to data subjects
is unwarranted after taking into account the entity’s compliance with the Privacy Act
and whether the acquisition was in good faith.

Notification timeline and recipients

The law places a concurrent obligation to notify the National Privacy Commission as
well as affected data subjects within 72 hours of knowledge of, or reasonable belief by
the data controller of, a personal data breach that requires notification.

It is unclear at present whether the Commission would allow a delay in notification of
data subjects so that the Commission can first determine whether a notification is
unwarranted. By the letter of the law, this would appear to be a gamble.

Notification contents

The contents of the notification must at least describe:

- The nature of the breach;

- The personal data possibly involved;

- The measures taken by the entity to address the breach;

- The measures taken to reduce the harm or negative consequences of the breach;

- The representatives of the personal information controller, including their contact
details;

- Any assistance to be provided to the affected data subjects.

Penalties

The law provides separate penalties for various violations, most of which also include
imprisonment. Separate counts exist for unauthorized processing, processing for
unauthorized purposes, negligent access, improper disposal, unauthorized access or
intentional breach, concealment of breach involving sensitive personal information,
unauthorized disclosure, and malicious disclosure.

Any combination or series of acts may subject the entity to imprisonment ranging from
three to six years as well as a fine of one million to five million Philippine pesos
(approximately $20,000 to $100,000).

Notably, the law also gives data subjects a private right of action for damages: a data
subject is entitled to be indemnified for damages sustained due to inaccurate, incomplete,
outdated, false, unlawfully obtained or unauthorized use of personal information.
