Module 9 LOCAL ICT POLICIES

The document discusses Philippine cybersecurity policies and standards, including the national cybersecurity plan, relevant laws and regulations, incident response procedures, awareness campaigns, and international cooperation efforts. It also provides contact information for cybersecurity organizations and describes recommendations for implementing access control policies and best practices for data center security.

Foundation of Information Security
SPSaS 2102
Learning Module

Philippine Cybersecurity
(Retrieved from DICT)
https://dict.gov.ph/cybersecurity/

1) National Cybersecurity Plan

- 2004 National Cybersecurity Plan

2) Laws/Policies/Standards in force relating to cyber/information security (abstract or
summary of each document with URL pointing to authoritative source)

- 2011-2016 National Security Policy
- R.A. 8792 (E-Commerce Act)
- R.A. 9775 (Anti-Child Pornography Act of 2009)
- R.A. 9995 (Anti-Photo and Video Voyeurism Act of 2009)
- R.A. 10173 (Data Privacy Act of 2012)
- R.A. 10175 (Cybercrime Prevention Act of 2012)
- M.O. 37, s2001 (Providing for the Fourteen Pillars of Policy and Action of the
  Government Against Terrorism – critical infrastructure is defined in this document
  and requires the preparation of a comprehensive security plan [1][a] above)
- E.O. 810, s2009 (Institutionalizing the Certification Scheme for Digital Signature)
- A.O. 39, s2013 (Government Web Hosting Service of DOST ICT Office)
- PNS ISO/IEC 27001:2005 (Information technology — Security techniques —
  Information security management systems – Requirements)
- PNS ISO/IEC 27002:2005 (Information technology — Security techniques — Code
  of practice for information security management)

3) Incident Response/Report an Incident

- ITU-T X.1205 (April 2008, Series X: Data Networks, Open System
  Communications and Security – Overview of Cybersecurity)
- Process for reporting an incident
- Form to be accomplished

4) Awareness Campaign/Education/Events

- Video Clip on Be Aware, Secure and Vigilant
- Poster for download
- Pamphlets for download (Pamphlet 1 and Pamphlet 2)
- Booklet (2013 NSTW) for download

5) International Cooperation

- ASEAN-Japan

6) Contact Information

- DOST ICT Office
  Office of Deputy Executive Director for Cybersecurity
  Ground Floor, ICTO Building
  Carlos P. Garcia Avenue
  U.P. Campus, Diliman
  1101 Quezon City
  Tel: (632)920-0101 local 1200
- National Bureau of Investigation
  Cybercrime Division
  Taft Avenue, Manila
  Tel: (632)523-8231 to 38 local 3454, 3455
  Email: [email protected]
- Philippine National Police
  PNP-ACG Operations Center
  Camp Crame, Quezon City
  Tel: (632)414-1560
  Fax: (632)414-2199
  Email: [email protected]
- DOJ Office of Cybercrime
  Padre Faura Street
  Ermita, Manila
  Tel: (632)521-8345 and (632)524-2230
  Email: [email protected]

Issued Policies and Standards

1. Philippine National Public Key Infrastructure (PNPKI) Certificate Policy (Version 2.0)
2. Approval of the Philippine National Public Key Infrastructure (PNPKI) Certification
Authority (CA) Certification Practice Statement (CPS) (Version 1.0)
3. Prescribing Policies and Procedures Governing the Accreditation of Government
Registration Authorities under the National Certification Scheme for Digital
Signatures
4. Approval of the Philippine Electronic Government Interoperability Framework
(PeGIF) Version 1.0 For Implementation by Government Agencies - PART I
5. Approval of the Philippine Electronic Government Interoperability Framework
(PeGIF) Part II, otherwise known as the Information Interoperability Framework
(IIF), for Implementation by Government Agencies
6. Rules and Regulations on Migrating to the Government Web Hosting Service
(GWHS) of the Department of Science and Technology's Information and
Communications Technology Office (ICT Office)

1. Annex A - List of Approved Content Management Systems (CMSs)
2. Annex B - Content Management System (CMS) Qualifying Procedure
3. Annex C - Government Website Template Design (GWTD) Guidelines
4. Annex D - Technical and Security Guidelines on the Government Web Hosting
Service (GWHS)
5. Annex E - Capability Building Policy

1. Prescribing the GovMail Service Guidelines for Philippine Government Agencies
2. Prescribing the Philippine Government’s Cloud First Policy

Data Security
(Data retrieved from NPC - National Privacy Commission)
https://www.privacy.gov.ph/implementing-privacy-and-data-protection-measures/data-security/

What is access control policy?

Having all the latest software security tools does not mean that your system is safe from
any attacks. Continuous improvement in security of information and data processing
systems is a fundamental management responsibility. All applications and processing
systems that deal with personal and sensitive information should include some form of
authorization which is also known as access control policy. As systems grow in size and
complexity, access control is a special concern for systems and applications that are
distributed across multiple computers.

Access Control Policy sets requirements of credentials and identification that specify
how access to computers, systems, or applications is managed and who may access the
information in most circumstances. Authentication, authorization, audit, and access
approval are the common aspects of access control policy.

What are the best practices in implementing access control policy?

As a personal information controller or processor, you have a duty of diligence to take
great care, and to be accountable, in protecting the personal data that you process by
managing the areas, distribution, and life cycle of authentication and authorization in your
organization’s processes. Access to any confidential, personal, and sensitive data must
always be protected, controlled, and managed under sufficient security policies. Preventing
unauthorized access and data breaches is the primary objective of a controller and
processor. Management should also establish a physical and systematic approach to
creating and managing access control. The applications of personal information
controllers and personal information processors, from small to large scale, should likewise
be taken into consideration in the design and implementation of the policy.

What does the commission say about implementing access control policy?

In a time when data privacy and security matter, personal information controllers and
personal information processors are obliged to implement strong, reasonable, and
appropriate organizational, physical, and technical security measures for the protection of
the personal information that they process. These include access control policies for off-
site and online access to personal and sensitive information. Accessing such information
through negligence or intentional breach will result in fines and imprisonment.

What is a Data Center?

A data center is a facility housing electronic equipment used for data processing, data
storage, and communications networking. It is a centralized repository, which may be
physical or virtual, may be analog or digital, used for the storage, management, and
dissemination of data including personal data.

The National Privacy Commission requires personal information controllers and personal
information processors to implement reasonable and appropriate organizational,
physical, and technical security measures for the protection of personal data,
especially in this critical part of the Information and Communications Technology infrastructure.

What are the recommended best practices for data center security?

1. Include security and compliance objectives as part of the data center design
and ensure the security team is involved from day one. Security controls
should be developed for each modular component of the data center—servers,
storage, data and network—united by a common policy environment.
2. Ensure that approach taken will not limit availability and scalability of
resources.
3. Develop and enforce policies that are context, identity and application-aware
for least complexity, and the most flexibility and scalability. Ensure that they
can be applied consistently across physical, virtual and cloud environments. This,
along with replacing physical with secure trust zones, will provide seamless and
secure user access to applications at all times, regardless of the device used to
connect to resources in the data center.
4. Choose security technologies that are virtualization-aware or enabled, with
security working at the network level rather than the server. Network security
should be integrated at the hypervisor level to discover existing and new virtual
machines and to follow those devices as they are moved or scaled up so that
policy can be dynamically applied and enforced.
5. Monitor everything continuously at the network level to be able to look at all
assets (physical and virtual) that reside on the local area network (even
those that are offline) and all inter-connections between them. This monitoring
should be done on a continuous basis and should be capable of tracking dynamic
network fabrics. Monitor for missing patches, application, or configuration changes
that can introduce vulnerabilities which can be exploited.
6. Look for integrated families of products with centralized management that
are integrated with or aware of the network infrastructure, or common
monitoring capabilities for unified management of risk, policy controls, and
network security. This will also give detailed reports across all controls that
provide the audit trail necessary for risk management, governance, and
compliance objectives. Integrated families of products need not necessarily be
procured from just one vendor. Look for those that leverage the needed capabilities
of a strong ecosystem of partnerships to provide a consolidated solution across all
data center assets.
7. Consider future as well as current needs and objectives at the design stage
such as whether access to public cloud environments is required.
8. Define policies and profiles that can be segmented and monitored in multi-
tenant environments. Consider security technologies that provide secure gateway
connections to public cloud resources.

What are the security requirements for a computer system?

1. Secure user authentication protocols including:
a. Control of user IDs and other identifiers;
b. Reasonably secure method of assigning and selecting passwords, or use of
unique identifier technologies, such as biometrics or token devices;
c. Control of data security passwords to ensure that such passwords are kept
in a location and/or format that does not compromise the security of the data
they protect;
d. Restricting access to active users and active user accounts only; and
e. Blocking access to user identification after multiple unsuccessful attempts to
gain access or the limitation placed on access for the particular system;
2. Secure access control measures that:
a. Restrict access to records and files containing personal information to those
who need such information to perform their job duties; and
b. Assign unique identifications plus passwords, which are not vendor supplied
default passwords, to each person with computer access, that are
reasonably designed to maintain the integrity of the security of the access
controls;
3. Encryption of all transmitted records and files containing personal information that
will travel across public networks, and encryption of all data containing personal
information to be transmitted wirelessly;
4. Reasonable monitoring of systems, for unauthorized use of or access to personal
information;
5. Encryption of all personal information stored on laptops or other portable devices;
6. For files containing personal information on a system that is connected to the
Internet, there must be reasonably up-to-date firewall protection and operating
system security patches, reasonably designed to maintain the integrity of the
personal information;
7. Reasonably up-to-date versions of system security agent software which must
include malware protection and reasonably up-to-date patches and virus
definitions, or a version of such software that can still be supported with up-to-date
patches and virus definitions, and is set to receive the most current security
updates on a regular basis;
8. Education and training of employees on the proper use of the computer security
system and the importance of personal information security.
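As an added example (not code from the NPC, the DICT, or this module), the following Python gate implements the authentication and access-control requirements in the list above, and the authentication, authorization and audit aspects named in the earlier access control policy section; the lockout threshold, the vendor-default password list and the role-to-record mapping are assumptions.

```python
"""Added example, not part of the NPC or DICT material: a small authentication
and access-control gate implementing the computer-system requirements above:
active accounts only (1d), lockout after repeated failures (1e), need-to-know
access to records holding personal information (2a), unique IDs with
non-vendor-default passwords (2b) and an audit trail for monitoring (4).
The lockout threshold and the default-password list are assumptions."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

MAX_FAILED_ATTEMPTS = 5  # assumed; the requirement only says "multiple"

# Constructed sample of vendor-supplied defaults that requirement 2b forbids.
VENDOR_DEFAULT_PASSWORDS = {"admin", "password", "changeme", "12345678"}


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Salted PBKDF2-SHA256 verifier, so the stored value does not expose
    the password itself (requirement 1c)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


@dataclass
class Account:
    user_id: str
    salt: bytes
    verifier: bytes
    roles: set
    active: bool = True
    failed_attempts: int = 0
    locked: bool = False


@dataclass
class AccessGate:
    # record name -> roles whose job duties need that record (need-to-know, 2a)
    record_acl: dict
    accounts: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def create_account(self, user_id: str, password: str, roles) -> None:
        if user_id in self.accounts:
            raise ValueError("user IDs must be unique")                # 2b
        if password.lower() in VENDOR_DEFAULT_PASSWORDS:
            raise ValueError("vendor-default passwords are not allowed")  # 2b
        salt, verifier = hash_password(password)
        self.accounts[user_id] = Account(user_id, salt, verifier, set(roles))

    def deactivate(self, user_id: str) -> None:
        """Terminated or inactive users lose access immediately (1d)."""
        self.accounts[user_id].active = False
        self._log(user_id, "deactivate", "ok")

    def authenticate(self, user_id: str, password: str) -> bool:
        acct = self.accounts.get(user_id)
        if acct is None or not acct.active or acct.locked:            # 1d, 1e
            self._log(user_id, "login", "denied")
            return False
        _, candidate = hash_password(password, acct.salt)
        if hmac.compare_digest(candidate, acct.verifier):
            acct.failed_attempts = 0
            self._log(user_id, "login", "ok")
            return True
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked = True                                          # 1e
            self._log(user_id, "lockout", "locked")
        self._log(user_id, "login", "failed")
        return False

    def access_record(self, user_id: str, record: str) -> bool:
        """Allow a read only for an active, unlocked account whose role
        needs the record for its job duties (2a)."""
        acct = self.accounts.get(user_id)
        needed_by = self.record_acl.get(record, set())
        allowed = (acct is not None and acct.active and not acct.locked
                   and bool(acct.roles & needed_by))
        self._log(user_id, "read:" + record, "ok" if allowed else "denied")
        return allowed

    def _log(self, user_id: str, action: str, outcome: str) -> None:
        # Audit trail used for the "reasonable monitoring" requirement (4).
        self.audit_log.append((user_id, action, outcome))


if __name__ == "__main__":
    # Constructed demo data.
    gate = AccessGate(record_acl={"payroll": {"hr"}, "patients": {"clinician"}})
    gate.create_account("alice", "correct horse battery staple", ["hr"])
    print(gate.authenticate("alice", "correct horse battery staple"))  # True
    print(gate.access_record("alice", "patients"))                     # False
    for entry in gate.audit_log:
        print(entry)
```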

What is encryption?

Encryption protects emails, bank accounts, transactions, and messages. In general, it
protects data by encoding the information in such a way that it is only accessible to
authorized parties or individuals. It is a way of safeguarding data, documents, or
information from this generation’s threats such as malicious hackers, spies, and criminals.
It is one of the best tools to protect privacy especially for individuals. It is considered to be
a necessity in keeping data privacy.

What does the commission state about encryption?

“Any technology used to store, transport, or access sensitive personal information for
purposes of off-site access approved shall be secured by the use of the most secure
encryption standard recognized by the Commission.”

Data at rest, in transit, and in use should all be treated equally in terms of preserving its
privacy and managing its security.

What should be encrypted?

Emails
Most corporations, organizations, agencies, and firms use emails to communicate, send
files, and exchange data. This way of communication has been the standard of electronic
messaging for many years. It has also been one of the major cases of privacy breaches
throughout those years. These kinds of incidents exposed the privacy of several
individuals so they should be managed, guarded, and most importantly, prevented.
Organizations that transfer personal data via email should either make sure that the data
is encrypted or use a secure email facility that facilitates the encryption.

Portable Media
Attacks on privacy can happen at any time and in any place, sometimes even through
portable storage devices. Such an attack can infiltrate an organization’s system and expose
all of its confidential and sensitive information. Devices such as USB flash drives and
internal or external disks that store, collect, or transfer personal data must be encrypted,
especially the data on them. Organizations that use laptops to process personal data must
use full disk encryption.

Links (URL)
Agencies and organizations that utilize online access to process personal data should
employ an identity authentication method that uses a secured encrypted link.

What does the commission recommend with regard to encryption?

“Organizational, physical, and technical security measures for personal data protection,
encryption, and access to sensitive personal information maintained by government
agencies, considering the most appropriate standard recognized by the information and
communications technology industry.”

“Advanced Encryption Standard with a key size of 256 bits (AES-256) as the most
appropriate encryption standard. Passwords or passphrases used to access personal
data should be of sufficient strength to deter password attacks. A password policy should
be issued and enforced through a system management tool.”

What are the standards for protecting personal information?

Every person that owns or licenses personal information shall develop, implement, and
maintain a comprehensive information security program that is written in one or more
readily accessible parts and contains organizational, technical, and physical security that
are appropriate to:

1. the size, scope and type of operations of the agency obligated to secure the
personal data under such comprehensive information of the DPA;
2. the amount of resources available to such person;
3. the amount of stored data; and
4. the need for security and confidentiality of both client and employee information.

The safeguards contained in such program must be consistent with the safeguards
for protection of personal information and information of a similar character set
forth in the Data Privacy Act of 2012 by which the person who owns or licenses
such information may be regulated.

Without limiting the generality of the foregoing, every comprehensive information security
program shall include, but shall not be limited to:

1. Designating a DPO to maintain the comprehensive information security program;
2. Identifying and assessing reasonably foreseeable internal and external risks to the
security, confidentiality, and/or integrity of any electronic, paper or other records
containing personal information, and evaluating and improving, where necessary,
the effectiveness of the current security for limiting such risks, including but not
limited to:
   - ongoing employee (including temporary and contract employee) training;
   - employee compliance with policies and procedures; and
   - means for detecting and preventing security system failures.
3. Developing security policies for employees relating to the storage, access and
transportation of records containing personal information outside of business
premises.
4. Imposing disciplinary measures for violations of the comprehensive information
security program rules.
5. Preventing terminated employees from accessing records containing personal
information.
6. Reasonable restrictions upon physical access to records containing personal
information, and storage of such records and data in locked facilities, storage areas
or cloud hosting.
7. Regular monitoring to ensure that the comprehensive information security program
is operating in a manner reasonably calculated to prevent unauthorized access to
or unauthorized use of personal information; and upgrading information security as
necessary to limit risks.
8. Reviewing the scope of the security measures at least annually or whenever there
is a material change in business practices that may reasonably implicate the
security or integrity of records containing personal information.
9. Documenting responsive actions taken in connection with any incident involving a
breach of security, and mandatory post-incident review of events and actions
taken, if any, to make changes in business practices relating to protection of
personal information.

What is data sharing?

Data sharing is the disclosure or transfer to a third party of personal data under the
custody of a personal information controller or personal information processor. When
processing of personal information is outsourced (Personal Information Processor), such
disclosure or transfer must have been upon the instructions of the personal information
controller concerned. The term excludes outsourcing, or the disclosure or transfer of
personal data by a personal information controller to a personal information processor.

Personal Information Controllers (PIC) are those who decide what types of data are
collected and how they are processed (e.g. Ayala Land). On the other hand, Personal
Information Processors (PIP) are those who process data as instructed by the
controllers (e.g. HR Mall).

For transfers abroad, a personal information controller remains responsible for any
personal data under its custody, including information that has been outsourced or
transferred to a personal information processor or a third party for processing, whether
domestically or internationally, subject to cross-border arrangements and cooperation.

Am I allowed to process personal data?

Processing of personal data collected from a party other than the data subject shall be
allowed under any of the following conditions:

- Authorized by law
- Consent for data sharing
- Covered by a data sharing agreement for commercial purposes
- The following was provided to data subjects before sharing:
  1. Identity of PIC and PIP
  2. Purpose of data sharing
  3. Categories of personal data
  4. Intended recipients of personal data
  5. The rights of data subjects
  6. Other information about the nature and extent of data sharing and manner
     of processing
- Sharing between government agencies for the purpose of a public function or
  provision of a public service should be covered by a data sharing agreement.

What is a Data Sharing Agreement?

A data sharing agreement refers to a contract, joint issuance, or any similar document
that contains the terms and conditions of a data sharing arrangement between two or
more parties provided that only personal information controllers shall be made parties to a
data sharing agreement. Where a data sharing agreement involves the actual transfer of
personal data or a copy from one party to another, such transfer shall comply with the
security requirements imposed by the Philippine Data Privacy Act, its IRR, and all
applicable issuances of the National Privacy Commission.

What are the things I should see on a Data Sharing Agreement?

- Purpose of data sharing
- Participating personal information controller and processor:
  1. Types of personal data
  2. Personal information processor that will process personal data
  3. Manner in which the PIC and PIP are processing personal data
  4. The remedies available to a data subject in case the processing of personal
     data violates his or her rights and how these rights may be exercised;
  5. Designated data protection officer or compliance officer.
- Duration of the agreement
- General description of the security measures that will ensure the protection of
  personal data of the data subjects, including the policy for retention or disposal of
  records.
- How a data subject can obtain a copy of the data sharing agreement.
- If a personal information controller shall grant online access to personal data under
  its control or custody, it shall specify the following information:
  1. Justification for allowing online access;
  2. Parties that shall be granted online access;
  3. Types of personal data that shall be made accessible online;
  4. Estimated frequency and volume of the proposed access; and
  5. Program, middleware and encryption method that will be used.
- It shall specify the PIC responsible for addressing any information request, or any
  complaint filed by a data subject, and/or any investigation by the Commission.
- It shall identify the method that shall be adopted for the secure return, destruction,
  or disposal of the shared data.
- It shall specify other terms and conditions that the parties may agree on.

Cybersecurity in the Philippines

Note: The cited material below is written by SyCip Salazar Hernandez & Gatmaitan
retrieved from: https://www.lexology.com/library/detail.aspx?g=63436afb-fc7c-41aa-967c-cef82a8e4cff

Legal framework
Legislation
Summarize the main statutes and regulations that promote cybersecurity. Does
your jurisdiction have dedicated cybersecurity laws?
The Cybercrime Prevention Act of 2012 (CPA) defines the following as cybercrimes:

- offences against the confidentiality, integrity and availability of computer data and
  systems (illegal access, illegal interception, data interference, system interference,
  misuse of devices and cybersquatting);
- computer-related offences (computer-related forgery, computer-related fraud and
  computer-related identity theft); and
- content-related offences (cybersex, child pornography, unsolicited commercial
  communications and libel).
The CPA appointed the National Bureau of Investigation (NBI) and Philippine National
Police (PNP) as enforcement authorities, and regulates their access to computer data,
creating the Cybercrime Investigation and Coordinating Center (CICC) as an inter-agency
body for policy coordination and enforcement of the national cybersecurity plan, and an
Office of Cybercrime within the Department of Justice (DOJ-OC) for international mutual
assistance and extradition.
The Supreme Court’s Rule on Cybercrime Warrants (AM No. 17-11-03-SC) governs the
application and grant of court warrants and related orders involving the preservation,
disclosure, interception, search, seizure or examination, as well as the custody and
destruction of computer data, as provided under the CPA.
The Electronic Commerce Act of 2000 (ECA) provides for the legal recognition of
electronic documents, messages and signatures for commerce, transactions in
government and evidence in legal proceedings. The ECA penalises hacking and piracy of
protected material, electronic signature or copyrighted works, limits the liability of service
providers that merely provide access, and prohibits persons who obtain access to any
electronic key, document or information from sharing them. The ECA also expressly
allows parties to choose their type or level of electronic data security and suitable
technological methods, subject to the Department of Trade and Industry guidelines.
The Access Devices Regulation Act of 1998 (ADRA) penalises various acts of access
device fraud such as using counterfeit access devices. An access device is any card,
plate, code, account number, electronic serial number, personal identification number or
other telecommunications service, equipment or instrumental identifier, or other means of
account access that can be used to obtain money, goods, services or any other thing of
value, or to initiate a transfer of funds. Banks, financing companies and other financial
institutions issuing access devices must submit annual reports of access device frauds to
the Credit Card Association of the Philippines, which forwards the reports to the NBI.
The Data Privacy Act of 2012 (DPA) regulates the collection and processing of personal
information in the Philippines and of Filipinos, including sensitive personal information in
government; creates the National Privacy Commission (NPC) as a regulatory authority;
requires personal information controllers to implement reasonable and appropriate
measures to protect personal information and notify the NPC and affected data subjects
of breaches; and penalises unauthorised processing, access due to negligence, improper
disposal, processing for unauthorised purposes, unauthorised access or intentional
breach, concealment of security breaches and malicious or unauthorised disclosure in
connection with personal information.
The Philippines acceded to the Convention on Cybercrime, effective on 1 July 2018.
Which sectors of the economy are most affected by cybersecurity laws and
regulations in your jurisdiction?
Transportation, energy, water, health, emergency services, banking and finance, business
process outsourcing, telecommunications, media and the government sectors are
considered critical information infrastructures (CII), and are required to observe
information security standards by the Department of Information and Communications
Technology (DICT).
Has your jurisdiction adopted any international standards related to cybersecurity?
The DICT Memorandum Circular No. 5 (2017) requires government agencies to adopt the
Code of Practice in the Philippine National Standard (PNS) ISO/IEC 27002 (Information
Technology - Security Techniques - Code of Practice for Information Security Controls) by
14 September 2018, and CII to implement the PNS on Information Security Management
System ISO/IEC 27001 by 14 September 2019. Non-CII sectors may voluntarily adopt
PNS ISO/IEC 27002. DICT conducts risk and vulnerability assessment based on ISO
27000 and ISO 31000 and security assessment based on ISO/IEC TR 19791:2010 of CIIs
at least once a year. The DICT also issues a Certificate of CyberSecurity Compliance to
CIIs based on ISO/IEC 15408 (Information Technology - Security Techniques - Evaluation
Criteria for IT Security) and ISO/IEC 18045 (Methodology for IT Security Evaluation).
In prescribing the government’s Cloud First Policy, DICT Circular No. 2017-002 includes
ISO/IEC 27001 as an accepted international security assurance control for verifying data
that can be migrated to GovCloud or the public cloud, and ISO/IEC 17203:2011 Open
Virtualization Format specification as a standard for interoperability of GovCloud
workloads.
What are the obligations of responsible personnel and directors to keep informed
about the adequacy of the organisation’s protection of networks and data, and how
may they be held responsible for inadequate cybersecurity?
The specific obligation to keep informed of the adequacy of cybersecurity results from
general obligations. Under the DPA, the employees, agents or representatives of a
personal information controller who are involved in the processing of personal information
are required to operate and hold personal information under strict confidentiality if the
personal information is not intended for public disclosure, even after leaving the public
service, transfer to another position or upon termination of employment or contractual
relations. Also, diligence in preventing the commission of offences under the DPA is
required of responsible company officers. If they participated in, or by gross negligence
allowed, the commission of an offence, they may be penalised by a fine and imprisonment.
The CPA requires persons with leading positions in a corporation who act or decide on its
behalf to exercise sufficient supervision or control within the corporation to prevent
cybercrime offences. If they fail this duty, the corporation may suffer a fine and hold them
responsible under the corporation’s internal rules.
The Central Bank of the Philippines (BSP) Manual of Regulations for Banks requires
directors of BSP-supervised institutions (BSI) to understand the BSIs’ IT risks and ensure
that they are properly managed. BSIs include banks, non-banks with quasi-banking
functions, non-bank electronic money issuers and other non-bank institutions subject to
the BSP’s supervision.
How does your jurisdiction define cybersecurity and cybercrime?
The CPA defines 'cybercrime' as the offences listed in question 1, and 'cybersecurity' as the collection of tools, policies, risk management approaches, actions, training, best practices, assurance and technologies that can be used to protect the cyber environment and the organisation's and users' assets, where 'cyber' refers to a computer or a computer network, the electronic medium in which online communication takes place.
'Data privacy' is a DPA term and concerns personal information only, whatever the medium in which it is held. Thus cybersecurity covers kinds of data other than personal information, while data privacy covers environments other than cyber (for example, paper records).
There are no regulations specific to 'information system security' that may be compared with cybercrime enforcement.
What are the minimum protective measures that organisations must implement to
protect data and information technology systems from cyberthreats?
The DPA requires personal information controllers and their processors to include, among their reasonable and appropriate organisational, physical and technical security measures against accidental or unlawful processing and natural or human dangers:

- safeguards to protect their computer networks against accidental, unlawful or unauthorised usage, or interference with or hindering of their functioning or availability;
- a security policy with respect to the processing of personal information; and
- a process for identifying and assessing reasonably foreseeable vulnerabilities in their computer networks, and for taking preventive, corrective and mitigating action against security incidents that can lead to a security breach.
The NPC requires all digitally processed personal data to be encrypted, preferably with AES-256, and password rules to be enforced through a policy and a system management tool. For onsite and online access by government agency or contractor personnel to sensitive personal information, the DPA rules require security clearance from the head of the source agency, a secure encrypted link for access, multifactor authentication of identity and middleware giving full control over the access. For off-site access, the agency head must act on a request within two business days, at most 1,000 records may be accessed at a time, and the most secure encryption standard recognised by the NPC must be used. Agencies must use full-disk encryption when storing personal data on laptops and must send the password for any encrypted file in a separate email.
Scope and jurisdiction
Does your jurisdiction have any laws or regulations that specifically address
cyberthreats to intellectual property?
The ECA penalises, with a fine and imprisonment, piracy, that is, the unauthorised copying, reproduction, dissemination, distribution, importation, use, removal, alteration, substitution, modification, storage, uploading, downloading, communication, making available to the public or broadcasting of protected material, electronic signatures or copyrighted works, including legally protected sound recordings or phonograms, or information material on protected works, through the use of telecommunication networks such as, but not limited to, the internet, in a manner that infringes intellectual property rights.
The CPA penalises cybersquatting, the acquisition of a domain name over the internet in bad faith to profit, mislead, destroy reputation or deprive others from registering the same, if the domain name is:

- similar, identical or confusingly similar to an existing trademark registered with the appropriate government agency at the time of the domain name registration;
- identical or in any way similar to the name of a person other than the registrant, in the case of a personal name; and
- acquired without right or with intellectual property interests in it.
Does your jurisdiction have any laws or regulations that specifically address
cyberthreats to critical infrastructure or specific sectors?
The CPA imposes a stiffer fine and prison term for offences against the confidentiality,
integrity and availability of computer data systems if done against critical infrastructure.
This refers to the computer systems, networks, programs, computer data and traffic data
vital to the Philippines, whose destruction, incapacitation or interference with would have
a debilitating impact on national or economic security, national public health and safety, or
any combination of these.
DICT Memorandum Circular No. 5 (2017) prescribes policies and rules on CII protection
based on the National Cybersecurity Plan 2022 (NCP2022). Aside from requiring
compliance with international standards, the Circular requires each CII to have a
computer emergency response team (CERT), which shall report cybersecurity incidents
within 24 hours from detection to DICT as the National CERT, telecommunications
operators and ISPs to conduct cyber hygiene on their networks, CII websites to obtain a
DICT seal of cybersecurity, covered organisations to implement a disaster recovery plan
and business continuity plan, and DICT to conduct annual CII cyber drills. Also, DICT
Memorandum Circular No. 7-17 implements DICT’s Programme on CyberSecurity
Education and Awareness for CII.
Does your jurisdiction have any cybersecurity laws or regulations that specifically
restrict sharing of cyberthreat information?
The DICT CERT Manual for creating the CERT for each organisation provides a
communication procedure aimed at ensuring that sensitive or critical information is not
disclosed when communicating and coordinating with parties and groups outside the
National CERT. The procedure requires the written approval of management for
disclosure of information to the media and of the CyberSecurity Bureau for
communicating and sharing information with law enforcement agencies.
What are the principal cyberactivities that are criminalised by the law of your
jurisdiction?
Question 1 describes the CPA cybercrimes and offences under the DPA, ECA and ADRA
that may cover cyberactivities relevant to organisations as they may either be committed
by organisations or committed against organisations (as possible targets).
How has your jurisdiction addressed information security challenges associated
with cloud computing?
They are mainly addressed through a general cybersecurity framework, regulations specific to the banking and government sectors, and participation in cybersecurity initiatives as a member of the International Telecommunication Union.
The BSP requires prior approval of a BSP-supervised financial institution's (BSFI's) use of cloud services, conditioned on the conduct of due diligence on the cloud service provider (CSP), the service's compliance with data security, confidentiality and disaster recovery requirements, and mandatory provisions in the service contract. The BSP's 2017
Enhanced Guidelines on Information Security Management also requires BSFI
management to ‘fully understand the nature of the cloud technology in line with business
requirements and satisfy themselves as to the level of security and compliance to data
privacy and other relevant rules and regulations’, and to oversee the cloud service
provider’s ‘adherence to security, performance and uptime, and back-up and recovery
arrangements contained in the contract/agreement’.
Apart from implementing a cybersecurity awareness campaign, the DICT issued Department Circular No. 2017-002 to regulate the security of government-contracted cloud services. It covers data migration through international security assurance controls and industry-accepted encryption; baseline and optional security controls for CSPs hosting each class of government data; and logical security audits of data access and continuous security monitoring to ensure data confidentiality, integrity and availability.
How do your jurisdiction’s cybersecurity laws affect foreign organisations doing
business in your jurisdiction? Are the regulatory obligations the same for foreign
organisations?
The regulatory obligations for domestic and foreign organisations doing business in the
Philippines are the same.
Also, the DPA applies extraterritorially to an organisation's acts or practices outside the Philippines if:

- the act, practice or process relates to personal information about a Philippine citizen or resident;
- the organisation has a link with the Philippines; and
- the organisation is processing personal information in the Philippines or, even if the processing is outside the Philippines, it is about Philippine citizens or residents.
Best practice
Increased protection
Do the authorities recommend additional cybersecurity protections beyond what is
mandated by law?
As mentioned in question 1, the DICT recommends optional security controls for CSPs to
host classes of government data. With respect to government agencies that process the
personal data records of more than 1,000 individuals, the NPC recommends the use of
ISO/IEC 27002 as the minimum standard to assess any gaps in the agency’s control
framework for data protection.
How does the government incentivise organisations to improve their
cybersecurity?
Under the NCP2022, the DICT aims to raise the business sector’s awareness of cyber
risks, security measures and possible public-private partnership on improving
cybersecurity. The government has yet to especially incentivise organisations to improve
their cybersecurity.
Identify and outline the main industry standards and codes of practice promoting
cybersecurity. Where can these be accessed?
See question 3.
Are there generally recommended best practices and procedures for responding to
breaches?
BSP Circular No. 1019 (2018) prescribes technology and cyber-risk reporting and
notification requirements for BSFIs. The Circular provides procedures for reporting to the
BSP major cyber-related incidents, such as those involving significant data loss or
massive data breach, and disruptions of financial services and operations.
NPC Circular No. 16-03 provides guidelines for personal data breach management, requiring organisations to implement a security incident management policy that ensures:

- the creation of a data breach response team responsible for implementing the policy;
- implementation of organisational, physical and technical security measures, and of policies to prevent or minimise personal data breaches and assure their timely discovery;
- implementation of an incident response procedure;
- mitigation of negative consequences to data subjects; and
- compliance with all laws and regulations on data privacy.
Information sharing
Describe practices and procedures for voluntary sharing of information about
cyberthreats in your jurisdiction. Are there any legal or policy incentives?
None as of yet. But the NCP2022 aims to use organisation reports to develop
cybersecurity measures and to promote the sharing of information between the
government and private sector.
How do the government and private sector cooperate to develop cybersecurity
standards and procedures?
The DICT is creating technical working groups to review existing cybersecurity courses and develop new ones, for integration into the curricula of engineering, computer science, information technology, law and criminology. The NCP2022 also lists establishing programmes among CERTs, law enforcement, academia and industry as one of the government's key initiatives.
Insurance
Is insurance for cybersecurity breaches available in your jurisdiction and is such
insurance common?
Only a few insurance companies so far offer insurance for data security breaches,
network interruption and cyber extortion as well as fines resulting from breach of
administrative obligations relative to cybersecurity.
Enforcement
Regulation
Which regulatory authorities are primarily responsible for enforcing cybersecurity rules?
The NBI Cybercrime Division, PNP Anti-Cybercrime Group, DOJ-OC, CICC, BSP and
NPC enforce various rules related to cybersecurity.
Describe the authorities’ powers to monitor compliance, conduct investigations
and prosecute infringements.
The CPA authorises the NBI Cybercrime Division and PNP Anti-Cybercrime Group to
investigate cybercrimes. The DOJ prosecutes cybercrimes and its DOJ-OC coordinates
international mutual assistance and extradition. The CICC CERT provides assistance to
suppress real-time commission of cybercrimes and facilitates international cooperation on
intelligence, investigations, suppression and prosecution. Law enforcement authorities
may collect or record traffic or non-traffic data in real time upon being authorised by a
court warrant.
The New Central Bank Act (Republic Act No. 7653) confers on the BSP the power to
supervise the operations of banks and exercise such regulatory powers under Philippine
laws over the operations of finance companies and non-bank financial institutions
performing quasi-banking functions and institutions performing similar functions.
The NPC (i) enforces, monitors compliance of government and private entities with, and
investigates and recommends to the DOJ, the prosecution of violations under the DPA; (ii)
facilitates cross-border enforcement of data privacy protection; and (iii) can issue cease-
and-desist orders, or impose a temporary or permanent ban on the processing of
personal information upon finding that the processing will be detrimental to national
security or public interest, or both.
What are the most common enforcement issues and how have regulators and the
private sector addressed them?
The NCP2022 sets out the following key programme areas to address the need for increased awareness and capacity-building in both the public and private sectors:

- the protection of CII through cybersecurity assessment and compliance, national cyber drills and exercises, and a national database for monitoring and reporting;
- the protection of government networks through a national computer emergency response programme, a capacity-building and capability-development programme, a pool of information security and cybersecurity experts, the Threat Intelligence and Analysis Operations Center, protection of electronic government transactions, and the updating of licensed software;
- the protection of the supply chain through a national Common Criteria evaluation and certification programme; and
- the protection of individuals through the acceleration of learning skills and development, a cybersecurity outreach project, a national cybersecurity awareness month, equipping the government, and programmes for local and international cooperation.
Also, the Supreme Court has addressed the need for procedures for securing court
warrants specifically for investigating and prosecuting cybercrimes.
The issue of enforcement against cybercrimes committed by actors or on online platforms outside Philippine territory is being addressed by forging closer international cooperation with agency counterparts in other jurisdictions, as the country's accession to the Budapest Cybercrime Convention in 2018 demonstrates.

Penalties
What penalties may be imposed for failure to comply with regulations aimed at
preventing cybersecurity breaches?
In general, the penalties consist of fines and imprisonment.
What penalties may be imposed for failure to comply with the rules on reporting
threats and breaches?
BSIs that fail to report breaches in information security, especially incidents involving the
use of electronic channels, may be penalised with fines, suspension of the BSI’s
privileges or access to the Central Bank’s credit facilities, as well as revocation of a quasi-
banking licence. Internet service providers and internet hosts that fail to promptly report
child pornography to police authorities may be penalised with fines and imprisonment. As
to breaches related to personal information, the NPC has yet to provide penalties specific
to the failure to report.
How can parties seek private redress for unauthorised cyberactivity or failure to
adequately protect systems and data?
The DPA entitles data subjects to be indemnified for any damage sustained owing to inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorised use of personal information. Claims for indemnity may be filed with the NPC.
Parties may provide for redress in a contract and claim damages for breach of contract.
Philippine tort law allows claims for damages resulting from acts or omissions involving
negligence or those involving violations by private entities or individuals of the
constitutional rights of other private individuals. Claims may be filed in court or through
alternative dispute resolution mechanisms.
Threat detection and reporting
Policies and procedures
What policies or procedures must organisations have in place to protect data or
information technology systems from cyberthreats?
A CERT that will respond to cyberattacks is required of every bureau, office, agency and
instrumentality of the government.
For personal data protection, the NPC requires organisations to create a security incident management policy, which shall include:

- the conduct of a privacy impact assessment to identify the risks attendant to the processing of personal data, taking into account the size and sensitivity of the personal data being processed and the impact and likely harm of a personal data breach;
- a data governance policy that ensures adherence to the principles of transparency, legitimate purpose and proportionality;
- the implementation of appropriate security measures that protect the availability, integrity and confidentiality of the personal data being processed;
- regular monitoring for security breaches and vulnerability scanning of computer networks;
- capacity building of personnel to ensure knowledge of data breach management principles and internal procedures for responding to security incidents; and
- a procedure for the regular review of policies and procedures, including the testing, assessment and evaluation of the effectiveness of the security measures.

Security measures are required to ensure the availability, integrity and confidentiality of the personal data being processed, such as backup solutions, access control, secure log files, encryption, data disposal and a return-of-assets policy.
Describe any rules requiring organisations to keep records of cyberthreats or
attacks.
The NPC requires all actions taken by a personal information controller or personal
information processor to be properly documented by the designated data protection
officer, should a personal data breach occur.
Describe any rules requiring organisations to report cybersecurity breaches to
regulatory authorities.
BSIs must report breaches in information security, especially incidents involving the use
of electronic channels. Depending on the nature and seriousness of the incident, the BSP
may require the BSI to provide further information or updates on the reported incident until
the matter is finally resolved. BSFIs must report major cyber-related incidents, such as
those involving significant data loss or massive data breach, and disruptions of financial
services and operations, to the BSP.
The Anti-Child Pornography Act requires internet service providers and internet hosts to
notify the police authorities when a violation is being committed using its server or facility
and preserve evidence of such violation.
The DPA requires personal data breach notification to the NPC.
Timeframes
What is the timeline for reporting to the authorities?
BSFIs must submit a report to the BSP within two hours of discovery of major cyber-
related incidents and disruptions of financial services and operations, and a follow-up
report within 24 hours from discovery. Companies engaged in the business of issuing
access devices must submit an annual report to the Credit Card Association of the
Philippines about access device frauds. Internet service providers and internet hosts must
report any form of child pornography in their system to the police authorities within seven
days of discovery. The NPC must be notified within 72 hours upon knowledge of, or the
reasonable belief by, the personal information controller or personal information processor
that a personal data breach has occurred.

Reporting
Describe any rules requiring organisations to report threats or breaches to others
in the industry, to customers or to the general public.
Apart from the personal data breach notification to the data subject required by the NPC,
there are no rules for reporting threats or breaches to others in the industry, customers or
the public.
Update and trends
What are the principal challenges to developing cybersecurity regulations? How can companies help shape a favourable regulatory environment? How do you anticipate cybersecurity laws and policies will change over the next year in your jurisdiction?
Since Philippine cybersecurity laws are relatively new, the lack of awareness of the need for cybersecurity and of the relevant laws and regulations remains the principal challenge for the authorities. The NCP2022 will continue to dictate the changes in policies and regulations over the next few years as it progresses from capacity-building to corrective enforcement. Collaboration by private companies with the government on rule-making and compliance, to help deal with the constant cybersecurity threats to their operations and the potential financial risks, should encourage a favourable regulatory environment.
Activity 01: Essay (50 points each)

01. Reasoning. Choose two (2) local ICT policies cited in this module. Why do you think these policies are beneficial to our country, and how can they be applied in general? Defend your answer. (Discuss their application in ICT literacy, education, enterprises, government, cyberspace, etc.)

01.


02.
