FINAL TERM

TOPIC I. Cybersecurity Fundamentals

Overview of Cybersecurity Concepts

This section elaborates on the essential principles and practices that form the foundation of cybersecurity. Understanding these
concepts is crucial for protecting systems, networks, and data from digital attacks.

Foundational Concepts

• Cybersecurity Basics: Understanding the protection of systems, networks, and data from digital attacks is crucial. This
includes recognizing the importance of safeguarding sensitive information against unauthorized access and breaches.

• Types of Threats:

• Malware: Malicious software designed to disrupt, damage, or gain unauthorized access to computer systems (e.g.,
viruses, ransomware, spyware).

• Phishing: Fraudulent attempts to acquire sensitive information by masquerading as trustworthy entities in

electronic communications.

• Hacking: Unauthorized intrusion into a computer or network with the intent to steal, alter, or destroy data.

• Vulnerabilities: Weaknesses in a system that can be exploited by threats, such as outdated software or inadequate
password management.

Intermediate Concepts
• Risk Management: The process of identifying, assessing, and prioritizing risks followed by coordinated efforts to minimize,
monitor, and control the probability or impact of unfortunate events.

• Threat Modeling: A structured approach to identifying potential threats and vulnerabilities specific to a system, which aids
in enhancing security measures.

Cybersecurity Principles

• Confidentiality: Ensuring that sensitive information is accessible only to those authorized to have access.

• Integrity: Safeguarding the accuracy and completeness of information and preventing unauthorized modifications.

• Availability: Ensuring reliable access to information for authorized users when needed.

Advanced Concepts

• Advanced Persistent Threats (APTs): Long-term targeted attacks where intruders maintain undetected access to a network
over extended periods.
• Zero-Day Vulnerabilities: Newly discovered vulnerabilities that are exploited by attackers before developers have had a
chance to issue patches.
• Proactive Defense Strategies: Utilizing advanced technologies such as AI-based threat detection and predictive analytics to
anticipate and prevent cyber threats.

Activity

⎯ Conduct a case study analysis of a recent cybersecurity breach. Identify the types of threats involved, assess vulnerabilities,
and propose potential prevention strategies.

TOPIC II. Data Privacy and Protection

Data Privacy and Protection Laws and Regulations

This section covers the legal frameworks governing data privacy and protection.

Foundational Knowledge
 • Importance of Data Privacy: Emphasizes the necessity of protecting individuals’ personal information from unauthorized
access or disclosure.

• Key Data Privacy Laws:

• GDPR (General Data Protection Regulation): A comprehensive European law regulating data collection, storage,
and usage practices aimed at protecting personal data.
• CCPA (California Consumer Privacy Act): A U.S. regulation that provides California residents with enhanced
rights regarding their personal information.

Basic Principles of Data Privacy

• Transparency: Clear communication regarding how personal data is collected, used, and shared.

• Purpose Limitation: Collecting personal data only for specific, legitimate purposes.

• Data Minimization: Limiting data collection to what is necessary for its intended use.

Intermediate Knowledge

• Best Practices for Data Protection: Techniques such as data encryption, secure storage solutions, and robust access
controls to safeguard sensitive information.

• Rights of Data Subjects: Including rights to access, correct, delete, and restrict processing of personal data.

• Data Protection Impact Assessment (DPIA): A process mandated under GDPR for evaluating risks related to data
processing activities.

Advanced Knowledge

• Emerging Privacy Regulations: Overview of global privacy regulations such as Brazil’s LGPD, China’s PIPL, and India’s PDP
Bill and their implications for international business operations.

• Advanced Data Protection Technologies: Techniques like pseudonymization and anonymization that enhance data protection
in high-risk scenarios.

• Privacy by Design: Integrating privacy considerations into the development lifecycle of systems and processes.

In the Philippine context, Data Privacy and Protection is governed primarily by the Data Privacy Act of 2012 (Republic Act No. 10173),
which aims to protect the privacy of individuals while ensuring the free flow of information to promote innovation and growth.
Data Privacy and Protection: Philippine Context

Key Concept:
The Data Privacy Act of 2012 mandates that organizations processing personal data must ensure that this data is handled securely, with
appropriate measures in place to protect it from unauthorized access, modification, or destruction. It also gives individuals rights over
their personal information, aligning with global privacy standards like the GDPR.

Important Topics:

1. Data Privacy Act of 2012 (Republic Act No. 10173)

Overview: The Data Privacy Act provides a legal framework for protecting personal information in both public and private sectors. It
defines the rights of data subjects (the individuals whose data is being collected) and the responsibilities of organizations that process
personal data.

Key Provisions:

• Consent: Organizations must obtain explicit consent from individuals before collecting, using, or sharing their personal data.
• Rights of Data Subjects: Individuals have the right to access, correct, and request the deletion of their personal information.
• Accountability: Organizations must appoint a Data Protection Officer (DPO) responsible for ensuring compliance with the law.
 o Example: A telecommunications company in the Philippines must notify customers if their personal data (e.g., phone
numbers, billing addresses) will be used for marketing purposes and must obtain their consent before doing so.

2. Role of the National Privacy Commission (NPC)

Overview: The National Privacy Commission (NPC) is the regulatory body responsible for overseeing the implementation of the Data
Privacy Act, ensuring organizations comply with data privacy regulations, and protecting the rights of Filipino citizens.

Functions:

• Enforcement: The NPC has the authority to investigate violations of data privacy laws and impose penalties, including fines
and imprisonment, for non-compliance.
• Education: The NPC also plays an educational role, offering guidelines, conducting seminars, and issuing advisories to raise
awareness of data privacy.
o Example: In 2019, the NPC ordered a financial technology company to cease processing the personal data of its
users after finding that its practices violated the Data Privacy Act.

3. Rights of Data Subjects in the Philippines

Overview: Filipino citizens have specific rights under the Data Privacy Act, which empower them to control how their personal data is
collected and processed.

Key Rights:

• Right to Information: Individuals have the right to know why and how their data is being collected and used.
• Right to Access: They can request a copy of their data from any entity that has collected it.
• Right to Rectification: If the data is inaccurate or incomplete, they can request corrections.
• Right to Erasure: Individuals can demand that their personal data be deleted when it is no longer needed.
o Example: A Filipino citizen can request an e-commerce platform to delete their account and all personal data (e.g.,
purchase history, payment information) associated with it, if they no longer wish to use the service.

4. Responsibilities of Data Controllers and Processors

Overview: Organizations that collect, store, or process personal data are referred to as data controllers or data processors. They must
implement security measures to protect data from unauthorized access, breaches, and other risks.

Key Responsibilities:

• Data Protection Measures: These include encryption, access controls, and secure data storage to safeguard sensitive
information.
• Data Breach Notification: Organizations must inform the NPC and affected individuals of any data breach within 72 hours.
• Data Sharing and Outsourcing: If data is shared with third parties, the controller must ensure that the recipient also
complies with the Data Privacy Act.
o Example: A local hospital that collects sensitive medical information must have encryption in place and restrict
access to authorized personnel only. In case of a data breach, it must notify the NPC and affected patients
immediately.

5. Penalties for Non-Compliance

Overview: The Data Privacy Act outlines penalties for individuals or organizations that fail to comply with its provisions. These include
fines, imprisonment, and damages to be paid to affected data subjects.

Penalties:

• Imprisonment: Violators can face up to six years of imprisonment, depending on the severity of the violation.
• Fines: Monetary penalties range from PHP 500,000 to PHP 5 million.
• Civil Liabilities: Organizations may be ordered to pay damages to individuals whose privacy has been violated.
o Example: A company that fails to protect its customers' personal data could face a fine of up to PHP 5 million, as
well as civil liabilities to compensate affected individuals.

Data Privacy Best Practices for Businesses in the Philippines:

 • Appoint a Data Protection Officer (DPO): Every organization must have a DPO responsible for overseeing compliance with
the Data Privacy Act. This officer acts as a liaison between the company and the NPC.
• Conduct Regular Privacy Impact Assessments (PIA): Organizations should evaluate how personal data is processed and
stored, assessing the potential risks and ensuring compliance with the law.
• Implement Data Security Measures: Using encryption, firewalls, and regular audits, businesses can protect sensitive data
from unauthorized access or breaches.
• Ensure Transparency in Data Collection: Always inform users about what data is being collected, why it is being collected,
and how it will be used.

o Examples of Data Breaches in the Philippines:

o Comelec Breach (2016): One of the largest government data breaches in the Philippines, where sensitive voter
data was exposed, affecting millions of Filipino citizens. This incident highlighted the need for stricter data protection
measures across all government agencies.
o Cathay Pacific Breach (2018): The NPC launched an investigation after Cathay Pacific announced that the personal
data of around 100,000 Filipino passengers had been exposed. This raised concerns about how international
businesses protect the data of Filipino citizens.

Challenges and Future Directions:

• Compliance Among SMEs: Many small and medium-sized enterprises (SMEs) in the Philippines struggle to comply with the
Data Privacy Act due to limited resources and awareness.
• Cross-Border Data Transfers: As businesses increasingly operate globally, ensuring that data transferred outside the
Philippines is adequately protected remains a challenge.
• Public Awareness: Raising awareness among Filipinos about their data privacy rights is essential for enforcing the law and
ensuring compliance by organizations.

Conclusion:
Data privacy and protection are critical in the digital age, particularly in the Philippines, where the Data Privacy Act of 2012 provides the
legal foundation to safeguard personal data. Businesses and organizations must comply with these regulations to protect individuals'
rights and avoid legal consequences, while citizens must be informed about their rights to ensure their personal information is handled
with care.

Activity

⎯ Analyze a real-world case where compliance with data privacy laws (e.g., GDPR) impacted business practices. Discuss best
practices for ensuring compliance.

TOPIC III. Ethical Issues in IT

Understanding Ethical Dilemmas in IT

This section explores various ethical challenges faced by IT professionals.

Foundational Issues

• Data Breaches: Ethical considerations surrounding companies' responsibilities to protect user data and inform affected
users’ post-breach.

• Digital Surveillance: Balancing security monitoring with respect for user privacy rights.

• Intellectual Property (IP): Protecting IP rights in software development while respecting others' innovations.

• Digital Divide: Addressing disparities in technology access and its implications for social equality.

Intermediate Issues

• Ethical Frameworks for IT: Application of ethical theories like utilitarianism and deontology in technology decision-making
processes.

• Informed Consent in Data Collection: Ensuring users are fully aware of and agree to data collection practices prior to
consent.
 • Transparency and Accountability: Establishing clear policies on data usage while ensuring accountability for breaches or
misuse.

Advanced Issues

• Artificial Intelligence (AI) Ethics: Exploring biases in AI algorithms, transparency in AI decision-making processes, and
accountability for AI-driven actions.
• Corporate Responsibility in Cybersecurity: The ethical obligation for organizations to invest in cybersecurity measures
that protect user data effectively.

• Technological Unemployment: Addressing ethical responsibilities associated with job displacement due to automation
technologies.

Activity

⎯ Engage in a debate discussing the ethical implications of digital surveillance. Consider perspectives on privacy rights versus
security needs.

TOPIC IV. Security Technologies

Overview of Key Security Technologies

This section provides insights into essential security tools used in cybersecurity.

Foundational Security Tools

• Firewalls: Systems designed to prevent unauthorized access while permitting outward communication based on
predetermined security rules.
• Encryption: The process of converting information into code to prevent unauthorized access; critical for protecting sensitive
data.
• Multi-Factor Authentication (MFA): A security mechanism requiring two or more verification methods from independent
categories of credentials.

Intermediate Security Tools

• Intrusion Detection Systems (IDS): Tools that monitor network traffic for suspicious activity or known threats.

• Antivirus Software: Programs designed to detect, prevent, and remove malware from systems effectively.

• VPNs (Virtual Private Networks): Secure connections that encrypt internet traffic over public networks.

Advanced Security Tools

• Intrusion Prevention Systems (IPS): Proactive systems capable of automatically blocking detected threats before they
cause harm.

• SIEM (Security Information and Event Management): Platforms providing real-time analysis of security alerts generated
by hardware and applications across networks.
• Next-Gen Firewalls (NGFW): Advanced firewalls incorporating features like deep packet inspection alongside traditional
firewall capabilities.

Activity

⎯ Conduct a lab exercise where students configure basic security tools such as firewalls and IDS within a mock network
environment.

TOPIC V. Incident Response and Recovery

Planning for Incident Response and Recovery

This section outlines strategies for effective incident response planning.

Foundational Concepts
• Incident Response: A structured approach aimed at managing cybersecurity incidents effectively to minimize impact on
operations.

Core Phases of Incident Response:

1. Preparation
2. Detection
3. Containment
4. Eradication
5. Recovery
6. Lessons Learned

Disaster Recovery Basics: Plans outlining procedures for restoring critical systems after cyberattacks or disasters.

Intermediate Concepts

• Business Continuity Planning (BCP): Strategies ensuring essential functions continue during crises or disruptions.

• Developing an Incident Response Plan (IRP): A comprehensive guide detailing organizational response actions including
roles, communication strategies, and recovery steps.

Key Metrics for Recovery

Establishing metrics such as Recovery Time Objective (RTO) and Recovery Point Objective (RPO) helps define acceptable limits for
downtime and data loss during recovery efforts.

Advanced Concepts
• Advanced Threat Response Techniques involve automated detection methods, threat hunting practices, and forensic analysis
techniques aimed at sophisticated cyber threats.
• Conducting Tabletop Exercises simulates incident scenarios allowing teams to practice response strategies effectively.

Continuous Improvement

Incorporating lessons learned from past incidents enhances future defenses while improving response protocols.

Activity

⎯ Conduct a simulated cybersecurity incident where students develop an incident response plan including post-event analysis
focusing on recovery strategies.