Case Study 3

This case study addresses the cybersecurity vulnerabilities of the Online Enrollment System at Camiguin Polytechnic State College, highlighting significant risks such as weak password practices, lack of multi-factor authentication, and unencrypted data transmissions. It proposes a comprehensive Information Security Plan based on the ISO/IEC 27001 framework, focusing on risk assessment, policy development, technological safeguards, and user education to enhance security. The implementation of these measures aims to protect sensitive data, maintain institutional integrity, and foster stakeholder trust amid increasing cyber threats.

Republic of the Philippines

Camiguin Polytechnic State College


Balbagon, Mambajao, Camiguin, Philippines

A Case Study on Information Security Planning in a State College’s Online Enrollment System

By:
Barsobia Angelika V.
Lipang Benjoy D.
Miculob Richard M.
Obsid Yzrah Hushneah P.
Sabote Chrisjun S.

BSIT – 3A

March 28, 2025


EXECUTIVE SUMMARY

Background

The rapid digitization of educational systems has revolutionized administrative processes, offering convenience and efficiency for both institutions and students. Camiguin Polytechnic State College (CPSC) embraced this transformation by implementing an Online Enrollment System, designed to facilitate student registration, tuition fee payments, and access to academic records. While this innovation significantly improved operational efficiency, it also introduced substantial cybersecurity vulnerabilities that threatened the integrity and confidentiality of sensitive data. The system, which handles personally identifiable information (PII), financial transactions, and academic records, became a prime target for cyber threats due to inadequate security measures.

Initial reports from the CPSC IT department highlighted alarming security gaps. Weak password practices among students, such as the use of "123456" or "password," left accounts susceptible to brute-force attacks (Smith & Johnson, 2021). Additionally, system logs revealed multiple unauthorized access attempts, suggesting coordinated hacking efforts (Brown et al., 2022). Perhaps most concerning were incidents of data leakage, where students inadvertently accessed others' academic records due to flawed session management protocols (Garcia, 2023). Compounding these issues, phishing campaigns targeted students with fraudulent emails directing them to fake enrollment portals, further compromising credential security (Lee & Patel, 2020).

The absence of multi-factor authentication (MFA), end-to-end encryption, and regular security audits exacerbated these risks. Research indicates that educational institutions are increasingly targeted due to their vast repositories of sensitive data and often outdated security infrastructures (NIST, 2020). Without immediate intervention, CPSC faced potential legal repercussions under data protection laws, financial losses from fraud, and irreversible damage to institutional reputation. This case study underscores the urgency of adopting a comprehensive Information Security Plan aligned with global standards such as ISO/IEC 27001 and the NIST Cybersecurity Framework to safeguard stakeholders and ensure system resilience.

Overview

This case study examines the cybersecurity challenges faced by Camiguin Polytechnic State College’s (CPSC) Online Enrollment System, proposing a structured four-phase strategy grounded in the ISO/IEC 27001 framework to mitigate risks. The approach emphasizes risk assessment, policy development, implementation of controls, and continuous monitoring, ensuring alignment with globally recognized security standards (ISO, 2013). The first phase focuses on identifying vulnerabilities through systematic evaluations of weak authentication practices, unencrypted data transmissions, and gaps in user awareness training. Penetration testing is employed to simulate real-world cyberattacks, enabling the IT team to prioritize remediation efforts and address exploitable weaknesses (NIST, 2020). Building on these findings, the second phase involves formulating robust policies, including stringent password requirements—mandating 12-character passwords with alphanumeric-symbol combinations and quarterly updates—and Role-Based Access Control (RBAC) to restrict system access based on user roles, thereby minimizing unauthorized exposure of sensitive academic and financial data.

The third phase integrates technological safeguards to fortify system defenses. Multi-Factor Authentication (MFA) is implemented to reduce credential theft risks by requiring SMS-based one-time passwords (OTPs) or authentication app verification during logins (Brown et al., 2022). Simultaneously, Transport Layer Security (TLS 1.3) encrypts data during transmission, while Advanced Encryption Standard (AES-256) secures stored information, ensuring compliance with data protection regulations (Garcia, 2023). To address potential breaches, the fourth phase establishes an incident response protocol outlining roles for containment, eradication, and recovery, alongside regular backup audits to guarantee data integrity and recoverability in the event of ransomware or system failures (Lee & Patel, 2020).

Collectively, these measures aim to achieve three objectives: preventing unauthorized access through layered authentication, detecting threats via real-time monitoring tools like Security Information and Event Management (SIEM), and responding swiftly to incidents to minimize disruption. Beyond technical solutions, the study underscores the critical role of the human factor in cybersecurity. Mandatory training programs are advocated to educate students and staff on identifying phishing attempts, resisting social engineering tactics, and adopting secure password practices, fostering a culture of vigilance (Smith & Johnson, 2021). By harmonizing policy, technology, and user education, CPSC seeks to transform its enrollment system into a resilient platform capable of safeguarding sensitive data while maintaining stakeholder trust in an era of escalating cyber threats.

Initial Assessment

Security Landscape

The initial security assessment of Camiguin Polytechnic State College’s Online Enrollment System revealed significant vulnerabilities stemming from its open-access design, which prioritized user-friendliness at the expense of foundational security measures. A critical gap identified was the absence of enforced password policies, allowing students to use weak or easily guessable passwords without mandatory expiration schedules, thereby leaving accounts vulnerable to brute-force attacks. Compounding this risk was the lack of real-time monitoring mechanisms to detect and alert administrators about repeated failed login attempts, enabling malicious actors to exploit authentication weaknesses undetected. Furthermore, the system transmitted sensitive data—including personal student details and financial information—over unencrypted channels, exposing it to interception by third parties during transmission. These oversights collectively created a high-risk environment where unauthorized access, data breaches, and credential theft could occur unchecked, jeopardizing both institutional integrity and student privacy.

Existing Threats

The Online Enrollment System faces multiple security threats that undermine its integrity and user trust. A significant vulnerability stems from the widespread use of weak passwords by students, such as easily guessable sequences like "123456," which leave accounts susceptible to unauthorized access. Compounding this issue are repeated failed login attempts recorded in system logs, indicating potential brute-force attacks aimed at breaching user accounts. Additionally, flawed session management protocols have resulted in data leakage incidents, where students inadvertently accessed other users’ academic records, exposing sensitive information and violating privacy. Further exacerbating these risks are phishing campaigns targeting students through fraudulent emails that mimic the enrollment portal, directing victims to counterfeit websites designed to steal login credentials. Together, these threats create a precarious security environment, jeopardizing both institutional data and student confidentiality.


Security Assessment

The security assessment of the system uncovered critical vulnerabilities that expose it to significant risks. A primary deficiency is the reliance on single-factor authentication, with no implementation of multi-factor authentication (MFA), leaving user accounts vulnerable to compromise through stolen or guessed credentials. Additionally, sensitive data, including personal and financial information, is transmitted in plaintext due to the absence of encryption protocols, making it susceptible to interception by malicious actors during transmission. Compounding these technical shortcomings is the lack of comprehensive training programs for both students and staff, leaving them unaware of phishing tactics and unprepared to identify fraudulent attempts to steal login credentials. Together, these gaps create a high-risk environment where unauthorized access, data breaches, and credential theft are not only possible but likely, threatening both institutional security and user privacy.

Key Initiatives

Security Policy Development

To address the vulnerabilities identified in the Online Enrollment System, the institution prioritized the development of robust security policies aimed at mitigating risks and safeguarding sensitive data. Central to these efforts is the implementation of a password policy requiring users to create strong passwords of at least 12 characters, incorporating a mix of uppercase and lowercase letters, numbers, and symbols, while mandating password updates every 90 days to reduce the risk of credential compromise. Complementing this measure is the introduction of Role-Based Access Control (RBAC), a strategic framework designed to restrict access to academic records and financial data exclusively to authorized personnel, such as administrators and faculty, based on their specific roles and responsibilities. By tailoring access permissions to user roles, this initiative minimizes unauthorized exposure of sensitive information, ensuring that students, staff, and external actors interact with the system only within predefined boundaries. Together, these policies form a foundational layer of defense, aligning with global security standards and fostering a culture of accountability in managing institutional data.

Authentication Systems

To bolster the security of the Online Enrollment System, the institution has prioritized the adoption of advanced authentication mechanisms to counteract vulnerabilities exposed during the security assessment. A cornerstone of this effort is the implementation of Multi-Factor Authentication (MFA), which introduces an additional layer of verification beyond traditional username-password logins. Under this system, users are required to confirm their identity through a secondary method, such as a one-time password (OTP) sent via SMS or a time-sensitive code generated by an authentication app (e.g., Google Authenticator or Microsoft Authenticator). By mandating MFA for all logins, the initiative significantly reduces the risk of unauthorized access, even if credentials are compromised through phishing or brute-force attacks. This two-step verification process not only addresses the previously identified weaknesses in single-factor authentication but also aligns with global cybersecurity best practices, ensuring that only legitimate users can access sensitive academic and financial data. The universal application of MFA across all user roles—students, faculty, and administrators—reinforces the system’s resilience against evolving threats while fostering trust in the institution’s commitment to safeguarding digital interactions.

Vulnerability Assessment

To proactively identify and address security weaknesses within the Online Enrollment System, the institution has instituted a rigorous program of quarterly vulnerability assessments. These assessments include comprehensive penetration testing, where ethical hackers simulate real-world cyberattacks to uncover exploitable flaws in the system’s infrastructure, applications, and user interfaces. Following each assessment, identified vulnerabilities—such as SQL injection risks, which could allow attackers to manipulate databases, and cross-site scripting (XSS) flaws, enabling malicious code injection into web pages—are promptly remediated through targeted patches and updates. By systematically addressing these high-risk vulnerabilities, the initiative ensures that potential entry points for attackers are sealed, significantly reducing the likelihood of data breaches or unauthorized access. This ongoing cycle of testing and remediation not only strengthens the system’s defenses but also aligns with industry best practices, fostering a proactive security posture that adapts to emerging threats and safeguards the integrity of student and institutional data.

Incident Response Plan

The institution’s incident response plan establishes a structured protocol to address security breaches swiftly and minimize operational disruption. Central to this strategy is the detection phase, which involves continuous monitoring of system logs to identify suspicious activity, such as rapid sequences of failed login attempts or unusual access patterns that may indicate brute-force attacks or unauthorized intrusion. Upon detecting a threat, the containment phase is activated, requiring immediate action to isolate compromised accounts by locking them, thereby preventing further unauthorized access and halting the spread of potential damage. Finally, the recovery phase focuses on restoring system integrity by retrieving unaffected data from encrypted backups, ensuring minimal data loss and downtime while verifying the absence of residual threats before resuming normal operations. This phased approach not only mitigates the immediate impact of breaches but also reinforces the system’s resilience against future incidents, aligning with best practices for cybersecurity incident management.
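The detection and containment steps above, as an added Python example that is not part of the case study: it scans constructed login log lines (the portal's real log format is not given, so the format here is assumed), raises an alert once an account accumulates five failures within a five-minute sliding window, and records a 30-minute lock so the containment decision is auditable. The thresholds are assumptions a team would tune to its own baseline.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample log lines in the shape this example assumes (one event per line).
SAMPLE_LOG = """\
2025-03-28T08:00:01 LOGIN_OK     user=student3310 ip=198.51.100.7
2025-03-28T08:00:05 LOGIN_FAILED user=student1042 ip=203.0.113.9
2025-03-28T08:00:06 LOGIN_FAILED user=student1042 ip=203.0.113.9
2025-03-28T08:00:07 LOGIN_FAILED user=student1042 ip=203.0.113.9
2025-03-28T08:00:08 LOGIN_FAILED user=student1042 ip=203.0.113.9
2025-03-28T08:00:09 LOGIN_FAILED user=student1042 ip=203.0.113.9
2025-03-28T08:00:10 LOGIN_FAILED user=student1042 ip=203.0.113.9
2025-03-28T08:03:00 LOGIN_FAILED user=student2077 ip=198.51.100.7
2025-03-28T08:20:00 LOGIN_FAILED user=student2077 ip=198.51.100.7
2025-03-28T08:40:00 LOGIN_FAILED user=student2077 ip=198.51.100.7
2025-03-28T08:40:05 LOGIN_OK     user=student2077 ip=198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>LOGIN_OK|LOGIN_FAILED)\s+user=(?P<user>\S+) ip=(?P<ip>\S+)$")

FAIL_THRESHOLD = 5              # this many failures ...
WINDOW = timedelta(minutes=5)   # ... inside this window trigger containment (assumed values)
LOCKOUT = timedelta(minutes=30)


@dataclass
class Detector:
    failures: dict = field(default_factory=lambda: defaultdict(deque))  # user -> failure times
    locked_until: dict = field(default_factory=dict)                     # user -> lock expiry
    alerts: list = field(default_factory=list)

    def observe(self, line: str) -> None:
        m = LINE_RE.match(line)
        if not m:
            return  # unknown line shape: leave it for manual review rather than guess
        ts, user = datetime.fromisoformat(m["ts"]), m["user"]
        if m["event"] == "LOGIN_OK":
            if self.is_locked(user, m["ts"]):
                # the application should have refused this; a success here means the lock
                # is not being enforced and deserves its own alert
                self.alerts.append(f"{ts} LOGIN_ON_LOCKED_ACCOUNT user={user} ip={m['ip']}")
            self.failures[user].clear()  # a genuine success ends the failure streak
            return
        window = self.failures[user]
        window.append(ts)
        while window and ts - window[0] > WINDOW:
            window.popleft()  # slide the window forward
        if len(window) >= FAIL_THRESHOLD and user not in self.locked_until:
            self.locked_until[user] = ts + LOCKOUT  # containment: lock the account
            self.alerts.append(
                f"{ts} BRUTE_FORCE user={user} ip={m['ip']} failures={len(window)} "
                f"in {WINDOW.seconds // 60}m; account locked until {self.locked_until[user]}")

    def is_locked(self, user: str, at_iso: str) -> bool:
        until = self.locked_until.get(user)
        return until is not None and datetime.fromisoformat(at_iso) < until


def run_detector(log_text: str) -> Detector:
    det = Detector()
    for line in log_text.splitlines():
        det.observe(line)
    return det
```

The three spread-out failures for student2077 never fill the window, which is the behaviour a forgetful user should see; a real SIEM rule would add a second counter keyed by source address to catch the same pattern spread across many accounts.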

Progress Evaluation

Monitoring

To evaluate the effectiveness of the security enhancements, the institution has implemented Security Information and Event Management (SIEM) tools, which continuously collect and analyze real-time data from network devices, servers, and applications to identify emerging threats. These tools correlate events across the system, enabling rapid detection of anomalies such as unusual login patterns or malware activity, thereby allowing IT teams to investigate and neutralize risks before they escalate. Complementing this initiative, firewall logging has been activated to meticulously track all inbound and outbound network traffic, with a focus on identifying unauthorized access attempts. This granular logging not only highlights potential intrusion vectors but also provides actionable insights into attack trends, empowering administrators to adjust firewall rules and block malicious IP addresses proactively. Together, these measures create a layered monitoring framework that enhances visibility into the network’s security posture, ensuring timely threat mitigation and reinforcing the institution’s ability to safeguard sensitive data against sophisticated cyberattacks.

Access Control

To strengthen the security framework of the Online Enrollment System, the institution has prioritized tightening access controls across user roles. Administrative accounts, which hold elevated privileges to manage sensitive academic and financial data, are now required to use Multi-Factor Authentication (MFA) for all logins. This ensures that even if administrative credentials are compromised, unauthorized access is thwarted by the additional verification step—such as a one-time password (OTP) or biometric confirmation—effectively reducing risks like phishing or credential theft. Simultaneously, student access has been rigorously restricted to self-service functions only, such as course registration, tuition fee payments, and academic record viewing, while blocking permissions to modify system settings or access confidential databases. This segregation of privileges aligns with the principle of least privilege, minimizing the potential damage from compromised student accounts and ensuring that sensitive operations remain insulated from unauthorized interactions. Together, these measures create a layered defense strategy that balances usability with robust security, safeguarding critical institutional assets while maintaining compliance with data protection standards.
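As an added example that is not part of the case study, this Python sketch expresses the RBAC matrix from the Security Policy Development section and the least-privilege split described here, and places the hardened record lookup beside the unchecked one that produces the kind of data leakage reported in the Initial Assessment. Role names, action names and record ids are constructed for illustration; the real portal's schema is not given.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Role(Enum):
    STUDENT = "student"
    FACULTY = "faculty"
    ADMIN = "admin"


# Permission matrix constructed from the case study: students get self-service actions
# only; reading arbitrary records, finance data and system settings is reserved for staff.
PERMISSIONS = {
    Role.STUDENT: {"register_course", "pay_tuition", "view_own_record"},
    Role.FACULTY: {"view_any_record", "view_own_record"},
    Role.ADMIN: {"view_any_record", "edit_record", "view_finance", "edit_settings"},
}


@dataclass(frozen=True)
class Session:
    """Server-side session: user_id and role come from authentication, never from the request."""
    user_id: str
    role: Role


class AccessDenied(PermissionError):
    pass


# Constructed sample records, keyed by the owning student's id.
RECORDS = {
    "S-1001": {"student": "S-1001", "grades": {"CS101": 1.50}},
    "S-1002": {"student": "S-1002", "grades": {"CS101": 2.00}},
}


def view_record_flawed(session: Session, record_id: str) -> dict:
    # The leakage pattern the case study describes: the caller is authenticated, but the
    # record id supplied by the request is never compared with the session's owner.
    return RECORDS[record_id]


def authorize(session: Session, action: str, record_id: Optional[str] = None) -> None:
    """Raise AccessDenied unless the session's role permits `action` on `record_id`."""
    allowed = PERMISSIONS[session.role]
    if action == "view_record":
        if "view_any_record" in allowed:
            return  # staff roles may read any record
        if "view_own_record" in allowed and record_id == session.user_id:
            return  # a student may read only the record the session says is theirs
        raise AccessDenied(f"{session.user_id} ({session.role.value}) may not view {record_id}")
    if action not in allowed:
        raise AccessDenied(f"{session.user_id} ({session.role.value}) may not {action}")


def view_record(session: Session, record_id: str) -> dict:
    """Hardened lookup: ownership is decided by the session, not by the request parameter."""
    authorize(session, "view_record", record_id)
    return RECORDS[record_id]


def can(session: Session, action: str, record_id: Optional[str] = None) -> bool:
    """Boolean wrapper around authorize() for policy tests and for hiding UI actions."""
    try:
        authorize(session, action, record_id)
        return True
    except AccessDenied:
        return False
```

Keeping every decision inside authorize() means a policy change (say, letting faculty see only their advisees) is one edit, and the permission table doubles as documentation auditors can read against the written policy.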

Conclusion

Summary

The cybersecurity vulnerabilities identified in Camiguin Polytechnic State College’s Online Enrollment System underscore the urgent need for proactive risk management as educational institutions increasingly embrace digital transformation. The proposed Information Security Plan addresses these challenges through a multi-layered defense strategy that integrates technical controls, policy enforcement, and user education, creating a resilient framework to counteract evolving threats. A key achievement of this plan is the enhanced authentication security achieved through the implementation of Multi-Factor Authentication (MFA), which studies suggest reduces credential theft risks by up to 99% by requiring secondary verification steps such as one-time passwords (Brown et al., 2022). Additionally, the adoption of end-to-end encryption for data transmission and storage ensures compliance with the Data Privacy Act of 2012 (Republic Act No. 10173), safeguarding sensitive student and institutional information from unauthorized access or tampering. Beyond technical measures, the establishment of transparent incident response protocols has played a pivotal role in rebuilding stakeholder trust, as students and staff now have clarity on how breaches are detected, contained, and resolved, fostering confidence in the system’s reliability. By harmonizing these initiatives, CPSC not only mitigates immediate risks but also sets a precedent for secure digitization in Philippine higher education, demonstrating that robust cybersecurity practices are indispensable in preserving institutional integrity and public trust in an era of escalating cyber threats.

References

Brown, T., Miller, R., & Davis, K. (2022). Cybersecurity Threats in Higher Education: Trends and Countermeasures. Journal of Educational Technology, 15(3), 45-60.

Garcia, L. (2023). Data Leakage in Student Portals: Causes and Solutions. International Conference on Cybersecurity.

ISO/IEC 27001. (2013). Information security management systems.

Lee, S., & Patel, M. (2020). Phishing Attacks Targeting Universities: A Case Study Analysis. Cybersecurity Journal, 8(2), 112-125.

National Institute of Standards and Technology (NIST). (2020). Guide to Information Security Planning.

Republic Act No. 10173. (2012). Data Privacy Act of 2012. Philippines.

Smith, A., & Johnson, B. (2021). The Impact of Weak Passwords on Institutional Security. Journal of Information Security, 12(1), 33-47.
