13.1 Security measures to be considered

  • Securing CBMS assets in the context of:
    • Data security
    • Information security
    • Device security
  • Personnel security
  • Asset security

The security measures we need to consider for CBMS concern securing CBMS assets in the contexts of data security, information security and device security.

Data security is the prevention of unauthorized access, use, disruption, modification, or destruction of data in storage.

Information security is the prevention of unauthorized access, use, disruption, modification, or destruction of information.

By these definitions, we can see that data security is specific to data in storage. On the other hand, information security is a far broader practice that encompasses end-to-end information flows, which includes processes, knowledge, user interfaces, communications, automation, computation, transactions, infrastructure, devices, sensors and data storage. Data security therefore is merely a layer of information security.

Device security refers to measures designed to protect sensitive information stored on and transmitted by laptops, smartphones, tablets, wearables, and other portable devices. At the root of mobile device security is the goal of keeping unauthorized users from accessing the enterprise network.

Now, we also have, as a security concept, personnel security, which is a system of policies and procedures that aim to manage and minimize the risk of people, or staff, exploiting legitimate access to an organization’s assets or premises for unauthorized purposes. These purposes can encompass many forms of criminal activity, from minor theft to terrorism.

Meanwhile, asset security describes concepts, structures, principles and standards aimed at monitoring and securing assets covering anything that can be important to the organization, such as partners, employees, facilities, equipment and information.

https://simplicable.com/new/data-security-vs-information-security#:~:text=Data%20security%20is%20the%20prevention,modification%20or%20destruction%20of%20information
https://www.vmware.com/topics/glossary/content/mobile-device-security.html
https://www.gov.uk/government/publications/crowded-places-guidance/personnel-and-people-security#:~:text=Personnel%20security%20is%20a%20system,minor%20theft%20through%20to%20terrorism
https://resources.infosecinstitute.com/certification/cissp-domain-2-asset-security-need-know-exam/

13.2 Information security aspects

We may not be able to cover all the information security aspects outlined here, but PSA has at least touched, to varying degrees, the following information security aspects in CBMS and its adopted information systems:

  • Audit trail
  • Backdoor
  • Cryptography
  • Cybersecurity
  • Data breach
  • Data security
  • Hardening
  • Information security testing, which has been covered by SQAD
  • Input validation, which has also been covered by SQAD and by CBSS, and even by you from the field offices
  • Network security, which has been taken care of by SDD, SOID and SQAD
  • Penetration test
  • Privacy
  • Proxy server
  • Sandbox, and
  • Security control

Admittedly, there are some information security aspects here that may not be applicable to CBMS, such as IoT (or Internet of Things) security.

Common Information Security Considerations
  • Active Attack
  • Advanced Persistent Threat
  • AI Box
  • Antifragile
  • Audit Trail
  • Backdoor
  • Canary Trap
  • Critical Infrastructure
  • Cryptographic Keys
  • Cryptographic Salt
  • Cryptography
  • Data Breach
  • Data Remanence
  • Data Room
  • Data Security
  • Data Sovereignty
  • Data Wipe
  • Deep Magic
  • Defense In Depth
  • Defensive Computing
  • Degaussing
  • Digital Identity
  • Document Control
  • Failure Of Imagination
  • Format-preserving Encryption
  • Geofencing
  • Hardening
  • Hashcode
  • Honeypot
  • Human Error
  • Information Security Testing
  • Input Validation
  • IoT Security
  • Key Stretching
  • Multi-Factor Authentication
  • Mutual Authentication
  • Need To Know
  • Network Security
  • Non-repudiation
  • Nonce
  • Operations Security
  • Overlay Network
  • Passive Attack
  • Password Entropy
  • Password Fatigue
  • Patch Management
  • Penetration Test
  • Principle Of Least Privilege
  • Privacy
  • Proof Of Work
  • Proxy Server
  • Pseudorandom
  • Sandbox
  • Secure Code Review
  • Security As A Service
  • Security Controls
  • Security Event
  • Security Through Obscurity
  • Strong Authentication
  • Tarpit
  • Tokens
  • Zero-day

Source: https://simplicable.com/new/information-security

13.3 Data Privacy Act of 2012

All government activities and transactions with the public are governed by the Data Privacy Act and, as the CBMS collects Personal Information, it is thus covered by the DPA.

  • Protecting Individual Personal Information in Information and Communications System (ICS) in the Government and Private Sector

Source: Introduction to the Data Privacy Act (DPA) of 2012
Atty. Vida Zora Bocar, CIPM, CIPP/e
Policy Review Division
National Privacy Commission

13.4 Information classification

When talking about information security, we have to understand that information is classified differently according to the scope of operation. From this classification, whose categories are not necessarily mutually exclusive, we determine the appropriate security controls to apply to each:

  • Public data - comprises information that can be viewed by the general public and the disclosure of which would not cause damage
  • Sensitive information - needs extraordinary precautions to ensure confidentiality and integrity
  • Private data - may include personal information and where the unauthorized disclosure of which can be disastrous
  • Confidential information - information used within the organization and where serious consequences may occur if such information is subjected to unauthorized disclosure
  • Secret information - if disclosed, can adversely affect national security
  • Top secret information - if disclosed, could cause massive damage to national security
  • Unclassified information - not sensitive
  • Personal information
  • Sensitive personal information

Source: https://resources.infosecinstitute.com/certification/cissp-domain-2-asset-security-need-know-exam/

In the context of CBMS, we will be dealing with personal information, and sensitive personal information.

Personal Information

Refers to any information, whether recorded in a material form or not:

  • from which the identity of an individual is apparent (e.g., Juan Dela Cruz);
  • can be reasonably or directly ascertained by the entity holding the information (e.g., NSCRG); or
  • when put together with other information would directly and certainly identify an individual

Sensitive Personal Information

Within personal information, some personal data are classified as sensitive information which must not be easily disclosed. Examples are:

  • Individual’s race, ethnic origin, marital status, age, color and religious, philosophical, political affiliations
  • Individual’s health, education, genetic or sexual life, or to any proceeding for any offense committed or alleged to have been committed by the individual
  • Government-issued personal numbers such as SSS, GSIS, PhilHealth, Pag-IBIG, LTO and previous health records and tax returns

Source: Introduction to the Data Privacy Act (DPA) of 2012
Atty. Vida Zora Bocar, CIPM, CIPP/e
Policy Review Division
National Privacy Commission

13.5 Securing Personal Information

We need security measures in CBMS to protect personal information against:

  • any accidental or unlawful destruction, alteration and disclosure, as well as against any other unlawful processing
  • natural dangers such as accidental loss or destruction, and human dangers such as unlawful access, fraudulent misuse, unlawful destruction, alteration and contamination

Source: Republic Act 10173 – Data Privacy Act of 2012

13.6 DICT guidance on information classification

A quick look at DICT's guidance on information classification, as set out in its 2020 circular (Department Circular No. 10, Amendments to Department Circular No. 2017-002, Prescribing the Philippine Government's Cloud First Policy), which classifies government data as:

  • Highly sensitive government data
  • Above-sensitive government data
  • Sensitive government data
  • Non-sensitive government data

Each data classification is officially defined in the abovementioned department circular, which states that a government agency shall select the appropriate cloud deployment model (a type of internet- or network-based data hosting model) based on its classification of the data it stores and processes, with due consideration of factors including appropriate controls, security protocols and redundancy protocols.

The DICT Circular 2017-002 on Prescribing the Philippine Government’s Cloud First Policy also has guiding information sections on Security, Security Framework, Data Sovereignty and Data Residency.

Sources: https://dict.gov.ph/wp-content/uploads/2020/06/Department_Circular_No_10_Amendments_to_DC_No_2017_002_re_Prescribing.pdf
https://dict.gov.ph/wp-content/uploads/2017/02/Signed_DICT-Circular_2017-002_CloudComp_2017Feb07.pdf

13.7 Physical Security Measures

In CBMS, we should observe these physical security measures:

  • Limit access and activities in the room, workstation or facility. Only authorized personnel must have access to the CBMS data processing facility. The arrangement and setup of workstations and equipment shall take into consideration the physical environment, accessibility to its users, and protection against the unauthorized public. The duties, responsibilities and schedules of CBMS authorized personnel involved in the processing of personal data shall be clearly defined, so that only individuals performing official duties are allowed access to the room and workstation at any given time;

  • We need to maintain an inventory of the devices used for CBMS. Mobile devices used for data collection are registered through the system; desktops used for data validation and data processing are not. We therefore need to certify and clear the computers that will be used for data processing, and keep an inventory of the actual ICT equipment used for data validation or data processing, especially equipment that is not on PSA premises. PSA field offices should conduct regular and random inspections of data processing sites to verify that only authorized desktop computers are being used. Remember that these computers store CBMS data that are classified as sensitive and even confidential. Device identity attributes such as MAC address and IP address can help identify desktop devices, and their use is for consideration in the improvement of the data processing system. Note, however, that both are reported by the client and are trivial to change, so on their own they identify a device but do not authenticate it; an authentication decision should rest on a credential issued to the device when it is registered.

  • Procedures must be put in place for the transfer, removal, disposal, and re-use of electronic media that store and process CBMS data, to ensure appropriate protection of personal information;

  • The facility used in the processing of personal data shall be, as far as practicable, protected from natural disasters, power disturbances, and other similar threats.

13.8 Technical Security Measures

Briefly, these are some technical security measures that need to be considered.

  • Safeguards to protect the computer network. We use firewalls to control traffic to and from CBMS servers, and HTTPS for our web-based applications so that data in transit is encrypted. Computers used for CBMS must run anti-virus software with the latest virus definitions. As an additional safeguard, keep operating systems current with the latest security patches, whether Android, Windows or Linux, so that we benefit from up-to-date OS-level security tools and protection.

  • Data encryption - CSWeb has an implementation on this.

  • Device authentication - only for mobile devices but hopefully all devices will pass some level of authentication

  • User authentication / multi-factor authentication - Users authenticate with an ID and password. Do not share your ID/password; the owner of the ID/password is accountable for any misuse. In the CBMS roll-out, SQAD has consistently advised adopting a multi-factor authentication process.
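Device authentication, as discussed for the desktop inventory in 13.7 and in the list above, shown as an added example (this is not CBMS or CSWeb code). It contrasts an allow-list keyed on the MAC address the client reports, which any machine can spoof, with a challenge-response check against a per-device key issued when the desktop is registered. The device ID, MAC address, inventory layout and the 30-second challenge lifetime are assumptions made for the example.

```python
"""Registered-device authentication for CBMS data-processing desktops.

Added example, not CBMS or CSWeb code. It contrasts an allow-list keyed on the
self-reported MAC address (which any client can spoof) with a challenge-response
check against a per-device key issued at enrollment. Device ID, MAC address and
the inventory structure are constructed for this example.
"""
import hashlib
import hmac
import secrets
import time

DEVICE_ID = "PSA-FO-DESKTOP-01"      # constructed identifier
DEVICE_MAC = "aa:bb:cc:dd:ee:01"     # constructed address


def enroll_device(inventory, device_id, mac):
    """Add a desktop to the inventory and return the key it must store.

    The key is delivered to the device once, out of band, and never sent over
    the network again; only HMACs computed with it are.
    """
    key = secrets.token_bytes(32)
    inventory[device_id] = {"mac": mac, "key": key, "used_nonces": set()}
    return key


def weak_check_by_mac(inventory, device_id, reported_mac):
    """Allow-list on the MAC address the client reports. Spoofable."""
    dev = inventory.get(device_id)
    return dev is not None and dev["mac"] == reported_mac


def issue_challenge():
    """Server side: a fresh random nonce plus the time it was issued."""
    return secrets.token_hex(16), time.time()


def device_response(key, device_id, nonce):
    """Device side: prove possession of the enrolled key for this nonce."""
    msg = f"{device_id}|{nonce}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify_device(inventory, device_id, nonce, issued_at, response,
                  now=None, max_age=30):
    """Server side: accept only a fresh, unused nonce signed with the right key."""
    dev = inventory.get(device_id)
    if dev is None:
        return False
    now = time.time() if now is None else now
    if now - issued_at > max_age:            # stale challenge
        return False
    if nonce in dev["used_nonces"]:          # replayed response
        return False
    expected = device_response(dev["key"], device_id, nonce)
    if not hmac.compare_digest(expected, response):   # constant-time compare
        return False
    dev["used_nonces"].add(nonce)
    return True


def demo():
    """Run the scenarios a site inspection would want to see and return them."""
    inventory = {}
    key = enroll_device(inventory, DEVICE_ID, DEVICE_MAC)

    # 1. An unregistered laptop claims the registered MAC: the weak check passes.
    spoof_passes_weak = weak_check_by_mac(inventory, DEVICE_ID, DEVICE_MAC)

    # 2. The genuine desktop answers a challenge with its enrolled key.
    nonce, issued = issue_challenge()
    genuine = verify_device(inventory, DEVICE_ID, nonce, issued,
                            device_response(key, DEVICE_ID, nonce))

    # 3. The same laptop, without the key, cannot answer a new challenge.
    nonce2, issued2 = issue_challenge()
    forged = verify_device(inventory, DEVICE_ID, nonce2, issued2,
                           device_response(b"guessed-key", DEVICE_ID, nonce2))

    # 4. Replaying the genuine response from step 2 is rejected.
    replayed = verify_device(inventory, DEVICE_ID, nonce, issued,
                             device_response(key, DEVICE_ID, nonce))

    # 5. A correct answer to a challenge issued a minute ago is too old.
    nonce3, issued3 = issue_challenge()
    stale = verify_device(inventory, DEVICE_ID, nonce3, issued3,
                          device_response(key, DEVICE_ID, nonce3),
                          now=issued3 + 60)

    return {"spoof_passes_weak": spoof_passes_weak, "genuine": genuine,
            "forged": forged, "replayed": replayed, "stale": stale}


if __name__ == "__main__":
    print(demo())
```

The point for the inventory: the MAC and IP address belong in the inventory record as descriptive attributes, but what the server trusts is the key handed to the device at registration, and a lost or decommissioned desktop is handled by deleting its inventory entry, which revokes the key.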

13.9 Organizational Security Measures

In the IRR or Implementing Rules and Regulations of the Data Privacy Act, there is mention of different areas of Security Measures for the Protection of Personal Data and a primary consideration is on Organizational Security Measures.

  1. Identify Data Protection Officer

    So, there is a need to designate an individual or individuals who shall function as data protection officer, compliance officer or otherwise be accountable for ensuring compliance with applicable laws and regulations for the protection of data privacy and security.

  2. Integrate Compliance Officer for Privacy

    We need to designate Compliance Officers for Privacy at the provincial or municipal level. The NPC states on its website that:

    A Compliance Officer for Privacy (COP) is an individual or individuals who perform some of the functions of a DPO in these cases:

    1. For Local Government Units (LGUs). Aside from having a DPO, a component city, municipality, or barangay can designate a COP, as long as the COP shall be under the supervision of the DPO.
    2. For Government Agencies. Aside from having a DPO, a government agency that has regional, provincial, district, city, municipal offices, or any other similar subunits, may designate or appoint COP for each subunit. The COPs shall be under the supervision of the DPO.

In CBMS, we may need to designate and appoint Compliance Officers for Privacy (COP) in our field offices. Let us also determine and push for our partner LGUs to appoint, designate and/or identify their corresponding COPs.

  3. Data Protection Policies

    We need to have Data Protection Policies that provide for organizational, physical, and technical security measures, and, for such purpose, take into account the nature, scope, context and purposes of the processing, as well as the risks posed to the rights and freedoms of data subjects.

  4. Privacy Impact Assessment

    We need to conduct a Privacy Impact Assessment to assess potential impacts on privacy of a process, information system, program, software module, device or other initiative which handles and manages personal information and in consultation with stakeholders, for taking actions as necessary to treat privacy risk.

    A PIA is more than just a tool: it’s a process that begins at the earliest possible stages of a project or an initiative when there are still opportunities to influence its outcome and thereby ensure privacy by design. It is a process that continues until, and even after, the project has been deployed. Initiatives vary substantially in scale and impact.

    A Personal Information Controller may have a responsibility to conduct a PIA and may request a Personal Information Processor to assist in doing this, acting on the Personal Information Controller’s behalf. A Personal Information Processor or a third party may also wish to conduct their own PIA.

    Source: https://www.privacy.gov.ph/appointing-a-data-protection-officer/

13.10 Obligations of PIC or PIP, to DPO or COP

These are some of the obligations of personal information controllers (PICs) and personal information processors (PIPs) relative to the DPO or COP:

  • Effectively communicate to your personnel, the designation of the DPO or COP and his or her functions;
  • Allow the DPO or COP to be involved from the earliest stage possible in all issues relating to privacy and data protection;
  • Provide sufficient time and resources (financial, infrastructure, equipment, training, and staff) necessary for the DPO or COP to keep himself or herself updated with the developments in data privacy and security and to carry out his or her tasks effectively and efficiently;
  • Grant the DPO or COP appropriate access to the personal data it is processing, including the processing systems;
  • Where applicable, invite the DPO or COP to participate in meetings of senior and middle management to represent the interest of privacy and data protection;
  • Promptly consult the DPO or COP in the event of a personal data breach or security incident; and
  • Ensure that the DPO or COP is made a part of all relevant working groups that deal with personal data processing activities conducted inside the organization, or with other organizations.

Source: https://www.privacy.gov.ph/appointing-a-data-protection-officer/

The Data Privacy Act of 2012 contains information on punishable acts with corresponding penalties. Shown in this matrix is a convenient summary of this information.

Punishable Act               Jail Term (PI / SPI)        Fine (Pesos)
Access due to negligence     1y to 3y / 3y to 6y         500k to 4M
Unauthorized processing      1y to 3y / 3y to 6y         500k to 4M
Unauthorized purposes        18m to 5y / 2y to 7y        500k to 2M
Improper disposal            6m to 2y / 3y to 6y         100k to 1M
Intentional breach           1y to 3y                    500k to 2M
Concealing breach            18m to 5y                   500k to 1M
Malicious disclosure         18m to 5y                   500k to 1M
Unauthorized disclosure      1y to 3y / 3y to 5y         500k to 1M
Combination of acts          3y to 6y                    1M to 5M

Where two jail terms are given, the first applies to personal information (PI) and the second to sensitive personal information (SPI).

Violation of the Data Privacy Act is punishable with a jail term and fines of up to millions of pesos. And it is not confined to the systems and applications we use: processes, and even our attitude towards data handling, will be dealt with. Consent may have been given, but that does not mean we can use or distribute the information freely. Personal information must be used only for its intended purpose and nothing more. In other words, the processing of information should be adequate, relevant, suitable, necessary, and not excessive in relation to a declared and specified purpose.

So, beware and be aware!

13.11 DP with LGU as partner implementer

  • Consider holding a joint Privacy Impact Assessment activity or series of activities with the LGU partner - In the context of CBMS, especially when working with LGUs, we may need to conduct meetings, seminars and workshops with them, possibly for holding a joint PIA on data processing at the field level, where the results can serve as the basis for what should be addressed and how it can be addressed.

  • Oath on Data Privacy - Have their data handlers, data processors and data managers sign the Oath on Data Privacy. They can also come up with their own version but the critical components on data protection, security and preservation of integrity should all be there.

  • Share and cascade to LGU data processors PSA’s security protocols and guidelines on the handling of CBMS data - Make them aware of the security protocols, guidelines and data privacy compliance standards that we have on CBMS.

13.12 Access control

These are the strategies that we may employ in our CBMS security measures:

  • Unauthorized access risk assessment

    • Document containing risk assessments of unauthorized access
    • Install physical security measures for entering and exiting the data processing center/room/facility
  • User access policies

    • Documented and available policies and procedures under change management (on requesting, approving, providing, monitoring and removing user access)
  • Password management

    • Test and demonstrate that user password control is working effectively and as designed
    • Implement password policies on assigning the default password and allowing the user to personalize their passwords guided by password complexity requirements and safekeeping

In our LGU partners, let us check if they are implementing access control and covering these minimum guidelines.
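The user authentication measures in 13.8 and the password management points above, as an added example rather than CBMS code: a policy check applied when a user personalizes the default password, salted scrypt hashing of the stored credential, and a TOTP second factor as the multi-factor step SQAD advises. The 12-character minimum, the short stand-in list of common passwords and the account record layout are assumptions for the example; the one-time-password routines follow RFC 4226 (HOTP) and RFC 6238 (TOTP).

```python
"""User authentication for CBMS: password policy, salted password hashing and
a TOTP second factor.

Added example, not CBMS code. The policy limits, the stand-in list of common
passwords and the account record layout are constructed for this example; the
one-time-password code follows RFC 4226 (HOTP) and RFC 6238 (TOTP).
"""
import hashlib
import hmac
import os
import secrets
import struct

MIN_LENGTH = 12
# Constructed stand-in for a breached-password list; a real deployment would
# check against a much larger one.
COMMON_PASSWORDS = {"password", "password123", "123456789012", "qwertyuiop12"}


def password_policy_violations(user_id, password):
    """Return the policy rules a new password breaks (empty list = acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")
    if user_id.lower() in password.lower():
        problems.append("contains the user ID")
    return problems


def hash_password(password, salt=None):
    """Salted scrypt hash; the stored record never contains the password."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=2 ** 14, r=8, p=1, dklen=32)
    return salt, digest


def hotp(secret, counter, digits=6):
    """RFC 4226 HMAC-based one-time password."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def totp(secret, at_time, step=30, digits=6):
    """RFC 6238 time-based one-time password for a given Unix time."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret, code, at_time, window=1):
    """Accept the current code or one time step either side."""
    counter = int(at_time) // 30
    ok = False
    for drift in range(-window, window + 1):
        if counter + drift < 0:
            continue
        # Evaluate every candidate so timing does not reveal which one matched.
        ok |= hmac.compare_digest(hotp(secret, counter + drift), code)
    return ok


def create_account(user_id, password, totp_secret=None):
    """Enroll a user; raises ValueError if the password fails policy."""
    problems = password_policy_violations(user_id, password)
    if problems:
        raise ValueError("; ".join(problems))
    salt, digest = hash_password(password)
    return {"user_id": user_id, "salt": salt, "digest": digest,
            "totp_secret": totp_secret or secrets.token_bytes(20)}


def login(account, password, code, at_time):
    """Check both factors every time, so the caller cannot tell which failed."""
    _, candidate = hash_password(password, account["salt"])
    password_ok = hmac.compare_digest(candidate, account["digest"])
    code_ok = verify_totp(account["totp_secret"], code, at_time)
    return password_ok and code_ok
```

Before trusting any one-time-password implementation, run it against the RFC 6238 test secret (the ASCII bytes 12345678901234567890) at Unix time 59: an eight-digit code must come out as 94287082. That is the kind of test the "test and demonstrate that user password control is working" item above asks for, and it belongs in the system's automated tests rather than in a one-off demonstration.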

13.13 Awareness and training

In our LGU partners, let us check if they are implementing awareness and training programs, and if they are covering these minimum guidelines.

  • Operational personnel security training

    • Security controls documents and reports should be readily accessible.
    • Install physical security measures for entering and exiting the data processing center/room/facility.
  • HR records and vetting

    • Personnel must indicate successful completion and fulfillment of required security protocols (such as Oath of Data Privacy) and security awareness training programs.

13.14 Audit and accountability

In our LGU partners, let us check if they are implementing audit and accountability strategies, and if they are covering these minimum guidelines.

  • Record usage of privileged accounts

    • Taken care of by the CBMS information system, but may need complementary physical measures for auditing as backup
    • Institutionalization of access and transaction logs wherever applicable and where complementary physical solutions would be necessary or beneficial
  • Record password changes

    • Date, time and circumstances behind password changes should be documented
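One way to make the records of privileged-account usage and password changes tamper-evident, shown as an added example rather than the CBMS information system's own audit logging: a hash-chained audit trail, in which each entry commits to the hash of the previous one, so an edited or deleted entry is detected on verification. Actor names, roles, timestamps and the recorded actions are constructed for the example.

```python
"""Tamper-evident audit trail for privileged-account usage and password changes.

Added example, not the CBMS information system's own logging. Each entry
carries the hash of the previous one, so editing or deleting an earlier record
breaks the chain at that point. Actor names, roles, timestamps and the actions
recorded are constructed for this example.
"""
import hashlib
import json

GENESIS = "0" * 64
PRIVILEGED_ROLES = {"admin", "supervisor"}   # constructed role names


class AuditTrail:
    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(entry):
        body = {k: v for k, v in entry.items() if k != "hash"}
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(canonical.encode()).hexdigest()

    def record(self, when, actor, role, action, details):
        """Append one entry and return its hash (the new chain head)."""
        entry = {
            "seq": len(self.entries),
            "time": when,          # ISO 8601 string supplied by the caller
            "actor": actor,
            "role": role,
            "action": action,
            "details": details,
            "prev": self.entries[-1]["hash"] if self.entries else GENESIS,
        }
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry["hash"]

    def verify(self, expected_head=None):
        """Return the index of the first bad entry, or None if the chain is intact.

        expected_head is the latest hash as recorded somewhere the log's
        administrators cannot edit (for example a daily printout kept by the
        DPO); without it, truncating the tail of the log goes unnoticed.
        """
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev"] != prev or e["hash"] != self._digest(e):
                return i
            prev = e["hash"]
        if expected_head is not None and prev != expected_head:
            return len(self.entries)
        return None

    def privileged_usage(self):
        return [e for e in self.entries if e["role"] in PRIVILEGED_ROLES]

    def password_changes(self):
        return [e for e in self.entries if e["action"] == "password_change"]


def demo():
    """Build a short log, then show what verification catches and what it misses."""
    log = AuditTrail()
    log.record("2024-03-04T08:00:00+08:00", "jdelacruz", "encoder",
               "login", {"workstation": "PSA-FO-DESKTOP-01"})
    log.record("2024-03-04T08:05:00+08:00", "msantos", "admin",
               "password_change", {"target": "jdelacruz",
                                   "reason": "forgotten password, ticket 42"})
    log.record("2024-03-04T08:06:00+08:00", "msantos", "admin",
               "export", {"dataset": "barangay_roster"})
    head = log.record("2024-03-04T09:00:00+08:00", "jdelacruz", "encoder",
                      "logout", {})
    intact = log.verify(head)

    # Someone with write access to the log file rewrites the export entry.
    log.entries[2]["details"]["dataset"] = "none"
    tampered_at = log.verify(head)

    # Restore it, then drop the last entry to hide the logout time.
    log.entries[2]["details"]["dataset"] = "barangay_roster"
    removed = log.entries.pop()
    truncated_at = log.verify(head)          # caught, thanks to the saved head
    without_head = log.verify()              # not caught: chain is still valid
    log.entries.append(removed)

    return {"intact": intact, "tampered_at": tampered_at,
            "truncated_at": truncated_at,
            "truncated_unnoticed_without_head": without_head is None,
            "privileged": len(log.privileged_usage()),
            "password_changes": len(log.password_changes())}


if __name__ == "__main__":
    print(demo())
```

The chain head is what the "complementary physical measures" above should capture: if the DPO or COP keeps the latest hash on paper at the end of each day, truncation of the electronic log is detectable the next morning, and the date, time and circumstances of each password change are in the entries themselves.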

13.15 Configuration management

In our LGU partners, let us check if they are implementing configuration management strategies, and if they are covering these minimum guidelines.

  • Configuration documentation

    • Record the description of the data processing setup and configuration on facilities, workstations and network and include information on when these have changed, what has changed and the motivations behind or circumstances surrounding these changes.
  • Configuration change management

    • Documentation on configuration changes should be versioned.

13.16 Contingency planning

In our LGU partners, let us check if they are implementing contingency planning strategies, and if they are covering these minimum guidelines.

  • Business continuity plan (BCP)

    • Check if the LGU has a business continuity plan for incidents affecting the data processing activities (e.g., injury to processing staff, natural disasters, power loss, sudden change in the personal circumstances of processing staff)
  • Business continuity roles and communications

    • BCP should show roles of responsible persons and what they should do when incidents occur, and how this will be communicated to the required and appropriate stakeholders

13.17 Incident response

In our LGU partners, let us check if they are implementing incident response mechanisms, and if they are covering these minimum guidelines.

  • Incident response policy

    • Policy statements on the identification of incidents and how to handle incidents whenever they occur
  • Incident response handling

    • Incidents and the corresponding response handling (with LGU partners) should be documented and shared with PSA
  • Incident monitoring

    • Consider employment of incident monitoring and tracking strategies or systems, and having these shared, whenever and wherever applicable between PSA and the partner LGU.
    • Update the incident tracking strategy or system upon relevant events.
    • Use the Incident Reporting module in the CBMS Android mobile application to report irregularities in CBMS operations.

13.18 Maintenance

In our LGU partners, let us check if they are implementing the following minimum maintenance requirements:

  • Hardware refresh and/or replacements
  • Software security patches and updates

13.19 Media protection and security

  • Data processing media should be in a physically secure location.
  • Backups should be stored at a physically secure location, and should be resilient to whatever damage affects the originals (for example, by keeping offsite backups).
  • Physical and environmental protection
    • Include protection on ventilation systems, air conditioning, power supplies, fire protection.
    • Evidence of physical protection controls and physical security should be present.

13.20 Personnel security

  • HR records should indicate successful security clearances for data processing personnel
  • Access rights and privilege management

13.21 System and communications protection

  • Network risk mitigation controls
  • Regular network risk analysis
  • Communication channels control

Other references:
NIST Special Publication 800-53: Security and Privacy Controls for Federal Information Systems and Organizations
Introduction to the Data Privacy Act (DPA) of 2012, Atty. Vida Zora Bocar, CIPM, CIPP/e, Policy Review Division, National Privacy Commission
