13.1 Security measures to be considered
- Securing CBMS assets in the context of:
- Data security
- Information security
- Device security
- Personnel security
- Asset security
The security measures we need to consider for CBMS are those that secure CBMS assets in the contexts of data security, information security and device security.
Data security is the prevention of unauthorized access, use, disruption, modification, or destruction of data in storage.
Information security is the prevention of unauthorized access, use, disruption, modification, or destruction of information.
By these definitions, we can see that data security is specific to data in storage. On the other hand, information security is a far broader practice that encompasses end-to-end information flows, which includes processes, knowledge, user interfaces, communications, automation, computation, transactions, infrastructure, devices, sensors and data storage. Data security therefore is merely a layer of information security.
Device security refers to measures designed to protect sensitive information stored on and transmitted by laptops, smartphones, tablets, wearables, and other portable devices. At the root of mobile device security is the goal of keeping unauthorized users from accessing the enterprise network.
Now, we also have, as a security concept, personnel security, which is a system of policies and procedures that aim to manage and minimize the risk of people, or staff, exploiting legitimate access to an organization’s assets or premises for unauthorized purposes. These purposes can encompass many forms of criminal activity, from minor theft to terrorism.
Meanwhile, asset security describes concepts, structures, principles and standards aimed at monitoring and securing assets covering anything that can be important to the organization, such as partners, employees, facilities, equipment and information.
Sources:
https://simplicable.com/new/data-security-vs-information-security#:~:text=Data%20security%20is%20the%20prevention,modification%20or%20destruction%20of%20information
https://www.vmware.com/topics/glossary/content/mobile-device-security.html
https://www.gov.uk/government/publications/crowded-places-guidance/personnel-and-people-security#:~:text=Personnel%20security%20is%20a%20system,minor%20theft%20through%20to%20terrorism
https://resources.infosecinstitute.com/certification/cissp-domain-2-asset-security-need-know-exam/
13.2 Information security aspects
We may not be able to cover all the information security aspects outlined here, but PSA has at least touched, to varying degrees, on the following information security aspects in CBMS and its adopted information systems:
- Audit trail
- Backdoor
- Cryptography
- Cybersecurity
- Data breach
- Data security
- Hardening
- Information security testing, which has been covered by SQAD
- Input validation, which has also been covered by SQAD and CBSS, and even by you from the field offices
- Network security, which has been taken care of by SDD, SOID and SQAD
- Penetration test
- Privacy
- Proxy server
- Sandbox, and
- Security control
Admittedly, there are some information security aspects here that may not be applicable to CBMS, such as IoT (or Internet of Things) security.
Table: Common Information Security Considerations (table contents not reproduced here)
Source: https://simplicable.com/new/information-security
13.3 Data Privacy Act of 2012
All government activities and transactions with the public are governed by the Data Privacy Act and, as the CBMS collects Personal Information, it is thus covered by the DPA.
- Protecting Individual Personal Information in Information and Communications System (ICS) in the Government and Private Sector
Source: Introduction to the Data Privacy Act (DPA) of 2012
Atty. Vida Zora Bocar, CIPM, CIPP/e
Policy Review Division
National Privacy Commission
13.4 Information classification
When talking about information security, we have to understand that there are different classifications of information according to scope of operation. From this classification, whose classes may not be mutually exclusive, we determine the appropriate security controls to apply to each:
- Public data - comprises information that can be viewed by the general public and the disclosure of which would not cause damage
- Sensitive information - needs extraordinary precautions to ensure confidentiality and integrity
- Private data - may include personal information, the unauthorized disclosure of which can be disastrous
- Confidential information - information used within the organization, where serious consequences may follow its unauthorized disclosure
- Secret information - if disclosed, can adversely affect national security
- Top secret information - if disclosed, could cause massive damage to national security
- Unclassified information - not sensitive
- Personal information
- Sensitive personal information
Source: https://resources.infosecinstitute.com/certification/cissp-domain-2-asset-security-need-know-exam/
In the context of CBMS, we will be dealing with personal information, and sensitive personal information.
Personal Information
Refers to any information, whether recorded in a material form or not:
- from which the identity of an individual is apparent (e.g., Juan Dela Cruz);
- can be reasonably or directly ascertained by the entity holding the information (e.g., NSCRG); or
- when put together with other information would directly and certainly identify an individual
Sensitive Personal Information
Within personal information, some personal data are classified as sensitive information which must not be easily disclosed. Examples are:
- Individual’s race, ethnic origin, marital status, age, color and religious, philosophical, political affiliations
- Individual’s health, education, genetic or sexual life, or to any proceeding for any offense committed or alleged to have been committed by the individual
- Government-issued personal numbers such as SSS, GSIS, PhilHealth, Pag-IBIG, LTO and previous health records and tax returns
Source: Introduction to the Data Privacy Act (DPA) of 2012
Atty. Vida Zora Bocar, CIPM, CIPP/e
Policy Review Division
National Privacy Commission
13.5 Securing Personal Information
We need security measures in CBMS to protect personal information against:
- any accidental or unlawful destruction, alteration and disclosure, as well as against any other unlawful processing
- natural dangers such as accidental loss or destruction, and human dangers such as unlawful access, fraudulent misuse, unlawful destruction, alteration and contamination
Source: Republic Act 10173 – Data Privacy Act of 2012
https://www.privacy.gov.ph/data-privacy-act/#20
13.6 DICT guidance on information classification
A quick look at DICT’s guidance on information classification, from its 2020 circular on Amendments to Department Circular No. 2017-002 (Prescribing the Philippine Government’s Cloud First Policy), gives four classes:
- Highly sensitive government data
- Above-sensitive government data
- Sensitive government data
- Non-sensitive government data
Each data classification is officially defined in the abovementioned department circular, which states that the government agency shall select the appropriate cloud deployment model (a type of internet or network-based data hosting model) based on the agency’s classification of the data it stores and processes, with due consideration to factors that include appropriate controls, security protocols and redundancy protocols.
The DICT Circular 2017-002 on Prescribing the Philippine Government’s Cloud First Policy also has guiding information sections on Security, Security Framework, Data Sovereignty and Data Residency.
Sources: https://dict.gov.ph/wp-content/uploads/2020/06/Department_Circular_No_10_Amendments_to_DC_No_2017_002_re_Prescribing.pdf
https://dict.gov.ph/wp-content/uploads/2017/02/Signed_DICT-Circular_2017-002_CloudComp_2017Feb07.pdf
13.7 Physical Security Measures
In CBMS, we should observe these physical security measures:
Limit access and activities in the room, workstation or facility. Only authorized personnel must have access to the CBMS data processing facility. The arrangement and setup of workstations and equipment shall take into consideration the physical environment and accessibility to its users and against the unauthorized public. The duties, responsibilities and schedule of CBMS authorized personnel involved in the processing of personal data are clearly defined to ensure that only individuals performing official duties shall be allowed access to the room and workstation, at any given time;
We need to maintain an inventory of devices being used for CBMS. Mobile devices used for data collection are registered through the system; desktops used for data validation and data processing are not. This means we need to actually certify and clear the computers that are going to be used for data processing. It is therefore important to keep an inventory of the actual ICT equipment being used for data validation or data processing, especially equipment not on PSA premises. PSA field offices should therefore conduct regular and random data processing site inspections to assess whether only authorized desktop computers are indeed being used in data processing activities. Remember that these computers would store CBMS data classified as sensitive and even confidential. Meanwhile, information such as MAC addresses, IP addresses and other device identity attributes can be used to authenticate desktop devices; this is under consideration for improving the data processing system.
Procedures must be put in place for the transfer, removal, disposal, and re-use of electronic media that store and process CBMS data, to ensure appropriate protection of personal information;
The facility used in the processing of personal data shall be, as far as practicable, protected from natural disasters, power disturbances, and other similar threats.
13.8 Technical Security Measures
Briefly, these are some technical security measures that need to be considered.
Safeguards to protect the computer network. We use firewalls to secure data transmission to and from CBMS servers. We also use HTTPS (secure HTTP) for our web-based applications. And we have to make sure we have anti-virus software with the latest virus definitions on the computers we use for CBMS. As an additional safeguard, we should keep our operating systems, whether Android, Windows or Linux, always updated with the latest security patches, so that we get the full benefit of an up-to-date software environment with up-to-date OS-level security tools and protection.
Data encryption - CSWeb has an implementation on this.
Device authentication - currently only for mobile devices, but ideally all devices will pass some level of authentication.
User authentication / multi-factor authentication process - Users authenticate with an ID and password. Do not share your ID/password; the owner of the ID/password is accountable for any misuse. In the CBMS roll-out, SQAD has consistently advised adopting a multi-factor authentication process.
13.9 Organizational Security Measures
In the IRR or Implementing Rules and Regulations of the Data Privacy Act, there is mention of different areas of Security Measures for the Protection of Personal Data and a primary consideration is on Organizational Security Measures.
Identify Data Protection Officer
So, there is a need to designate an individual or individuals who shall function as data protection officer, compliance officer or otherwise be accountable for ensuring compliance with applicable laws and regulations for the protection of data privacy and security.
Integrate Compliance Officer for Privacy
We need to install Compliance Officers for Privacy on the provincial or municipal level. The NPC states in their website that:
A Compliance Officer for Privacy (COP) is an individual or individuals who perform some of the functions of a DPO in these cases:
- For Local Government Units (LGUs). Aside from having a DPO, a component city, municipality, or barangay can designate a COP, as long as the COP shall be under the supervision of the DPO.
- For Government Agencies. Aside from having a DPO, a government agency that has regional, provincial, district, city, municipal offices, or any other similar subunits, may designate or appoint COP for each subunit. The COPs shall be under the supervision of the DPO.
In CBMS, we may need to designate and appoint Compliance Officers for Privacy (COP) in our field offices. Let us also determine and push for our partner LGUs to appoint, designate and/or identify their corresponding COPs.
Data Protection Policies
We need to have Data Protection Policies that provide for organization, physical, and technical security measures, and, for such purpose, take into account the nature, scope, context and purposes of the processing, as well as the risks posed to the rights and freedoms of data subjects.
Privacy Impact Assessment
We need to conduct a Privacy Impact Assessment to assess potential impacts on privacy of a process, information system, program, software module, device or other initiative which handles and manages personal information and in consultation with stakeholders, for taking actions as necessary to treat privacy risk.
A PIA is more than just a tool: it’s a process that begins at the earliest possible stages of a project or an initiative when there are still opportunities to influence its outcome and thereby ensure privacy by design. It is a process that continues until, and even after, the project has been deployed. Initiatives vary substantially in scale and impact.
A Personal Information Controller may have a responsibility to conduct a PIA and may request a Personal Information Processor to assist in doing this, acting on the Personal Information Controller’s behalf. A Personal Information Processor or a third party may also wish to conduct their own PIA.
Source: https://www.privacy.gov.ph/appointing-a-data-protection-officer/
13.10 Obligations of PIC or PIP, to DPO or COP
These are some of the obligations of personal information controllers (PICs) and personal information processors (PIPs) relative to the DPO or COPs:
- Effectively communicate to your personnel, the designation of the DPO or COP and his or her functions;
- Allow the DPO or COP to be involved from the earliest stage possible in all issues relating to privacy and data protection;
- Provide sufficient time and resources (financial, infrastructure, equipment, training, and staff) necessary for the DPO or COP to keep himself or herself updated with the developments in data privacy and security and to carry out his or her tasks effectively and efficiently;
- Grant the DPO or COP appropriate access to the personal data it is processing, including the processing systems;
- Where applicable, invite the DPO or COP to participate in meetings of senior and middle management to represent the interest of privacy and data protection;
- Promptly consult the DPO or COP in the event of a personal data breach or security incident; and
- Ensure that the DPO or COP is made a part of all relevant working groups that deal with personal data processing activities conducted inside the organization, or with other organizations.
Source: https://www.privacy.gov.ph/appointing-a-data-protection-officer/
The Data Privacy Act of 2012 contains information on punishable acts with corresponding penalties. Shown in this matrix is a convenient summary of this information.
Punishable Act | Jail Term | Fine (Pesos) |
---|---|---|
Access due to negligence | 1y to 3y - 3y to 6y | 500k to 4M |
Unauthorized processing | 1y to 3y - 3y to 6y | 500k to 4M |
Unauthorized purposes | 18m to 5y - 2y to 7y | 500k to 2M |
Improper disposal | 6m to 2y - 3y to 6y | 100k to 1M |
Intentional breach | 1y to 3y | 500k to 2M |
Concealing breach | 18m to 5y | 500k to 1M |
Malicious disclosure | 18m to 5y | 500k to 1M |
Unauthorized disclosure | 1y to 3y - 3y to 5y | 500k to 1M |
Combination of acts | 3y to 6y | 1M to 5M |
Violation of the Data Privacy Act is punishable with a jail term and fines of up to millions of pesos. And it is not confined to the systems/applications we use: processes and even our attitude towards data handling will be dealt with. That consent has been given does not necessarily mean we can use or distribute the information freely. Personal information must be used only for its intended purpose and nothing more. In other words, the processing of information should be adequate, relevant, suitable, necessary, and not excessive in relation to a declared and specified purpose.
So, beware and be aware!
13.11 DP with LGU as partner implementer
Consider holding a joint Privacy Impact Assessment activity or series of activities with the LGU partner - In the context of CBMS, especially when working with LGUs, we may need to conduct meetings, seminars and workshops with them, possibly to hold a joint PIA on data processing at the field level, where the results can serve as the basis for what should be addressed and how it can be addressed.
Oath on Data Privacy - Have their data handlers, data processors and data managers sign the Oath on Data Privacy. They can also come up with their own version but the critical components on data protection, security and preservation of integrity should all be there.
Share and cascade to LGU data processors PSA’s security protocols and guidelines on the handling of CBMS data - Make them aware of the security protocols, guidelines and data privacy compliance standards that we have on CBMS.
13.12 Access control
These are the strategies that we may employ in our CBMS security measures:
Unauthorized access risk assessment
- Document containing risk assessments of unauthorized access
- Install physical security measures for entering and exiting the data processing center/room/facility
User access policies
- Documented and available policies and procedures under change management (on requesting, approving, providing, monitoring and removing user access)
Password management
- Test and demonstrate that user password control is working effectively and as designed
- Implement password policies on assigning the default password and allowing the user to personalize their passwords guided by password complexity requirements and safekeeping
In our LGU partners, let us check if they are implementing access control and covering these minimum guidelines.
13.13 Awareness and training
In our LGU partners, let us check if they are implementing awareness and training programs, and if they are covering these minimum guidelines.
Operational personnel security training
- Security controls documents and reports should be readily accessible.
- Install physical security measures for entering and exiting the data processing center/room/facility.
HR records and vetting
- Personnel must indicate successful completion and fulfillment of required security protocols (such as Oath of Data Privacy) and security awareness training programs.
13.14 Audit and accountability
In our LGU partners, let us check if they are implementing audit and accountability strategies, and if they are covering these minimum guidelines.
Record usage of privileged accounts
- Taken care of by the CBMS information system, but may need complementary physical measures for auditing as backup
- Institutionalization of access and transaction logs wherever applicable and where complementary physical solutions would be necessary or beneficial
Record password changes
- Date, time and circumstances behind password changes should be documented
13.15 Configuration management
In our LGU partners, let us check if they are implementing configuration management strategies, and if they are covering these minimum guidelines.
Configuration documentation
- Record the description of the data processing setup and configuration on facilities, workstations and network and include information on when these have changed, what has changed and the motivations behind or circumstances surrounding these changes.
Configuration change management
- Documentation on configuration changes should be versioned.
13.16 Contingency planning
In our LGU partners, let us check if they are implementing contingency planning strategies, and if they are covering these minimum guidelines.
Business continuity plan (BCP)
- Check if the LGU has a business continuity plan for incidents affecting the data processing activities (e.g., injury to processing staff, natural disasters, power loss, sudden change in the personal circumstances of processing staff)
Business continuity roles and communications
- BCP should show roles of responsible persons and what they should do when incidents occur, and how this will be communicated to the required and appropriate stakeholders
13.17 Incident response
In our LGU partners, let us check if they are implementing incident response mechanisms, and if they are covering these minimum guidelines.
Incident response policy
- Policy statements on the identification of incidents and how to handle incidents whenever they occur
Incident response handling
- Incidents and the corresponding response handling (with LGU partners) should be documented and shared with PSA
Incident monitoring
- Consider employment of incident monitoring and tracking strategies or systems, and having these shared, whenever and wherever applicable between PSA and the partner LGU.
- Update the incident tracking strategy or system upon relevant events.
- Use the Incident Reporting module in the CBMS Android mobile application to report irregularities in CBMS operations.
13.18 Maintenance
In our LGU partners, let us check if they are implementing the following minimum maintenance requirements:
- Hardware refresh and/or replacements
- Software security patches and updates
13.19 Media protection and security
- Data processing media should be in a physically secure location.
- Backups should be stored at a physically secure location and may need to be resilient to the same damage that affected the originals (for example, by deploying offsite backups).
Physical and environmental protection
- Include protection on ventilation systems, air conditioning, power supplies, fire protection.
- Evidence of physical protection controls and physical security should be present.
13.20 Personnel security
- HR records should indicate successful security clearances for data processing personnel
- Access rights and privilege management
13.21 System and communications protection
- Network risk mitigation controls
- Regular network risk analysis
- Communication channels control
Other references:
NIST Special Publication 800-53: Security and Privacy Controls for Federal Information Systems and Organizations
Introduction to the Data Privacy Act (DPA) of 2012, Atty. Vida Zora Bocar, CIPM, CIPP/e, Policy Review Division, National Privacy Commission