In the Republic of the Philippines, valid and auditable cybersecurity and data privacy practice follows from government agencies and business enterprises carrying out their legal obligations to secure the data, information, applications, networks, storage infrastructure and people of their service-delivery information and communication systems against cybercrime and data privacy violations.
At the national level, government agencies are legally tasked with delivering the following:
1. National Cybersecurity Plan
2. National Computer Emergency Response Team
3. National Policies and Implementation Collaboration on Cybersecurity
4. Complaint handling, investigation and prosecution of cybercrime
5. Data privacy rulemaking, advisory opinions, public education, compliance monitoring, complaints and investigation, and enforcement
6. Consumer protection policies and services related to cyber safety and data privacy
The implementing rules of RA 10844 (the DICT Act of 2015), RA 10175 (the Cybercrime Prevention Act of 2012) and RA 10173 (the Data Privacy Act of 2012) place on heads of agencies, and on the personal information controllers and personal information processors of private enterprises, the legal accountability for ensuring cybersecurity and data privacy, and require them to establish and enable the functions of a Cybersecurity Officer (CYSO) or Chief Information Security Officer (CISO) and a Data Protection Officer (DPO).
Governance of cybersecurity and data privacy is mandated in the publicly issued rules and policies of the NPC and the DICT, which require evidence that privacy and security requirements are being integrated into the design, development, acquisition and operation of information and communication systems in both the government and the private sector.
Those who raise legal challenges against limiting conditions, or bring complaints on cybersecurity and data privacy, have to communicate with clarity, coherence, completeness and consistency the generally accepted principles and adopted international standards that underpin the rules the regulatory bodies enforce to protect the public interest and the common benefits of information privacy; confidentiality, integrity and availability; and consumer safety.
Acquisition of products and services, which is often influenced by marketing events, has to align with the organization's conducted and reported security risk assessment, vulnerability assessment and penetration testing, security audit, and privacy impact assessment. These are the prerequisite knowledge for running the plan-do-check-act cycle of controls against cybercrime and data privacy violations in doing business and in engaging citizens and customers with digital technology.
In implementing the policy on the national cybersecurity plan, cybercrime investigation and personal data protection, the DICT and the NPC have required in their regulatory issuances the following pieces of evidence that critical infostructure and personal information in government and private sector information and communication systems are being secured:
1. The use of international standards in crafting the security and privacy policy of government agencies and enterprises.
The performance and result indicators of governance, management and work on cybersecurity are based on the adopted international standards that implement the pertinent rules and regulations on cybersecurity, information security and data privacy.
ISO/IEC 27002 is the specific international standard prescribed by both the DICT and the NPC for determining security gaps and deriving control policy requirements for cybersecurity and for the information security measures of data privacy. Note that ISO/IEC 27002 is a code of practice for controls, not a certifiable standard: certification of a management system is against ISO/IEC 27001, with 27002 serving as the reference catalogue for selecting and implementing its Annex A controls.
2. The execution of prescribed actions and the reporting of evidence related to cybersecurity compliance certification, using ISO/IEC 15408 (Evaluation criteria for IT security, the Common Criteria) and ISO/IEC 18045 (Methodology for IT security evaluation, the Common Evaluation Methodology). These two standards evaluate a product against a stated security target; they do not certify an organization's management system.
3. System security audit and risk assessment using the international standards on information security management and risk management.
4. Vulnerability assessment and penetration testing.
5. Creation and enablement of a CERT using the FIRST (Forum of Incident Response and Security Teams) definitions and service framework, and of a data breach management team for data privacy violations.
6. Escalation protocol and data breach reporting procedure. For personal data breaches, the Data Privacy Act's implementing rules require notification of the NPC and the affected data subjects within 72 hours of knowledge of, or reasonable belief in, a notifiable breach, so the procedure has to be exercisable within that window.
7. Security operations center.
8. Disaster recovery and business continuity plan.
9. Cyber drills and exercises.
10. Cybersecurity and data privacy training.
11. Inventory and registration of information and communication systems that process personal data.
12. Privacy impact assessment of each system's conformity with the data subject's exercise of data privacy rights, the privacy principles of data processing, and the information security measures.
A useful compliance indicator for relating acceptable, actionable and auditable implementation is the reported acquisition and use by government agencies and the private sector of the Philippine National Standards (PNS) adopting the following ISO/IEC standards on cybersecurity, information security and data privacy, grouped here by purpose.
1. Cybersecurity governance and framework development
- ISO/IEC 27014 Governance of information security
- ISO/IEC TS 27100 Cybersecurity overview and concepts
- ISO/IEC TS 27110 Cybersecurity framework development guidelines
2. Cybersecurity risk management framework
- ISO/IEC 27005 Information security risk management
- ISO/IEC 29134 Guidelines for privacy impact assessment
- ISO/IEC 27102 Guidelines for cyber-insurance
- ISO/IEC 27031 Guidelines for ICT readiness for business continuity
- ISO/TS 22317 Guidelines for business impact analysis
- ISO 31000 Risk management guidelines
- IEC 31010 Risk assessment techniques
3. Cybersecurity control requirements
- ISO/IEC 27002 Information security controls
- ISO/IEC 27701 Privacy information management (extension to ISO/IEC 27001 and ISO/IEC 27002)
- ISO/IEC 29100 Privacy framework
- ISO/IEC 27036 Information security for supplier relationships
- ISO/IEC 27033 Network security
- ISO/IEC 27040 Storage security
- ISO/IEC 27034 Application security
- ISO/IEC 27017 Information security controls for cloud services
- ISO/IEC 27021 Competence requirements for information security management systems professionals
4. Cybersecurity incident management
- ISO/IEC 27035-1 Information security incident management, Part 1: Principles of incident management
- ISO/IEC 27035-2 Information security incident management, Part 2: Guidelines to plan and prepare for incident response
- ISO/IEC 27035-3 Information security incident management, Part 3: Guidelines for ICT incident response operations
- ISO/IEC 27037 Guidelines for identification, collection, acquisition and preservation of digital evidence
- ISO/IEC 27043 Incident investigation principles and processes
5. Cybersecurity and information security audit
- ISO/IEC 27001 Information security management systems requirements
- ISO/IEC 27007 Guidelines for information security management systems auditing
- ISO/IEC TS 27008 Guidelines for the assessment of information security controls
- ISO/IEC TR 15443 Security assurance framework
- ISO/IEC 15408 Evaluation criteria for IT security
- ISO/IEC 18045 Methodology for IT security evaluation
- ISO/IEC TS 19608 Guidance for developing security and privacy functional requirements based on ISO/IEC 15408
- ISO/IEC TR 19791 Security assessment of operational systems
- ISO/IEC TS 27022 Guidance on information security management system processes
The Philippines is a member of the International Organization for Standardization (ISO) through the DTI Bureau of Philippine Standards (BPS), which is responsible for making ISO documents available in support of the regulatory policy of adopting international standards in delivering regulatory objectives.
The Philippines is also a member state of the International Telecommunication Union (ITU), the UN telecommunication body, where the DICT represents the country. The ITU publishes guidance on national cybersecurity strategy development and security recommendations that are aligned with the ISO standards listed above.
The yearly accomplishment reporting and best-practice marketing of government agencies and business enterprises are made meaningful by a direct link to the physical and virtual evidence that realizes and improves the cybersecurity plan, the creation of the CERT, and the information security measures for data privacy.
Cybersecurity and data privacy training provides documented guidance or manuals on the policies, procedures and tools for securing the access, devices, people, processes, data, applications, networks, storage and physical infrastructure of the organization's digital presence.
Training content is made valid and verifiable through its identification, analysis, mapping and application of the implementing rules and adopted international standards that relate to the cybersecurity and data privacy performance requirements of RA 10844, RA 10175 and RA 10173.
It also draws, as a knowledge source, on the competency frameworks provided by international bodies of knowledge and training certification organizations:
1. CyBOK, the Cyber Security Body of Knowledge (University of Bristol)
2. ISC2
3. EC-Council
4. CompTIA
5. ICDL Cybersecurity
The globalization of work in cyberspace makes knowledge acquisition easy and relevant to actual use, given the adoption of international community-driven standards and professional bodies of knowledge.
