Information / Data Security in the Philippines
Data security means protecting the digital data, such as those in a database, from destructive forces
and from the unwanted actions of unauthorized users, such as a cyberattack or a data breach.
(https://en.wikipedia.org/wiki/Data_security)
What is access control policy?
Having all the latest software security tools does not mean that your system is safe from any attacks.
Continuous improvement in security of information and data processing systems is a fundamental
management responsibility. All applications and processing systems that deal with personal and
sensitive information should include some form of authorization which is also known as access
control policy. As systems grow in size and complexity, access control is a special concern for
systems and applications that are distributed across multiple computers.
Access Control Policy sets requirements of credentials and identification that specify how access to
computers, systems, or applications is managed and who may access the information in most
circumstances. Authentication, authorization, audit, and access approval are the common aspects of
access control policy.
What are the best practices in implementing access control policy?
As a personal information controller or processor, it is a diligent responsibility to take great efforts
and be accountable in protecting the personal data that you process by managing the areas,
distribution, and life-cycle of authentication and authorization of your organization’s processes.
Access to any confidential, personal, and sensitive data must always be protected, controlled, and
managed with sufficient security policies. Preventing unauthorized access and data breach is the
primary objective of a controller and processor. Physical and systematic approach in creating and
managing access control should also be established by the management. Also, the small to large scale
applications of the personal information controllers and personal information processors should be
taken into consideration in the design and implementation of the policy.
What is a Data Center?
A data center is a facility housing electronic equipment used for data processing, data storage, and
communications networking. It is a centralized repository, which may be physical or virtual, may be
analog or digital, used for the storage, management, and dissemination of data including personal
data.
The National Privacy Commission imposes personal information controllers and personal information
processors should implement reasonable and appropriate organizational, physical, and technical
security measures for the protection of personal data, especially in this critical infrastructure in
Information and Communications Technology.
�What are the recommended best practices for data center security?
1. Include security and compliance objectives as part of the data center design and ensure
the security team is involved from day one. Security controls should be developed for each
modular component of the data center—servers, storage, data and network—united by a
common policy environment.
2. Ensure that approach taken will not limit availability and scalability of resources.
3. Develop and enforce policies that are context, identity and application-aware for least
complexity, and the most flexibility and scalability. Ensure that they can be applied
consistently across physical, virtual and cloud environments. This, along with replacing
physical with secure trust zones, will provide seamless and secure user access to applications
at all times, regardless of the device used to connect to resources in the data center.
4. Choose security technologies that are virtualization-aware or enabled, with security
working at the network level rather than the server. Network security should be integrated
at the hypervisor level to discover existing and new virtual machines and to follow those
devices as they are moved or scaled up so that policy can be dynamically applied and
enforced.
5. Monitor everything continuously at the network level to be able to look at all assets
(physical and virtual) that reside on the local area network (even those that are offline)
and all inter-connections between them. This monitoring should be done on a continuous
basis and should be capable of tracking dynamic network fabrics. Monitor for missing
patches, application, or configuration changes that can introduce vulnerabilities which can be
exploited.
6. Look for integrated families of products with centralized management that are
integrated with or aware of the network infrastructure, or common monitoring
capabilities for unified management of risk, policy controls, and network security. This
will also give detailed reports across all controls that provide the audit trail necessary for risk
management, governance, and compliance objectives. Integrated families of products need
not necessarily be procured from just one vendor. Look for those that leverage the needed
capabilities of a strong ecosystem of partnerships to provide a consolidated solution across all
data center assets.
7. Consider future as well as current needs and objectives at the design stage such as
whether access to public cloud environments is required.
8. Define policies and profiles that can be segmented and monitored in multi-tenant
environments. Consider security technologies that provide secure gateway connections to
public cloud resources.
�What are the security requirements for a computer system?
1. Secure user authentication protocols including:
a) Control of user IDs and other identifiers;
b) Reasonably secure method of assigning and selecting passwords, or use of unique identifier
technologies, such as biometrics or token devices;
c) Control of data security passwords to ensure that such passwords are kept in a location and/or
format that does not compromise the security of the data they protect;
d) Restricting access to active users and active user accounts only; and
e) Blocking access to user identification after multiple unsuccessful attempts to gain access or
the limitation placed on access for the particular system;
2. Secure access control measures that:
a) Restrict access to records and files containing personal information to those who need such
information to perform their job duties; and
b) Assign unique identifications plus passwords, which are not vendor supplied default
passwords, to each person with computer access, that are reasonably designed to maintain the
integrity of the security of the access controls;
3. Encryption of all transmitted records and files containing personal information that will travel
across public networks, and encryption of all data containing personal information to be transmitted
wirelessly;
4. Reasonable monitoring of systems, for unauthorized use of or access to personal information;
5. Encryption of all personal information stored on laptops or other portable devices;
6. For files containing personal information on a system that is connected to the Internet, there must
be reasonably up-to-date firewall protection and operating system security patches, reasonably
designed to maintain the integrity of the personal information;
7. Reasonably up-to-date versions of system security agent software which must include malware
protection and reasonably up-to-date patches and virus definitions, or a version of such software that
can still be supported with up-to-date patches and virus definitions, and is set to receive the most
current security updates on a regular basis;
8. Education and training of employees on the proper use of the computer security system and the
importance of personal information security.
�What is encryption?
Encryption protects emails, bank accounts, transactions, and messages. In general, it protects data by
encoding the information in such a way that it is only accessible to authorized parties or individuals. It
is a way of safeguarding data, documents, or information from this generation’s threats such as
malicious hackers, spies, and criminals. It is one of the best tools to protect privacy especially for
individuals. It is considered to be a necessity in keeping data privacy.
Any technology used to store, transport, or access sensitive personal information for purposes of off-
site access approved shall be secured by the use of the most secure encryption standard recognized by
the Commission.
Data at rest, in transit, and in use should all be treated equally in terms of preserving its privacy and
managing its security.
What should be encrypted?
Emails
Most corporations, organizations, agencies, and firms use emails to communicate, send files, and
exchange data. This way of communication has been the standard of electronic messaging for many
years. It has also been one of the major cases of privacy breaches throughout those years. These kinds
of incidents exposed the privacy of several individuals so they should be managed, guarded, and most
importantly, prevented. Organizations that transfer personal data via email should either make sure
that the data is encrypted or use a secure email facility that facilitates the encryption.
Portable Media
Attack on privacy can happen anytime, anywhere, any place and sometimes even with portable
storage devices. It can infiltrate an organization’s system and expose all of its confidential and
sensitive information. Devices such as USB flash drives and internal or external disk that store, collect
or transfer personal data must be encrypted, especially the data in it. Organizations that use laptops to
process personal data must use a full disk encryption.
Links (URL)
Agencies and organizations that utilize online access to process personal data should employ an
identity authentication method that uses a secured encrypted link.
�Recommended Encryption
Organizational, physical, and technical security measures for personal data protection, encryption, and
access to sensitive personal information maintained by government agencies, considering the most
appropriate standard recognized by the information and communications technology industry.
Advanced Encryption Standard with a key size of 256 bits (AES-256) as the most appropriate
encryption standard. Passwords or passphrases used to access personal data should be of sufficient
strength to deter password attacks. A password policy should be issued and enforced through a system
management tool.
