
Cyber Security Management Competency Guide

Enable End-to-End Citizen Experience of Cyber Security and Data Privacy
Notification and Disclaimer

Personal Data Privacy:
The names and email addresses collected, retained, and used in the seminar are to recognize the participants and to send learning materials and training information. During the online live seminar, a participant may opt to close his or her camera and simply use the microphone or chat for questions and comments. The online live seminar is not streamed on Facebook or YouTube without consent.

Copyright Notice:
The cited and annotated content of the cited standards is duly owned by the respective research organizations or publishers.

The provided information about the rules and standards is for educational purposes.
Belief on Competency Building

The accountable and responsible people behind the understanding, decision, and action of cyber security must have the set of knowledge, skills and behaviour that fit the appropriate end-to-end delivery and support of regulated cyber security level requirements and assessed risks to be controlled.
Belief on Competency Building

The identification, elaboration, analysis and documentation of cyber security problem statements are made valid and verifiable by the adopted regulatory guidelines, internationally recognized standards, and professional body of knowledge.
Belief on Competency Building

The valid, verifiable, acceptable and actionable knowledge on cyber security is communicated with clarity, coherence, completeness and consistency, based on the stakeholders' and whole-of-enterprise agreement on the rules, standards, organization, results, metrics, procedures and technology.
Belief on Competency Building

Real understanding about the insecurity of a cyber infrastructure comes from people who are the knowledge and product sources of the vulnerability exploitation and the security countermeasures.

Competency has to be linked to the value stream and supply chain of cyber security management and data privacy.
Belief on Competency Building

Useful data, reports and analysis on cyber security come from:
1. A person or entity who analyzes the security vulnerabilities and creates the "exploitation" that will breach the confidentiality, integrity and availability of information in the targeted system.
2. A person or entity who creates the knowledge and technology that examine the security vulnerabilities and continuously improve the control of known and possible exploitation.
Belief on Competency Building

(Center for Creative Leadership: Morgan McCall, Michael M. Lombardo, Robert A. Eichinger)
Cyber Security Competency Guide

Cyber Security Regulatory Context and Practice Standards

Cyber Security Risks Management

Cyber Security Control Policies

Cyber Security Incident Management

Cyber Security Operation Centre and Technology
Send your question
Part 1:
Cyber Security Regulatory Context and Practice Standards

Question of Understanding
Are cyber security and data privacy built-in or add-on in the STRATEGY, SOURCING, DESIGN, BUILD, TEST, INSTALLATION and OPERATION of the digital business process, information system and technology platform, as required by the regulations, advisories, directives, and circulars of R.A. 10173, R.A. 10175, R.A. 10844, and the DICT?
Common Concept
• INTERNET or InterNetwork is a collection of interconnected networks.

• The Internet is a global system of interconnected networks in the public domain.
(ISO 27032)
Common Concept
• Internet Services are services delivered to a user to enable access to the Internet via an assigned IP address, which typically include authentication, authorization and domain name services.
(ISO 27032)

Common Concept
• Internet Crime is criminal activity where services or applications in the Internet are used for or are the target of a crime, or where the Internet is the source, tool, target, or place of a crime.
(ISO 27032)

Common Concept
• Internet Security is the preservation of confidentiality, integrity and availability of information in the Internet.
(ISO 27032)
Common Concept
Cyberspace is a complex environment resulting from the interaction of people, software and services on the Internet, supported by worldwide distributed physical information and communications technology (ICT) devices and connected networks.
(ISO 27032)
Common Concept
Cyberspace is a complex environment based on digital technologies that provides a global place for digital interaction among people, including formal and informal interactions with public or private entities such as businesses, governments, non-profit organizations, and other groups.
(ISO 27100)

Common Concept
Cyber refers to a computer or a computer network, the electronic medium in which online communication takes place.
(R.A. 10175)

Common Concept
Critical Infrastructure refers to the computer systems, and/or networks, whether physical or virtual, and/or the computer programs, computer data and/or traffic data that are so vital to this country that the incapacity or destruction of or interference with such systems and assets would have a debilitating impact on security, national or economic security, national public health and safety, or any combination of those matters.
Common Concept
Cyber Security is the preservation of confidentiality, integrity and availability of information in the Cyberspace.

In addition, other properties, such as authenticity, accountability, non-repudiation, and reliability can also be involved.
(ISO 27032)

Common Concept
Cyber Security is the safeguarding of society, people, organizations and nations from risks caused by threats that exploit an interconnected digital environment of networks, services, systems, and processes.
(ISO 27100)

Common Concept
Cyber Security is to maintain an acceptable level of stability, continuity, and safety of entities operating in cyberspace. While it is not possible to always achieve these objectives, cyber security aims to reduce cyber risks to a tolerable level.
(ISO 27100)
Common Concept
Cyber Security refers to the collection of tools, policies, risk management approaches, actions, training, best practices, assurance and technologies that can be used to protect the cyber environment, and organization and user's assets.
(R.A. 10175)

Common Concept
Cyber Safety is the condition of being protected against physical, social, spiritual, financial, political, emotional, occupational, psychological, educational or other types or consequences of failure, damage, error, accidents, harm or any other event in the Cyberspace which could be considered non-desirable.
(ISO 27032)

Common Concept
Cyber Safety can take the form of being protected from the event or from exposure to something that causes health or economic losses. It can include protection of people or of assets.

Safety in general is also defined as the state of being certain that adverse effects will not be caused by some agent under defined
Common Concept
Information Security is the preservation of confidentiality, integrity and availability of information.

In addition, other properties, such as authenticity, accountability, non-repudiation, and reliability can also be involved.
(ISO 27000)

Common Concept
Information Security Event is an identified occurrence of a system, service or network state indicating a possible breach of information security policy or failure of controls, or a previously unknown situation that can be security relevant.

Common Concept
Information Security Incident is a single or a series of unwanted or unexpected information security events that have a significant probability of compromising business operations and threatening information security.
(ISO 27000)

Common Concept
Information Security Incident Management is a set of processes for detecting, reporting, assessing, responding to, dealing with, and learning from information security incidents.
Common Concept
Privacy and Security Management: Outcome - Process - Procedure - Enabler

Governance of Information Security is the system by which an organization's information security activities are directed and controlled.
(ISO 27000 3.23)
Common Concept
• Cyber Infrastructure is the system of hardware, software, facilities and service components that support the delivery of business systems and digital-enabled processes.

• Cyber Security Infrastructure is acquired and integrated to deliver and support the business outcomes, and the service objectives of cybercrime prevention and privacy-protected data collection, retention, transmission, utilization, presentation, sharing, repurposing, and disposal.

Common Concept
Cyber Insecurity is a shortfall that comes from fragmented thinking, reactive acquisition, and unmanaged vulnerability against the known threats that violate confidentiality, integrity, availability, and privacy of information in the infrastructure, process, data, application, and agreements of service delivery.
Common Concept

SECURE is an assurance that comes from a proactive and standard-based identification and detection, and an integrated protection and response against varied threats. It is controlled vulnerability in the policy, process, product, and people of digital information service delivery.
Common Concept
Cyber Security Compliance means that the digital service infrastructure has to be designed, built, integrated, operated, and audited in accordance with evaluated risks and the technical security measures described by R.A. 10175, Cyber Crime Prevention Act of 2012, DICT National Cyber Security 2022, and R.A. 10173, Data Privacy Act of 2012.
Common Concept
National Cyber Security Plan refers to a comprehensive plan of actions designed to improve the security and enhance the cyber resilience of infrastructures and services.

It is a top-down approach to cyber security that contains broad policy statements and establishes a set of national objectives and priorities that should be achieved within a specific timeframe.
(R.A. 10175)

Common Concept

Data Privacy represents the definitive view of the privacy rights, privacy principles and security measures in the personal data that are being created, collected, stored, transmitted, used, disclosed, and destroyed by an enterprise or agency.
Cyber Security Reference Architecture

It is the specification of the organizational structure, functional behavior, standards, and policies of a computer network that includes both network and security features.
(Cyber security Forum)
Cyber Security Digital Environment

[Figure: Cyber Security Digital Environment. Organizational units: Security Executive Office, Server Support, Service Desk, IT Services & Business Operation Security Office, National Government Agencies, Network Management, Project Management Office. Data center components: DNS server, Web server, Database server, Apps server, E-mail server, File server, and a Cloud intranet-internet services gateway. Privacy roles: Data Protection Officer, Personal Information Controller, Personal Information Processor, Privacy Incident Response Team. End-point access for the public, customers and users (the Data Subject).]
Cyber Security Digital Environment

[Figure: six layered environments]
1. Operating Environment: Device & OS, Network OS, IoT OS, Sensor OS
2. Application Environment: Productivity Office Tools, Internet Browsing, Image & Video Sharing, Communication & Collaboration, Business & Social Application, Document Management, CRM & ERP System
3. Data Environment: Net Drive, Device Store, Personal Information, Removable Drive, Conversation & Streamed Data, Structured/Unstructured Data
4. Storage Environment: Data Creation, Collection, Retention, Utilization, Disclosure, Dispose
5. Connectivity Environment: Bandwidth and Network Services
6. Security & Privacy Environment: Security Controls, Privacy Process, Security Incident Management
Cyber Security Methodologies and Technologies

[Figure: Process, Data, Application & Infrastructure. Data lifecycle stages: Data Registration/Identification, Data Collect, Data Use, Data Store, Data Record, Data Share, Data Secure Dispose. Application and process components: CRM, ERP, Payment Transaction, Admin, Finance, ITSM, Analytic, Control, Monitor, DPA, PPM. The Customer ("Data Subject") interacts with the Cyber Infrastructure.]

Customer Experience attributes:
1. Value
2. Availability
3. Completeness
4. Accuracy
5. Speed
6. Reach
7. Coverage
8. Mobility
9. Portability
10. Privacy
What are the look-up references for the cyber crime and data privacy risks that must be mitigated?

R.A. 10175 Cybercrime Prevention Act of 2012: An act defining cybercrime, providing for the prevention, investigation, suppression and the imposition of penalties therefor and for other purposes.

R.A. 10173 Data Privacy Act of 2012: An act protecting individual personal information in information and communication systems in the government and the private sector, creating for this purpose a National Privacy Commission, and for other purposes.
Cyber Crime
1. It is an offense against the confidentiality, integrity and availability of computer data and systems.
1.1 Illegal Access - Access to the whole or any part of a computer system without right
1.2 Illegal Interception - Interception made by technical means without right
1.3 Data Interference - Intentional or reckless alteration, damaging, deletion of computer data
1.4 System Interference - Intentional alteration or reckless interference with the functioning of a computer or computer network
1.5 Misuse of Devices - Use, production, sale, procurement, importation, distribution,

Cyber Crime
2. It is an offense related to the use of a computer.
2.1 Forgery - Input, alteration, or deletion of any computer data without right resulting in inauthentic data with the intent that it be considered or acted upon for legal purposes as if it were authentic
2.2 Fraud - Unauthorized input, alteration, or deletion of computer data or program or interference in the functioning of a computer system, causing damage thereby with fraudulent intent
2.3 Identity Theft - Intentional acquisition, use, misuse, transfer, possession, alteration or deletion of identifying information belonging to another, whether natural or juridical, without right

Cyber Crime
3. It is an offense related to the creation and sharing of content.
3.1 Cybersex - Willful engagement, maintenance, control, or operation, directly or indirectly, of any lascivious exhibition of sexual organs or sexual activity, with the aid of a computer system
3.2 Child Pornography - Unlawful or prohibited acts defined and punishable by Republic Act No. 9775 or the Anti-Child Pornography Act of 2009, committed through a computer system
3.3 Libel - Unlawful or prohibited acts of libel as defined in Article 355 of the Revised Penal Code, as amended, committed through a computer system
Data Privacy Violation
Privacy violation is an illegal or unwanted act that endangers the privacy rights of a person and the security of personal data.
Data privacy violation is a penalized act according to R.A. 10173 Chapter VIII. The complaint can be made through the use of the NPC Complaint-Assisted Form.

Section 25 Unauthorized processing
Section 26 Negligence in access
Section 27 Improper disposal
Section 28 Unauthorized purpose
Section 30 Concealment of breach
Section 31 Malicious disclosure
Section 32 Unauthorized disclosure
Section 33 Combination of acts
Data Privacy Violations
1. Unauthorized processing (3-6 years imprisonment, 500K-4M penalty): It is when personal information is processed without the consent of the data subject, or without being authorized using lawful criteria.

2. Negligence in access (1-6 years imprisonment, 500K-4M penalty): It is when personal information is made accessible due to negligence and without being authorized by any existing law.

Data Privacy Violation
3. Improper disposal (6 mos-3 years imprisonment, 100K-1M penalty): It is when personal information is knowingly or negligently disposed of, discarded, or abandoned in an area accessible to the public, or the personal information of an individual has otherwise been placed in any container for trash collection.

4. Unauthorized purpose (1-7 years imprisonment, 500K-2M penalty): It is when personal information is processed for purposes not authorized by the data subject, or otherwise authorized by any existing

Data Privacy Violation
5. Unauthorized access or intentional breach (1-3 years imprisonment, 500K-2M penalty): It is when an individual handling personal information knowingly and unlawfully, or violating data confidentiality and security data systems, breaks in any way into any system where personal and sensitive personal information are stored.

6. Concealed breach (1-5 years imprisonment, 500K-1M penalty): It is when an individual or entity who has knowledge of a security breach and of the obligation to notify the Commission pursuant to Section 20(f) of the Act, intentionally or by omission conceals the fact of such security

Data Privacy Violation
7. Malicious disclosure (1 yr 6 mos-5 years imprisonment, 500K-1M penalty): It is when an individual or entity, with malice or in bad faith, discloses unwarranted or false information relative to any personal information or sensitive personal information obtained by him or her.

8. Unauthorized disclosure (1-5 years imprisonment, 500K-2M penalty): It is when an individual or entity discloses to a third party personal information not covered by legitimate purpose or lawful criteria, and without the consent of the data subject.
Cyber Security and Data Privacy Protection Measures:

R.A. 10173 IRR Rule VI - Technical Security Measures
1. Security policy in processing personal data
2. Safeguards to protect the computer network against unlawful, illegitimate, and destructive activities
3. Confidentiality, integrity, availability, and resilience of the processing systems and services
4. Vulnerability assessment and regular monitoring for security breaches
5. Ability to restore the availability of and access to personal data
6. Regularly testing, assessing, and evaluating the effectiveness of security measures
7. Encryption of personal data during storage and while in transit, authentication process

R.A. 10844 IRR Rule III-V - National Cyber Security Plan
1. Cyber Threats to Control
2. Cyber Security Key Result Areas
3. Cyber Security Action and Result Indicators

Secure CyberPrivacy Project - johnmacasio@gmail.com
R.A. 10175 Cyber Security Violations
1. Illegal access
2. Illegal interception
3. Data interference
4. System interference
5. Misuse of device
6. Fraud
7. Forgery
8. Identity Theft
9. Cyber-squatting

On-Premise and On-Cloud CYBER SECURITY REQUIREMENTS
1. Security and Privacy Governance
2. Control Policies based on Regulations, Advisories, Agreements, and Standards
3. Maintained Registry of Assets
4. Threat Intelligence Database
5. Security Vulnerability, Risks, and Privacy Impact Assessment
6. Security and Privacy Management System
7. Security Methodology and

R.A. 10173 Data Privacy Violations
1. Unauthorized processing
2. Negligence in access
3. Improper disposal
4. Unauthorized purpose
5. Unauthorized access
6. Intentional breach
7. Concealed
Cyber Security Normative References
Regulatory Guidelines
1. R.A. 10175 - Cybercrime Prevention Law
2. R.A. 10173 - Data Privacy Law
3. R.A. 10844 - DICT Law
4. R.A. 8772 - E-Commerce Law

Cyber Security Normative References
International Standards Organization
1. ISO 27000 - Information security overview and vocabulary
2. ISO 27001 - Information security management system
3. ISO 27002 - Information security controls
4. ISO 27005 - Information security risks management
5. ISO 27032 - Cyber security guidelines
6. ISO 27031 - ICT business continuity
7. ISO 27033 - Network security
8. ISO 27034 - Application security
9. ISO 27040 - Storage security
10. ISO 27017 - Cloud security
11. ISO 27035 - Security incident management
12. ISO 27036 - Information security supplier relationship

Cyber Security Normative References
European Telecommunication Standards Institute
1. GS ISI 001-1 V1.1.1 - Information Security Indicators
2. ETSI TR 103 305 V1.1.1 - Critical Security Controls for Effective Cyber Defense

Cyber Security Normative References
Lead Countries Cyber Security Guidance
1. NIST
2. ENISA
3. US-CERT CISA

Cyber Security Normative References
Professional Body of Knowledge
1. CyBOK - Cyber Security Body of Knowledge
2. ISC2 - Cyber Security Professional Certification
3. EC Council - Cyber Security Professional Certification
4. SANS - Computer Security

Cyber Security Normative References
Vulnerability Database
1. https://nvd.nist.gov/vuln/search
2. http://cve.mitre.org/about
3. https://www.exploit-db.com/

Cyber Security Normative References
Cyber Security Control Guidance
1. CIS - Center for Internet Security
2. OWASP - Open Web Application Security Project
Training Assignment
Review R.A. 10175 - Cybercrime Prevention Act, and the R.A. 10844 National CyberSecurity Plan of 2022, and then state the goals of cybersecurity in the Philippines:

1. What to achieve
2. What to prevent
3. What to maintain
4. What to eliminate