JMLogic Consultancy

A consultancy group designed as a knowledge and technology service provider. We serve the private an

24/09/2023

Sign of the time…

Medusa ransomware has been a known threat since 2021 and is the subject of international security alerts and mitigation advisories:

https://socradar.io/dark-web-profile-medusa-ransomware-medusalocker/

The PhilHealth security incident raises the question of its compliance, and that of other government agencies, with the security activities DICT requires for a Cybersecurity Compliance Certificate (DICT Department Circular No. 003, s. 2020). These include activating a CERT for security incident response.

Under the same circular, the Department of Information and Communications Technology (DICT) is supposed to submit to the Office of the President the names of government agencies without a cybersecurity compliance certificate.

Under DICT policy, the national, sectoral, and organizational CERTs are expected to bring coordinated effort to monitoring, detecting, alerting on, and responding to security incidents across networked government agencies, linked to the national security operations center and threat intelligence database at DICT.

The Medusa ransomware security incident at PhilHealth is a case for the National Privacy Commission (NPC) to conduct a compliance check as defined in NPC Circular 18-02, Guidelines on Compliance Checks.

The PhilHealth security incident asks how its governance and management acted on NPC Circular 16-01, which specifies the legal obligations and security requirements for protecting personal data. These include acquiring the competencies and resources to implement Rule VI of the Implementing Rules and Regulations of RA 10173.

The PhilHealth database contains the largest number of personal data records of individuals who, by law, are made members or beneficiaries of PhilHealth. It manages information that can be used to operate the unified identification system of the Philippine government.

Data subjects of PhilHealth have the right to raise privacy and security concerns, or to file a complaint against a Personal Information Controller that fails in its security measures for protecting information.

Data subjects have the right to be notified of a security incident if the breach involves personal data.

In cybersecurity, the control rules, practice standards, and threat intelligence database serve as the risk criteria and vulnerability indicators of a “trusted” service organization enabled by digital technology.

When the risk criteria are undermined, security controls are not in place to protect and respond.

Cybersecurity is at risk when mandated obligations are simply resolved by legal remedies and good communication technique on the zero day of exploitation.

https://m.facebook.com/story.php?story_fbid=709329531222139&id=100064352964920

It asks for the public's understanding after its operations were affected by an information security incident.

The Corporation is now investigating the incident.

06/09/2023

Agile digital worker

Training of Trainers
Digital Governance and Management

Data Protection Competency Framework
Privacy by Design and By Default

How does one determine, document, and demonstrate privacy by design and by default in the development and operation of an information system?

Privacy by design is embedding the data privacy principles and information security controls in the development lifecycle and processes of an information and communication system project.

Privacy by default is the privacy setting of the product, system, or service as released into operation. It automates the triggering of the conditions and functions to exercise privacy rights, to record privacy compliance, and to communicate security control.

Personal data is protected in the information and communication system of a government agency or business enterprise when the system provides features that enable the data subject to exercise privacy rights and to obtain assurance on the security of personal information across the devices, networks, storage, applications, and people involved in data processing.

This includes by-default notification and consent to trigger data processing and security measures, and alerting the data subject to security incidents that may compromise the confidentiality, integrity, and availability of information.

The exercise of privacy rights over data is supported by an information processing application coded to execute the principles that validate and verify the privacy and security of personal information during and after data collection, transmission, retention, use, disclosure, and disposal.

Information security in data protection is the implementation of controls that define the administrative, legal, physical, technical, and people requirements for the information system, so that it exhibits audited indicators of information confidentiality, process integrity, system availability, delivery reliability, infrastructure resiliency, and consumer safety.

The Personal Information Controller, Personal Information Processor, Data Protection Officer, and privacy regulators are obligated under RA 10173 to act guided by its statutory requirements and the adopted international standards on personal information (Section 2, 2016 Implementing Rules and Regulations of RA 10173).

The protection of interests and realization of benefits from privacy in personal data protection are shown to be real in the evaluated impact of the information and communication system on data subject privacy rights, on the privacy principles and lawful criteria of data processing, and on personal information security controls.

The privacy impact assessment observes common standards in defining the risk assessment process, privacy risk criteria, risk measurement technique, and risk mitigation approach.

The use of a privacy threat modeling tool is necessary to properly illustrate, analyze, and test the contexts of data privacy violation in the designed and operated information processing system.

The Data Flow Diagram is an important visualization tool for illustrating the data workflow, representing the “what, how, and who” of data, process, and application as they behave within the limiting conditions of privacy and security rules.

The requirements traceability matrix of a designed, developed, and released information and communication system provides the definitive listing of the specific regulatory, functional, and technical requirements for creating a personal-data-enabled product or service that engages a data subject.

International community-driven standards serve as the basic knowledge source for the methodology and metrics that support a valid and verifiable understanding behind the development and operation of an information and communication system considered “privacy by design” and “privacy by default.”

Achieving the statutory goal for government and private sector information and communication systems to be designed, developed, and operated with data privacy is guided by common questions of understanding associated with the following:

1. System design and operation is bounded by an adopted privacy framework

2. System design and operation provides programmed functionality to exercise the privacy rights of the data subject

3. System design and operation provides system features to enforce information security controls

4. System design and operation includes documented activities to respond to, recover from, and investigate data breaches

Foundational knowledge sources for the rules and standards in developing and operating a privacy-by-design and by-default product, system, or service:

1. ISO 27550 - Privacy engineering for system life cycle processes

2. ISO 31700 - Privacy by design for consumer goods and services

3. ISO 29100 - Privacy Framework

4. ISO 29134 - Privacy Impact Assessment

5. ISO 27002 & 27701 - Privacy Information Security Controls

6. 2016 Implementing Rules and Regulations of RA 10173

7. NPC issuances on data privacy rights, privacy impact assessment, and security measures

8. EU General Data Protection Regulation (GDPR)

9. USA Health Insurance Portability and Accountability Act of 1996

10. AICPA SOC2 Trusted Service Organization audit indicators

11. Payment Card Industry (PCI) Data Security Standard (DSS)

A government agency compliant with EO 605-2007 has documented guidance that brings clarity, coherence, completeness, and consistency to the use of ISO standards supporting the implementation of regulations and policy for “Privacy by Design and by Default.”

PNS Advisory Adoptions - National Privacy Commission 03/08/2023

Agile digital worker…
Knowledge Pointer

The Data Protection Officer (DPO) is an oversight role in data protection, enabled to do the right things right the first time by openly published statutory requirements and international community-driven standards that associate first principles, privacy rights, risk criteria, control practice, regulatory compliance, and good governance in data privacy, information security, and cybersecurity.

The DPO represents valid and verifiable understanding, decision, and work in the exercise of privacy rights over data; in the application of privacy principles in data processing; and in the security of information management assets linked to personal data.

The DPO reads in full, and acts with completeness on, the data protection oversight objectives, using the standards adopted by published regulations.

DPO certification is acceptable, actionable, and auditable understanding of rules supported by statutory requirements and adopted international standards on the protection of the privacy and security of personal information.

In the Philippines, the Implementing Rules and Regulations of RA 10173, the Data Privacy Act of 2012, clearly state: “Section 2. Policy. These Rules further enforce the Data Privacy Act and adopt generally accepted international principles and standards for personal data protection.”

PNS Advisory Adoptions - National Privacy Commission NO. 2021-004 - PNS ISO/IEC 29134 – Information technology – Security techniques […]
