
Data Security


What is access control policy?

Having all the latest software security tools does not mean that your system is safe from attack.
Continuous improvement of the security of information and data processing systems is a
fundamental management responsibility. All applications and processing systems that handle
personal and sensitive information should include some form of authorization, commonly set out
as an access control policy. As systems grow in size and complexity, access control becomes a
special concern for systems and applications that are distributed across multiple computers.

An access control policy sets the requirements for credentials and identification that specify how
access to computers, systems, or applications is managed and who may access the information in
most circumstances. Authentication, authorization, audit, and access approval are the common
aspects of an access control policy.
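The authorization and audit aspects named above are easiest to see when the policy is written down as data and every decision is recorded. The Go program below is an added example, not code from the original page: it expresses a default-deny access control policy as an allow-list of (role, resource, action) tuples, refuses accounts that are not active, and emits an audit line for every decision, allowed or denied. The roles, users and resource names (hr-staff, payroll, employee-records, alice, bob, carol, mallory) are constructed for the example.

```go
package main

import (
	"fmt"
	"time"
)

// Permission is one allowed (role, resource, action) tuple. Role and resource
// names in this example are constructed, not taken from any real system.
type Permission struct {
	Role     string
	Resource string
	Action   string
}

// Policy is the access control policy expressed as data: an allow-list of
// permissions, the roles granted to each user, and which accounts are active.
// Anything not explicitly allowed is denied (default deny).
type Policy struct {
	Allow     []Permission
	UserRoles map[string][]string
	Active    map[string]bool
}

// AuditEvent records one authorization decision. Every decision is logged,
// allowed or denied; the denials are what an investigator looks for first.
type AuditEvent struct {
	Time     time.Time
	User     string
	Resource string
	Action   string
	Allowed  bool
	Reason   string
}

// Authorize decides whether user may perform action on resource. It returns
// the decision and the audit event that records it.
func (p *Policy) Authorize(user, resource, action string, now time.Time) (bool, AuditEvent) {
	ev := AuditEvent{Time: now, User: user, Resource: resource, Action: action}
	if !p.Active[user] { // unknown users are simply not active
		ev.Reason = "account not active"
		return false, ev
	}
	for _, role := range p.UserRoles[user] {
		for _, perm := range p.Allow {
			if perm.Role == role && perm.Resource == resource && perm.Action == action {
				ev.Allowed, ev.Reason = true, "allowed by role "+role
				return true, ev
			}
		}
	}
	ev.Reason = "no role grants " + action + " on " + resource
	return false, ev
}

// FormatAudit renders an event as one audit-trail line.
func FormatAudit(ev AuditEvent) string {
	verdict := "DENY"
	if ev.Allowed {
		verdict = "ALLOW"
	}
	return fmt.Sprintf("%s %s user=%s resource=%s action=%s reason=%q",
		ev.Time.UTC().Format(time.RFC3339), verdict, ev.User, ev.Resource, ev.Action, ev.Reason)
}

// ExamplePolicy is a constructed policy: HR staff may read and update employee
// records, payroll may only read them, and no role may export them. carol's
// account has been deactivated (for example, after leaving the organization).
func ExamplePolicy() *Policy {
	return &Policy{
		Allow: []Permission{
			{"hr-staff", "employee-records", "read"},
			{"hr-staff", "employee-records", "write"},
			{"payroll", "employee-records", "read"},
		},
		UserRoles: map[string][]string{
			"alice": {"hr-staff"},
			"bob":   {"payroll"},
			"carol": {"hr-staff"},
		},
		Active: map[string]bool{"alice": true, "bob": true, "carol": false},
	}
}

func main() {
	p := ExamplePolicy()
	now := time.Date(2024, 1, 15, 9, 0, 0, 0, time.UTC)
	requests := [][3]string{
		{"alice", "employee-records", "write"},
		{"bob", "employee-records", "write"},
		{"bob", "employee-records", "export"},
		{"carol", "employee-records", "read"},
		{"mallory", "employee-records", "read"},
	}
	for _, r := range requests {
		_, ev := p.Authorize(r[0], r[1], r[2], now)
		fmt.Println(FormatAudit(ev))
	}
}
```

Keeping the policy as data (rather than as conditionals scattered through application code) is what makes it reviewable and consistently applicable across the distributed systems the text mentions; the audit line for every decision is what later supports the audit and access-approval aspects.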


What are the best practices in implementing access control policy?

As a personal information controller or processor, you are responsible for making a diligent
effort, and for being accountable, in protecting the personal data that you process by managing
the areas, distribution, and life-cycle of authentication and authorization across your
organization’s processes. Access to any confidential, personal, and sensitive data must always be
protected, controlled, and managed by sufficient security policies. Preventing unauthorized access
and data breaches is the primary objective of a controller and processor. Management should also
establish a physical and systematic approach to creating and managing access control. The scale
of the personal information controller’s or personal information processor’s applications, from
small to large, should be taken into consideration in the design and implementation of the policy.


What does the commission say about implementing access control policy?

At a time when data privacy and security matter, personal information controllers and personal
information processors are obliged to implement strong, reasonable, and appropriate
organizational, physical, and technical security measures for the protection of the personal
information that they process. These include access control policies for off-site and online access
to personal and sensitive information. Accessing this kind of information through negligence or
intentional breach will result in fines and imprisonment.


What is a Data Center?

A data center is a facility housing electronic equipment used for data processing, data storage,
and communications networking. It is a centralized repository, which may be physical or virtual,
may be analog or digital, used for the storage, management, and dissemination of data including
personal data.

The National Privacy Commission requires personal information controllers and personal
information processors to implement reasonable and appropriate organizational, physical,
and technical security measures for the protection of personal data, especially in this critical
piece of Information and Communications Technology infrastructure.


What are the recommended best practices for data center security?

1. Include security and compliance objectives as part of the data center design and
ensure the security team is involved from day one. Security controls should be
developed for each modular component of the data center—servers, storage, data and
network—united by a common policy environment.
2. Ensure that the approach taken will not limit the availability and scalability of resources.
3. Develop and enforce policies that are context-, identity- and application-aware, for the
least complexity and the most flexibility and scalability. Ensure that they can be
applied consistently across physical, virtual and cloud environments. This, along with
replacing physical zones with secure trust zones, will provide seamless and secure user access
to applications at all times, regardless of the device used to connect to resources in the
data center.
4. Choose security technologies that are virtualization-aware or enabled, with security
working at the network level rather than the server. Network security should be
integrated at the hypervisor level to discover existing and new virtual machines and to
follow those devices as they are moved or scaled up so that policy can be dynamically
applied and enforced.
5. Monitor everything continuously at the network level so that all assets (physical and
virtual) that reside on the local area network (even those that are offline) and all
interconnections between them are visible. Monitoring should be continuous and capable
of tracking dynamic network fabrics. Watch for missing patches and for application or
configuration changes that can introduce exploitable vulnerabilities.
6. Look for integrated families of products with centralized management that are
integrated with or aware of the network infrastructure, or common monitoring
capabilities for unified management of risk, policy controls, and network
security. This will also give detailed reports across all controls that provide the audit trail
necessary for risk management, governance, and compliance objectives. Integrated
families of products need not necessarily be procured from just one vendor. Look for
those that leverage the needed capabilities of a strong ecosystem of partnerships to
provide a consolidated solution across all data center assets.
7. Consider future as well as current needs and objectives at the design stage such as
whether access to public cloud environments is required.
8. Define policies and profiles that can be segmented and monitored in multi-tenant
environments. Consider security technologies that provide secure gateway connections
to public cloud resources.


What are the security requirements for a computer system?

1. Secure user authentication protocols including:
a. Control of user IDs and other identifiers;
b. Reasonably secure method of assigning and selecting passwords, or use of unique
identifier technologies, such as biometrics or token devices;
c. Control of data security passwords to ensure that such passwords are kept in a
location and/or format that does not compromise the security of the data they
protect;
d. Restricting access to active users and active user accounts only; and
e. Blocking access to user identification after multiple unsuccessful attempts to gain
access or the limitation placed on access for the particular system;
2. Secure access control measures that:
a. Restrict access to records and files containing personal information to those who
need such information to perform their job duties; and
b. Assign unique identifications plus passwords, which are not vendor supplied
default passwords, to each person with computer access, that are reasonably
designed to maintain the integrity of the security of the access controls;
3. Encryption of all transmitted records and files containing personal information that will
travel across public networks, and encryption of all data containing personal information
to be transmitted wirelessly;
4. Reasonable monitoring of systems, for unauthorized use of or access to personal
information;
5. Encryption of all personal information stored on laptops or other portable devices;
6. For files containing personal information on a system that is connected to the Internet,
there must be reasonably up-to-date firewall protection and operating system security
patches, reasonably designed to maintain the integrity of the personal information;
7. Reasonably up-to-date versions of system security agent software which must include
malware protection and reasonably up-to-date patches and virus definitions, or a version
of such software that can still be supported with up-to-date patches and virus definitions,
and is set to receive the most current security updates on a regular basis;
8. Education and training of employees on the proper use of the computer security system
and the importance of personal information security.
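Items 1 and 2 of the list above (control of identifiers, a reasonably secure password method, passwords stored in a form that does not compromise the data, access only for active accounts, blocking after repeated failed attempts, and no vendor-supplied default passwords) can all be enforced in one small authentication routine. The Go program below is an added example, not code from the original page: it stores only a random salt and a PBKDF2-HMAC-SHA256 hash of each password, rejects a constructed list of vendor default passwords and passwords shorter than 12 characters, refuses inactive or locked accounts before doing any password work, compares hashes in constant time, and locks the account after five consecutive failures. The limits (five failures, 12 characters, 100000 iterations) and the default-password list are assumptions chosen for the example; the PBKDF2 routine is written out so the example needs only the standard library.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
)

// Limits chosen for this example (assumptions, not values from the page).
const maxFailures, pbkdf2Rounds, minPassLength = 5, 100000, 12

// vendorDefaults is a constructed list of factory credentials that must never be accepted.
var vendorDefaults = map[string]bool{"admin": true, "password": true, "changeme": true, "12345678": true}

// Account holds a salted PBKDF2 hash rather than the password itself.
type Account struct {
	ID       string
	Salt     []byte
	Hash     []byte
	Active   bool
	Failures int
	Locked   bool
}

// PBKDF2SHA256 is PBKDF2 with HMAC-SHA256 (RFC 8018); prefer a vetted library in production.
func PBKDF2SHA256(password, salt []byte, rounds, keyLen int) []byte {
	var out []byte
	mac := hmac.New(sha256.New, password)
	for block := uint32(1); len(out) < keyLen; block++ {
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], block)
		mac.Reset()
		mac.Write(salt)
		mac.Write(idx[:])
		u := mac.Sum(nil)              // U1 = PRF(P, S || INT(block))
		t := append([]byte(nil), u...) // T = U1 xor U2 xor ... xor Uc
		for i := 1; i < rounds; i++ {
			mac.Reset()
			mac.Write(u)
			u = mac.Sum(nil) // Uj = PRF(P, Uj-1)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// CheckPolicy rejects vendor default passwords and passwords that are too short.
func CheckPolicy(password string) error {
	if vendorDefaults[password] {
		return errors.New("vendor default password not allowed")
	}
	if len(password) < minPassLength {
		return fmt.Errorf("password shorter than %d characters", minPassLength)
	}
	return nil
}

// NewAccount enforces the policy and stores only a random salt and the hash.
func NewAccount(id, password string) (*Account, error) {
	if err := CheckPolicy(password); err != nil {
		return nil, err
	}
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	hash := PBKDF2SHA256([]byte(password), salt, pbkdf2Rounds, 32)
	return &Account{ID: id, Salt: salt, Hash: hash, Active: true}, nil
}

// Authenticate refuses inactive or locked accounts, compares in constant time,
// counts consecutive failures, and locks the account once maxFailures is reached.
func (a *Account) Authenticate(password string) error {
	if !a.Active || a.Locked {
		return errors.New("account inactive or locked")
	}
	candidate := PBKDF2SHA256([]byte(password), a.Salt, pbkdf2Rounds, 32)
	if subtle.ConstantTimeCompare(candidate, a.Hash) != 1 {
		a.Failures++
		a.Locked = a.Failures >= maxFailures
		return errors.New("invalid credentials")
	}
	a.Failures = 0 // a successful login resets the counter
	return nil
}

func main() {
	acct, _ := NewAccount("alice", "correct horse 2024")
	fmt.Println("valid login:", acct.Authenticate("correct horse 2024"))
	for i := 0; i <= maxFailures; i++ { // the final attempt hits an already locked account
		fmt.Println("bad login:", acct.Authenticate("wrong password 1"))
	}
}
```

The inactive and locked checks come before the hash computation on purpose: a blocked account should cost nothing per attempt, and the error message does not distinguish "no such user" from "locked" so that the login endpoint does not confirm which identifiers exist.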


What is encryption?

Encryption protects emails, bank accounts, transactions, and messages. In general, it protects
data by encoding the information in such a way that it is only accessible to authorized parties or
individuals. It is a way of safeguarding data, documents, or information from this generation’s
threats such as malicious hackers, spies, and criminals. It is one of the best tools to protect
privacy, especially for individuals, and is considered a necessity in keeping data private.


What does the commission state about encryption?

“Any technology used to store, transport, or access sensitive personal information for purposes
of off-site access approved shall be secured by the use of the most secure encryption standard
recognized by the Commission.”

Data at rest, in transit, and in use should all be treated equally in terms of preserving their privacy
and managing their security.


What should be encrypted?

Emails

Most corporations, organizations, agencies, and firms use email to communicate, send files, and
exchange data. This form of communication has been the standard for electronic messaging for
many years. It has also been one of the major sources of privacy breaches throughout those years.
These incidents exposed the privacy of several individuals, so they should be managed, guarded
against, and most importantly, prevented. Organizations that transfer personal data via email
should either make sure that the data is encrypted or use a secure email facility that provides the
encryption.

Portable Media

An attack on privacy can happen at any time and in any place, sometimes through portable
storage devices. It can infiltrate an organization’s system and expose all of its confidential and
sensitive information. Devices such as USB flash drives and internal or external disks that store,
collect or transfer personal data must be encrypted, and especially the data on them. Organizations
that use laptops to process personal data must use full disk encryption.

Links (URL)

Agencies and organizations that use online access to process personal data should employ an
identity authentication method that uses a secure, encrypted link.


What does the commission recommend with regards to encryption?

“Organizational, physical, and technical security measures for personal data protection,
encryption, and access to sensitive personal information maintained by government agencies,
considering the most appropriate standard recognized by the information and communications
technology industry.”

“Advanced Encryption Standard with a key size of 256 bits (AES-256) as the most appropriate
encryption standard. Passwords or passphrases used to access personal data should be of
sufficient strength to deter password attacks. A password policy should be issued and enforced
through a system management tool.”
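The Commission's recommendation of AES-256 fixes the cipher and key size but not the mode of operation, and the mode is what decides whether a stored or transmitted record can be silently altered. The Go program below is an added example, not code from the original page or from the Commission: it encrypts a constructed personal-data record with AES-256 in GCM mode, which also authenticates the record so that any change to the ciphertext, the nonce, or the record label is detected when the record is opened. The choice of GCM, the random 12-byte nonce, and the use of a record label as associated data are assumptions of the example; the 32-byte key is what makes it AES-256. The same routine serves the earlier requirements to encrypt personal information on laptops and portable devices and records sent across public networks.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

const keySize = 32 // a 32-byte key selects AES-256

// NewKey returns a fresh random AES-256 key. In a real deployment the key is
// held in a key store or HSM, never alongside the data it protects.
func NewKey() ([]byte, error) {
	key := make([]byte, keySize)
	_, err := rand.Read(key)
	return key, err
}

// newGCM refuses anything but a 32-byte key so that AES-128 cannot slip in.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != keySize {
		return nil, fmt.Errorf("AES-256 needs a %d-byte key, got %d", keySize, len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts record under key with AES-256-GCM. A random nonce is prepended
// to the output; the GCM tag authenticates both the ciphertext and label, a piece
// of associated data (for example a record identifier) that is stored in the
// clear but must not be swapped between records.
func Seal(key, record, label []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext||tag to the nonce slice: nonce||ciphertext||tag.
	return gcm.Seal(nonce, nonce, record, label), nil
}

// Open reverses Seal. It fails if the key is wrong or if the nonce, ciphertext,
// tag or label was altered in storage or in transit.
func Open(key, sealed, label []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("sealed record too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, label)
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record; the label is the record ID kept in the clear.
	record := []byte(`{"name":"Juan dela Cruz","birthdate":"1990-01-01"}`)
	label := []byte("employee-record:1042")
	sealed, _ := Seal(key, record, label)
	fmt.Printf("stored form is %d bytes and starts %x...\n", len(sealed), sealed[:12])
	plain, err := Open(key, sealed, label)
	fmt.Printf("decrypted: %s (err=%v)\n", plain, err)
	sealed[len(sealed)-1] ^= 0x01 // flip one bit of the authentication tag
	_, err = Open(key, sealed, label)
	fmt.Println("tampered record rejected:", err)
}
```

Two practical points the cipher choice alone does not settle: a nonce must never be reused with the same key (hence a fresh random nonce per record), and the key must be stored and access-controlled separately from the encrypted records, otherwise encrypting the laptop disk or the database achieves nothing.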


What are the standards for protecting personal information?

Every person that owns or licenses personal information shall develop, implement, and maintain
a comprehensive information security program that is written in one or more readily accessible
parts and contains organizational, technical, and physical security measures that are appropriate to:
1. the size, scope and type of operations of the agency obligated to secure the personal data
under such a comprehensive information security program, as required by the DPA;
2. the amount of resources available to such person;
3. the amount of stored data; and
4. the need for security and confidentiality of both client and employee information.

The safeguards contained in such a program must be consistent with the safeguards for the
protection of personal information and information of a similar character set forth in the
Data Privacy Act of 2012, by which the person who owns or licenses such information
may be regulated.

Without limiting the generality of the foregoing, every comprehensive information security
program shall include, but shall not be limited to:

1. Designating a DPO to maintain the comprehensive information security program;
2. Identifying and assessing reasonably foreseeable internal and external risks to the
security, confidentiality, and/or integrity of any electronic, paper or other records
containing personal information, and evaluating and improving, where necessary, the
effectiveness of the current security for limiting such risks, including but not limited to:
o ongoing employee (including temporary and contract employee) training;
o employee compliance with policies and procedures; and
o means for detecting and preventing security system failures.
3. Developing security policies for employees relating to the storage, access and
transportation of records containing personal information outside of business premises.
4. Imposing disciplinary measures for violations of the comprehensive information security
program rules.
5. Preventing terminated employees from accessing records containing personal
information.
6. Reasonable restrictions upon physical access to records containing personal information,
and storage of such records and data in locked facilities, storage areas or cloud hosting.
7. Regular monitoring to ensure that the comprehensive information security program is
operating in a manner reasonably calculated to prevent unauthorized access to or
unauthorized use of personal information; and upgrading information security as
necessary to limit risks.
8. Reviewing the scope of the security measures at least annually or whenever there is a
material change in business practices that may reasonably implicate the security or
integrity of records containing personal information.
9. Documenting responsive actions taken in connection with any incident involving a
breach of security, and mandatory post-incident review of events and actions taken, if
any, to make changes in business practices relating to protection of personal information.


What is data sharing?

Data sharing is the disclosure or transfer to a third party of personal data under the custody of a
personal information controller or personal information processor. When the processing of
personal information is outsourced to a personal information processor, any such disclosure or
transfer must have been made on the instructions of the personal information controller
concerned. The term excludes outsourcing, that is, the disclosure or transfer of personal data by a
personal information controller to a personal information processor.

Personal Information Controllers (PIC) are those who decide what types of data are collected
and how they are processed (e.g. Ayala Land). Personal Information Processors (PIP), on the
other hand, are those who process data as instructed by the controllers (e.g. HR Mall).

For transfers abroad, a personal information controller remains responsible for any personal data
under its custody, including information that has been outsourced or transferred to a personal
information processor or a third party for processing, whether domestically or internationally,
subject to cross-border arrangements and cooperation.


Am I allowed to process personal data?

Processing of personal data collected from a party other than the data subject shall be allowed
under any of the following conditions:

• Authorized by law
• Consent for data sharing
• Covered by a data sharing agreement for commercial purposes
• The following provided to data subjects before sharing:
1. Identity of the PIC and PIP
2. Purpose of data sharing
3. Categories of personal data
4. Intended recipients of personal data
5. Rights of data subjects
6. Other information about the nature and extent of data sharing and the manner of
processing
• Sharing between government agencies for the purpose of a public function or provision of a
public service must be covered by a data sharing agreement.


What is a Data Sharing Agreement?

A data sharing agreement refers to a contract, joint issuance, or any similar document that
contains the terms and conditions of a data sharing arrangement between two or more parties
provided that only personal information controllers shall be made parties to a data sharing
agreement. Where a data sharing agreement involves the actual transfer of personal data or a
copy from one party to another, such transfer shall comply with the security requirements
imposed by the Philippine Data Privacy Act, its IRR, and all applicable issuances of the National
Privacy Commission.


What are the things I should see on a Data Sharing Agreement?

• Purpose of data sharing
• Participating personal information controllers and processors:
1. Types of personal data
2. Personal information processor that will process the personal data
3. How the PIC and PIP will process the personal data
4. The remedies available to a data subject in case the processing of personal data
violates his or her rights, and how these rights may be exercised;
5. Designated data protection officer or compliance officer.
• Duration of the agreement
• General description of the security measures that will ensure the protection of the personal
data of the data subjects, including the policy for retention or disposal of records.
• How a data subject can obtain a copy of the data sharing agreement.
• If a personal information controller will grant online access to personal data under its
control or custody, it shall specify the following information:
1. Justification for allowing online access;
2. Parties that shall be granted online access;
3. Types of personal data that shall be made accessible online;
4. Estimated frequency and volume of the proposed access; and
5. Program, middleware and encryption method that will be used.
• The PIC responsible for addressing any information request, any complaint filed by a data
subject, and/or any investigation by the Commission
• The method to be adopted for the secure return, destruction, or disposal of the shared data.
• Other terms and conditions that the parties may agree on.
