
PNP ICT SECURITY MANUAL (PNPICTSM)

PART 1 – ICT SECURITY ADMINISTRATION


CHAPTER 1 – ICT SECURITY
ICT Security means protecting information systems from unauthorized access, use,
disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity
and availability. It has its process stages, from step 1 up to step 9.
To implement the appropriate ICT security measures, these are the stages that should be
followed: the conduct of Risk Management, Policy Development, Security Development Plan, its
Implementation, Certification, Accreditation, Ongoing Operations and Review. Every stage has its
purpose and responsibilities. With regard to system disposal, the key tasks are transition
planning, migration and archiving of information, and sanitizing and redeployment or disposal of
equipment and media. An ICT system is defined as a related set of
hardware and software used for the communication, processing or storage of information, and
the administrative framework in which it operates. It includes computers, peripherals,
communication facilities and networks, software, information, maintenance and administration
procedures, and roles.
Every user needs to have a qualification before having access to a
particular system in different categories such as dedicated, system high, compartmented and
multilevel.
With that, every user can ensure that their access will be confidential and private. It was
very satisfying that ICT Security did their tasks and responsibilities in detail to ensure
safety and confidentiality.
CHAPTER 2 – SECURITY ROLES AND RESPONSIBILITIES
Information relating to the system specific roles and responsibilities of ICT security
advisers, system managers, system administrators and system users SHOULD be included in the
documentation produced for each system.
Security roles and responsibilities cover different topics. First is the DICTM, which was
activated by virtue of PNP General Orders Number DPL 09-08 on April 1, 2009. Its role
is to manage and formulate vital policies for the development and administration of ICT
resources. With its directional capacity, it is commissioned to oversee the roles of the
Information Technology Management Service (ITMS) and Communications and Electronics
Service (CES). Next is the ITMS's role. It is primarily tasked to provide technical expertise to
develop and maintain Information Systems and IT Services; Information Technology expertise
through the designation/assignment of IT Officers to all PNP Regions; distribution and control
of information system security (INFOSEC) material; IT-related policy advice and assistance to
all PNP Units; and Information Assurance assessment and inspection services. The CES is
primarily tasked to provide technical expertise in the operation of radio and data communications
media such as facsimile and telephone facilities for transmission, receipt of data and
communication, multi-trunked systems for communication linkages, maintenance, repair and
security communications building and infrastructures.
In appointing/designating ICT Security Officers, the appointment of the ITSSO and CTSSO will
change when the PNP IT and CT become fully integrated and when the proposed administrative
ICT offices in the regional levels are approved and functional. Every officer in charge has
qualifications to meet before being designated to a particular area. The ITSSO must be fully
knowledgeable, have a detailed knowledge of the structure and architecture of the
organization's information and communications systems, be familiar with security strategies,
provide advice and have ready access to the DICTM, ITMS and CES. The CTSSO has almost the same
qualifications as the ITSSO, but the ITSSO needs to have ready access to senior management on
security issues, the same as the ICTSP. Also included are the security officers' responsibilities,
such as the primary responsibilities, administrative responsibilities,
Technical Security Advice and Training Responsibilities and their Reviewing Responsibilities.
Security roles and responsibilities are stated very well. It is definitely clear to understand
what the difference between the different officers is. There are also the so-called system users,
who are categorized into 2, the general users and the privileged users, who also have their roles
and responsibilities.

CHAPTER 3 – SECURITY DOCUMENTATION


A documentation outline is essential for organizing all the required ICT security
documentation that would allow for easy creation, reference and maintenance of the information.
This chapter covers the requirements for ICT Security Documentation, the
documentation process and classifying ICT Security Documents.
The first topic is the Requirements for ICT Security Documentation. In terms of high-level
documents, the senior management in each PNP Unit approves, promulgates and implements
a security policy that sets out its approach and commitment to security. The resultant PNP-wide
documentation should be linked to an information security risk assessment and SHOULD
include security policies, an information security plan and security instructions. All system
specific Risk Assessments, System Security Plans and Standard Operating Procedures developed
SHOULD be consistent with the objectives, risks and requirements defined in these high-level
documents. The second topic is the documentation process. This section has its own content:
developing content, in which the DICTM RECOMMENDS that people with a good understanding of both
the subject matter and the PNP project develop the ICT security documentation; obtaining
signature, in that all ICT security documents SHOULD be formally approved and signed off by an
appropriate person; and documentation maintenance, in that the PNP Units SHOULD develop a
schedule for reviewing all ICT security documents at regular intervals. The last topic is about
classifying ICT Security Documents. ICT security documentation contains data that, if accessed
by someone with malicious intent, could significantly raise the risk to the systems it covers. The
PNP Information Classification MUST be followed when classifying ICT security
documentation by PNP Units.
Users use higher-level documents to avoid repetition. They also use a
documentation framework which includes a complete listing of all ICT security documents. With
regard to classifying documents, the manual states that in system classification the categories
are Unclassified, Confidential, Restricted, Secret and Top Secret, while in document
classification they are Confidential or Unclassified; Confidential; Restricted or Confidential;
Secret; and Top Secret.
The requirements for ICT Security Documentation, the documentation process and
classifying ICT Security Documents were clearly stated.

CHAPTER 4 - MANAGING RISK


The risk management methodology's initial step is risk assessment. Risk
assessment is a tool used by organizations to gauge the potential threat's scope and
the risk attached to an IT system.
This chapter provides information on developing and using a risk assessment to
assess and control risks affecting ICT systems in the PNP. To control risks affecting ICT
systems, we need to know the development and maintenance of, and the guidance for,
the risk assessment process. It should be the responsibility of the ITSSO and CTSSO to
develop their systems' risk evaluations, as well as their upkeep. The project manager
may be tasked with creating the initial risk assessment for new systems. In all other
circumstances, a risk assessment should be carried out whenever there is a major
change to the system or the environment in which it functions. There are also 6 stages in
conducting Risk Management. Stage 1 is establishing the content; the purpose
of this stage is to establish the scope, resources, and limitations and the project's
environmental context for its outputs related to risk assessment. Stage 2 is
identifying the risk; creating a complete list of ICT security measures is the goal of this
stage. Stage 3 is analyzing the risk; the objectives of this step are to distinguish
between acceptable and unacceptable risks, evaluate the likelihood of, vulnerability to,
and impact from each scenario to produce a "risk" value, and give data for the
evaluation and treatment of risks. Stage 4 is assessing and prioritizing risks;
this stage determines risk management priorities by determining whether or not
the level of risk for each scenario is acceptable and ranking it according to its urgency,
difficulty, and expense to reduce. Stage 5 is developing a risk management plan;
this stage's goal is to find implementation tactics and controls that will lower the residual
risk for issues that were flagged as unacceptable in the risk register. Lastly, stage 6
is the risk assessment document. In the Risk Assessment document, the tables
used to calculate the effect, likelihood, and vulnerability ratings should be presented.
Risk is a function of the possibility that a given threat source will exploit a specific
possible vulnerability and the subsequent effects on the organization of that unfavorable
event. Threats to an IT system must be examined along with any potential vulnerabilities
and the IT system's controls in order to determine the possibility of a future unfavorable
event. Impact describes the potential severity of damage brought on by a threat
exploiting a vulnerability. Potential mission implications determine the amount of impact,
which in turn determines the proportional value of the affected IT assets and resources.
The implementation of risk treatment controls is described in a risk treatment
plan. A risk management control is an action that is taken to reduce the
possibility and/or impact of a risk happening.

CHAPTER 5 - IDENTIFYING AND DEVELOPING ICT SECURITY POLICIES


A PNP ICT Security Policy is a high–level document that describes how PNP protects its
ICT resources. It allows the PNP to provide direction and show commitment to ICT security. An
ICT Security Policy is normally developed to cover all ICT systems.
In developing an ICT Security Policy, the DICTM is responsible for creating and implementing
ICT policies in the Philippine National Police. It also follows a step-by-step process. One step
is identifying existing policies and standards, which include, but are not limited to, the PNP-ICT
Security Manual, E-government Law, E-Commerce Law, The Privacy Act, NAPOLCOM
Circulars, The Public Records Act, and other agency-specific policies. After that comes organizing
policy statements, which includes a framework. In that framework we can see the responsibilities,
configuration control, access control, networking and connections with other systems, physical
security and media control, emergency procedures and incident management, change
management, and education and training.
This chapter provides the process considered by the DICTM in the
creation of ICT security policies, from stage 1 up to stage 8. It also shows where we can
identify the existing policies and standards in connection with this manual and how policy
statements will be organized.

CHAPTER 6 - DEVELOPING A SYSTEM SECURITY PLAN


A System Security Plan (SSP) is a formal document that provides an overview of the security
requirements for an information system and describes the security controls in place or planned
for meeting those requirements. It is also the means of implementing the ICT Security Policy and
the outcomes of the risk assessment, and it details the high-level security architecture and specific
policies that are to be enforced within the system and for any interconnections to other systems.
To develop a good system security plan we need the purpose, development and
maintenance, and lastly the stakeholders. The purpose is to help us develop a
good security system. Next is development and maintenance, which helps the SSP avoid
repetition. Last are the stakeholders, who help with strategic objectives by
contributing their experience and perspective; they can also provide necessary materials and
resources, and their support is crucial to a successful System Security Plan. With regard to
developing an SSP, the System Manager should follow some steps. The first is to review the Risk
Assessment, ICT Security Policy, and any higher-level SSPs that may be relevant. The second
is to develop the strategies required to implement the identified policies and controls,
consulting with stakeholders if necessary. The third is to select or develop a document structure
for the SSP. The fourth is to record the strategies in the appropriate section of the SSP. The last is to
obtain all necessary certifications and insert them in the appropriate section of the SSP.
Every person who needs to develop a System Security Plan needs to know
and follow the purpose and steps so that their plan is good and
meets the security requirements of the system.
With that, all users must be sure that they meet the security requirements for a system, or
know how an organization plans to meet the requirements.

CHAPTER 7- DEVELOPING AND MAINTAINING SOPs


This chapter is about developing and using Standard Operating Procedures (SOPs),
with the topics of developing SOPs and SOP contents. Standard Operating Procedures are defined as a
guideline for all system users, administrators, and managers on the steps to take to ensure a
system is operating correctly. A system's secure functioning is ensured by security-related SOP
material.
Instructing new users to comply with ICT security requirements is called user education.
Reviewing the system audit trails and manual logs, particularly for privileged users, falls under
audit logs. A system integrity audit is to review, check, test and inspect user accounts,
system software, the access control and the equipment and cabling. There is also the labeling,
registering and mustering of assets. We need to manage the maintenance of system software and
hardware and the sanitization or destruction of unserviceable equipment and media.
System manager or administrator SOPs are included in the SOP contents. The
minimum security procedures that should be documented in the ITSSO's/CTSSO's SOPs are
user education, audit logs, system integrity audit, data transfers, asset musters and security
incidents. Under system maintenance and hardware destruction are user account
management, configuration control, access control, and system backup and recovery. The
system administrator SOPs include system closedown, access control, passwords, user
account management and system backup and recovery.
System users should read and agree to abide by the System Users' SOP. The
minimum security procedures that should be documented in the system users' SOPs are
passwords; need-to-know, which is the guidelines on enforcing information protection on the
system; security incidents; security classification; temporary absence; end of day; media
control; hard copy; visitors; and maintenance. There are also user guidelines that should be
recommended: PNP units should advise users about the improper use of general access
rights.

CHAPTER 8 – MAINTAINING ICT SECURITY AND MANAGING SECURITY INCIDENTS


Keeping ICT secure is an ongoing challenge. This includes implementing mechanisms to
protect information and system resources. Confidentiality, integrity, availability, authentication,
and access control are some of the ICT areas that must be kept secure.
It is critical to maintain ICT security measures once they are in place to ensure their
effectiveness. Staying current with changing technology and security requirements; performing
regular integrity checks; auditing security and implementing any necessary changes; and
detecting security breaches, responding to them, and documenting lessons learned are all part of
this. Effective security management also necessitates a regular review of compliance with the
ICT Security Policy, Risk Assessment, and System Security Plan.
The following are indications of a need for change in the way that vendors and
staff interact with their computer systems: users identifying problems or enhancements and
vendors notifying of upgrades to software or hardware; awareness of a new threat or
vulnerability; connection to another system; advances in technology in general; implementing new
systems that require changes to existing systems; and identifying new tasks that require updates
or new systems.
Change Management Standards
A proposed change to a system could involve an upgrade to system hardware or application
software, the addition of an extra terminal, or major changes to system access controls.
For higher classified systems, stricter controls should be in place. The change management
process should define appropriate actions to be followed before and after critical changes are
implemented.
The Recommended Change Process is described in the following stages. Test and implement
the approved changes. Update the system documentation and the applicable security documentation.
Notify and educate users of the changes that have been implemented. Continually educate
users with respect to ICT changes.
A breach of security is an event that impacts the confidentiality, integrity or availability of a
system. Standard PNP Units must develop, apply and maintain tools and procedures.
Automated tools are only as good as the level of analysis that they perform. It will not be
apparent when an irregularity emerges if tools aren't configured to assess the areas of high
threat in a system configuration.
Staff must note and report any observed or suspected security weaknesses in, or threats to,
systems or services. PNP Units MUST direct personnel to report security incidents through the
applicable management channels soon after an incident is discovered. The types, volumes and costs
of incidents and malfunctions should be quantified and monitored.
Data spillage occurs when data becomes accessible to persons not cleared or briefed for
access to it. In all cases of spillage, PNP Units should assume that the information has been
compromised. Any such spillage must be treated as an incident, following the Incident
Response Plan to deal with it.
The DICTM recommends that PNP Units follow the steps below in handling detected malicious
code.
Step 1: isolate the infected computer or network;
Step 2: scan all connected systems, and any media used within a set period leading up to the
incident;
Step 3: isolate any other infected systems and/or media to prevent re-infection.
The ITSSO may decide to allow an attacker to continue some actions under controlled
conditions for the purpose of seeking further information or evidence. It is important that
the integrity of logs, automatic audit trails and intrusion detection tool outputs be
protected. Units considering this approach should seek legal advice well in advance.

It is critical to maintain ICT security measures once they are in place to ensure their
effectiveness. Effective security management also necessitates a regular review of compliance
with the ICT Security Policy, Risk Assessment, and System Security Plan.
Change Management Standards
A proposed change to a system could involve an upgrade to system hardware or application
software, the addition of an extra terminal, or major changes to system access controls.
The change management process should define appropriate actions to be followed before and after
critical changes are implemented. Notify and educate users of the changes that have been
implemented. A breach of security is an event that impacts the confidentiality, integrity or
availability of a system. Standard PNP Units must develop, apply and maintain tools and
procedures. PNP Units MUST direct personnel to report security incidents through the applicable
management channels soon after an incident is discovered. It is important that the integrity of
logs, automatic audit trails and intrusion detection tool outputs be protected.
As a result, we must note and report any observed or suspected security flaws or
vulnerabilities in systems or services. PNP Units assume that the data has been compromised.
Any such spillage must be treated as an incident and dealt with in accordance with the Incident
Response Plan.
We must constantly maintain and implement security features, as well as upgrade
systems. The PNP creates, applies, and maintains tools and procedures. Take note of and report
potential flaws in security systems.

CHAPTER 9 – REVIEWING ICT SECURITY


This chapter explains the essentials and the process for ICT Security reviews. It also
contains the following topics: ICT Security Reviews and Process for Reviewing ICT Security.
A security review is a collaborative process used to identify security-related issues,
determine the level of risk associated with those issues, and make informed decisions about risk
mitigation or acceptance. When there has been a specific incident, a change in the system's use or
environment that has a substantial influence on security architecture and policy, consideration of
connecting to another system or network, or as part of a routine or scheduled review, ICT
security must be reviewed.
The Directorate for Information and Communications Technology Management
(DICTM) recommends that PNP units review all aspects of ICT Security at least annually. Some
aspects may, however, need to be reviewed more frequently. The review should cover the Security
Documentation, reviewing and updating the Risk Assessment, ICT Security Policy, SSP, and
SOPs as necessary. It also includes the Operating Environment, which will be reviewed when a threat
emerges or when there are changes, when there are gains or losses of function, and when operation
of functions is moved to a new physical environment.
The ITSSO and the CTSSO will conduct a review. The DICTM recommends a process of
peer review be undertaken where practicable and conduct a follow-up process to ensure that
security deficiencies identified during security reviews have been effectively resolved.
The Process for Review of ICT Security should have a basis, elements, information
gathering, and a process. As to basis, the review should be based on comprehensive, current and
reliable information. As to elements, the structure can be broken into a set of elements: Security
Risk Management for the whole PNP might be best approached by a review of each program.
For a particular program, the review could be approached by PROs or division levels. For a particular
building or installation, the review approach could be by PROs, MPOs, CPOs, Stations, or type of
users, separately. In gathering information, depending on the scope and subject of the review,
the DICTM recommends that the ITSSO/CTSSO gather information about areas such as PNP
priorities, Program requirements, threat data, consequence estimates, effectiveness of existing
countermeasures, other possible countermeasures, and best practices. Information may be
gathered from the DICTM, the ITMS, the CES, and other system administrators and users.
Lastly, as to process, PNP ICT Security Reviews should follow the core PNP ICT Security Process
with reference to the existing site and system documentation.
