Data Security Policy for the Philippine Government Common Platform

  1. Background and Rationale

    1.1. The information collected by the Philippine government is necessary in order to deliver its services and make informed decisions with regard to national policy. Oftentimes, the information collected is of a confidential and sensitive nature. Exposure of such data to unauthorized parties would be harmful and could result in irreparable consequences that would affect the welfare of the citizens of the Philippines.

    1.2. Paramount to the successful implementation of the Philippine Government Common Platform (PGCP) is the successful implementation of its security policies. These policies exist to safeguard the information that the government gathers through its agencies. Successful implementation should also build up confidence and cooperation among the different agencies, assuring them that their data will be safe, even when exposed to other agencies.

  2. Scope and Limitation

    2.1. This document will serve as a guide for the implementation of the security policies of the PGCP. The document will outline the following:

      • System standards that the GCP must adhere to

      • User roles and authorization policies

      • Rules and regulations with regard to the use of the system

      • Storage media policy and the disposal of media

      • Compliance with the rules and regulations of the PGCP

    2.2. The scope of this document will encompass the following:

      2.2.1. The DICT as the main provider of the infrastructure and applications necessary to facilitate the functions of the PGCP.

      2.2.2. The different agencies of the Philippine Government that are part of the collaborative groups that make up the PGCP, including National Government Agencies (NGAs), Government Financial Institutions (GFIs), Government Owned or Controlled Corporations (GOCCs), State Universities and Colleges (SUCs) and other units.

      2.2.3. The data shared by the agencies through the PGCP. This covers data that has become a part of the authoritative registries.

      2.2.4. The applications, hardware and systems deployed specifically for the implementation of the PGCP at the agency level.

      2.2.5. The citizens whose data will be a part of the GCP registries and who will be using the applications and services tied up with the GCP.

  3. Glossary of Terms

    3.1. Agency – an office within the Philippine Government that fulfills a specific function as part of the whole bureaucracy.

    3.2. Apps/ Applications – software that provides the functions required for the GCP system to function.

    3.3. Collaborative Groups – a group of agencies within the government that have agreed to share data with each other because of their needs and mandates.

    3.4. Data Integrity – refers to the accuracy and consistency of the data.

    3.5. Encryption – a method of securing data to render it unreadable except to authorized parties.

    3.6. GCP/ PGCP – abbreviation for Philippine Government Common Platform.

    3.7. GCP Office – a body composed of personnel from the DICT that shall oversee the GCP system.

    3.8. PKI – Public Key Infrastructure: a type of electronic identification that is used as part of the system for user verification.

    3.9. Privilege – the functions a user may perform within the PGCP system.

    3.10. Repository/ Repositories – the environment where the data and system components of the collaborative groups are stored.

    3.11. Sanitation – for the purposes of this document, the act of removing content from storage media to render the previous content unreadable or unrecoverable.

    3.12. Steering Committee – a body composed of officers from the GCP and the different agencies that guides the policies of the GCP and its members.

    3.13. Storage Device/ Media – hardware used to contain data or content in digital form.

  4. System Standards

    4.1. This refers to the properties and capabilities that the different components of the GCP must possess. It encompasses the applications, hardware and other tools that will be used to run the PGCP system.

    4.2. The system must be capable of enforcing the data access rules between the agencies, based on the agreements of their respective collaborative group.

      4.2.1. It must be capable of identifying an individual from the user ID and credentials presented, the role of that user within the PGCP system and the functions the particular user has access to.

      4.2.2. The system must also be capable of monitoring all user activities at any given time and logging these activities for future reference.

    4.3. The system must have a means of encrypting its contents to prevent unauthorized personnel from viewing them. It must support single sign-on and standard security certification protocols (X.509, SSL, OCSP/CRL and PKCS12), as per the GCP document.

    4.4. All software used in the system must run its latest stable, secure version.

      4.4.1. Personnel in charge of maintaining the software in the GCP environment must test the updated version before applying it to the PGCP. They must test the update for any possible bugs or compatibility flaws that it may cause with the other components.

      4.4.2. Once the update has passed testing based on the benchmarks from authoritative bodies, the update may be applied to the PGCP system. The GCP Office must notify the members of the update and of the changes in the system brought about by the update.

    4.5. Hardware that will be deployed to house the components of the GCP should comply with the following standards:

      4.5.1. The hardware must comply with the system requirements listed in the GCP paper.

      4.5.2. Hardware must be positioned in such a way that makes it difficult for unauthorized personnel to eavesdrop on the workstation monitors. This includes eavesdropping through CCTV cameras, webcams and other types of remote viewing technology.

      4.5.3. The hardware must have some sort of protective cover that will prevent scrutiny and tampering of its internal components by unauthorized personnel.

      4.5.4. Network cabling must be installed away from electrical cables to prevent interruption of services. Network cabling must be properly insulated for protection.

      4.5.5. Only authorized personnel appointed by the GCP Office will be allowed to conduct maintenance and repair on any hardware components of the GCP. Personnel who have conducted repair or maintenance on the GCP must submit a report to the GCP Office.

    4.6. The network must have a means of preventing unauthorized access from outside the system.

      4.6.1. The network must have a firewall installed to prevent unauthorized intrusion.

      4.6.2. The network must also have a means of implementing a secure gateway in order to filter access to the system. It must also be capable of identifying the host from which users are accessing the system and of blocking unauthorized hosts.

      4.6.3. The network must also be capable of generating reports about unauthorized network intrusions and of informing the personnel in charge of security as soon as the attack occurs.

    4.7. The GCP Office must assign personnel in charge of security. These personnel will be in charge of monitoring the system for any bugs or unauthorized intrusions and resolving them. They must have the necessary experience in network security matters and be drawn from the DICT staff.

      4.7.1. Aside from monitoring, personnel in charge of security must conduct regular penetration tests to ensure the integrity of the system.

        4.7.1.1. These tests must be conducted once a month. The personnel in charge must test the system for any vulnerabilities based on the latest standards and methodologies from authoritative bodies. They must note any problem areas in the system and resolve them.

        4.7.1.2. After conducting the tests, they must notify the GCP Office of their findings for review. They must inform the GCP Office of any resolved and unresolved issues and the next steps to be taken. The GCP Office may give advice on dealing with the unresolved issues.

      4.7.2. The security personnel are also responsible for updating the security tools in the GCP system.

      4.7.3. The security personnel must also issue monthly bulletins via official communication to the member agencies of the collaborative groups. Only content that has been reviewed and approved by the GCP Office may be released. The bulletins must inform the members of any changes in the system such as upgrades or bug fixes. They may also disseminate other information such as scheduled downtimes in the system, changes in key personnel and workshops or trainings in the use of new features in the system, among others.

  5. Users and their Roles

    5.1. Users of the GCP are given roles within the system. The privileges and responsibilities of these roles within the GCP must be explicitly defined.

    5.2. Back-end Authorization

      5.2.1. Individuals who will be granted access to the back-end components of the GCP must be nominated by authorized officers of their parent agency.

        5.2.1.1. The individual must comply with the guidelines and qualifications set by the agency with regard to who can handle its data.

        5.2.1.2. The individual must be granted clearance by an authorized law-enforcement or intelligence agency of the Philippines.

        5.2.1.3. The user must then be approved by the GCP Steering Committee and the GCP Office. Once an individual has been approved by the GCP Office and the Steering Committee, he or she will be assigned a user ID.

      5.2.2. No user ID may have more than one (1) role. Each role given to an individual must be approved by the GCP Office and the GCP Steering Committee.

      5.2.3. The system must be capable of associating a role with a user ID, based on the assignment made by the GCP Office. The system must also be capable of enforcing the appropriate user functions for all users based on their roles.

      5.2.4. Prior to being granted privileges to work within the GCP environment, users must be made fully aware of all security procedures and rules with regard to the GCP. It falls to the personnel in charge of security to properly orient all users. It is the responsibility of the security personnel to make sure that users fully understand and appreciate the rationale of these procedures and the consequences if they are not followed.

    5.3. The different functions available to a user within the GCP system are defined as follows:

      5.3.1. Access – a user may use a particular type of data for a particular task, but does not necessarily have permission to view it.

      5.3.2. Read – a user is allowed to view the data within the system.

      5.3.3. Search – a user is allowed to filter content within the system to locate the data he or she is looking for.

      5.3.4. Write – a user is allowed to add new data into the system.

      5.3.5. Edit – a user is allowed to change the content of data within the system.

      5.3.6. Run – a user is allowed to run some of the apps or functions within the system.

      5.3.7. Delete – a user is allowed to remove content from the system.

    5.4. The different roles within the GCP are:

      5.4.1. Contributor – Users with this role are allowed to Search and Access data they have permission for. A user must be given explicit permission to Read, Write and Edit data by the agency with authority over that particular data.

      5.4.2. Agency Level – Users with this role have the responsibility of overseeing the data and applications within the scope of their own agency, making sure that the contents are up to date and aligned with the policies of the GCP. Users with this role are allowed to Access, Read, Write, Edit, Search and Delete data from their parent agency and to Run applications that directly affect their data at the agency's level.

      5.4.3. Collaborative Group Level – Users with this role have access to the applications used at the collaborative group level. It is also their responsibility to make sure that the contents of their repository are properly accessed by the authorized agencies. This user may Access and Search for data, Run applications necessary for the system to function and Delete content under their responsibility. This user may not Read, Write or Edit data within the collaborative group, nor may they Delete content outside their privileges.

      5.4.4. Registry Access – Users with this role have access to the applications used at the registry level. It is also their responsibility to make sure that the contents of their registry are accessible by the authorized agencies. This user may Access and Search for data, Run applications necessary for the system to function and Delete content under their responsibility. This user may not Read, Write or Edit data within the collaborative group, nor may they Delete content outside their privileges.

      5.4.5. Administration Access – Users with this access have access to the applications that affect the whole of the GCP. Each aspect of the whole GCP has a different administrator, with their own explicit functions. As stated in the GCP document, no administrator will have complete access to the whole of the GCP. These administrators are classified into the following:

        5.4.5.1. GCP Master Administrator – this administrator will have top-level access to the GCP system, but does not have the same access as the other administrators. This user may Search for data, Run applications and Delete content that are part of their function.

        5.4.5.2. Environment Administrator – this administrator will have access to the core components of the GCP system. This user may Run applications and Delete content that are part of their function.

        5.4.5.3. Database Administrator – this administrator will have access to the database tier of the system. This, however, does not necessarily give them access to the contents of the database. This user may Search for data, Run applications and Delete content that are part of their function.

        5.4.5.4. Application Administrator – this administrator will have access to a specific application within the system. This user may Run applications and Delete content that are part of their function.

  6. Client Access

    6.1. Individuals may also be granted access to a limited number of the components of the GCP services as clients of GOCCs and of agencies that provide front-line services.

    6.2. The registration of these clients into the system shall be facilitated by the appropriate agency.

      6.2.1. Each client shall be given a unique user account that is tied to his or her identification credentials within the agency's records. No client may possess more than one user account for that particular agency.

      6.2.2. The registration process must be accomplished in accordance with the provisions of the Anti-Red Tape Act of 2007. The guidelines for this process must also be made readily available to the public.

      6.2.3. Once a client has been registered, the agency must inform him or her as soon as possible. The agency must also give the client his or her credentials and a temporary password. The agency must instruct the client to change the temporary password as soon as possible.

    6.3. Clients may only have access to their personal data. They may only use applications in the GCP that allow the client to avail of the agency's front-line services.

  7. Training

    7.1. Training in the proper use of the GCP and its components must be made available to all users.

    7.2. It is also the responsibility of the security personnel to train the users on the security standards and procedures of the GCP. They must be able to inform the users about the rationale behind the security policies. They must also release guidelines on security matters for the benefit of the client users.

    7.3. All personnel involved in the use of the back-end of the GCP must be trained not just in the proper use of the system, but in the different security protocols and practices being implemented within the system.

      7.3.1. Every member agency must send its designated GCP personnel to the training sessions organized by the GCP Office prior to the launch of its system.

      7.3.2. Access to the system will only be granted to those personnel who have completed this training course.

    7.4. The training of the clients is the responsibility of the agencies concerned. The agencies must make sure that their clients are properly trained in the use of the services available to them. The agency must also instruct its clients in the best practices involved in securing their credentials. The clients must also be instructed to change their temporary password as soon as possible.

    7.5. A user manual must be provided to the users, both as a booklet in electronic format and as an online wiki. The manual must be updated as often as possible to conform to the latest version of the system.

  8. Data Security Policies

    8.1. Data Classification

      8.1.1. The Philippine government has adopted the following system of classifying the secrecy of its data, based on Memorandum Circular 78, series of 1964 (has this been amended or repealed? What is the scope? [executive, judiciary, congress, LGUs, constitutional bodies?]):

        8.1.1.1. Top Secret Matter – Information and material (matter) the unauthorized disclosure of which would cause exceptionally grave damage to the nation, politically, economically, or from a security aspect.

        8.1.1.2. Secret Matter – Information and material (matter) the unauthorized disclosure of which would endanger national security, cause serious injury to the interest or prestige of the nation or of any governmental activity, or would be of great advantage to a foreign nation.

        8.1.1.3. Confidential Matter – Information and material (matter) the unauthorized disclosure of which, while not endangering the national security, would be prejudicial to the interest or prestige of the nation or any government activity, or would cause administrative embarrassment or unwarranted injury to an individual, or would be of advantage to a foreign nation.

        8.1.1.4. Restricted Matter – Information and material (matter) which requires special protection other than that determined to be Top Secret, Secret or Confidential.

      8.1.2. Due to its sensitive nature, data classified above Restricted should not be shared with the PGCP system. Agencies that need such data must go through the proper alternate channels to obtain it.

      8.1.3. Data that has been reclassified below Confidential or declassified may be added to the data repositories. The data in question must have undergone the proper reclassification process based on MC 78. The agency must present to the GCP Steering Committee and the GCP Office the documents that prove the reclassification of the data.

    8.2. Collaborative Groups

      8.2.1. The collaborative groups, under the guidance of the GCP Steering Committee, must come up with the specific rules and regulations that will govern their collaboration effort.

      8.2.2. They must determine which agency will act as steward for a particular type of data. This agency shall vouch for the authenticity and accuracy of the data.

      8.2.3. The agencies must determine which data can be shared within the collaborative group. They must also agree which agencies may access the data and to what extent.

      8.2.4. The rules must be codified in a written and signed agreement amongst the participants of the collaboration.

    8.3. Applications

      8.3.1. The agencies must determine what applications they would need in order to function within the GCP system. They must inform the GCP Office which among the Shared Apps provided by the DICT they would need.

      8.3.2. The requested apps shall be installed by the GCP Office. The GCP Office shall provide the users with the appropriate training in the use of the apps.

      8.3.3. Agencies that need to include custom apps within the GCP system must develop their apps using the standards of the eGovFrame.

    8.4. User Access Policies

      8.4.1. System Access

        8.4.1.1. System access refers to a user being able to access the data contents and applications necessary for the PGCP to function.

        8.4.1.2. Each user will be given a unique user ID with a temporary password.

          8.4.1.2.1. Users must be instructed to immediately change their temporary password upon receiving their account details.

          8.4.1.2.2. The new password must conform to the recommended methods of creating a secure password, as prescribed by the appropriate regulatory bodies.

        8.4.1.3. It is the responsibility of the user to safeguard his or her password, and the user must not share the password with anyone.

          8.4.1.3.1. If a user has reason to believe that his or her password has been compromised, the user should report this immediately to the proper authorities so that the account can be placed on hold.

          8.4.1.3.2. Sharing of passwords by an individual will be sanctioned accordingly.

        8.4.1.4. If a user account has been inactive for more than two (2) months, the GCP Office must suspend the account as a safety precaution. The GCP Office must then inform the user and his or her agency of the suspension via official communication. If the user is still connected to the agency and is still its designated user for the GCP, the agency must inform the GCP Office in order to reactivate said account and restore its former privileges.

        8.4.1.5. Once a user is no longer connected with his or her agency, the agency must inform the GCP Office at once. The GCP Office must then immediately revoke all of the former user's privileges in the PGCP system. The user account, however, should remain archived for the purposes of auditing, as per section 8.5.2.2 of this document.

      8.4.2. Physical Access

        8.4.2.1. The system must have an additional means of verifying a user's identity besides password authentication. There should be at least one more verification system that relies on something an authorized user possesses.

        8.4.2.2. The PKI of a user will serve as the second means of verifying the identity of the user, based on Executive Order 810.

          8.4.2.2.1. The PKI must not be stored on the user's workstation. It should be stored instead on an external storage device, which will serve as the user's PKI key.

          8.4.2.2.2. It is the responsibility of each user to safely store his or her PKI key. Should a user misplace the PKI key or have reason to believe it has been compromised, the user should immediately notify the proper authorities in order to temporarily suspend the account.

    8.5. System Auditing

      8.5.1. The system must have a means of monitoring the activities of the users in the system. It should be capable of capturing the following user information:

      • User ID and role

      • Time the user logged in and out, which will be referred to as a session.

      • The activities of the user's sessions in the PGCP. This includes the data files that were accessed, their location, whether any changes were made to them, and the applications that were used during the user's session.

      Permission for the PGCP security personnel to examine the specific changes to the data will depend on the rules of the collaborative group.

      8.5.2. The system must have a means of archiving these activities so that they can be easily accessed by the personnel in charge of the security of the PGCP. The system must have a means of attaching a time stamp to the activities of each account for the purposes of referencing. The time stamp must reflect the exact time the activity was performed.

        8.5.2.1. This archive will be used for monitoring user activities while in the system and for any investigations that may be conducted in relation to the PGCP.

        8.5.2.2. Information logged into this archive shall be retained for six (6) years from the time stamp of the activity.

  9. Data Center Standards

    9.1. This section covers the actual physical buildings that will house the components of the PGCP and the personnel on the premises.

    9.2. The data center must meet the following standards:

      9.2.1. Room Space Requirement:

        9.2.1.1. Must be located inside a highly secured area of the data center but separated from the common co-location area;

        9.2.1.2. Must provide biometric authentication and PIN entry. DICT authorized personnel must have physical door access control to the leased room space;

        9.2.1.3. Must provide CCTV facilities with at least 30 days of retention period. Must provide DICT a web-based real-time view-only access to the CCTV feed and recorded CCTV feeds as requested. Traceroute from the web-based CCTV feed going to DICT's network (and vice versa) must route through DICT's peering via PhOpenIX;

        9.2.1.4. Must provide 2 x 30 Amp power sources per rack;

        9.2.1.5. Must have separate pathways for power and network cabling with at least 2 meters of separation;

        9.2.1.6. Must have a redundant PACU system.

      9.2.2. Structure:

        9.2.2.1. Data center building structure that is Seismic Zone 4 compliant (corresponding to the highest earthquake-risk zone);

        9.2.2.2. Must be free from flooding and water leaks;

        9.2.2.3. Must possess industry-standard dedicated telecommunications and electrical lines;

        9.2.2.4. Must have grounding and anti-static flooring systems to protect equipment from electrostatic discharge;

        9.2.2.5. All equipment cabinets and racks housing computing equipment should be seismically braced and bolted to the ground to provide stability and guard against equipment damage.

      9.2.3. Security, Access and Site Availability

        9.2.3.1. The facility must have a designated single point of entry.

        9.2.3.2. Physical access control mechanisms:

          9.2.3.2.1. Special-issue proximity card readers;

          9.2.3.2.2. Biometric authentication and PIN entry for highly secured areas;

          9.2.3.2.3. Man-trap doors equipped with CCTV cameras and/or infrared sensors for highly secured areas;

          9.2.3.2.4. Video surveillance using CCTV security cameras monitoring and recording movements in all areas of the data center;

          9.2.3.2.5. 24x7 controlled and supervised access for the installation, testing and maintenance of co-located equipment.

      9.2.4. Continuous Power Supply

        9.2.4.1. Redundant and highly available commercial power from two (2) separate paths;

        9.2.4.2. UPS systems in parallel-redundant configuration efficiently distributing clean power throughout the computer/server rooms;

        9.2.4.3. Capable of 30 minutes of back-up time at 80% load or better;

        9.2.4.4. Equipped with harmonic filters to eliminate power abnormalities (current spikes);

        9.2.4.5. Failure of 1 or 2 UPS units shall be backed up by the other unit without interrupting the critical load operation;

        9.2.4.6. Fully redundant prime-duty power generators (N+1 configuration or better);

        9.2.4.7. Maximum 5 minutes activation lead time after commercial power failure;

        9.2.4.8. Can ensure up to 5 days of continuous operation without commercial power.

      9.2.5. Facilities Management

        9.2.5.1. All building facilities should be centrally and automatically monitored via an Intelligent Facility Management System (FMS);

        9.2.5.2. Automatic system alerts to facilities personnel in the event of building equipment failure, and 24x7 roving facilities inspection;

        9.2.5.3. Redundant (N+1 configuration) or better commercial-grade cooling systems;

        9.2.5.4. Fire-suppression system that is environment and equipment friendly;

        9.2.5.5. Equipped with an automated fire detection and alarm system, discharge nozzles, manual discharge devices, smoke detectors, horns, bells and strobe lights throughout the facility; fire escape plan/route with exit signs provided;

        9.2.5.6. The proposed data center must be certified with ISO 9001 and ISO 27001.

    9.3. All personnel entering the facilities that house components necessary to the GCP must be subjected to inspection by the security officer on duty. All bags must be presented for inspection and pockets must be emptied as well.

    9.4. Visitors must present any legal ID card they may have as proof of identity. Visitors must also sign in to the visitor's log book, giving their name, organization, contact information and the purpose of their visit. A temporary pass should be issued to visitors, and this pass must be visible at all times. Security personnel reserve the right to deny entrance to, or expel, any visitor who fails to comply with these procedures.

    9.5. Personnel in charge of Facilities Security shall be the only ones who may issue passkeys and enroll the biometric information of personnel assigned to the key areas in the data center. Passkeys and biometric access shall be issued to personnel depending on their function within the GCP. Personnel without the proper means to access such areas are prohibited from entering them.

      9.5.1. It is the responsibility of the employees to care for these, and they must report the loss or damage of their access cards to the authorized unit.

      9.5.2. Personnel are not allowed to lend their access cards to others; those who are found to have lent their access cards shall be sanctioned accordingly.

    9.6. All personnel leaving the facilities must be subjected to inspection by the security officer on duty. All visitors must surrender their temporary pass to the officer in exchange for their ID. Visitors must also sign out of the visitor's logbook.

    9.7. It is highly recommended that the facilities have a means of biometric access at critical portions of the facilities. Individuals who fail to present the proper biometric authentication must be denied access to these areas. The system must also be capable of tracking who is logged in and who has logged out.

    9.8. Storage media that is the personal property of a user may not be brought into areas which house components critical to the GCP. These must be left in areas of less critical function or surrendered to the personnel on duty.

      9.8.1. Users may not install any third-party applications used for cloud storage or file sharing on any workstation or server critical to the GCP. Users are also forbidden from accessing other third-party file sharing services from workstations critical to the GCP. Personnel in charge of system security must ensure that these services cannot be accessed from the workstations.

      9.8.2. Users who have been found to have violated the two (2) preceding items will be sanctioned accordingly.

    9.9. Security must keep a record of all personnel entering and leaving the facilities. There should be a means of monitoring visitors in the facility and of identifying their name, organization, purpose of visit/ person visited, and the time they arrived at and left the facility. The facility must also keep a log of the time a particular passkey was used and where it was used.

  10. Communications

    10.1. Data that will be a part of the GCP must only be transferred through the applications within the GCP. The transmission of data via email is strictly forbidden. Email will only be used for the purposes of coordination and issuing advisories concerning the GCP. Those who violate the above items shall be sanctioned accordingly.

    10.2. All official messages and advisories with regard to the GCP must be sent via the official email of the GCP Office to the agency email accounts of the members. Official communications should not be sent to the personal email accounts of the members. Advisories include updates to the system, system downtime, security bulletins and other concerns related to the GCP.

      10.2.1. All email which directly concerns the GCP or its contents must be encrypted in order to prevent unauthorized access. The sender must use proper encryption methods using their PKI.

      10.2.2. The receiver must open said email on a computer that has the proper certificates capable of recognizing the signature of the sender. Opening email which pertains to the GCP over a public network is prohibited.

    10.3. Other Forms of Communication

      10.3.1. Other forms of communication that directly concern the GCP must be conducted discreetly through the proper official channels. All devices used for this purpose must be encrypted based on the recommendation of the appropriate regulatory bodies.

  1. Storage Equipment Policy and Disaster Recovery

    1. Storage Media Policies (important: define what type of data is stored. Please ask the Tech Team how they intend to operationalize GCP. In certain models, the GCP is treated as a backbone / “crossroad” or platform that is used to share data, but not store data. Depending on how the GCP team designs GCP, we may not even need much storage space)

      1. Only servers or storage media that have been procured for the purposes of the GCP by duly authorized bodies may be used to store the contents of the system.

      1. The devices must conform to the hardware standards stated in the GCP document.

      1. The partition allotted to each component of the system must be determined before the storage space is allotted. The size of the partition must be based on the amount of content to be uploaded, the applications that will be running in the system, and other technical needs as determined by the agencies, the GCP Office and the Steering Committee.

      1. Storage allotted for a particular purpose may not store content for another purpose. This is to ensure that data integrity is preserved.

      1. Should an agency or other group within the GCP require additional storage space, they must send an official request to the Steering Committee and the GCP Office.

        1. They should submit their intention at the start of the year to the GCP Office and the Steering Committee, in order to give the GCP Office time for procurement (if necessary).

        1. They must state their intention, the reason for the expansion and how much space they would need. Once their request has been approved, the GCP Office should inform the requesting party and facilitate the allotment of the requested space.

    1. Transfer of Contents to New Storage Media

      1. The systems administrators may sometimes need to transfer the contents of a storage device or server to a different device, when the equipment in question is no longer capable of functioning as part of the system or it must undergo sanitation due to harmful content inside the device.

      1. Only duly appointed personnel are allowed to transfer data from one storage medium to another.

      1. Before the transfer, the appointed personnel must notify the GCP Office and the agencies with data stored in the media of their intent. They must state through official communication the reasons for doing so and must give an estimated duration for completing the process. Once this has been approved by the agencies, the personnel should complete the transfer no later than the date they have given.

      1. The personnel in charge of the data transfer must inform the users of any down time in the system and how long it will take prior to the start of the process. They must also notify the users as soon as the system is fully operational again.

      1. The personnel in charge of the transfer must take the necessary preparations to ensure that the contents are not corrupted during the process. All hardware that will be used during the transfer must be in good working order. A backup power supply must be ready to take over at a moment’s notice in case of power outages.

      1. The original storage media must not be disposed of until the successful transfer of all its relevant contents has been verified. Once confirmed, the media must be subjected to the sanitation procedures in Section 12.

    1. Movement of Storage Devices

      1. Storage devices must sometimes be moved to different locations for different reasons, such as renovations to the facility, the need for additional servers at other DICT facilities or other factors that affect the GCP.

      1. Storage media, whether stationary or portable, may only be moved by personnel authorized to handle the hardware.

      1. Before moving storage media outside their facilities, the personnel in charge must submit an official request to the GCP Office and the agencies with content in the storage media. They must state their reason for doing so, the location to which they intend to move the device, and whether the move is temporary or permanent. The process of moving may only begin after approval is given.

      1. The personnel in charge of the data transfer must inform the users of any down time in the system and how long it will take prior to the transfer. They must also notify the users as soon as the system is fully operational again.

      1. Once movement commences, the personnel in charge must make sure all precautions are taken to ensure the safety of the media and their content. The process of moving the device must conform to the methods prescribed by the appropriate regulatory bodies.

      1. Once the transfer process is complete, the personnel in charge must notify the administration. For stationary devices, this must also be verified by an officer on-site.

    1. Disaster Recovery (DR) Policies

      1. The GCP must have a Disaster Recovery plan in order to ensure the continuity of its operations despite the interruption of normal services.

      1. The physical facilities of the site must conform to the standards listed in Section 8.2 of this document.

  1. Sanitation of Storage Media

    1. Storage media that contains components of the GCP may be subjected to sanitation procedures in order to ensure that no sensitive data is left in the device prior to re-use or disposal.

    1. Only duly appointed personnel may carry out the sanitation of storage media or devices that were part of the GCP system.

    1. Storage media must be subjected to methods of sanitation as prescribed by the appropriate regulatory bodies.

    1. The GCP Office must inform the agencies with data stored in a storage device that is due for sanitation. They must inform them of the reason for the sanitation and what will happen to the device afterwards.

    1. Sanitation can only be carried out once the contents have been completely transferred to a new storage device.

    1. The sanitation must be carried out in the presence of a duly appointed representative of the GCP Office knowledgeable in storage sanitation procedures. This officer must confirm that the device has been properly sanitized and its contents are completely unreadable.

  1. Incident Reports

    1. Personnel must report any unusual incidents they may encounter in the system or in the facilities. Unusual incidents cover the following:

      1. Occurrences that do not follow the normal work-flow process;

      2. Errors in the execution of processes in the system;

      3. Unauthorized individuals in work-critical areas; and

      4. Other occurrences of a similar nature.

    1. The GCP Office must assign personnel to handle the Help-desk and to handle internal security reports.

      1. Those assigned to the Help-desk will receive any incident reports from the end-users of the GCP system, such as users from other agencies.

        1. The Help-desk personnel must handle and resolve these issues as per the [GCP Help-desk] policy.

        1. Once resolved, the Help-desk must notify the user who reported the incident of the action taken to resolve it.

      1. Those assigned to internal security will handle cases that are reported by administrators. These are incidents that fall outside the day-to-day operations of the GCP, such as malware, attacks on the system, and other similar incidents.

        1. Administrators must notify personnel in charge of internal security as soon as possible. Internal Security shall conduct an investigation of the incident under the guidance of the GCP Office and Steering Committee.

        1. After the investigation, Internal Security must then report its findings and recommendations to the GCP Office and the Steering Committee for action.

  1. Non-compliance and Sanctions

    1. The GCP Steering Committee and the GCP Office reserve the right to suspend the privileges of a user. Immediately after suspending a user, they must inform the user and the agencies concerned of the cause of the suspension in writing via official communication.

    1. The GCP Office and the Steering Committee will oversee any investigations regarding violations of the policies outlined in this document. The investigation may be conducted with the assistance of the National Bureau of Investigation’s Anti-Cybercrime Task Force if there is reasonable cause to believe the incident is criminal in nature.

    1. Any offenders proven to have committed an act that is in violation of the GCP’s policies will have their user privileges revoked permanently and may no longer be given user access to the GCP system. The offender may face other administrative sanctions, depending on the result of the investigation.

    1. If the GCP Office and the Steering Committee have reasonable justification to believe that the offense was performed with criminal intent, offenders may be prosecuted under RA 10175 or the Anti-Cybercrime Act of 2012.

  1. Review and Revision of Policies

    1. Being a living document, the GCP Security Policy must undergo annual review and revision to ensure that its contents are still up to the current standards and practices of data security and that it is still aligned with the direction of the GCP.

    1. The review shall be conducted by representatives of the GCP Office and the different Steering Committees.

    1. The GCP Office may hire field experts to assist in the revision of the document. These experts must meet the qualifications as determined by the GCP Office and the Steering Committee and must be hired according to the Hiring procedures of the DICT. Due to security concerns, these hired experts will not be given user access to the actual system itself.

    1. The GCP Office and the Steering Committees must create a draft of the proposed changes and subject it to consultation (?). Once the changes have been approved, the document must be received and signed by representatives of the GCP Office, the Steering Committees and the DICT.

    1. Once the new policies have been approved, the GCP Office and Steering Committees must start the implementation of the new policies immediately.
