Which Is More Valuable?

This briefing material is a property of the Bureau of Internal Revenue (BIR)
“Data is more valuable; people are trying to get more of it.”
With your personal information or data, identity thieves can:
 Get a loan (example: a Filipino teacher posted his PRC license on Facebook and thieves obtained a loan amounting to P800k+ using his identity)
 Open credit cards
 Commit crime or fraud, etc.
Impact on victims: lawsuits, stress/anxiety, denial of credit and loans, and time/expenses spent on recovery steps.
How is Data Collected?
 Application Forms
 Questionnaires
 Survey Forms
 Interviews
 Mailing List
 Registration Forms
 Social Media
 Raffle Tickets



Data Privacy and Security
 As required by RA 10173, the Data Privacy Act (DPA), and Rule VI of its Implementing Rules and Regulations (IRR), security measures for the protection of personal data must be in place.
 Data Privacy and Security. Personal information controllers and
personal information processors shall implement reasonable and
appropriate organizational, physical, and technical security
measures for the protection of personal data.
 The personal information controller and personal information
processor shall take steps to ensure that any natural person
acting under their authority and who has access to personal data,
does not process them except upon their instructions, or as
required by law.
Data Privacy and Security
The security measures shall aim to maintain the availability,
integrity, and confidentiality of personal data and are
intended for the protection of personal data against any
accidental or unlawful destruction, alteration, and
disclosure, as well as against any other unlawful processing.
These measures shall be implemented to protect personal
data against natural dangers such as accidental loss or
destruction, and human dangers such as unlawful access,
fraudulent misuse, unlawful destruction, alteration and
contamination.
Security is All About Risk Management
It’s About DAD (Disclosure, Alteration, Destruction) and Safety

Information security is about managing threats involving:


 Disclosure of Sensitive Information (breach of
confidentiality)
 Alteration of that information, so that one cannot rely on
its integrity
 Destruction of that information or disrupting its
availability

Security is All About Risk Management
“Authorization is given to the right people to access the
information and Access Control is preventing the wrong
people from accessing that information.”
Risk management is the identification, assessment and
prioritization of risks followed by coordinated and
economical application of resources to minimize, monitor,
and control the probability and/or impact of unforeseen
events.

How can we protect the
personal information and
sensitive personal
information entrusted to
us?

Security Measures
PHYSICAL SECURITY and TECHNICAL SECURITY measures, applied together, to attain the protection of personal data.
Security is All About Risk Management
Physical Security:
 Prevention from theft
 Protection from fire
 Protection from environmental hazards
Technical Security:
 Protection from viruses
 Backing up data
 Protecting files
 Encryption
Physical Security Measures
As required by RA 10173, under Section 27 of its Implementing Rules and Regulations (IRR):
Section 27. Physical Security Measures. Where appropriate, personal
information controllers and personal information processors shall comply
with the following guidelines for physical security:
a. Policies and procedures shall be implemented to monitor and limit
access to and activities in the room, workstation or facility, including
guidelines that specify the proper use of and access to electronic
media;
b. Design of office space and work stations, including the physical
arrangement of furniture and equipment, shall provide privacy to
anyone processing personal data, taking into consideration the
environment and accessibility to the public;
c. The duties, responsibilities and schedule of individuals involved in the
processing of personal data shall be clearly defined to ensure that only
the individuals actually performing official duties shall be in the room or
work station, at any given time;
d. Any natural or juridical person or other body involved in the processing
of personal data shall implement policies and procedures regarding the
transfer, removal, disposal, and reuse of electronic media, to ensure
appropriate protection of personal data; and
e. Policies and procedures that prevent the mechanical destruction of
files and equipment shall be established. The room and workstation
used in the processing of personal data shall, as far as practicable, be
secured against natural disasters, power disturbances, external
access, and other similar threats.
This Could Happen to Us
 Loss of PCs submerged in floodwaters
 Fire in the office
Physical Security Measures
 Keep files in a secured location
 Practice a clean-desk policy
Physical Security
1. The most obvious way to protect data is to keep it in a safe, locked
room or building.
2. A protected room can be safeguarded by:
■ Lock-and-key
■ ID card scanning
■ Biometrics (retina scan, fingerprint scanning)
■ Using a safe
■ Alarm systems
Technical Security Measures
As required by RA 10173, under Section 28 of its Implementing Rules and Regulations (IRR):
Section 28. Guidelines for Technical Security Measures.
Where appropriate, personal information controllers and
personal information processors shall adopt and establish
the following technical security measures:
a. A security policy with respect to the processing of
personal data;

b. Safeguards to protect their computer network against accidental,
unlawful or unauthorized usage, any interference which will affect
data integrity or hinder the functioning or availability of the system,
and unauthorized access through an electronic network;
c. The ability to ensure and maintain the confidentiality, integrity,
availability, and resilience of their processing systems and
services;
d. Regular monitoring for security breaches, and a process both for
identifying and accessing reasonably foreseeable vulnerabilities in
their computer networks, and for taking preventive, corrective, and
mitigating action against security incidents that can lead to a
personal data breach;
e. The ability to restore the availability and access to
personal data in a timely manner in the event of a
physical or technical incident;
f. A process for regularly testing, assessing, and
evaluating the effectiveness of security measures; and
g. Encryption of personal data during storage and while in
transit, authentication process, and other technical
security measures that control and limit access.

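Item (g) is the one most often done wrong in practice: encryption that hides the data but does not detect changes to it protects confidentiality but not integrity, and the IRR asks for both. The Go program below is an example added to this briefing (not BIR code and not part of any BIR system) showing what "encryption of personal data during storage" looks like when both properties are wanted: AES-256-GCM with a fresh nonce per record and a record label bound as associated data, so a stored record that has been altered by even one bit is rejected outright instead of being decrypted to garbage. The record contents are a constructed sample, and keeping the key in a KMS or HSM is assumed rather than implemented.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// NewKey generates a random 256-bit data-encryption key. In production the
// key is held in a KMS or HSM (assumed here, not shown) and never stored
// beside the records it protects; destroying the key is then a valid way
// to render old media unreadable before disposal or re-use.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts a personal-data record with AES-256-GCM and returns
// nonce || ciphertext || tag. A fresh random 96-bit nonce is drawn per call;
// reusing a nonce under the same key breaks both confidentiality and integrity.
// associatedData is authenticated but not encrypted; binding a record label
// (for example the table and schema version) stops a valid ciphertext from
// being replayed into a different context.
func Seal(key, plaintext, associatedData []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // fails unless key is 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag to the nonce buffer.
	return aead.Seal(nonce, nonce, plaintext, associatedData), nil
}

// Open reverses Seal. If the nonce, ciphertext, tag or associated data was
// changed by as little as one bit, GCM rejects the record and returns no
// plaintext at all; that refusal is the integrity guarantee.
func Open(key, sealed, associatedData []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("sealed record too short")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, associatedData)
}

// TamperRejected seals a constructed sample record, flips one bit of the
// stored copy and reports whether Open refused it (true = tamper detected).
func TamperRejected(key []byte) (bool, error) {
	record := []byte("constructed sample personal-data record: name=Juan dela Cruz")
	label := []byte("taxpayer-record-v1")
	sealed, err := Seal(key, record, label)
	if err != nil {
		return false, err
	}
	sealed[len(sealed)-1] ^= 0x01 // corrupt the authentication tag
	_, err = Open(key, sealed, label)
	return err != nil, nil
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	sealed, err := Seal(key, []byte("constructed sample record"), []byte("taxpayer-record-v1"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("sealed record: %d bytes (12-byte nonce + plaintext + 16-byte tag)\n", len(sealed))
	rejected, _ := TamperRejected(key)
	fmt.Println("tampered copy rejected:", rejected)
}
```

Because the key is the only thing that makes the stored bytes readable, keeping it apart from the media also gives a clean answer to the physical-security guideline on transfer, removal, disposal and reuse of electronic media: destroy the key and the old disk holds only ciphertext. Encryption in transit is a separate control (TLS on every connection that carries personal data) and is not shown here.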
Examples of Security Breaches and Practices to Avoid Them

Data Breach: Theft or loss of computers and laptops, portable electronic devices, electronic media, or paper files.
Recommended Practices:
1. Ensure proper physical security of electronic and physical restricted data wherever it lives.
    Lock down workstations and laptops as a deterrent.
    Secure your area, files and portable equipment before leaving them unattended.
    Do not leave papers, computers or other electronic devices visible in an empty car or house.
    Shred sensitive paper records before disposing of them.
    Do not leave sensitive information lying around unprotected, including on printers, fax machines, copiers, or in storage.
2. Laptops should be secured at all times. Keep your laptop with you or lock it up securely before you step away, and make sure it is locked to or in something immovable.
3. Use extra security measures for portable devices (including laptop computers) and portable electronic media containing sensitive or critical information:
    Encryption
    Extra physical security
Data Breach: Insecure storage or transmission of restricted data and other sensitive information.
Recommended Practices:
 Be sure you know who has access to folders before you put restricted data there.
 Be certain you do not put sensitive information in locations that are publicly accessible from the Internet. Double check: if you can access it online without a password, so can others.
 Do not use open/unencrypted wireless when working with or sending this data.
 Do not email or IM (instant message) unencrypted restricted data.
Data Breach: Password hacked or revealed.
Recommended Practices:
 Use good, cryptic passwords that are difficult to guess, and keep them secure.
 Never share or reveal your passwords, even to people or organizations you trust.
 Use different passwords for accounts that provide access to restricted data than for your less-sensitive accounts.
 Use different passwords for work and non-work accounts.
 Change initial and temporary passwords, and password resets, as soon as possible. These tend to be less secure.
Data Breach: Missing "patches" and updates. Hackers can take advantage of vulnerabilities in operating systems (OS) and applications if they are not properly patched or updated. This puts all of the data on those systems and on other connected systems at risk.
Recommended Practices:
 Make sure all systems connected to the network/Internet have all necessary operating system (OS) and application security "patches" and updates.
Data Breach: Computer infected with a virus or other malware. Computers that are not protected with anti-malware software are vulnerable. Out-of-date anti-malware may not detect known malware, leaving your computer vulnerable to infection.
Recommended Practices:
 Install anti-malware software and make sure it is always up-to-date.
 Do not click on unknown or unexpected links or attachments. These can infect your computer.
 Do not open files sent via chat/IM or P2P software on a machine that contains restricted data; these files can bypass anti-virus screening.
Data Breach: Improperly configured or risky software. This can open your computer up to attackers.
Recommended Practices:
 Do not install unknown or suspicious programs on your computer. These can harbor behind-the-scenes computer viruses or open a "back door" giving others access to your computer without your knowledge.
 Do not put sensitive information in places where access permissions are too broad.
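The last item, "access permissions are too broad", can be checked rather than remembered. The Go program below is an example added to this briefing (not BIR tooling) that walks a folder and reports every file or directory whose Unix group or other permission bits let anyone besides the owner read, write or traverse it, then tightens the flagged entries to owner-only on request. It assumes a Unix-like host and looks only at mode bits; POSIX ACLs and SMB/NFS share permissions are outside what it inspects.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
)

// Finding is one file or directory whose Unix permission bits let accounts
// other than the owner read, write or traverse it.
type Finding struct {
	Path   string
	IsDir  bool
	Mode   fs.FileMode
	Reason string
}

// AuditPermissions walks root and flags every entry whose group or other
// bits are set. A folder holding restricted data should be owner-only
// (0700 for directories, 0600 for files) unless a specific group of
// authorised users needs it, and then membership of that group is what
// needs reviewing. Symbolic links are skipped: their own mode bits are
// meaningless and the target is audited when the walk reaches it.
func AuditPermissions(root string) ([]Finding, error) {
	var findings []Finding
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, walkErr error) error {
		if walkErr != nil {
			return walkErr
		}
		if d.Type()&fs.ModeSymlink != 0 {
			return nil
		}
		info, err := d.Info()
		if err != nil {
			return err
		}
		perm := info.Mode().Perm()
		var reason string
		switch {
		case perm&0o007 != 0:
			reason = "accessible to every user on the host (other bits set)"
		case perm&0o070 != 0:
			reason = "accessible to the file's group (group bits set)"
		default:
			return nil // owner-only: nothing to report
		}
		findings = append(findings, Finding{path, d.IsDir(), perm, reason})
		return nil
	})
	return findings, err
}

// Tighten applies owner-only modes to each finding. It changes only the
// entries the audit flagged, so the caller can review the list first.
func Tighten(findings []Finding) error {
	for _, f := range findings {
		mode := fs.FileMode(0o600)
		if f.IsDir {
			mode = 0o700
		}
		if err := os.Chmod(f.Path, mode); err != nil {
			return err
		}
	}
	return nil
}

func main() {
	root := "."
	if len(os.Args) > 1 {
		root = os.Args[1]
	}
	findings, err := AuditPermissions(root)
	if err != nil {
		fmt.Fprintln(os.Stderr, "audit failed:", err)
		os.Exit(1)
	}
	for _, f := range findings {
		fmt.Printf("%s\t%#o\t%s\n", f.Path, f.Mode, f.Reason)
	}
	fmt.Printf("%d entries need attention\n", len(findings))
}
```

Run it as `go run audit.go /path/to/restricted` and review the list before calling Tighten; a group-readable folder may be intentional, in which case the right fix is to confirm who is in that group rather than to remove the bit.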
Data Breach: Insecure disposal and re-use.
Recommended Practices:
 Destroy or securely delete restricted data prior to re-use or disposal of equipment or media.
 Shred sensitive paper records before disposing of them. Do not re-use them where the information could be exposed.
Implementation of Information Security
in the BIR
To ensure compliance with RA 10173, revenuers are duty-
bound and mandated to follow:
 Section 270 of the NIRC as Amended by RA10021 –
Unlawful Divulgence of Trade Secrets
 RMO No. 50-2004 – Policies & Guidelines on the BIR’s
Information & Technology Security Infrastructure
 RMO No. 67-2010 – Policies & Guidelines on Information &
Communication Technology Security Offense
 RMO No. 12-2014 – Information Asset Classification
Guidelines
 RMO No. 15-2014 – Revised Information & Communication
Technology Security Policy
 ISG Memorandum Order 2-2017 – Personal Computer (PC)
Baseline Standards (Confidential to ISG)

1. Various guidelines in compliance with RA 10173 are being reviewed
for release to BIR Users:
■ Password and Login Control Guidelines
■ Email Security Guidelines
■ Internet Security Guidelines
■ Application System Security Guidelines
■ Secure Application Development Guidelines
■ Network Security Guidelines
2. Various baseline security standards and procedures were also prepared
and are under review, including the Information Security Incident
Management Procedures.
3. IT solutions in place to ensure compliance with RA 10173:
■ Anti-virus
■ Firewall
■ Intrusion Detection and Prevention System
■ Active Directory
■ eMail Security
■ Distributed Denial of Service (DDoS) mitigation
■ Web Content Filtering
■ Vulnerability Assessment
■ Transport Layer Security (TLS) and Secure Sockets Layer (SSL) solution
(SSL itself is deprecated; servers should accept only TLS 1.2 or later)
Bureau’s Compliance with RA 10173
In line with the Data Privacy Committee created under RSO 395-2017, the following teams were formed at the National Office to comply with the Data Privacy Accountability and Compliance Framework and to attain the Five Pillars/Commandments of the National Privacy Commission:
 Privacy Impact Assessment (PIA)
 Privacy Management Program and Privacy Manual
 Day-to-Day (Privacy Notice)
 Data Security
 Breach and Security Incidents
 Third Parties
 Manage HR
 Projects
 Manage Legal
Practical Data Protection Tips
 Retention and storage – safe and secure place for storing
paper documents, preferably with environmental
controls. Same requirements apply to paper documents
that are stored offsite at warehouses.
 Disposal and destruction – secure disposal or destruction
of the paper documents when the retention periods are
reached.
 Do not recycle papers containing personal data or
confidential information.

Practical Data Protection Tips
 Train your employees on the data protection law and your
organization’s policies and practices.
 Have a document classification scheme so that the
appropriate level of confidentiality and protection can be
accorded to each type of document.
 Restrict employees’ access to classified documents
based on job roles or on a “need to know” basis.
 Train new employees on the organization’s policies and
practices in handling classified documents.

Practical Data Protection Tips
Visitors’ record book
 Shield the personal data of earlier visitors from
subsequent visitors.
 Use individual paper forms or individual screens on
electronic devices.
Face-to-face meetings
 Prevent eavesdropping by locating the discussion area
away from the flow of human traffic.
 Shield discussion notes and computer screens to prevent
unauthorized viewing.
Practical Data Protection Tips
Service Counter
 Shield confidential documents from the public eye.
 Tilt computer screen away from the line-of-sight of the
public.
 Do not leave personal data lying around.

Practical Data Protection Tips
Organizations and individuals handling paper documents containing personal data or other confidential information should understand that while IT-related risks of data breaches might be significant, paper document-related risks should not be overlooked.


Practical Data Protection Tips
Organizations and individuals who make use of digital copiers
should take the following precautionary measures:
 Understand that digital copiers and printers contain a
hard disk and ensure that it is removed or that all data is
securely deleted from it before your organization parts
with possession of the device.
 Ensure that personnel are not careless about leaving
personal data exposed in, on or around the office copier.
Discarded copies must be securely shredded.

Practical Data Protection Tips
 Ensure that the necessary due diligence with the copier
vendor or lessor is in place from a contractual
perspective.
 Put in place security measures within the copier unit that
prevent data leakage.

VIDEO
Handle Personal Info
with Care

Instruction:
Before proceeding to the next slides, watch the
video Amazing mind reader. Click the link
https://youtu.be/F7pYHN9iC9I to watch the video.
Given the volume of
taxpayer transactions, data
and information that BIR
handles on a regular basis,
we are mandated to comply
with the Data Privacy Act of
2012 – RA 10173
