INTRODUCTION
Republic Act 10844, the law that defines the powers and responsibilities of the Department of Information and Communications Technology (DICT), sets out in its Section 2 the policy of the State on cybersecurity, namely:
The implementing rules and regulations of R.A. 10844 require the following objectives to be achieved in order to carry out the State policy on cybersecurity, namely:
Business organizations and enterprises that are subject to government regulation are required to take part in securing the people, processes, data, applications and infrastructure of the cyberspace in which they do business. The Securities and Exchange Commission, Bangko Sentral ng Pilipinas, Cooperative Development Authority, National Privacy Commission and similar agencies have issued policy guidance on implementing the National Cybersecurity Plan and on ensuring the confidentiality, integrity and availability of information in cyber-connected business systems.
CYBER SECURITY COMPETENCY FRAMEWORK
A RULE AND STANDARD-BASED GUIDANCE TO IMPLEMENT A NATIONAL CYBER SECURITY PLAN
At the end of the training, the persons designated as accountable and responsible for securing the organization's cyberspace must be able to:
1. Recognize the cybersecurity threats and data privacy violations that the business organization must identify, evaluate, analyze and mitigate in order to prevent the legal, financial, reputational and business impact of cybercrime and data privacy violations.
3. Review the valid and verifiable legal, management and technical measures for applying the plan-do-check-act cycle to cybersecurity risk management, aligned with the mandated requirements provided by:
a. R.A. 10844 National Cybersecurity Plan
b. R.A. 10173 Data Privacy Act
c. BSP IT Risk Management Standards and Guidelines
d. ISO, NIST, ETSI, PCI DSS, HIPAA, GDPR and other international standards of practice
4. Formulate, review and implement the security and privacy policies that guide the whole organization in controlling the cybercrimes and data privacy violations that are defined, with their corresponding penalties, in R.A. 10175 and R.A. 10173.
5. Organize, acquire and operate a security incident management system that enables the business organization to validly perform the mandated incident response activities of preparation, identification, containment, eradication, recovery and lessons learned.
6. Create the documentary evidence that demonstrates the commitment of leadership and management to implement the mandated requirements of cybersecurity and data privacy rules, regulations and policies. Compliance deliverables such as the business impact assessment, incident response plan, disaster recovery plan, business continuity plan and incident response team charter are made available and prepared in accordance with recognized standards.
TRAINING PROGRAM
(Learning Session / Learning Topic / Training Duration / Learning Output)

Session 1
Learning Topic: Cyberspace and Cybersecurity Threat Context of Government and Private Organization
Training Duration: 3 hours
Learning Output: Security Incident Indicators Checklist; Security Risk Control Criteria

Session 2
Learning Topic: R.A. 10844 - Cybersecurity Function, Cybersecurity Plan and Computer Emergency Response Team
Training Duration: 3 hours
Learning Output: National Cyber Security Key Result Areas and Requirements for a Computer Emergency Response Team

Session 3
Learning Topic: Cloud First Policy Cyber Security Framework
Training Duration: 3 hours
Learning Output: Cloud Computing Approach to the Digital Transformation Framework and the Cybersecurity Controls

Session 5
Learning Topic: Cyber Security Incident Management and Security Operation Requirements and Standards
Training Duration: 3 hours
Learning Output: Security incident management organization, policies, activities, documentation and technologies
Goal: Understand the rules and standards of a valid and verifiable implementation of cybersecurity mandated activities and outcomes.
Core topic (item 2) of each session:
Session 1 - 2. Cybersecurity Threats According to R.A. 10175 - Cybercrime, R.A. 10173 - Privacy Violation, and R.A. 10844 - National Cybersecurity Plan
Session 2 - 2. Cybersecurity Management Function and Performance Indicators
Session 3 - 2. Cloud First Policy - Security Framework and Data Protection Standard
Session 4 - 2. Cybersecurity Control Standards and Regulatory Guidance
Session 5 - 2. Cyber Threat Intelligence and Security Knowledge Ecosystem
Session 1:
Cyberspace and Cybersecurity Threat Context of Government and Private Organization
1. Common Questions and Definitions on Cybersecurity According to Practice Standards
a. ISO 27000 – Information Security Management Systems: Overview and Vocabulary
b. ISO 27032 – Guidelines for Cybersecurity
c. ISO 27100 – Cybersecurity: Overview and Concepts
2. Cybersecurity Threats According to R.A. 10175 - Cybercrime, R.A. 10173 - Privacy Violation, and R.A. 10844 - National Cybersecurity Plan
a. R.A. 10175 – Cybercrime Prevention Act of 2012
b. R.A. 10173 – Data Privacy Act of 2012
c. R.A. 10844 – National Cyber Security Plan
3. Information Security Risk Management Framework for Cybersecurity
a. ISO 31000 – Risk Management: Guidelines
b. ISO 27005 – Information Security Risk Management
c. ISO 29134 – Privacy Impact Assessment
d. ISO 22307 – Financial Services: Privacy Impact Assessment
Session 2:
R.A. 10844 - Cybersecurity Function, Cybersecurity Plan and Computer Emergency Response Team
1. Cybersecurity Management Framework - Look-Up Standards
2. Cybersecurity Management Function and Performance Indicators
3. National Cybersecurity Plan and its Implementation Advisory
Session 3:
Government Cloud First Policy Cyber Security Framework
1. Cloud First Policy - Implementation Requirement
a. DICT Dept. Circular 2017-002 – Prescribing the Philippine Government's Cloud First Policy
b. DICT Dept. Circular No. 010, s. 2020 – Amendment of Dept. Circular 2017-002
2. Cloud First Policy - Security Framework and Data Protection Standard
a. DICT Dept. Circular 2017-002 – Prescribing the Philippine Government's Cloud First Policy
b. DICT Dept. Circular No. 010, s. 2020 – Amendment of Dept. Circular 2017-002
3. Cloud Computing Security Services and Control Standards
a. ISO 27017 – Cloud Security
b. ISO 27018 – Cloud Privacy
c. ISO 27036-4 – Information Security for Supplier Relationships: Guidelines for Security of Cloud Services
d. ISO 19086-4 – Cloud Computing Service Level Agreement: Components of Security and Protection of Personal Information
Session 5:
Cyber Security Incident Management and Security Operation Requirements and Standards
1. Security Incident Management Process and Incident Response Team Services
2. Cyber Threat Intelligence and Security Knowledge Ecosystem
3. Digital Technologies of Cybersecurity Management Functions
Session 4:
Cybersecurity Information Security and Data Privacy Control Standards and Global Practices
4. Common Security Incident Indicators
a. R.A. 10175 – Cybercrime
b. ETSI Security Incident Indicators
c. OWASP Web Application Exploitation
d. NIST National Vulnerability Database
e. MITRE ATT&CK Threat Model
5. Cybersecurity Control Standards and Regulatory Guidance
a. ISO 27001 – Annex A
b. ISO 27002 – Security Code of Practice
c. ISO 29151 – Privacy and Security Code of Practice
d. ISO 27701 – Privacy and Security Management System
e. ISO 27036 – Information Security for Supplier Relationships
f. Center for Internet Security Control Framework
g. CSA Cloud Controls Matrix
h. SCF Secure Controls Framework
6. Professional Body Competency Framework to Secure the Cyberspace
a. CyBOK – Cyber Security Body of Knowledge
b. ISC2 CISSP – Certified Information Systems Security Professional
c. ISACA CISM – Certified Information Security Manager
d. SANS – GIAC Cybersecurity Certification
e. EC-Council – Certified Ethical Hacker
Prescribed Policies, Rules and Regulations on the Protection of Critical Information Infrastructure with National Cyber Security Plan
2. Conduct annual risk and security assessment
References:
DICT Department Circulars 005 and 003
https://dict.gov.ph/wp-content/uploads/2017/09/Memorandum-Circular-005.pdf
https://dict.gov.ph/wp-content/uploads/2020/03/Dept-Circular-No-003-3062020.pdf
ISO 27000 – Information Security Management Systems: Overview
https://standards.iso.org/ittf/PubliclyAvailableStandards/c073906_ISO_IEC_27000_2018_E.zip
ISO 31000 – Risk Management: Guidelines
https://www.iso.org/obp/ui/#iso:std:iso:31000:ed-2:v1:en
ISO 19791 – Security Assessment of Operational Systems
https://www.iso.org/obp/ui/#iso:std:iso-iec:tr:19791:ed-2:v1:en

4. Create CERT – National, Sectoral and Organization Level
References:
DICT Department Circulars 005 and 003
https://dict.gov.ph/wp-content/uploads/2017/09/Memorandum-Circular-005.pdf
https://dict.gov.ph/wp-content/uploads/2020/03/Dept-Circular-No-003-3062020.pdf