
CYBER SECURITY COMPETENCY FRAMEWORK

A RULE AND STANDARD-BASED GUIDANCE TO IMPLEMENT A NATIONAL CYBER SECURITY PLAN

INTRODUCTION
Republic Act 10844, the law that defines the powers and responsibilities of the
Department of Information and Communications Technology (DICT), lists in its
Section 2 the policy of the state related to cyber security, namely:

1. To ensure the rights of individuals to privacy and confidentiality of their
personal information;
2. To ensure the security of critical ICT infrastructures, including information
assets of the government, individuals and businesses; and
3. To provide oversight over agencies governing and regulating the ICT
sector and ensure consumer protection and welfare, data privacy and
security, and foster competition and the growth of the ICT sector.

The implementing rules and regulations of R.A. 10844 require the following objectives
to be achieved in order to execute the state policy related to cyber security, namely:

1. To formulate a national cybersecurity plan;
2. To extend immediate assistance for the suppression of real-time
commission of cybercrime offenses through a computer emergency
response team (CERT); and
3. To provide pro-active government counter-measures to address and
anticipate all domestic and transnational incidents affecting the
Philippine cyberspace and cybersecurity threats to the country.

Business organizations or enterprises that are subject to government regulation are
made to participate in ensuring the security of the people, processes, data, applications and
infrastructure in the cyberspace in which they do business. The Securities and Exchange Commission,
Bangko Sentral ng Pilipinas, Cooperative Development Authority, National Privacy Commission,
and similar agencies have issued policy guidance on the implementation of the national cyber
security plan and on ensuring the confidentiality, integrity, and availability of information in
cyber-connected business systems.

TRAINING PARTICIPANTS AND OBJECTIVES:

The training is designed for the person or entity identified by a government agency
or business organization to ensure safety in the cyberspace of doing business, which involves
digitally networked people, products, processes, data, applications, and infrastructure.

At the end of the training, the designated persons accountable and responsible for securing the
cyberspace of the organization must be able to:

1. Recognize the cybersecurity threats and data privacy violations that must be identified,
evaluated, analyzed and mitigated by the business organization in order to prevent the
legal, financial, reputational, and business impact of cybercrime and data privacy
violations.

2. Examine the applicable use of established and tested frameworks, methodologies,
intelligence and technologies to secure the cyberspace of people, process, data,
application, connectivity and storage of a business enterprise against cybercrime and
data privacy violations.

3. Review the valid and verifiable legal, management and technical measures to plan-do-
check-act the cyber security risk management that is aligned with the mandated
requirements provided by:

a. R.A. 10844 National Cybersecurity Plan
b. R.A. 10175 Cybercrime Prevention Act
c. R.A. 10173 Data Privacy Act
d. BSP IT Risk Management Standards and Guidelines
e. Securities and Exchange Commission Cyber Security Framework
f. ISO, NIST, ETSI, PCI DSS, HIPAA, GDPR, and other international standards of practice.

4. Formulate, review and implement the security and privacy policies that guide the
whole-of-organization to control the cybercrime and data privacy violations that are
identified in R.A. 10175 and R.A. 10173 with corresponding penalties.

5. Organize, acquire, and operate the security incident management system that enables
the business organization to validly perform the mandated incident response activities
of preparation, identification, containment, eradication, recovery, and lessons learned.

6. Create the documentary evidence that represents the commitment of leadership and
management to implement the mandated requirements of cybersecurity and data
privacy rules, regulations, and policies. Compliance reports, such as the business impact
assessment, incident response plan, disaster recovery plan, business continuity plan,
incident response team, etc., are made available and done right in accordance with
recognized standards.

TRAINING PROGRAM

Session 1
Learning Topic: Cyberspace and Cybersecurity Threat Context of Government and Private Organization
Training Duration: 3 hours
Learning Output: Security Incident Indicators Checklist; Security Risk Control Criteria

Session 2
Learning Topic: R.A. 10844 - Cybersecurity Function, CyberSecurity Plan and Computer Emergency Response Team
Training Duration: 3 hours
Learning Output: National Cyber Security Key Result Areas and Requirements for a Computer Emergency Response Team

Session 3
Learning Topic: Cloud First Policy Cyber Security Framework
Training Duration: 3 hours
Learning Output: Cloud Computing Approach to the Digital Transformation Framework and the CyberSecurity Controls

Session 4
Learning Topic: Cybersecurity Information Security and Data Privacy Control Standards and Global Practices
Training Duration: 3 hours
Learning Output: Normative References for creating security and data privacy in the cyberspace of government and business

Session 5
Learning Topic: Cyber Security Incident Management and Security Operation Requirements and Standards
Training Duration: 3 hours
Learning Output: Security incident management organization, policies, activities, documentation and technologies

Cyber Security Competency Framework – Detailed Training Content

Goal: Understand the rules and standards of a valid and verifiable implementation of cybersecurity mandated activities and outcomes.

Session 1: Cyberspace and Cybersecurity Threat Context of Government and Private Organization
Learning Topics:
1. Common Question and Definition on Cybersecurity According to Practice Standards
2. Cybersecurity Threats According to R.A. 10175-Cybercrime, R.A. 10173-Privacy Violation, and R.A. 10844-National Cybersecurity Plan
3. Information Security Risk Management Framework for Cybersecurity

Session 2: R.A. 10844 - Cybersecurity Function, CyberSecurity Plan and Computer Emergency Response Team
Learning Topics:
1. Cybersecurity Management Framework - Look Up Standards
2. Cybersecurity Management Function and Performance Indicators
3. National Cybersecurity Plan of 2022 and its Implementation Advisory

Session 3: Government Cloud First Policy Cyber Security Framework
Learning Topics:
1. Cloud First Policy - Implementation Requirement
2. Cloud First Policy - Security Framework and Data Protection Standard
3. Cloud Computing Security Services and Control Standards

Session 4: Cybersecurity Information Security and Data Privacy Control Standards and Global Practices
Learning Topics:
1. Common Security Incident Indicators
2. Cybersecurity Control Standards and Regulatory Guidance
3. Professional Body Competency Framework to Secure the Cyberspace

Session 5: Cyber Security Incident Management and Security Operation Requirements and Standards
Learning Topics:
1. Security Incident Management Process and Incident Response Team Services
(https://www.incidentresponse.com/playbooks/)
2. Cyber Threat Intelligence and Security Knowledge Ecosystem
3. Digital Technologies of Cybersecurity Management Functions

Rules and Standards for the Question of Understanding

Session 1:
Cyberspace and Cybersecurity Threat Context of Government and Private Organization

1. Common Question and Definition on Cybersecurity According to Practice Standards
a. ISO 27000 – Information Security Management System: Overview and Vocabulary
b. ISO 27032 – Guidelines for Cybersecurity
c. ISO 27100 – Cyber Security and Concepts

2. Cybersecurity Threats According to R.A. 10175-Cybercrime, R.A. 10173-Privacy Violation, and R.A. 10844-National Cybersecurity Plan
a. R.A. 10175 – Cybercrime Prevention Act of 2012
b. R.A. 10173 – Data Privacy Act of 2012
c. R.A. 10844 – National Cyber Security Plan

3. Information Security Risk Management Framework for Cybersecurity
a. ISO 31000 – Risk Management: Guidelines
b. ISO 27015 – Information Security Risk Management
c. ISO 29134 – Privacy Impact Assessment
d. ISO 22307 – Financial Services: Privacy Impact Assessment

Session 2:
R.A. 10844 - Cybersecurity Function, CyberSecurity Plan and Computer Emergency Response Team

1. Cybersecurity Management Framework - Look Up Standards
a. NIST Cybersecurity Framework V. 1.1
b. ITU National Cybersecurity Strategy Guide
c. ISO 27000 Information Security Normative References

2. Cybersecurity Management Function and Performance Indicators
a. R.A. 10844 – National Cyber Security Plan
b. NIST Cybersecurity Framework V. 1.1
c. DICT Memorandum Circular 003: 2020

3. National Cybersecurity Plan and its Implementation Advisory
a. National Cybersecurity Plan of 2022
b. DICT Memorandum Circular 005, 006, 007: 2017



Session 3:
Government Cloud First Policy Cyber Security Framework

1. Cloud First Policy - Implementation Requirement
a. DICT Dept. Circular 2017-002 – Prescribing the Philippine Government's Cloud First Policy
b. DICT Dept. Circular No. 010, s. 2020 – Amendment of Dept. Circular 2017-02

2. Cloud First Policy - Security Framework and Data Protection Standard
a. DICT Dept. Circular 2017-002 – Prescribing the Philippine Government's Cloud First Policy
b. DICT Dept. Circular No. 010, s. 2020 – Amendment of Dept. Circular 2017-02

3. Cloud Computing Security Services and Control Standards
a. ISO 27017 – Cloud Security
b. ISO 27018 – Cloud Privacy
c. ISO 27036-4 – Information Security Supplier Relationship: Guidelines for Security of Cloud Services
d. ISO 19086-4 – Cloud Computing Service Level Agreement Component of Security and Protection of Personal Information

Session 4:
Cybersecurity Information Security and Data Privacy Control Standards and Global Practices

1. Common Security Incident Indicators
a. R.A. 10175 – Cybercrime
b. ETSI Security Incident Indicators
c. OWASP Web Application Exploitation
d. NIST National Vulnerability Database
e. MITRE ATT&CK Threat Model

2. Cybersecurity Control Standards and Regulatory Guidance
a. ISO 27001 – Annex A
b. ISO 27002 – Security Code of Practice
c. ISO 29151 – Privacy and Security Code of Practice
d. ISO 27701 – Privacy and Security Management System
e. ISO 27036 – Information Security Supplier Relationship
f. Center for Internet Security Control Framework
g. CSA Cloud Control Matrix
h. SCF Secure Control Framework

3. Professional Body Competency Framework to Secure the Cyberspace
a. CyBOK – Cybersecurity Body of Knowledge
b. ISC2 CISSP – Certified Information Security Professional
c. ISACA CISM – Certified Information Security Manager
d. SANS – GIAC Cybersecurity Certification
e. EC-Council – Certified Ethical Hacker

Session 5:
Cyber Security Incident Management and Security Operation Requirements and Standards

1. Security Incident Management Process and Incident Response Team Services
2. Cyber Threat Intelligence and Security Knowledge Ecosystem
3. Digital Technologies of Cybersecurity Management Functions

Prescribed Policies, Rules and Regulations on the Protection of Critical Information Infrastructure with National Cyber Security Plan

Columns: Implementation Requirements | Implementation Guidance or Standards | Compliance Status

1. Adopt the ISO/IEC 27000 family of information security standards and other relevant
international standards of mandatory compliance
Guidance or Standards:
a. DICT Department Circular 005
https://dict.gov.ph/wp-content/uploads/2017/09/Memorandum-Circular-005.pdf
b. ISO 27001 – Information Security Management System - Requirements
https://www.iso.org/obp/ui/#iso:std:iso-iec:27001:ed-2:v1:en
c. ISO 27002 – Information Security Management System - Controls
https://www.iso.org/obp/ui/#iso:std:iso-iec:27002:ed-2:v1:en
Compliance Status:

2. Conduct annual risk and security assessment
Guidance or Standards:
a. DICT Department Circular 005 and 003
https://dict.gov.ph/wp-content/uploads/2017/09/Memorandum-Circular-005.pdf
https://dict.gov.ph/wp-content/uploads/2020/03/Dept-Circular-No-003-3062020.pdf
b. ISO 27000 – Information Security Management System Overview
https://standards.iso.org/ittf/PubliclyAvailableStandards/c073906_ISO_IEC_27000_2018_E.zip
c. ISO 31000 – Risk Management - Guidelines
https://www.iso.org/obp/ui/#iso:std:iso:31000:ed-2:v1:en
d. ISO 19791 – Security Assessment of Operational Systems
https://www.iso.org/obp/ui/#iso:std:iso-iec:tr:19791:ed-2:v1:en
Compliance Status:

3. Ensure system integrity and security with vulnerability assessment and
penetration test that matches CERT-PH requirements
Guidance or Standards:
a. DICT Department Circular 003
https://dict.gov.ph/wp-content/uploads/2020/03/Dept-Circular-No-003-3062020.pdf
Compliance Status:

4. Create CERT – National, Sectoral and Organization Level
Guidance or Standards:
a. DICT Department Circular 005 and 003
https://dict.gov.ph/wp-content/uploads/2017/09/Memorandum-Circular-005.pdf
https://dict.gov.ph/wp-content/uploads/2020/03/Dept-Circular-No-003-3062020.pdf
Compliance Status:

5. Connect to the CERT-PH security operation center
Guidance or Standards:
a. DICT Department Circular 003
https://dict.gov.ph/wp-content/uploads/2020/03/Dept-Circular-No-003-3062020.pdf
Compliance Status:

6. Report cybersecurity incidents within 24 hours to NCERT
Guidance or Standards:
a. DICT Department Circular 005
https://dict.gov.ph/wp-content/uploads/2017/09/Memorandum-Circular-005.pdf
Compliance Status:

7. Use the F.I.R.S.T. Traffic Light Protocol to guide information sharing
Guidance or Standards:
a. DICT Department Circular 005
https://dict.gov.ph/wp-content/uploads/2017/09/Memorandum-Circular-005.pdf
b. FIRST TLP v1
https://www.first.org/tlp/docs/tlp-v1-letter.pdf
Compliance Status:

8. Secure a certificate of cybersecurity compliance from NCERT
Guidance or Standards:
a. DICT Department Circular 005 and 003
https://dict.gov.ph/wp-content/uploads/2017/09/Memorandum-Circular-005.pdf
https://dict.gov.ph/wp-content/uploads/2020/03/Dept-Circular-No-003-3062020.pdf
Compliance Status:

9. Conduct cyber hygiene activity for telecommunication operators
Compliance Status:

10. Other prescribed activities
a. Obtain the seal of cybersecurity from DICT
b. Develop and implement a disaster recovery and business continuity plan
c. Participate in national cyber drills and exercises
d. Comply with National Privacy Commission issuances on the privacy of personal data
e. Agency or organization head acts as "cybersecurity officer" (CYSO)
f. Integrate cybersecurity courses in the education sector
g. Train trainers on cybersecurity
h. Include cybersecurity awareness content in government websites
Compliance Status:
