Excerpt from the Minutes of the 92nd Regular Board of Trustees Meeting of the Camarines Sur Polytechnic Colleges held on August 19

Resolution No. 2020-42: APPROVING THE POLICY GUIDELINES ON THE UTILIZATION OF INFORMATION RESOURCES OF THE COLLEGE.

WHEREAS, RA 8292 provides that the Board of Trustees shall approve the policies, programs and projects of the College;

WHEREAS, with the commitment of the College to protect its information resources consistent with the Philippine Standard, CSPC has crafted the Policy Guidelines on the Utilization of Information Resources;

WHEREAS, the College shall take appropriate measures to protect the College information resources against accidental or unauthorized disclosure, contamination, modification, or destruction and to assure the confidentiality, authenticity, utility, integrity and availability of College information;

WHEREAS, the proposed policy guidelines were endorsed by the Administrative Council and by the Finance/Infrastructure/Administration Committee to the Board of Trustees for approval;

NOW, THEREFORE, BE IT RESOLVED to approve the Policy Guidelines on the Utilization of Information Resources of the College, subject to compliance with the Freedom of Information and the Data Privacy Act.

Certified Correct:
Vivian C. Lastrotio
Board Secretary V

Attested:
HON. CHARLITO P. CADAG, PhD.
SUC President III/Vice-Chair

CONTROLLED COPY

Republic of the Philippines
CAMARINES SUR POLYTECHNIC COLLEGES
Nabua, Camarines Sur

Policy Guidelines on the Utilization of Information Resources of the College

I. Policy Statement

The College commits to protect its information resources by establishing an information security program consistent with Philippine standards.
In compliance with the required standard, the College intends to promote the appropriate management of College servers and, in doing so, achieve consistency, increase availability and security, facilitate disaster recovery, coordinate technical operations and apply sound information technology management practices consistently throughout the College. All servers connected to the College network must support and be consistent with the institutional network. To ensure this requirement, a server's purpose and other detailed information is registered and maintained in an internal server list to facilitate compliance with the mandated security efforts and to assist in diagnosing, locating and investigating security incidents on the College network.

The College shall take appropriate measures to protect the College information resources against accidental or unauthorized disclosure, contamination, modification, or destruction, and to assure the confidentiality, authenticity, utility, integrity, and availability of College information.

II. Purposes and Objectives

The purposes and objectives of these policy guidelines are:

A. To provide a reliable College network and internet connection in the conduct of business of the College;
B. To provide only authorized access to institutional, research or personal data and information on the College network;
C. To protect computer system and network integrity at the College;
D. To ensure compliance with applicable statutes, regulations and mandates regarding the management of information resources;
E. To establish prudent and acceptable practices regarding the use of information resources; and
F. To educate officials and employees who may use information resources with respect to their responsibilities associated with such use.

III. Scope and Coverage

These policy guidelines apply to officials and employees, including students, contract of service and job order staff of the College.
These cover the usage of College information resources whether administered centrally or departmentally, and whether on campus or off campus. Information resources include hardware, software, communication networks and access devices, electronic storage media, manuals, and electronic documentation. Also included are data files that reside on hardware or media owned or supplied by the College.

IV. Definition of Terms

A. CSPC Account — stands for the Camarines Sur Polytechnic Colleges Network Identification. This is the name used to identify a person or other entity when connecting to certain applications and services available on the College network. A CSPC account has an associated password that serves to authenticate the identity of the owner.

B. College Net ID — stands for the College Network Identification, which is the name used to identify a person or other entity when connecting to certain applications and services available on the College network. It has an associated password that serves to authenticate the identity of the Net ID owner.

C. College Network — refers to the data and communications infrastructure of the College, which includes the campus backbone, local area network, and all equipment connected to this network.
D. Device — refers to any hardware component involved with the processing, storage, or forwarding of information and use of the College information technology infrastructure, or attached to the College network.

E. Device Registry — refers to a database of College network devices maintained by the Database Administrator to assist with incident response and alerts, which includes information about the device such as device name, function, operating system, and primary and secondary contact information.

F. Information Resources — refers to all devices capable of receiving, storing, managing, or transmitting electronic data, including mainframes, servers, personal computers, notebook computers, handheld computers, personal digital assistants (PDA), pagers, distributed processing systems, network-connected display devices, network-attached and computer-controlled medical and laboratory equipment (i.e., embedded technology), telecommunication resources, network environments, telephones, fax machines, printers, computer printouts, and storage media. It includes the systems, procedures, equipment, facilities, software, and data that are designed, built, operated, and maintained to create, collect, record, process, store, retrieve, display and transmit information.

G. Network Address — is a unique number associated with a device, used for the routing of traffic across the internet or another network. It is also known as an Internet Protocol Address or IP address.
H. Server — refers to a networked system that distributes data to other networked resources.

I. Server Administrator — is an individual with principal responsibility for the installation, configuration, security, and ongoing maintenance of an information technology device, including network registration.

J. Server Management — refers to functions associated with the oversight of server operations, which include controlling user access, establishing/maintaining security measures, monitoring server configuration and performance, and risk assessment and

must designate an individual to serve as the primary system administrator and may designate a backup system administrator.

L. System Compromise — refers to a compromised system in any device that is no longer entirely under its owner's control. The two major forms of compromise are:
1. Infection by a worm, virus or trojan horse; and
2. Exploitation of an operating system or application vulnerability by another user, giving that user remote control of the computer.

M. User — refers to an individual or automated application or process that is authorized access to an information resource by its owner, in accordance with the owner's procedures and rules.

N. VPN Account — stands for CSPC's Virtual Private Network (VPN) Account Identification. This is the name used to identify a person or other entity when connecting to certain applications and services available on the College network from the public internet. It has an associated password that serves to authenticate the identity of the owner.

O. Vulnerability Patch — is an update provided by a vendor to correct a flaw or weakness in a system's design, implementation, or operation and management that could be exploited to violate the system's security policy. All software and hardware are subject to vulnerability and firmware patches.
V. Use of Information Resources

A. General Guidelines

1. The College, through the Management Information and Communications Technology (MICT) Office, will provide each of its authorized users with a computer account, known as a College Net ID, which facilitates access to the College information resources. In accepting a College Net ID or any other access ID, the user agrees to abide by applicable policies, rules and regulations. The College reserves the right at any time to limit, restrict, or deny access to its information resources and to take disciplinary and/or legal action against anyone in violation of these policy guidelines.

2. The College faculty, staff and students will be given a system-generated Net ID. In order to change the system-generated Net ID, written approval must be obtained from the Director of MICT. The approved request shall form part of the individual's associated College files.

3. The College provides information resources for the purpose of accomplishing tasks related to the College mission. Use of or access to the College computers, networks, data and software may be restricted due to specific research, teaching or other purposes in keeping with the College mission. The College computer information resources are not a public forum.

4. The College considers email to be a significant resource and an appropriate mechanism for official College communication. The College provides official College email addresses and services to its students, staff, faculty and organizational units for this purpose to enhance efficiency of educational and

to an alternate email address at their own risk; however, the College is not responsible for an email that has been forwarded to any other address.
5. Subject to applicable policies, rules and guidelines, students who have registered are allowed to use the College information resources for school-related and personal purposes. Personal use must not result in any additional expense to the College or violate restrictions. Continuing students may retain their College Net ID as long as they remain enrolled for the current or a future semester.

6. Employees of the College are allowed to use the College information resources in the performance of their duties and functions as long as they adhere to all applicable policies and rules. Incidental personal use of the College information resources by an employee is permitted, subject to review and restrictions by the employee's immediate supervisor. Such personal use must not violate any applicable policies and rules, must not interfere with the employee's performance, and must not result in any additional expense to the College. Employees may obtain a College Net ID upon verification of employment by the appropriate office head. An employee's access to the College information resources will be terminated upon the employee's separation from employment at the College. The following are limited exceptions to the access termination requirement:
a. a College retiree retains access to the information resources;
b. a former employee retains access to the College web for self-service functions only, i.e., retrieval of remuneration statements, mailing address updates, and similar functions that afford access only to the former employee's personal information; and
c. other exceptions require specific, prior authorization from the College President.

7. Censorship is not compatible with the goals of the College. The College will not limit access to any information due to its content, as long as it meets the standard of legality.
The College reserves the right, however, to place reasonable time, place and manner restrictions on expressive activities on its information resources.

8. The College generally prohibits access to electronic records or communications by anyone other than:
a. the designated owner of the account or electronic resource containing the records or communications; or
b. the sender or recipient of a particular communication,
unless prior consent from the applicable account owner, sender or recipient is provided.

9. Intellectual property law extends to the electronic environment. Users should assume that works communicated through the College computer networks are subject to copyright laws unless specifically stated otherwise.

10. Information resources are considered valuable assets of the College. Further, computer software purchased or licensed by the College is the

11. Students, staff and faculty using information technology resources for purposes of exchanging, publishing or circulating official institutional documents must follow the College requirements concerning appropriate content.

B. Inappropriate Use of Information Resources

The following actions constitute inappropriate use of College information resources and are strictly prohibited for all users:

1. Use of College information resources for illegal activities or purposes. The College may deal with such use appropriately, and may report such use to law enforcement authorities.
Illegal activities or purposes include unauthorized access, intentional corruption or misuse of information resources, theft, obscenity, and child pornography;

2. Failure to comply with laws, policies, procedures, license agreements, and contracts that pertain to or limit the use of College information resources;

3. The abuse of information resources, which includes any willful act that endangers or damages any specific computer software, hardware, program, network, data or the system as a whole, whether located on campus or elsewhere on the global internet; creates or allows a computer malfunction or interruption of operation; injects a computer virus or worm into the computer system; sends a message with the intent to disrupt College operations or the operations of outside entities; produces output that occupies or monopolizes resources for an unreasonable time period to the detriment of other authorized users; consumes an unreasonable amount of communications bandwidth, either on or off campus, to the detriment of other authorized users; or fails to adhere to time limitations that apply at particular computer facilities on campus;

4. Use of College information resources for personal financial gain or commercial purposes.

VI. Network Use

A. Specific Guidelines

1. All devices connected to the College network (wired or wireless) must be associated with units in support of the mission of the College. The integrity, security, and proper operation of the College network require an orderly assignment of network addresses and the correct configuration of devices attached to the network.
2. Network access, performance and security are put at risk when devices are introduced into the network environment without appropriate coordination. Therefore, all connections to the College network must be managed with accessibility, performance, and security concerns taken into consideration. The Director of MICT is responsible for the College network, including routing, switching, domain name service, etc. The office coordinates all connections to the College network, including the assignment of addresses. Network users should not alter, extend, or re-transmit network services in any way. Users are prohibited from attaching, or contracting a service provider to attach, equipment such as

3. The use of devices connected to the College network is accompanied by certain responsibilities. Specifically, all users, when presented with automated update (e.g., Windows OS) communications, are required to allow the updates to occur in order to minimize risks associated with computer hacking and other threats such as worms and viruses. The Director of MICT will provide mechanisms to facilitate such updates to the extent reasonably possible.

4. All devices placed on the College network acting in any role other than an individual workstation or printer (e.g., servers regardless of function, hardware or software) must be registered and placed by MICT in the centralized data center (server rooms) to ensure compliance with the College best practices.

B. Response to Threats and Policy Violators

1. Devices posing an immediate threat to the College network will be disconnected from the network to isolate the intrusion or problem and minimize risk to other systems, until the device is repaired and the threat is removed.
In coordination with the concerned offices, the Director of MICT will cause the investigation of any incident involving unauthorized access to the College network. Devices involved in these and other security incidents which do not have security clearance will remain disconnected from the College network until the device can be brought into compliance. The MICT will notify the appropriate office personnel when its device is to be disconnected from the network.

2. Devices that are involved in repeated incidents may be disconnected from the College network for longer periods of time as required. The affected users will be required to show that they understand the policy guidelines and certain protocols and commit to implement them through an audit review or other assessment of the network-attached devices for which they are responsible. If the affected user lacks the knowledge or training needed to comply with the policy, the MICT personnel will work with the concerned office to help plan an appropriate training or orientation program.

VII. Server Management

A. Specific Guidelines

1. Before the MICT staff connects a server to the College network, it must comply with the College server management practices. The concerned office should contact the MICT office to determine what alternatives may exist to satisfy any server needs. If adequate resources do not yet exist, the MICT will purchase and/or budget for a server adequate to address the requirements.

2. The MICT staff are responsible for the placement, management, operation and security of the College servers. These responsibilities and management practices include:
a. automated threat mitigation (e.g., anti-virus software, host-based firewall, etc.);
b. licensing, support, and update management for the operating system and all hosted services and applications;
physical and electronic access controls that support role-based access, appropriate separation of duties, and the principle of "least privilege";
g. backup and recovery;
h. user authentication;
i. activity and event logging; and
j. network connection requirements and standards (e.g., server list).

3. While these policy guidelines are meant to be definitive policy and a guide to effective server management at the College, it is recognized that not all specific situations and/or problems can be addressed by a policy. Exceptions to these policy guidelines require collaboration with the MICT and may be granted only by the College President as recommended by the MICT Director.

B. Response to Threats and Policy Violators

1. The Information Security Management Officer (ISMO) routinely scans the network to monitor compliance with these policy guidelines. Devices discovered acting in a server capacity will be removed from the College network with the concurrence of the MICT Director. The ISMO will notify the server administrator when it determines that a server presents an unacceptable risk to College information resources, i.e., when a server has been compromised, when it is a threat to other network users, or when its defenses against compromise are inadequate for the purpose it serves. If the server administrator cannot be contacted or will not act immediately, the MICT Director may remove the offending server from the network and work with the server owner to remedy the threat and recertify the server.

VIII. Information Resources Security

A. Specific Guidelines

1. The College information security program is positioned within the MICT office, administered by the Director of MICT and implemented by the MICT staff in collaboration with all College constituents that use and support the College information resources.
2. Information resources residing at the College are strategic and vital assets belonging to the government of the Philippines.

3. These assets must be available when needed and protected commensurate with their value.

4. All officials and employees, regardless of position or role, share responsibility for protecting the College information resources.

5. All individuals are accountable for the use of information resources and shall comply with applicable laws, College policies and rules in their use.

6. Information that is sensitive or restricted/confidential must be protected from unauthorized access or modification.

7. Data that are essential to critical College functions must be protected from loss, contamination, or destruction.

8. Risks to information resources must be managed.

9. The expense of security safeguards must be appropriate to the value of the assets being protected.

10. The integrity of data, their source and destination, and the processes applied to them are critical to their value. Changes to data must be made only in authorized and acceptable ways.

11. Information resources must be available when needed. Continuity of information systems supporting critical College functions must be ensured in the event of a disaster or disruption in normal operations.

12. Security requirements shall be identified, documented, and addressed in all phases of development or acquisition of information resources.

13. Security awareness of employees must be continually emphasized and reinforced at all levels of management.

14. Officials and employees must be accountable for their actions relating to information resources.

15. The information security program must be responsive and adaptable to changing vulnerabilities and technologies affecting information resources.
Its components shall be reviewed and modified in a timely fashion to meet emerging and evolving threats.

16. The College must ensure adequate controls and separation of duties for tasks that are susceptible to fraudulent or other unauthorized activity.

B. Information Security Organization

1. The MICT Director oversees the acquisition and directs the College information technology security functions.

2. An ISMO shall be designated to administer the College information security program. As such, the ISMO is responsible for all aspects of the College information security program. Specifically, the ISMO shall have the following duties and responsibilities:
a. develop, recommend, and establish policies, procedures, and practices as necessary to protect the College information resources against unauthorized or accidental modification, destruction or disclosure;
b. identify and implement proactive and reactive technical measures to detect vulnerabilities and to defend against external and internal security threats;
c. provide consulting and technical support services to owners, custodians, and users in defining and deploying cost-effective security controls and protections;
d. establish, maintain, and institutionalize security incident response procedures to ensure that security events are thoroughly investigated, documented, and reported, that damage is minimized, that risks are mitigated, and that remedial actions are taken to prevent recurrence;
e. establish and publicize a security awareness program to achieve and maintain a security-conscious user community;
f. document, maintain and obtain ongoing support for all aspects of the information security program;
g. monitor the effectiveness of strategies, activities, measures, and controls designed to protect the College information resources;
h. serve as the College internal and external point of contact for information security matters; and
i. report frequently (at least annually) on the status and effectiveness of the information security program.

3. Individual responsibilities can vary significantly according to an individual's relationship with any given information resource. In recognition of those variances, the College has defined and assigned three (3) generic roles with respect to the security of information resources: 1) the owner role, 2) the custodian role, and 3) the user role.

C. Risk Assessment

1. Risk assessment is a vehicle for systematically identifying and evaluating the vulnerabilities of an information system and its data to the threats facing it in its environment. It is an essential component of any security and risk management program.

2. Absolute security that assures protection against all threats is unachievable. Risk assessment provides a framework for weighing losses that might occur in the absence of an effective security control against the costs of implementing the control. Risk management is intended to ensure that reasonable measures are employed to protect against the most probable and impactful threats.

3. Owners and their designated custodians shall annually complete or commission a comprehensive risk assessment of their assigned information resources, including departmentally assigned computing resources that store, process and access information. The assessment must include a classification of their information resources according to their need for security protection for confidentiality, integrity, and availability. The assessment should also identify reasonable and foreseeable internal and external risks to the security, confidentiality, integrity and availability of those resources.
4. Owners and custodians should assess the sufficiency of safeguards in place to control these risks and document their level of risk acceptance (i.e., the exposure remaining after implementing appropriate protective measures, if any). Additional mitigation measures should be taken as necessary to protect the resources from risks considered unacceptable. The risk assessment should include consideration of employee training and management, information systems architecture and processes, business continuity planning, and prevention, detection and response to intrusions and attacks. The assessment results shall be documented in a written report, protected from unauthorized disclosure, modification, or destruction, and retained until superseded by a subsequent documented assessment, plus one (1) year.

5. The ISMO shall periodically (at least annually) complete or commission a risk assessment of the information resources considered essential to the College's critical mission and functions, and shall recommend, to the owners and custodians of these resources, appropriate risk mitigation measures, technical controls, and procedural safeguards. The assessment may incorporate self-assessment

information assets and shall also be presented to the College President as appropriate.

D. Information Asset Management

1. As stated, the College information resources are strategic and vital assets that must be available when needed and protected commensurate with their value. The College has identified specific actions required to achieve those objectives and has also articulated the owner, custodian and user roles to clearly distinguish the parties responsible and accountable for taking those actions.

2. The College is the legal owner of all the information assets. For practical purposes, the College delegates specific ownership responsibilities to those with day-to-day oversight of the information asset.
For example, for a shared file system hosted on a department/office server, both the file share and the computer are owned by the department/office. Conversely, ownership is split for department/office file shares hosted on the MICT office servers in the data center, i.e., the shared directories and their contents are owned by the department/office and the host computer and related disk storage are owned by the MICT.

3. Owners have been designated for data assets based upon the general subject matter of the data, such as the following:
a. Human resources data - Human Resources Management Officer (HRMO)
b. Learning and Development data - Human Resource Development Director (HRDO)
c. Student disciplinary data including scholarships and financial assistance - Office of Student Affairs and Services Director (OSASD)
d. Student grades including basic personal information -
e. Financial records data - Accountant
f. Health records data - College Nurse
g. Student electronic data - Database Administrator

4. Ownership responsibility for network, hardware, and software assets is assigned to the party accountable for the assets through memorandum receipts (MR).

5. Owners are specifically responsible for:
a. keeping abreast of laws and policies related to the information assets they own and classifying these assets according to their need for security protection;
b. determining the value of, authorizing user access to, and establishing procedures for authorized disclosure of their information assets;
c. specifying data control requirements for their information assets and conveying their requirements to co-owners, custodians and users;
d. specifying appropriate controls, based on risk assessment, to protect their information assets from unauthorized use, modification, deletion, or disclosure;
e. selecting and assigning custody of information assets, in consultation with appropriate IT staff, to custodians capable of implementing the necessary security controls and procedures;
f. contractually binding non-College custodians to implement and comply with

h. reviewing and maintaining access authorization lists based on documented security risk management decisions.

6. Custodians provide information asset services to both owners and users. A custodian may be an official, staff, a team or a third-party provider of information resource management services (such as a website or application hosting firm). Custodians are expected to:
a. assist the owners in identifying cost-effective controls, along with monitoring techniques and procedures for detecting and reporting control failures or violations;
b. implement the controls and monitoring techniques and procedures specified by the owner(s); and
c. provide and monitor the viability of physical and procedural safeguards for the information resources.

7. The user role is the default role possessed by all users of College information resources. Users of information resources shall use those resources for defined purposes that are consistent with their institutional responsibilities and always in compliance with established controls. Users are expected to comply with the College's published security policies and procedures, as well as with security bulletins and alerts that may be issued by the MICT in response to specific risks and threats. The use of the College information resources implies that the user has knowledge of and agrees to comply with the College policies governing such use.

8. Employee users are responsible for maintaining the privacy and security of the information they access in the normal course of their work.
Employees are also responsible for the security of any terminal, workstation, printer or similar electronic device utilized in the normal course of their work. Employees are authorized to use only those resources and materials that are appropriate and consistent with their duties and functions, and must not violate or compromise the privacy or security of any data or systems accessible via the College computer network. Any attempted violation of information security or privacy is a ground for revocation of computer access privileges, suspension or discharge of employees, suspension or expulsion of students, and prosecution to the full extent of the law.
Users are responsible for the security of any account (e.g., College network username or administrative systems username) issued to them and are accountable for any activity that takes place in their account. Users who discover or suspect that the security of their account has been compromised must immediately change their password and report the incident to the ISMO for initial investigation. The ISMO shall escalate the incident to IT security if the compromise may increase the risk to other College information resources. Any suspected or attempted violation of system security should be reported immediately to the ISMO.
By virtue of their duties and responsibilities (e.g., review and monitoring activities), designated employees may require and may be entrusted with elevated
b. access, disclose, and discuss the information only to the extent required to perform the mandated duty for which the privileges were granted.
11. The College information resources are subject to monitoring, review and disclosure in accordance with the following criteria:
a. satisfy the requirements of the Freedom of Information Manual, the Data Privacy Manual of the College, National Privacy Commission (NPC) issuances or other regulations;
b. allow College officials to fulfil their responsibilities when acting in their assigned capacity;
c. protect the integrity of the College information technology resources, and the rights and other property of the College;
d. allow system administrators to perform routine maintenance operations, security services and respond to emergency situations; or
e. protect the rights of individuals where information and files are shared.
12. Users of the College information resources expressly consent to monitoring by the College for these purposes and are advised that, if such monitoring reveals possible evidence of criminal activity, College administration may provide that evidence to law enforcement officials. Further, all users should understand that while the College takes reasonable precautions, as evidenced by its information security program, it is unable to guarantee the protection of electronic files, data, or emails from unauthorized or inappropriate access or disclosure.
13. Individuals seeking non-consensual access to electronic records or communications residing within a user account or College information resources assigned to another user shall make such request in writing to the Director of MICT. The request must fully describe the requested records by type and date, and must specify the authorization that permits the access. The Director of MICT, in consultation with the College President or any authorized representative, as appropriate to the circumstances, will approve or deny the request. This provision applies to all user accounts and information resources.
14. When sensitive or restricted/confidential information from another college or university or government agency is received by the College in connection with the transaction of official business, the College shall maintain the confidentiality or security of the information in accordance with the conditions imposed by the providing agency or institution.
15. Prior to releasing, publishing, or disclosing any College information, the designated owner of the information shall classify the information as Public, Sensitive, or Restricted/Confidential, according to its need for confidentiality. Moreover, the information owner should ensure that disclosure controls and procedures are implemented and followed to afford the degree of protection required by the assigned classification. Information shall be assigned one of the three (3) classifications:
a. With respect to confidentiality, public information may be disclosed as published by any person at any time. Examples of public information include: advertising and marketing literature, degree program descriptions, course offerings and schedules, campus maps, job postings, press releases, descriptions of College products and services, and certain types of unrestricted directory information as specified by the Data Privacy Act and the Philippine Health Insurance Act.
b. sensitive information can be difficult to classify as it often presents attributes of both public and restricted/confidential information. Sensitive information may be deemed "public" in the sense that, under certain circumstances, disclosure may be required under the provisions of the Data Privacy Act. However, the disclosure of sensitive information also requires assurances that its release is both controlled and lawful. Sensitive information is often intended for use within a specific workgroup, department or group of individuals with a legitimate need-to-know. Likewise, access to sensitive information may be controlled by identity authentication and authorization measures (e.g., Net ID or College account and password). Unauthorized disclosure of sensitive information could adversely impact the College, individuals or affiliates.
Examples of sensitive information include: some employee records (such as performance evaluations, date of birth, and email addresses), departmental policies and procedures that might reveal otherwise protected information, the contents of email, voicemail, instant messages and memos, unpublished research, information covered by non-disclosure agreements, and donor information. Generally speaking, sensitive information should not be published or disclosed to the public except by the owner of the information in accordance with the owner's established practices, or after consultation with the College President.
c. restricted/confidential information refers to information that is excepted from disclosure requirements under the provisions of applicable Philippine laws. Restricted/confidential information is generally intended for a very specific purpose and shall not be disclosed to anyone without a demonstrated need-to-know, even within a workgroup or department. Disclosure of restricted/confidential information is generally regulated by specific legal provisions, published opinion of the Office of the Solicitor General, the College Board of Trustees, or contractual agreement. Unauthorized disclosure of this information could have a serious adverse impact on the College, individuals, or affiliates, and presents the most serious risk of harm if improperly disclosed. Examples of restricted/confidential information include: student education records, credit card and financial account information, social security numbers, driver's license numbers, personally identifiable medical records, passport information, crime victim information, library transactions (e.g., circulation records), and access control credentials (e.g., PINs and passwords). Restricted/confidential information must not be disclosed to the
persons with a questionable need-to-know should be directed to the College President.
16. Because of the harm that can result from improper disclosure, sensitive and restricted/confidential College information shall be afforded the following special protections by owners, custodians and users:
a. a person's social security number, driver's license number, or other widely-used government-issued identification number shall not be captured, stored, or used as a person identifier unless such use is required by an external, governmental, or regulatory system that is authorized for use at the College. Where use of such numbers is required and authorized, owners, custodians and users shall store those numbers in encrypted form or behind other compensating controls with the advice and consent of the ISMO.
b. payment cardholder data (i.e., the primary account number or the magnetic stripe contents together with any one of: cardholder name, expiration date, or the 9-digit service code) shall not be stored on any device connected to the College data network for longer than necessary to complete a transaction using that information.
c. sensitive or restricted/confidential information shall not be transmitted electronically in unencrypted form. Either the information itself must be encrypted prior to transmission or an encrypted connection must be established and maintained for the duration of the transmission. Authorized encrypted connection examples include the College implementation of: VPN - virtual private network, SSL - secure socket layer, and SSH - secure shell. Note that most electronic mail systems do not establish and maintain encrypted connections and thus are not appropriate for use in transmitting unencrypted sensitive or restricted/confidential information.
d. sensitive or restricted/confidential information should not be stored on portable devices or media such as notebook or tablet computers, PDAs, smart phones, USB drives, CDs, DVDs, tape cartridges, etc.
If such storage is required, the sensitive or restricted/confidential information must be protected by encryption or by other compensating controls with the advice and consent of the ISMO.
e. sensitive or restricted/confidential information must not be accessed from a remote location in an unauthorized manner. Examples of authorized remote access solutions include the College implementation of VPN, SSL and SSH. Third-party remote access solutions like PCAnywhere and GoToMyPC are not authorized, and the use of similar software must be reviewed and approved by the ISMO.
f. sensitive or restricted/confidential information should not be stored on personally-owned devices or media. If such storage is required, the sensitive or restricted/confidential information must be protected by encryption or by other compensating controls with the advice and consent of the ISMO.
g. sensitive or restricted/confidential information shall not be stored on any devices external to the campus network except as provided under contract with
employ non-proprietary, industry standard mechanisms; be implemented through widely used and tested libraries; utilize at least 128 bits of complexity for symmetric encryption; and utilize at least 1024 bits for asymmetric key-based encryption.
h. sensitive or restricted/confidential information shall not be shared, exposed or transmitted via any peer-to-peer (P2P) file sharing mechanism prior to completion of a comprehensive risk assessment, including penetration testing of the proposed P2P file sharing mechanism by the ISMO.
17. The sale, transfer, or disposal of old, obsolete, damaged, non-functional, or otherwise unneeded electronic devices and media poses information risks for the College.
These risks are related primarily to the media contents that might be exposed, which can be sensitive or restricted/confidential information, licensed and non-transferable software, copyrighted intellectual property, or other protected information. Even supposedly deleted data can be retrieved through contemporary data recovery techniques. Concerned officials and employees of the College are required to permanently remove data from data processing equipment before disposing of or otherwise transferring the equipment to an entity that is not a government agency or other agent of the government. Owners, custodians, and users shall contact IT for media sanitization assistance prior to transferring ownership or otherwise disposing of any magnetic media (e.g., hard disk drives, USB drives, backup tape cartridges, DVDs, CDs, etc.) or any devices containing such media (e.g., computers, PDAs, smart phones, printers, copiers, etc.). IT will securely sanitize or destroy the media, at its sole discretion, and maintain appropriate records of the action taken. Owners, custodians, and users shall not repurpose or reassign any electronic device or electronic media contained within a device without first fully sanitizing the media using a tool sanctioned by the ISMO. Examples of currently sanctioned tools include Ghost Gdisk and DBAN for Windows devices and Disk Utility (for OS X). Reformatting the media does not constitute, by itself, a satisfactory sanitization process.
E. Human Resources Security
1. In any organization, people represent both the greatest information security assets as well as the greatest information security threats. Consequently, employee awareness and motivation are integral parts of any comprehensive information security program.
2. To emphasize security awareness and the importance of individual responsibility with respect to information security, College officials and employees shall explicitly affirm their agreement to abide by the College information security, copyright, and appropriate use policies each time they change their College domain-level password.
3. The ISMO shall provide an orientation program for all new employees, as well as
valuable repository of information security policies, procedures, guidelines, and best practices. The heads of offices shall continually reinforce the value of security consciousness in all employees whose duties entail access to sensitive or restricted/confidential information resources. Office heads are responsible for implementing the measures necessary to ensure that faculty and staff maintain the confidentiality of information used in office operations. Examples of such information include personnel and payroll records, transcript and grade records, financial aid information, and other sensitive or restricted/confidential information. Such information shall not be used for unauthorized purposes or accessed by unauthorized individuals. Office heads are required to obtain a signed non-disclosure agreement for their employees prior to granting those employees access to departmental information resources. Office heads are responsible for ensuring that access privileges are revoked or modified as appropriate for an employee in their charge who is terminating, transferring or changing duties. Office heads should provide written notification to the Director of MICT whenever an employee's access privileges should be revoked or changed as a result of the employee's change in status.
Owners of information resources shall obtain and retain signed non-disclosure agreements from all temporary and contract of service personnel, consultants, contractors, and other external parties prior to their obtaining access to the College information resources. The agreements shall affirm their compliance with the College security policies and procedures.
F. Physical and Environmental Security
1. Physical access to mission critical information resource facilities shall be managed and documented by the facility's custodian. The facilities must be protected by physical and environmental controls appropriate for the size and complexity of the operations and the criticality or sensitivity of the systems operated within those facilities. Reviews of physical security measures shall be conducted annually by the custodian in conjunction with each facility risk assessment, and whenever facilities or security procedures are significantly modified.
Physical access to information resource facilities administered by the MICT is restricted to individuals having prior authorization from the Director of MICT. The responsibility for securing department-administered computer facilities or equipment from unauthorized physical access ultimately rests with the designated owner and designated custodian of the facility or equipment.
A log will be maintained of all persons entering or leaving the College primary database center (server room), including the date, time and purpose of the visit. Access to the equipment room in this data center shall be controlled through keyed access and monitoring.
Employees and information resources shall be protected from the environmental hazards posed by information resources facilities. Employees with duty stations
6. Terminals, computers, workstations, mobile devices (e.g., PDAs, portable storage devices, smart phones, etc.), communication switches, network components, and other devices outside the College primary data center shall receive the level of protection necessary to ensure the integrity and confidentiality of the College information accessible through them. The required protection may be achieved by physical or logical controls, or a combination thereof.
7. No authenticated work session (i.e., a session in which the user's identity has been authenticated and authorization has been granted) shall be left unattended on one of these devices unless appropriate measures have been taken to prevent unauthorized use. Examples of appropriate measures include:
a. activation of password-protected keyboard or device locking;
b. automatic activation of a password-protected screen saver after a brief inactivity period; and
c. location or placement of the device in a locked enclosure preventing access to the device by unauthorized parties.
The creator of the work session is responsible for any activity that occurs during a work session logged in under his or her account.
G. Communications and Operations Management
1. Network resources used to exchange sensitive or restricted/confidential information shall protect the confidentiality of the information for the duration of the session. Controls shall be implemented commensurate with the highest risk. Transmission encryption technologies (e.g., VPN, SSL, https, SSH, etc.) shall be employed to accomplish this objective.
2. Sensitive or restricted/confidential College information must not be transmitted in unencrypted form. Either the information itself must be encrypted prior to transmission or an encrypted connection must be established and maintained for the duration of the transmission.
Authorized encrypted connection examples include the College's implementation of VPN, SSL, and SSH, as well as any wireless network connection utilizing Wi-Fi Protected Access 2 (WPA2) with the Advanced Encryption Standard (AES). These restrictions apply regardless of the user's location and include transmissions over any private or public network accessible to the user, including in-home networks. The MICT shall establish and maintain a WPA2-AES encrypted (or equivalent/superior) wireless network for use on the College campus.
3. To facilitate security of the campus network, owners, custodians, and users of information resources shall adhere to the provisions of the College network use policy.
4. Owners of distributed information resources within the campus network shall prescribe sufficient controls to ensure that access to those resources is
identification and authentication (e.g., password, smart card/token), physical access controls, or a combination thereof.
5. Owners of applications containing or with access to sensitive or restricted/confidential information, or applications involving automated transmissions of such information to other applications, shall require authentication of user identity prior to granting access to the application.
H. Information Resources Identity and Access Management
1. The College provides restricted access to its information resources to persons that meet any one of the following institution-defined requirements: students; faculty members; regular and non-student/non-regular employees; retired faculty, administrators, and employees; consultants and contractors; trustees, administrators, and staff; and sponsored guests. Individuals may meet multiple requirements at any one time (e.g., a staff member enrolled in courses is also a student).
The scope of authorized access and use may vary over time in accordance with the various requirements an individual may meet.
2. Prior to obtaining access to the College network, any device connected to that network, any service provided via that network, or any application hosted on that network, individuals shall be required to authenticate themselves as authorized users of the network, service, device, or application. This requirement may be waived in situations where a formal risk assessment has determined that access to the resource does not require individual user identification, authorization, or accountability.
3. A College-assigned network identifier (e.g., College Net ID or College ID number) and its corresponding "secret" (e.g., a password/PIN) shall be used to accomplish the authentication. The network identifier shall be unique to an individual in all cases except for authorized "administrator" accounts that must be accessible to a team of owners charged with supporting a breadth of resources.
4. Based upon security risk assessment, and excepting administrator accounts as described in the preceding paragraph, owners shall implement audit trails and transaction logs as necessary to provide individual accountability for changes to mission critical information, hardware, software, and automated security or access rules.
5. Self-service systems must incorporate security procedures and controls to ensure the data integrity and protection of sensitive or restricted/confidential information. Self-service systems must authenticate the identity of individuals that utilize the systems to retrieve, create or modify sensitive or
"Use of computer and network facilities owned or operated by the College requires prior authorization. Unauthorized access is prohibited.
Usage may be subject to security testing and monitoring, and affords no privacy guarantees or expectations except as otherwise provided by applicable laws and other issuances. Abuse is subject to administrative action. Use of these facilities implies agreement to comply with the policies of the College."
7. A user's Net ID shall be deactivated whenever the user's current affiliation with the College no longer qualifies the user to possess an active Net ID.
8. Sensitive and restricted/confidential information shall be accessible only to personnel with authorization from the information owner on a strict "need-to-know" basis in the performance of their assigned duties. Such information shall be disclosed only by the information owner, consistent with the College policy on the appropriate release of information.
9. The College systems that employ passwords for authenticating user identities shall comply with the following minimum password acceptability standards (where possible):
a. minimum password length is 8 characters;
b. previous passwords are remembered and ineligible for use;
c. passwords expire every year;
d. passwords are case sensitive;
e. passwords cannot match any part of the College Net ID;
f. passwords cannot match any part of the user's full name;
g. passwords must contain 3 out of the 4 character types:
1) at least 1 uppercase character
2) at least 1 lowercase character
3) at least 1 numeric character
4) at least 1 special character, such as: !@#$%*&"()_-+=[]\
h. password repositories must utilize one-way encryption and, once assigned, the password must not be retrievable by anyone. Thus, when a password is lost or forgotten, the existing password will not be retrieved but rather reset to the specific user default.
i. passwords shall be distributed from the password source to the owner in a confidential manner.
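The password acceptability standards above, worked through as an added example (Python, written for this page; it is not code from the policy document or from any CSPC system): it checks a candidate password for minimum length, three of the four character types, and the absence of any part of the Net ID or full name; remembers previous passwords only as salted one-way hashes so that no stored password is retrievable; compares case-sensitively; treats a password older than a year as expired; and handles a lost password by reset rather than retrieval. The history depth, the three-character rule for what counts as "part of" a Net ID or name, the PBKDF2 work factor, and the sample Net ID and name are assumptions, not values from the policy.

```python
import hashlib
import hmac
import os
import re

# Constructed checker for the password standards above. Values marked
# "assumed" are not stated in the policy and are chosen for this example only.
MIN_LENGTH = 8                      # minimum password length is 8 characters
MAX_AGE_SECONDS = 365 * 24 * 3600   # passwords expire every year
HISTORY_DEPTH = 5                   # assumed: how many previous passwords are remembered
MIN_TOKEN_LEN = 3                   # assumed: what counts as "any part" of a name or Net ID
PBKDF2_ITERATIONS = 100_000         # assumed work factor for the one-way hash
SPECIALS = set("!@#$%^&*()_-+=[]{}\\|;:'\",.<>/?~`")


def _char_classes(pw):
    """Which of the four character types the password contains."""
    return {
        "uppercase": any(c.isupper() for c in pw),
        "lowercase": any(c.islower() for c in pw),
        "numeric": any(c.isdigit() for c in pw),
        "special": any(c in SPECIALS for c in pw),
    }


def _tokens(text):
    """Lower-cased alphanumeric fragments of a Net ID or full name (assumed rule)."""
    return {t for t in re.split(r"[^a-z0-9]+", text.lower()) if len(t) >= MIN_TOKEN_LEN}


def check_password(pw, net_id, full_name):
    """Return the list of standards a candidate password violates; empty means acceptable."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = _char_classes(pw)
    if sum(classes.values()) < 3:
        missing = ", ".join(k for k, v in classes.items() if not v)
        problems.append(f"fewer than 3 of 4 character types (missing: {missing})")
    low = pw.lower()  # the "no part of Net ID / name" check is deliberately case-insensitive
    problems += [f"contains part of Net ID ({t!r})" for t in sorted(_tokens(net_id)) if t in low]
    problems += [f"contains part of full name ({t!r})" for t in sorted(_tokens(full_name)) if t in low]
    return problems


def _one_way(pw, salt):
    """Salted PBKDF2-HMAC-SHA256: the stored value cannot be turned back into the password."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class PasswordStore:
    """Keeps only salted one-way hashes, plus the history needed to reject reused passwords."""

    def __init__(self):
        self._records = {}  # net_id -> {"history": [(salt, hash), ...], "set_at": epoch seconds}

    def set_password(self, net_id, full_name, pw, now):
        """Apply the standards and store the new hash; returns the list of violations."""
        problems = check_password(pw, net_id, full_name)
        history = self._records.get(net_id, {}).get("history", [])
        # Reuse check compares against every remembered hash, never against plaintext.
        if any(hmac.compare_digest(_one_way(pw, s), h) for s, h in history):
            problems.append("matches a previous password")
        if problems:
            return problems
        salt = os.urandom(16)
        history = (history + [(salt, _one_way(pw, salt))])[-HISTORY_DEPTH:]
        self._records[net_id] = {"history": history, "set_at": now}
        return []

    def verify(self, net_id, pw, now):
        """Return 'ok', 'expired' or 'denied'. Hash comparison is case sensitive."""
        rec = self._records.get(net_id)
        if rec is None:
            return "denied"
        salt, stored = rec["history"][-1]
        if not hmac.compare_digest(_one_way(pw, salt), stored):
            return "denied"
        if now - rec["set_at"] > MAX_AGE_SECONDS:
            return "expired"
        return "ok"

    def reset(self, net_id, full_name, temporary_pw, now):
        """A lost password is reset, not retrieved. The temporary password is stored
        already expired so the owner must choose a new one at first use."""
        problems = self.set_password(net_id, full_name, temporary_pw, now)
        if not problems:
            self._records[net_id]["set_at"] = now - MAX_AGE_SECONDS - 1
        return problems
```

A "denied" result for a wrong-case password and an "expired" result after a year both come from the same verify path, so an application can force a change without ever seeing the old password; the reset method relies on that by storing the temporary password with an already-expired timestamp.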
The password for the College Net ID must be changed by the owner every year, at a minimum. System owners and custodians may require more frequent password changes based upon risk assessment results. Passwords shall be changeable by their owners at will.
I. Information Systems Acquisition, Development and Maintenance
1. Test functions shall be kept either physically or logically separate from production functions. Copies of production data shall not be used for testing unless all
corresponding development or assurances of security controls. The movement of system components through various life cycle phases shall be tracked and, more specifically, the movement of any software component into production shall be logged.
3. After a new system has been placed into production, all program changes shall be authorized and accepted by the system owner (or the owner's designee) prior to implementation.
4. To the extent practicable, the principle of separation of duties shall be applied to the system development and acquisition life cycle. The developer/maintainer of a component should not also have the ability to place the component into production.
5. Modifications to production data by custodians or developers shall be authorized in advance by the data owner. If advance authorization is not possible in a real or perceived emergency, the owner shall be notified as soon as possible after the fact and the notification logged. The notification log entry shall contain the notification date and time, a description of the data modified, the justification for the modification, and the identities of the owner and the custodian.
J. Information Security Incident Management
1. The ISMO is charged with establishing and maintaining an effective security incident response program to ensure that:
a. security events are thoroughly investigated and documented;
b. immediate damage is minimized, latent risks are identified, and subsequent exposures are mitigated;
c. incident reporting and notification are timely and legally compliant; and
d. remedial actions are taken to prevent recurrence.
As part of the incident response program, the ISMO will develop an Incident Response Procedure (IRP) for responding to incidents that may require notification of impacted parties.
2. The Director of MICT will activate the IRP when, in his or her judgement, sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The response team associated with the IRP will include, at the minimum:
a. the Director of MICT, as the team leader;
b. the owner(s) and custodian(s) of the breached information resource, along with their respective immediate supervisors;
c. the Data Privacy Officer; and
d. the Database Administrator, as members.
To facilitate rapid activation of the IRP, the ISMO shall, to the extent practicable, maintain resources appropriate for use by the team.
3. At the discretion of the Director of MICT, the IRP will be tested annually in a table-top exercise developed by the ISMO. Test results will be evaluated by the participants and the IRP will be modified in response to those evaluations.
4. Except as provided in item b above, information security incident response will be managed by the ISMO and will involve, at a minimum, MICT staff and the owner(s) and custodian(s) of the compromised information resources. The ISMO shall fully document the incident, the investigation itself, and the results of the investigation. A draft incident report will be prepared and shared with the owner(s) and custodian(s) of the compromised resources, their respective immediate supervisors, and the College President.
The draft report's completeness and accuracy will be reviewed in a meeting of the report recipients and modifications noted in that meeting. The final report will be released to all recipients subsequent to the review meeting. If required, the results will be included in the ISMO's report to the MICT Director.
5. The ISMO shall report any incident to the National Privacy Commission within twenty-four (24) hours, and to other entities as may be appropriate to the incident, if the initial incident investigation reveals a critical threat that might propagate beyond the confines of the campus network and threaten other networks.
6. Office heads responsible for delivering critical services should maintain a written Business Continuity Plan (BCP) that provides for continuation or restoration of such services following a disruption in critical information systems, communication systems, utility systems, or other systems. The BCP should incorporate:
a. a business impact analysis that determines the tolerable downtime for critical service delivery components and resources, including: key personnel, facilities, components of electronic information and communication systems (e.g., voice and data network, hardware and software), and vital electronic and hard copy records and materials;
b. to the extent practicable, alternate methods and procedures for accomplishing its program objectives in the absence of one or more of the critical service delivery components;
c. a security risk assessment to weigh the cost of implementing preventive measures against the risk of loss from not taking preventive actions;
d. a recovery strategy assessment that documents realistic recovery alternatives and their estimated costs; and
e. reference to a disaster recovery plan that provides for the continuation or restoration of electronic information and communication systems.
Key aspects of the BCP should be tested at least annually and updated as necessary to assure the plan's continued viability. Results of such tests and exercises should be documented and retained until the end of the current fiscal year, plus three (3) years.
7. The MICT shall prepare and maintain a written and cost-effective Disaster Recovery Plan (DRP) that addresses key infrastructure components in its custody. The plan should provide for the prompt and effective continuation or restoration of critical College information systems and processes if a disaster
