Republic of the Philippines


NATIONAL POLICE COMMISSION
NATIONAL HEADQUARTERS, PHILIPPINE NATIONAL POLICE
DIRECTORATE FOR INFORMATION AND COMMUNICATIONS TECHNOLOGY MANAGEMENT
Camp BGen Rafael T Crame, Quezon City

DICTM
NOV 01 im
Standard Operating Procedure
Number 2023-01

Technical Security Measures in Safeguarding Data

1. REFERENCES:
a. Republic Act No. 10173 “Data Privacy Act of 2012” and its Implementing Rules and Regulations;

b. National Privacy Commission (NPC) Circular 16-01 “Security of Personal Data in Government Agencies”;

c. Memorandum Circular No. 2021-179 entitled, “Privacy Management Program Guidelines and Procedures in Compliance with Data Privacy Act of 2012”; and

d. ISO/IEC 27701:2019 entitled “Privacy Information Management System (PIMS).”

2. BACKGROUND:

In an era dominated by digital technologies and data-driven operations, these measures play a crucial role in safeguarding the confidentiality, integrity, and availability of sensitive information. The evolution of technical security measures has been driven by the need to protect against a wide range of cyber threats, ensuring that the PNP and individuals can operate securely in the digital landscape. The rapid expansion of data, coupled with the rising complexity of Data Processing Systems (DPS), underscores the paramount importance of prioritizing data security.

3. PURPOSE:

The purpose of this SOP is to provide a comprehensive framework for personal information controllers and processors to establish robust technical security measures, ensuring the protection, integrity, and confidentiality of personal data throughout its processing lifecycle.

4. SCOPE:

This SOP shall be mandatorily implemented in all data processing systems being maintained and managed by the PNP.

Ref. No. DICTM (D)-231030-0243

5. DEFINITION OF TERMS:

For purpose of this SOP, the following terms are defined as follows:

a. Access Control - A fundamental component of data security that regulates who can access and use an organization’s information and resources;

b. Access Log - A record of activities and interactions related to accessing and using a resource or service;

c. Anti-Virus - A type of security software designed to protect computers and other devices from malicious software or malware;

d. Audit Log - Concise records that capture and document activities, events, and changes within a system or network. They serve as a chronological trail of actions performed by users, applications, or system processes;

e. Backup - A copy of data or files that is created and stored separately from the original source;

f. Compliance to Privacy Officer (CPO) - A crucial aspect of the organization’s effort to ensure compliance with applicable laws and regulations for the protection of data privacy and security under the direct supervision of the Data Protection Officer;

g. Data - Raw, unprocessed information or facts that are typically in the form of numbers, text, images, audio, or other formats. Data is the foundation upon which computer systems operate and make decisions;

h. Data Breach Response Team (DBRT) - A group of information technology and cybersecurity experts responsible for handling and mitigating the impact of a data breach;

i. Data Protection Officer (DPO) - A designated role or position within an organization responsible for overseeing data protection and privacy matters and ensuring compliance with data protection laws and regulations;

j. Data Privacy Team (DPT) - A group of individuals responsible for managing and ensuring compliance with data privacy practices and regulations. It formulates a privacy manual and measures to prevent or minimize the occurrence of breaches or security incidents and implements data privacy and protection measures;

k. Encryption - A method by which information is converted into a secret code that hides the information's true meaning;


l. Firewall - A network security device or software application that is designed to monitor and control incoming and outgoing network traffic based on predetermined security rules. Firewalls act as a barrier between a trusted internal network and an untrusted external network to protect against unauthorized access, data breaches, malware, and other cyber threats;

m. Network Security - Set of techniques that protects the usability and integrity of the organization's infrastructure by preventing the entry or proliferation within the network of potential threats;

n. Network Traffic - Amount of data moving across a network at any given time;

o. Patch Management - Systematic notification, identification, deployment, installation, and verification of operating system and application software code revisions;

p. Personal Information Controller (PIC) - A person who controls the collection, holding, processing or use of personal information, including a person or organization who instructs another person to collect, hold, process, use, transfer or disclose personal information on his or her behalf;

q. Personal Information Processor (PIP) - Any natural or juridical person qualified to act as such under the DPA to whom a personal information controller may outsource the processing of personal data pertaining to a data subject;

r. Personally Identifiable Information (PII) - Any data that can be used to identify or distinguish an individual;

s. Secure Socket Layer (SSL) - A cryptographic protocol used to authenticate internet connections and enable data encryption and decryption for network communication;

t. Security Audit - Independent review and examination of a system, the system's records, and activities to determine the adequacy of system controls, ensure compliance with established security policy and procedures, detect breaches in security services and recommend any changes that are indicative for countermeasures;

u. Technical Controls - Hardware and software components that protect a system against cyberattacks; and

v. Transport Layer Security (TLS) - A cryptographic protocol that protects internet communications.


6. TECHNICAL SECURITY MEASURES

The following are the basic technical security measures in reference to the IRR of RA No. 10173 that must be implemented in all PNP Data Processing Systems (DPS):

a. The use of anti-virus and anti-malware software which are designed to detect, prevent, and remove malicious software that could damage the network and/or steal data.

b. The organization shall encrypt all sensitive data in storage and in transit using approved encryption algorithms. Encryption is an essential component of data security that involves encoding data to prevent unauthorized access.

Using any of the following encryption methods will ensure the safeguarding of sensitive data, preventing unauthorized access especially during transmission over public networks:

1) Symmetric Encryption. Type of encryption where a single key is used to both encrypt and decrypt the data. This key must be kept secret from anyone who should not have access to the data;

2) Asymmetric Encryption. Also known as public key encryption, uses two separate keys, a public key for encryption and a private key for decryption. The public key can be shared freely with anyone who wants to encrypt data, but the private key must be kept secret;

3) Transport Layer Security/Secure Socket Layer (TLS/SSL). Protocols that provide secure communication over the internet. They use a combination of symmetric and asymmetric encryption to secure data transmission between clients and servers;

4) Pretty Good Privacy (PGP). It is a data encryption program used for email and file encryption. It employs both symmetric and asymmetric encryption to provide secure data transmission;

5) Disk Encryption. It is the process of encrypting the entire hard drive to prevent unauthorized access to the data on the drive; and

6) File/Folder Encryption. It is the process of encrypting individual files or folders to ensure that only authorized users can access them.

c. Use of a long, easy-to-remember, and strong password with a minimum of 12 characters and a combination of letters, numbers, and symbols, and periodic change of the password.

Creation of a password security policy for all Data Processing Systems (DPS): password complexity, minimum length, password expiration, trigger password history, and automatic account lockout for multiple attempts to prevent brute force attack;

d. Passphrase. It is a sequence of words or a longer, more complex phrase used for authentication, data encryption, or security purposes. It is often longer and includes a combination of words, numbers, and special characters, making it more resilient to brute-force attacks and easier for users to remember;

e. Multifactor Authentication (MFA). Also known as two-factor authentication (2FA), is a security process that requires users to provide two or more distinct authentication factors before granting access to a system, application, or account. The goal of MFA is to enhance security by adding a layer of verification beyond the traditional username and password combination;

f. Implement network security to prevent unauthorized access to internal systems such as but not limited to:

1) Intrusion Detection/Prevention Systems (IDS/IPS). These are network security devices that detect and prevent unauthorized access, attacks, and intrusion attempts by analyzing network traffic;

2) Virtual Private Network (VPN). It provides a secure connection over the internet between two devices, allowing users to access a private network remotely;

3) Virtual Local Area Network (VLAN). A network technology that allows network administrators to logically divide a physical network into multiple isolated virtual networks. Each VLAN operates as if it were a separate physical network, even though devices in different VLANs may be physically connected to the same network infrastructure. VLANs are primarily used for segmentation, security, and traffic management within a larger network; and

4) Access Control. Set of policies and procedures that control access to the network and its resources, ensuring that only authorized users have access to resources.

g. The organization shall implement a monitoring and logging process to track access to data and information systems. This shall include the collection and analysis of audit logs and event data.


The following steps will ensure that the organization has a comprehensive monitoring and logging process to effectively track access to data and information systems and quickly detect any unauthorized access:

1) Define Audit Requirements. Identify the data and information systems that require monitoring as well as the audit requirements for each system, including which users require access, access rights for each user, and events that need to be monitored;

2) Define Security Audit Policies. Develop security audit policies and procedures that detail events to be audited, how often auditing will occur, and the data to be collected;

3) Implement a monitoring system that can track all events and activities in the system, from the user login events to database changes and network traffic;

4) Configure the monitoring system to continuously track all system events and activities, generate alerts when suspicious activities are detected, and provide a dashboard of real-time monitoring and status updates;

5) Collect all relevant log data from the system and securely retain logs for a defined retention period;

6) Analyze log data and system monitoring alerts to identify any unauthorized access to data or information systems;

7) Analyze identified breaches and communicate the appropriate actions to be taken. Respond to breaches by blocking or isolating any unauthorized access to prevent further data leakage or compromise;

8) Regularly review and update the monitoring and logging processes to ensure that they remain aligned with changes to the system and the risk profile of the organization; and

9) Each log must contain information such as but not limited to the time the request was received, the client’s IP address, latencies, request paths and server responses.

h. Regular and frequent backups of the organization's data shall be undertaken by creating a regular schedule of backups, and disaster recovery plans shall be in place to ensure that data can be restored in case of disaster:

1) Identify all critical data and resources, such as databases, applications, users' files, and system configuration to include Business Continuity Plan and Disaster Recovery Plan;


2) Conduct a risk assessment to understand the potential risks and threats to the data and resources and prioritize them based on their criticality;

3) Develop a backup strategy that outlines the frequency of backup, retention period, backup location and backup method. It is important to review and update the backup strategy to ensure it remains effective and capable of meeting the changing needs of the organization;

4) Implement reliable backup technology, such as hardware appliances, software solutions, cloud services, or hybrid data backup solutions based on the size and complexity of the ICT environment;

5) Test and validate the backup solution to ensure it is effective and reliable in case of disaster recovery;

6) Implement server virtualization to create virtual copies of the production environment, making it easier to restore data and resources in case of disaster;

7) Store backup copies offsite to prevent loss of data and resources in the event of physical disaster; and

8) Train personnel about the importance of backups and how to perform data restoration in the event of disaster.

i. To ensure that software remains secure, reliable, and up to date, providing users with a better experience and reducing the risk of potential vulnerabilities and issues, concerned offices/units must implement a patch management program to ensure that all systems and software are up to date with the latest security patches. Patch Management is a critical part of IT security.

Implement the following patch management practices that will ensure the organization's systems and software security and will protect from known vulnerabilities and reduce the risk of security incidents:

1) Establish a patch management plan that outlines the processes and procedures for keeping systems and software up to date with the latest security patches;

2) Maintain an inventory of all systems and software in the organization to ensure that all assets are accounted for and patched appropriately;

3) Prioritize patches based on the severity, criticality, and potential impact on the organization;


4) Test patches thoroughly before deploying them in a production environment to ensure that they are compatible with existing systems and software;

5) Use automated tools and processes to streamline the patch management process and reduce the risk of human error;

6) Monitor when latest updates or patches become available for critical systems and software used in the organization; and

7) Enforce patch compliance by ensuring that all systems and software are up to date with the latest security patches.

j. Conduct Vulnerability Assessment and Penetration Testing as needed for all information systems in coordination with ITMS and ACG;

k. Implement Rule-Based Access Control (RBAC) to ensure access is granted to authorized users only;

l. Time-Based Access Control (TBAC) to ensure that access to sensitive data may only be granted during business hours; and

m. Other security measures can be implemented as needed.
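
Item g(9) above lists the fields every log entry must carry. One way to audit logs for that requirement, as an added example that is not part of the SOP: it assumes JSON-lines access logs with hypothetical field names (`time`, `client_ip`, `latency_ms`, `path`, `status`), and the sample records are constructed.

```python
import ipaddress
import json
from datetime import datetime

# Hypothetical names for: time received, client IP, latency, path, response.
REQUIRED = ("time", "client_ip", "latency_ms", "path", "status")


def check_record(rec):
    """Return the list of problems found in one parsed log record."""
    problems = [f"missing {f}" for f in REQUIRED if rec.get(f) in (None, "")]
    has = lambda f: f"missing {f}" not in problems
    if has("time"):
        try:
            datetime.fromisoformat(rec["time"])
        except (TypeError, ValueError):
            problems.append("time is not ISO 8601")
    if has("client_ip"):
        try:
            ipaddress.ip_address(rec["client_ip"])
        except ValueError:
            problems.append("client_ip is not an IP address")
    lat, status = rec.get("latency_ms"), rec.get("status")
    if has("latency_ms") and (type(lat) not in (int, float) or lat < 0):
        problems.append("latency_ms is not a non-negative number")
    if has("status") and (type(status) is not int or not 100 <= status <= 599):
        problems.append("status is not an HTTP status code")
    return problems


def audit(lines):
    """Map 1-based line number to problems, for non-compliant lines only."""
    findings = {}
    for n, line in enumerate(lines, 1):
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            rec = None
        problems = check_record(rec) if isinstance(rec, dict) else ["not a JSON object"]
        if problems:
            findings[n] = problems
    return findings


# Constructed sample records, not taken from any real system.
SAMPLE = [
    '{"time": "2023-11-01T08:15:02+08:00", "client_ip": "10.20.3.44", "latency_ms": 37, "path": "/records/view", "status": 200}',
    '{"time": "2023-11-01T08:15:09+08:00", "client_ip": "10.20.3.44", "path": "/records/export", "status": 403}',
    '{"time": "01/11/2023 08:16", "client_ip": "unknown", "latency_ms": 12, "path": "/login", "status": 401}',
    "connection reset by peer",
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Lines that fail the check are the ones that cannot support the analysis steps in g(6) and g(7), so they are worth fixing at the log source rather than filtering out downstream.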

5. RESPONSIBILITIES

a. Compliance to Privacy Officer (CPO) - responsible for safeguarding the organization's data assets and ensuring implementation of the security controls and procedures outlined in this SOP;

b. Data Privacy Team (DPT) - responsible for implementing and maintaining the technical security controls outlined in this SOP and for the technical implementation and configurations of all Technical Security measures;

c. Personal Information Controller (PIC) - responsible for ensuring the implementation of appropriate technical security measures to protect their respective assets; and

d. Personal Information Processor (PIP) - responsible for following the security measures and procedures outlined in this SOP.

6. SANCTIONS:

Any personnel who shall violate, intentionally or negligently, the prescribed guidelines and procedures of this SOP shall be held administratively liable and shall be meted the appropriate sanction in accordance with NAPOLCOM Memorandum Circular No. 2016-002, as the case may be.


7. REPEALING CLAUSE:

All policies in conformity with this SOP are hereby rescinded.

8. TRAINING AND AWARENESS:

Personnel handling sensitive data and information systems shall undergo regular training and awareness seminars on data security, confidentiality, and privacy. Offices/units shall provide regular training and awareness programs to all personnel, especially those personnel handling sensitive data and information systems, on data security, confidentiality, and privacy.

9. REVIEW:

This SOP shall be reviewed annually or when there are significant changes to the organization’s information security environment.

10. EFFECTIVITY:

This SOP shall take effect immediately upon approval.

BERNARD M BANAC
Police Major General
TDICTM

Distribution:
IG, IAS
Cmdr, APCs
D-Staff
P-Staff
D, NSUs
RD, PROs

Copy furnished:
Command Group
SPA to SILG
