IT 311
Information Assurance & Security 2
Prepared by: Ms. Sherryl Ann A. Casusi
Course Description
▪ This course's topics include leading practices for information security and
assurance governance and risk management; network architecture and design of
systems to maximize assurance; business continuity, disaster recovery planning,
resiliency; data privacy risks and laws; understanding legal, investigation,
information security incident response and management processes; and
developing secure application software.
Introduction to Information Security and Assurance
What is Information Security and Assurance?
▪ Information Security (InfoSec) - The practice of protecting information from unauthorized access, use, disclosure, modification, disruption, or destruction.
▪ Information Assurance (IA) - Ensures that information systems are available, reliable, and secure for authorized users.
CIA Triad
Additional Security Objectives
▪ Authentication
▪ Authorization
▪ Non-repudiation
▪ Accountability
The Philippine Cyber Threat Landscape
Common Threats in the Philippines
▪ Phishing
▪ Ransomware
▪ Data breaches
▪ Online scams
▪ Website defacements
Philippine Case Studies
COMELEC Data Breach (2016) – Over 55 million voters' data leaked ("Comeleak")
What Happened?
• March 27, 2016: COMELEC website was defaced by a hacker group claiming to be
from Anonymous Philippines, demanding better election security.
• March 31, 2016: A hacker (LulzSec Pilipinas) posted a link to a leaked database
containing millions of Filipino voter records.
• April 4, 2016: COMELEC confirmed the breach and launched an investigation.
• April 20, 2016: The NBI arrested a suspect linked to the attack.
• August 12, 2016: The DOJ indicted the suspect, a 23-year-old IT graduate.
• March 29, 2018: The suspect was convicted under the Cybercrime Prevention
Act and sentenced to up to six years in prison.
Sensitive Data Exposed
▪ Full names
▪ Addresses
▪ Birth dates
▪ Passport numbers
▪ Fingerprint records
▪ Email addresses
This information was made publicly accessible through a website called "wehaveyourdata.com".
Technical Weaknesses
▪ Attack method: SQL injection
▪ Website built with outdated Joomla CMS
▪ Weak passwords
▪ No data encryption or strong security controls
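The first weakness listed above, SQL injection, comes from building a query by pasting user input into the SQL text. The following is an added teaching example (not code from the COMELEC system or from these slides) that puts the vulnerable pattern next to its hardened form, a parameterized query, using an in-memory SQLite table with constructed sample rows. The table, column names and sample values are invented for the demonstration.

```python
import sqlite3

# Constructed sample data (not from any real system): a tiny in-memory table
# standing in for a web application's user store.
SAMPLE_USERS = [
    ("alice", "Cebu City"),
    ("bob", "Quezon City"),
    ("carol", "Davao City"),
]


def make_db():
    """Create an in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, city TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, username):
    """Vulnerable form: the SQL statement is built by string concatenation.

    The user-supplied value becomes part of the SQL grammar, so a value that
    contains quote characters changes the query instead of being compared as data.
    """
    sql = "SELECT username, city FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Hardened form: a parameterized query.

    The statement and the value travel separately; whatever the value contains,
    the database can only ever compare it against the column.
    """
    sql = "SELECT username, city FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    """Run both lookups with the same inputs and report how many rows each returns."""
    conn = make_db()
    # A value no legitimate user name would contain; it is a tautology in SQL.
    unexpected = "' OR '1'='1"
    return {
        "vulnerable_rows": len(lookup_vulnerable(conn, unexpected)),
        "safe_rows": len(lookup_safe(conn, unexpected)),
        "safe_normal": lookup_safe(conn, "alice"),
    }


if __name__ == "__main__":
    print(demo())
```

With the same input, the concatenated query matches every row in the table while the parameterized query matches none; an application should also validate input and apply least-privilege database accounts, but parameterization is the control that removes the injection itself.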
Perpetrators
▪ Paul Biteng (23-year-old IT graduate)
▪ Joenel de Asis (23-year-old Computer Science graduate)
Initial Denial
“There was no sensitive information
leaked.”
Challenging the Narrative
“Experts fear identity theft, scams due to
Comelec leak”
What Was Actually Leaked?
• More than 55 million voter records were exposed.
• 1.3 million passport numbers, and 15.8 million records with fingerprint data
were part of the dump.
• The breach did in fact include sensitive and private information, despite
COMELEC’s earlier statements.
PhilHealth Ransomware Attack (2023) – Disruption of healthcare operations; patient records exposed
What Happened?
▪ On September 22, 2023, PhilHealth was hit by Medusa ransomware
▪ Systems encrypted; operations disrupted
▪ Hackers demanded $300,000 ransom
Impact on Operations
▪ Website, member portal, and claims system shut down
▪ Frontline services stalled
▪ Employee workstations also infected
Data Breach
▪ Over 734 GB of personal data leaked
▪ Names, addresses, birthdates, PhilHealth IDs
▪ Data posted on dark web & Telegram
▪ Public concern over identity theft
Investigation and Response
▪ National Privacy Commission (NPC) launched an investigation
▪ PhilHealth claimed its core database was safe, but many files were compromised
▪ NPC probing for possible Data Privacy Act violations
DICT & Government Website Defacements
DICT’s Response to Persistent Cyberattacks
▪ DICT Secretary Ivan John Uy addressed the situation in January 2025.
▪ The DICT confirmed that there has been an increase in cyberattacks, especially
with the upcoming 2025 midterm elections.
▪ DICT works proactively to defend government systems against daily attacks and
is monitoring potential vulnerabilities across government websites.
Local Cybersecurity Response
National Cybersecurity Plan by DICT
Cybercrime Prevention Act of 2012 (RA 10175)
▪ The Cybercrime Prevention Act of 2012, also known as Republic Act No.
10175, is a law in the Philippines that aims to combat and prevent crimes
committed through the use of computers and other digital technologies. It is a
key piece of legislation designed to address the growing issue of cybercrime
and provide legal frameworks for the protection of digital spaces.
Data Privacy Act of 2012 (RA 10173)
▪ The Data Privacy Act of 2012 (Republic Act No. 10173) is a law in the
Philippines designed to protect an individual’s personal data and privacy in the
face of growing digital information usage. It provides the legal framework for how
personal information should be collected, processed, and stored, ensuring that
individuals' privacy rights are respected.
Information Security Governance and Risk Management
Information Security Governance
▪ Information security governance
refers to the formalized policies,
procedures, and leadership structures
used by organizations to ensure data
protection, regulatory compliance, and
cyber resiliency, aligned with national
standards like the Data Privacy Act
(RA 10173) and the National
Cybersecurity Plan 2022 (NCSP).
Goals of Information Security Governance
▪ Protect Personal Data
▪ Follow Government Guidelines
▪ Define Who Is Responsible
▪ Get Ready for Cyber Threats
▪ Meet Legal Requirements
Governance Roles in Philippine Organizations
Role | Description | Philippine Context
Top Management (Board, Executives) | Oversees and funds cybersecurity programs | Required to designate a Data Protection Officer (DPO) under RA 10173
Chief Information Security Officer (CISO) | Develops and enforces security strategy | Often a shared or outsourced role in SMEs
Data Protection Officer (DPO) | Ensures compliance with the Data Privacy Act | Mandatory under NPC guidelines
DICT (Gov't) | Policy-making, national cybersecurity coordination | Issues security guidelines and operates NCERT (National Computer Emergency Response Team)
National Privacy Commission (NPC) | Regulator for privacy compliance | Investigates data breaches and enforces RA 10173
Features of Good Governance
▪ Leadership involvement – Top managers must support and fund security
initiatives.
▪ Security policies – Written rules about how to protect information.
▪ Defined roles – Everyone, from managers to staff, knows what they are
responsible for.
▪ Compliance – Following legal requirements, especially RA 10173.
▪ Continuous improvement – Updating practices as threats evolve.
Government Support & Frameworks
National Cybersecurity Plan (NCSP) 2022
• Focuses on protecting Critical Information Infrastructure (CII), including
energy, healthcare, banking, and government.
• Promotes public-private partnerships, awareness campaigns, and skills
development.
DICT Cybersecurity Frameworks
• Minimum Information Security Standards (MISS)
• Security Incident Management Guidelines
• PKI (Public Key Infrastructure) for secure digital signatures
Risk
▪ Risk refers to the likelihood that a
threat will exploit a vulnerability in
a system, leading to negative
consequences—such as financial
loss, legal issues, reputational
damage, or operational failure.
▪ It’s not just about bad things
happening—it’s about
understanding what could go
wrong, how likely it is, and how
serious the consequences would
be.
Risk = Threat × Vulnerability × Impact
Types of Risk
Type | Description | Example
Strategic Risk | Risk that affects long-term goals | A school loses trust due to repeated data breaches
Operational Risk | Disruption in daily activities | Malware shuts down payroll systems
Compliance Risk | Violation of laws or regulations | Failing to report a breach to NPC under RA 10173
Reputational Risk | Damage to public trust | Customers stop using a service after a leak
Financial Risk | Loss of money | Paying a ransom or facing legal penalties
EXAMPLE
Scenario:
▪ A private university in Cebu City stores students’ personal data (names,
addresses, grades, ID numbers) in an internal web-based system. However, the
system uses outdated software and doesn’t require strong passwords. One day,
an unauthorized user accesses student data and posts it online.
Asset: Student personal information (protected under RA 10173)
Threat: Cybercriminals, or even a curious student who knows basic hacking
Vulnerability: Outdated system, no multi-factor authentication, weak passwords
Impact: Violation of the Data Privacy Act (RA 10173), possible investigation by the National Privacy Commission, loss of trust from students and parents, reputational damage, and financial penalties
So, What’s the Risk?
There is a high risk that student data will be exposed due to poor
system security, which can lead to legal consequences and
reputational damage for the university.
Risk Management
▪ Risk management is the
systematic process of
identifying, assessing, and
addressing risks to an
organization’s information systems.
In the Philippines, this must be
done in a way that aligns with local
laws and industry-specific
threats.
Risk Management Life Cycle
Risk Identification
▪ Assets (e.g., customer databases,
eHealth systems)
▪ Threats (e.g., ransomware, phishing,
insider leaks)
▪ Vulnerabilities (e.g., outdated software,
lack of encryption)
Risk Assessment
▪ Qualitative: Classify risk levels
(e.g., High, Medium, Low)
▪ Quantitative: Estimate ₱-value
impact (rare in PH, but growing in
adoption)
Risk Treatment Options
▪ Mitigate: Apply controls (e.g.,
firewalls, encryption, security
training)
▪ Avoid: Discontinue high-risk
activities
▪ Transfer: Use cyber insurance,
outsource to vendors
▪ Accept: If risk is low or cost to fix is
too high
Monitor & Review
▪ Regularly update risk
registers
▪ Conduct internal
audits and NPC
compliance checks
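The four life-cycle steps above (identify, assess, treat, monitor and review) can be carried through in a small risk register. The following is an added example, not part of the slides, that scores each entry with the slide's formula Risk = Threat × Vulnerability × Impact, classifies it qualitatively, attaches a quantitative ₱ estimate, picks one of the four treatment options, and re-scores an entry after a control is applied. The 1-5 scales, the High/Medium/Low thresholds, the treatment decision rule, and all peso figures are assumptions made for the example; the entries are constructed from the Cebu university scenario and the Risk Identification examples.

```python
from dataclasses import dataclass, replace
from typing import Optional

# Assumed 1-5 ordinal scale for each factor of Risk = Threat x Vulnerability x Impact,
# so the product ranges from 1 to 125. The thresholds are assumptions for this example.
HIGH_THRESHOLD = 60
MEDIUM_THRESHOLD = 20


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    vulnerability: str
    threat_score: int          # likelihood/capability of the threat (1-5)
    vulnerability_score: int   # how exposed the asset is (1-5)
    impact_score: int          # severity of the consequences (1-5)
    expected_loss_php: float   # constructed quantitative estimate, in pesos

    def score(self) -> int:
        """Risk = Threat x Vulnerability x Impact."""
        return self.threat_score * self.vulnerability_score * self.impact_score


def qualitative_level(score: int) -> str:
    """Qualitative assessment: map the numeric product onto High/Medium/Low."""
    if score >= HIGH_THRESHOLD:
        return "High"
    if score >= MEDIUM_THRESHOLD:
        return "Medium"
    return "Low"


def recommend_treatment(risk: Risk, control_cost_php: Optional[float]) -> str:
    """Choose among the slide's four options with an assumed decision rule:
    Accept a Low risk; Avoid a High risk that has no available control;
    Transfer when the control costs more than the expected loss; otherwise Mitigate."""
    level = qualitative_level(risk.score())
    if level == "Low":
        return "Accept"
    if control_cost_php is None:
        return "Avoid" if level == "High" else "Accept"
    if control_cost_php > risk.expected_loss_php:
        return "Transfer"
    return "Mitigate"


# Constructed register: (risk, estimated cost of the candidate control in pesos).
# Scores and peso amounts are invented for illustration.
REGISTER = [
    (Risk("Student records portal", "Outsider or curious student gains access",
          "Outdated software, weak passwords, no MFA", 4, 5, 5, 2_000_000), 350_000),
    (Risk("eHealth system", "Ransomware", "No offline backups", 4, 3, 5, 1_500_000), 2_500_000),
    (Risk("Internal memo archive", "Insider leak", "Broad read access", 2, 2, 2, 50_000), 20_000),
]


def assess_register(register=REGISTER):
    """Assessment and treatment steps: score, classify and recommend for every entry."""
    rows = []
    for risk, control_cost in register:
        rows.append({
            "asset": risk.asset,
            "score": risk.score(),
            "level": qualitative_level(risk.score()),
            "treatment": recommend_treatment(risk, control_cost),
        })
    return rows


def reassess_after_control(risk: Risk, new_vulnerability_score: int) -> dict:
    """Monitor & review step: after a control is applied, re-score the entry
    with its reduced exposure so the register reflects the residual risk."""
    updated = replace(risk, vulnerability_score=new_vulnerability_score)
    return {"asset": updated.asset, "score": updated.score(),
            "level": qualitative_level(updated.score())}


if __name__ == "__main__":
    for row in assess_register():
        print(row)
    # Patching and enforcing MFA on the portal lowers its exposure from 5 to 2.
    print(reassess_after_control(REGISTER[0][0], 2))
```

The portal entry scores 100 (High) and is cheap enough to fix, so it is mitigated; the eHealth entry also scores High but its control costs more than the expected loss, so the rule recommends transferring it (insurance or a vendor); the memo archive is Low and accepted. After the portal's controls land, the review step drops it to 40 (Medium), which is the kind of update an internal audit or NPC compliance check would expect to see recorded.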
Risk Management Standards and Guidance
Standard | Description | PH Relevance
ISO/IEC 27005 | Provides a structured approach to information security risk management | Used by larger PH organizations (e.g., banks, telcos)
NIST RMF | US framework, adopted in global firms including PH branches | Common in BPOs and multinational firms
NPC Advisory Opinions | Provide localized compliance guidance | Important for schools, hospitals, LGUs, SMEs
Common Risks in Philippine Sectors
Sector | Threats | Real Incidents
Healthcare | Data breaches, ransomware, privacy leaks | PhilHealth ransomware attack (2023)
Government | Web defacements, data leaks, hacktivism | COMELEC breach (2016) – personal data of 55M voters leaked
Banking/Finance | Phishing, SIM swap fraud, malware | BDO/UnionBank scam (2021)
Education | Weak security controls, data loss | Student data exposed due to unprotected portals