Post Activity Report_Area 2

teamphilhealth www.facebook.com/PhilHealth [email protected] www.youtube.com/teamphilhealth

Republic of the Philippines
PHILIPPINE HEALTH INSURANCE CORPORATION
Citystate Centre, 709 Shaw Boulevard, Pasig City
Call Center (02) 441-7442 Trunkline (02) 441-7444
www.philhealth.gov.ph

NARRATIVE/POST-ACTIVITY REPORT
Information Security Awareness Series for Area II
BSA Twin Towers, Ortigas Center, Mandaluyong City
March 25-26, 2015

I. Introduction

Pursuant to Special Order No. 1553, series of 2014, and in conformity with Office Order No. 0143, series of 2012, entitled “Strengthening of Corporate Information Security through Security Education Training and Awareness (SETA) Program”, the activity served as an avenue to communicate security requirements and provided an opportunity to discuss relevant existing corporate policies and agree on vital concerns regarding the confidentiality, integrity, and availability of Corporate information. It also aimed to improve the participants' knowledge of information security management, each one being an information manager, by inviting expert resource speakers in the fields of information security, the Data Privacy Act of 2012, and the Cybercrime Prevention Act.

The activity was held on March 25-26, 2015 at the BSA Twin Towers, Ortigas Center, Mandaluyong City.

II. In attendance

The event was attended by Regional Vice Presidents (RVPs), Division Chiefs, and LHIO Heads from Area II. Furthermore, President and CEO Alexander A. Padilla also graced the event and imparted an enlightening message as well as the recent Corporate developments in terms of employee benefits. For a complete list of participants, attached is a copy of SO # 453 series of 2015.

III. Event Proper

DAY 1

The event commenced on March 25, 2015 at 9:00AM. Francisco E. Sarmiento III of the InfoSec served as the master of ceremonies and facilitator for the two-day activity. At 9:00AM, a prayer was led by Dr. Cynthia Camacho from PRO NCR-North.

The prayer was immediately followed by the singing of the National Anthem and the PhilHealth Hymn led by Mr. Sarmiento. Afterward, welcome remarks were imparted by AVP Shirley B. Domingo, MD. AVP Domingo took the opportunity to publicize her plans for Area II considering that all the participants were from Area II.


In any event, the most important consideration is the participants. With this, Irene P. Martinez from the InfoSec acknowledged all the participants. After acknowledging and welcoming each other, OIC-SM Ronald Allan C. Pablo presented all about information security including its history, mandate, and others.

A. Introduction to Information Security

Ronald Allan C. Pablo, OIC-Senior Manager of InfoSec, presented all about the Corporate Information Security Department (InfoSec), its history and mandate. Mr. Pablo discussed briefly the what, who, and how of Information Security. Furthermore, he mentioned that the event is just the start of a series of information security awareness undertakings.

B. Data Privacy Act of 2012 and Cybercrime Prevention Act

After Mr. Pablo's presentation, the first speaker, Atty. Wendell Bendoval from the Department of Justice, was introduced by InfoSec Division Chief Annie Rose B. Gaffud. Atty. Bendoval discussed the Cybercrime Prevention Act as well as the Data Privacy Act of 2012. At 12:00PM, the participants had a lunch break and the event resumed at 1:30PM.

At 1:30PM, an open forum ensued. The succeeding table shows the questions/clarifications/issues raised by the participants and the answers/remarks from Atty. Bendoval:

Question/Issue: In terms of national security and public interest, are the following actions justifiable?
1. During Pope Benedict's visit in the Philippines, telecom signals were jammed
2. Wire-tapping
Answer/Remark: Yes. The government is justified for jamming the signals within a specific time only. Taking into consideration the damage that will result from the act, e.g. cellphones can trigger a bomb. With regard to the Garci case, the law shall prevail. The recording of such conversation is not admissible because it violated the anti wire-tapping law. Any conversation should not be recorded without the consent of both parties.

Question/Issue: In the absence of an IRR of the Data Privacy Act, can we use it as a legal basis?
Answer/Remark: Yes. The right to privacy is already embedded in our Constitution. The law is already effective. In the absence of the IRR, there is a Supreme Court issuance, specifically the Writ of Habeas Data, that can be used as a remedy.

Question/Issue: Cybercrime Prevention Act
Answer/Remark: In the absence of an IRR, the law is still effective. In the administrative aspect, the IRR serves only as guidelines to fill in the gaps.

Question/Issue: Are we not violating any law considering that we process transactions using the PMRF without any documentary requirement? (Leniency to attain universal coverage)
Answer/Remark: It is recommended that the identity should be verified.

Question/Issue: What will be the liability of the employee who altered the information considering that the employee complied just with PhilHealth policy
Answer/Remark: The good faith defense can be used as a remedy.

Question/Issue: Request PhilHealth data for researches
Answer/Remark: The general rule is open government. Data should be classified to determine which information can be disclosed or not. If anonymized aggregate data, no restrictions. Re-visit and reiterate Office Order No. 0042, series of 2014.

Question/Issue: Who is the owner of the data that is being submitted to us?
Answer/Remark: In the general principle of open government, since this is where we are heading for, the owner of the shared data should be PhilHealth. The concept of proportionality should be considered. Open data policy, states that all information collected by the government is a government data as long as it's allowed by existing policy is complied. Mr. Pablo mentioned that it was never included in our purpose that the information collected by PhilHealth be shared.

Question/Issue: Data used in politics
Answer/Remark: Let's bear in mind that benefits should redound to our clients.

There being no more issues and concerns addressed to Atty. Bendoval, his discussion ended at 2:00PM.

C. Information Security-Related Policies

Monaliza Toledo, ISA III of the InfoSec, discussed some of the information security-related policies through a game called Jeopardy. The participants were grouped into seven (7) and played the game. The questions included information security-related policies. After the game, the winning group was proclaimed and the questionnaires were discussed by Ms. Toledo, who likewise explained the policies.

Also, Irene Martinez of the InfoSec grouped the participants into four (4) and asked them to answer questions posted at the wall. The questions likewise involved information security-related policies. Upon completion of the game, the group of RVP Paolo Johann Perez was declared the winner. The policies were also discussed afterwards.

There being no other questions related to information security-related policies, day 1 of the activity ended at 4:30PM.

Day 2

On the next day, the activity continued at 9AM. Another resource speaker expert in the field of Information Security was introduced by Mike Gerard Rey C. Pea of the InfoSec.

John I. Macasio is a manager at Redfox Technologies Philippines Incorporated. He leads the group responsible in education technology development, strategic partnership and customer engagement for the company focused on research and development, manufacturing and distribution of innovative technologies of information and communication.

Mr. Macasio underscored that each of the participants is an information security manager. This management has just become complicated due to technology and the network society.
Subsequent paragraphs show some of the topics he discussed:

I. Information Security Essentials - Safety in Workplace

Context of Information Security - Networked Society

In the networked society, information is a shared and stored critical asset for what is created, what is consumed, what is believed, what is recorded, what is known, what is decided, what is acted, and what is reused. Being connected to the networked society means enabling the condition of safety and security in information. The information driven service providers in the networked society are obligated to make safe and secure the person (organization), process, data, application and infrastructure of information.

Amidst the session, a workshop to assess how the participants think and feel on the following indicators was undertaken.

Indicators | Secure | Partially Secure | I do not Know
Data Privacy Access Availability System Integrity Cybercrime

The result of the workshop showed that the majority of the participants agreed that, from among the indicators, they think and feel that they are Partially Secure. Another workshop conducted sought to assess what participants have for security and how they are meant to secure.

Indicators | Fully Known | Partially Known | I do not Know
1. Standards & Policies
2. Physical Facility
3. Access & Identification
4. Data Processing
5. Document Handling
6. Computer Network

While the SETA Program activity such as the one conducted is just a start of a series of awareness undertakings, it was astounding that the participants answered that they Partially Know of the indicators stated above.

Essential Questions of Information Security

What particular procedure that everybody must know to identify the security risk of information?
What particular policy that everybody must know to speak of principles and guidance of assuring confidentiality, availability and integrity in the creation, safekeeping and release of information?
Who is responsible in auditing the compliance of in-house and out-source information systems to the defined information security requirements?
How is the integrity of information validated and verified?
How is the confidential value of information defined and assured?
Who investigates when information is compromised?
What process insures the detection of breach in confidentiality of information?
When do you consider information is misrepresented?

Basic Methods and Tools of Information Security

Layered Approach to Security
Mitigating Information Security Risk
Security Policy Requirement
Information Security Risk Assessment

The session of Mr. Macasio on Information Security ended at 4:30PM.

Closing Remarks

Closing remarks imparted by Mr. Pablo marked the finale of the first run of the Information Security Awareness Series activity of the InfoSec for Area II. Subsequent page contains some of the pictures taken during the event.

Prepared by:
Irene P. Martinez
ISA III, InfoSec

Noted by:
Annie Rose B. Gaffud, Division Chief
Ronald Allan C. Pablo, OIC-SM, InfoSec

PCEO Atty. Alexander A. Padilla imparts his message of inspiration for the attendees
Ronald Allan C. Pablo, OIC-SM of InfoSec presents All About InfoSec
The participants pose for a group picture during the event
John I. Macasio, Resource Speaker, discusses on Information Security in a Networked Society
Atty. Wendell Bendoval of DOJ, Resource Speaker, presents lecture on Data Privacy Act of 2012 and Cybercrime Prevention Act