Session2 Cybersecurity Management Competency Framework

The document discusses cybersecurity competency building and frameworks. It provides details on: 1) The responsibilities of Cybersecurity Officers and CISO teams to establish baselines and knowledge requirements based on national policies and standards. 2) The importance of proper training on cybersecurity rules, standards and laws to prevent cybercrime. 3) Frameworks that can be used to secure systems from threats while protecting assets, including the NIST Cybersecurity Framework. 4) Regulations related to cybersecurity and privacy in the Philippines.

Belief on Cybersecurity Competency Building

The Cybersecurity Officer (CYSO) and CISO team of a government agency or business enterprise have to find their cybersecurity performance baseline and associated knowledge requirement from the identification, analysis, and application of national policies and globally recognized standards of practice.
Get the cybersecurity training right: it must cover the rules and standards implementing R.A. 10844 (the National Cybersecurity Plan and NCERT), the prevention of the cybercrimes listed in R.A. 10175, and the security measures for personal information protection provided by R.A. 10173.
The cybersecurity performance context has three elements:
• Value to Protect (Assets)
• Risk to Mitigate (Threats)
• Controls to Enforce (Governance)
The context diagram places People, Product, Process, Policy and Provider around three recurring considerations:
• Value
• Risk
• Control
We examine the applicable use of established and tested frameworks, methodology, intelligence and technologies to secure the cyberspace of people, process, data, application, connectivity and storage of a government agency or business enterprise against cyber crime and data privacy violations.
We review the valid and verifiable legal, management and technical measures to plan-do-check-act cyber security in accordance with the mandated requirements to implement R.A. 10844, R.A. 10175, R.A. 10173, the Cloud First Policy, BSP IT Risk Management, and the SEC Cyber Security Framework for regulated corporations.
Clear, coherent, complete, and consistent knowledge of laws, rules, and standards secures the proper implementation of cybersecurity and data privacy protection requirements and control activities.
A. Security by Design (SbD)
1. International Organization for Standardization (ISO)
2. National Institute for Standards & Technology (NIST)
3. US Government (HIPAA, FedRAMP, DFARS, FAR & FTC Act)
4. Information Systems Audit and Control Association (ISACA)
5. Cloud Security Alliance (CSA)
6. Center for Internet Security (CIS)
7. Security Control Framework (SCF)
8. Open Web Application Security Project (OWASP)
9. Payment Card Industry Data Security Standard (PCI DSS)
10. European Union General Data Protection Regulation (EU GDPR)
11. European Union Agency for Cybersecurity (ENISA)
12. European Telecommunications Standards Institute (ETSI)
13. International Telecommunication Union (ITU)
14. Cybersecurity Body of Knowledge (Bristol CYBOK)
B. Privacy by Design (PbD)
1. Generally Accepted Privacy Principles (GAPP)
2. AICPA (SOC2)
3. Fair Information Practice Principles (FIPPs)
4. Organization for the Advancement of Structured Information Standards (OASIS)
5. International Organization for Standardization (ISO)
6. National Institute for Standards & Technology (NIST)
7. Information Systems Audit and Control Association (ISACA)
8. European Union General Data Protection Regulation (EU GDPR)
9. US Government (HIPAA & FTC Act)
C. Cybersecurity and Privacy Regulations
1. R.A. 10844 - National Cybersecurity Plan and NCERT
https://dict.gov.ph/wp.../uploads/2016/10/DICT-IRR.pdf...
2. National Cybersecurity Plan of 2022
https://dict.gov.ph/.../2019/07/NCSP2022-rev01Jul2019.pdf
3. National Cybersecurity Plan Implementation Requirements
https://dict.gov.ph/.../03/Dept-Circular-No-003-3062020.pdf
4. CERT and CYSO
https://dict.gov.ph/.../2017/09/Memorandum-Circular-006.pdf
5. Cybersecurity Plan Implementation Standards
https://dict.gov.ph/.../2017/09/Memorandum-Circular-005.pdf
6. Cybersecurity Plan Training
https://dict.gov.ph/.../2017/09/Memorandum-Circular-007.pdf
7. Cybercrime
https://www.officialgazette.gov.ph/.../20150812-IRR-RA...
8. Privacy Violations
https://www.privacy.gov.ph/implementing-rules.../
9. Cloud First Policy Security
https://dict.gov.ph/wp-content/uploads/2020/06/Department_Circular_No_10_Amendments_to_DC_No_2017_002_re_Prescribing.pdf
10. NPC Circular 16-01 – Security of Personal Data in Government Agencies
National Cybersecurity Plan Implementation
Department Circular 003-2020 of the Department of Information and Communications Technology on the implementation of the national cybersecurity plan has prescribed the following cybersecurity requirements:
1. National, Sectoral and Organizational CERT
2. Escalation Protocol
3. Certificate of Cybersecurity Compliance
4. Security Operations Center
5. Vulnerability Assessment and Penetration Testing
6. Annual Risk and Security Assessment
7. National Cyber Drill Exercise
8. Cybersecurity Training
National Cybersecurity Plan Implementation
Memorandum Circular 005-2017 of the Department of Information and Communications Technology on the implementation of the national cybersecurity plan has prescribed the following international standards for adoption:
1. Security controls and management system
1.1 ISO 27001 - Information security management system
1.2 ISO 27002 - Information security controls
2. Risk and vulnerability assessment
2.1 ISO 27000 - Information security concepts and vocabulary
2.2 ISO 31000 - Risk management guidelines
2.3 ISO 27005 - Information security risk management
3. Security assessment
3.1 ISO 19791 - Security assessment of operational systems
Cloud Computing Approach Security
Department Circular 010-2020 on the cloud-first policy has identified the following security requirements for using cloud services technology in government service delivery:
1. Data Security Classification Model
2. International and Local Security Standards
3. Data Residency
4. Data Ownership
Cybersecurity Body of Knowledge (Bristol CYBOK)
https://www.ncsc.gov.uk/blog-post/full-version-of-the-cyber-security-body-of-knowledge-published
Cybersecurity Competency Framework Guide
www.facebook.com/jmlogicconsultancy
[email protected]
+639173297993
Part 2: Cyber Security Risks Management
Question of Understanding
• How to identify, analyze, evaluate, report, and mitigate the cyber security risk?
Normative References of Understanding
• ISO 31000 – Risk Management Guidelines
• ISO 27005 – Information Security Risk Management
• ISO 29134 – Privacy Impact Assessment
• ETSI Information Security Indicators
Common Concept
Information Security Governance Principles (ISO 27014)
1. Establish organization-wide information security
2. Adopt a risk-based approach
3. Set the direction of investment decisions
4. Ensure conformance with internal and external requirements
5. Foster a security-positive environment
6. Review performance in relation to business
Cyber refers to a computer or a computer network, the electronic medium in which online communication takes place. (R.A. 10175)
Critical Infrastructure refers to the computer systems, and/or networks, whether physical or virtual, and/or the computer programs, computer data and/or traffic data that are so vital to this country that the incapacity or destruction of or interference with such system and assets would have a debilitating impact on security, national or economic security, national public health and safety, or any combination of those matters.
Cyber Security refers to the collection of tools, policies, risk management approaches, actions, training, best practices, assurance and technologies that can be used to protect the cyber environment, and organization and user's assets. (R.A. 10175)
Information Security is the preservation of confidentiality, integrity and availability of information. In addition, other properties, such as authenticity, accountability, non-repudiation, and reliability can also be involved. (ISO 27000)
Information Security Event is an identified occurrence of a system, service or network state indicating a possible breach of information security policy or failure of controls, or a previously unknown situation that can be security relevant.
Information Security Incident is a single or a series of unwanted or unexpected information security events that have a significant probability of compromising business operations and threatening information security. (ISO 27000)
Cybercrime is criminal activity where services or applications in the Cyberspace are used for or are the target of a crime, or where the Cyberspace is the source, tool, target, or place of a crime. (ISO 27032)
Vulnerability is an intrinsic property of something resulting in susceptibility to a risk source that can lead to an event with a consequence.
Asset is anything that has value to an individual, an organization or a government. (ISO 27032)
Information asset is knowledge or data that has value to the individual or organization. (ISO 27032)
Risk is the effect of uncertainty on objectives.
• An effect is a deviation from the expected. It can be positive, negative or both, and can address, create or result in opportunities and threats.
• Objectives can have different aspects and categories, and can be applied at different levels.
(ISO 31000)
Risk is usually expressed in terms of risk sources, potential events, their consequences and their likelihood. (ISO 31000)
• Risk Criteria are terms of reference against which the significance of a risk is evaluated.
• Risk criteria are based on organizational objectives, and external and internal context.
• Risk criteria can be derived from standards, laws, policies and other requirements.
(ISO 27005)
• Risk Management is coordinated activities to direct and control an organization with regard to risk. (ISO 31000)
What is management of security risks?
Risk Management Concepts
1. Threat - Any potential danger to the information life cycle.
2. Vulnerability - Any weakness or flaw that may provide an opportunity to a threat agent.
3. Threat Agent - An entity that may act on a vulnerability.
4. Risk - The probability (likelihood) that a threat agent exploits a discovered vulnerability, and the severity (impact) of harm the threat may create.
5. Exposure - An instance of being compromised by a threat agent.
6. Treatment - An administrative, legal, physical, operational, and technical remedy, mitigation, countermeasure or safeguard against the
Risk Management Process involves the systematic application of policies, procedures and practices to the activities of communicating and consulting, establishing the context and assessing, treating, monitoring, reviewing, recording and reporting risk. (ISO 31000)
Risk Management Process (diagram)
Risk Assessment Concept (ISO 31000)
1. Risk identification - Applying risk identification tools and techniques, the organization should identify risk sources, areas of impact, events and causes, and their potential consequences.
2. Risk analysis - It involves developing an understanding of the risk: considering the causes and risk sources, their positive and negative consequences, and the likelihood that those consequences can occur. It provides the input to risk evaluation and to the decision on whether risks need to be treated and on the most appropriate risk treatment strategies and methods.
3. Risk evaluation - It assists in decision making about which risks need treatment and the priority for treatment implementation.
4. Risk treatment - It determines, describes, documents and demonstrates the risk treatment options. The selected action to remedy the evaluated impact of the risks must be based on the outcome of the risk assessment and the expected cost of implementing and benefiting from the available options.
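The four assessment steps above, together with the risk management concepts (risk as likelihood times severity, treatment as the chosen remedy), carried through as a small risk register in Python. This is an added example, not material from the deck; the five-point rating scales, the risk criteria thresholds, the treatment wording and the sample register entries are constructed assumptions, while the asset, cybercrime, ETSI indicator and CIS control names are taken from the slides.

```python
from dataclasses import dataclass

# Five-point rating scales and the risk criteria below are constructed for
# this example; an organization derives its own from objectives and context.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
# Risk criteria: (minimum score, level), checked from most to least severe.
RISK_CRITERIA = ((20, "critical"), (12, "high"), (6, "medium"), (0, "low"))
# Treatment option per level (assumed wording; options are avoid, mitigate,
# transfer, accept).
TREATMENT = {
    "critical": "avoid or mitigate before go-live",
    "high": "mitigate with the listed controls",
    "medium": "mitigate or transfer (e.g. insurance)",
    "low": "accept and monitor",
}

@dataclass
class Risk:
    asset: str            # value to protect (asset category from the deck)
    threat: str           # cybercrime from the R.A. 10175 list (source of threat)
    vulnerability: str    # exploited weakness, named by its ETSI ISI indicator
    likelihood: str       # probability the threat agent exploits the vulnerability
    impact: str           # severity of harm if it does
    controls: tuple       # CIS control numbers proposed as remedy/treatment

    def score(self) -> int:
        # Risk = likelihood x severity, as defined in the risk management concepts.
        try:
            return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]
        except KeyError as exc:
            raise ValueError(f"unknown rating {exc} for {self.asset!r}") from None

def evaluate(score: int) -> str:
    """Risk evaluation: compare the analysed score against the risk criteria."""
    return next(level for floor, level in RISK_CRITERIA if score >= floor)

def build_register(risks: list) -> list:
    """Identify -> analyse -> evaluate -> treat; rows come back in priority order."""
    rows = []
    for r in risks:
        score = r.score()
        level = evaluate(score)
        rows.append({"asset": r.asset, "threat": r.threat, "vulnerability": r.vulnerability,
                     "score": score, "level": level, "treatment": TREATMENT[level],
                     "controls": r.controls})
    return sorted(rows, key=lambda row: row["score"], reverse=True)

# Constructed sample entries; names come from the deck, ratings are assumed.
SAMPLE_RISKS = [
    Risk("Information (personal data)", "Illegal access",
         "Non-patched or poorly patched vulnerability exploitation", "likely", "severe", (3, 14)),
    Risk("Software (application program)", "Data interference",
         "Configuration vulnerability exploitation", "possible", "major", (5, 18)),
    Risk("Hardware (devices)", "Misuse of device",
         "Loss or theft of mobile device", "possible", "moderate", (1, 13)),
    Risk("Reputation (brand name)", "Cyber-squatting",
         "Website forgery", "unlikely", "minor", (7,)),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE_RISKS):
        print(f"{row['score']:>2} {row['level']:<8} {row['asset']:<32} -> {row['treatment']}")
```

The register is the filled-in form of the assessment worksheet later in the deck: one row per cybercrime against an asset, with the evaluated level driving which treatment option and which controls are proposed.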
Content Review of the Standard
Information Security Risks Management (ISO 27005)
Cyber Asset
Stakeholders: Consumer, Provider, Regulators
Asset - Artifacts:
1. Information - Personal data, Financial data
2. Reputation - Brand name
3. Software - Application program
4. Hardware - Devices, Network
5. Services - CRM, ERP
6. People - Skills
Cyber Asset
Stakeholders: Consumer, Provider, Regulators
Asset - Artifacts:
1. Personal - Mobile phone, Personal data
2. Organizational - Reputation, Authority
3. Physical - Facilities
4. Virtual - Bitcoins, Digital records
Cyber Crime Against Information Security
1. Illegal Access
2. Illegal Interception
3. Data Interference
4. System Interference
5. Misuse of Devices
6. Forgery
7. Fraud
8. Identity Theft
9. Cyber Squatting
10. Libel
ct: imprisonment and fines – Cyber Crime Prevention Law of 2012
Systems to watch to be involved in breaches (SANS Survey)
• Business applications (e.g., Web apps, line-of-business systems) and services (e.g., email, file sharing) in the cloud
• Corporate-owned laptops, smartphones, tablets and other mobile devices
• Internal network (on-premises) devices and systems
• Business-related databases hosted locally
• Corporate data center servers hosted locally (on-premises)
• Employee-owned computers, laptops, tablets and smartphones (BYOD)
• Business-related databases in the cloud
• Unapproved systems (shadow IT), applications or services hosted locally
• Corporate data center servers hosted in the public cloud (e.g., Azure or Amazon EC2)
• Unapproved systems (shadow IT), applications or services hosted in the cloud
• Employee social media accounts
• Embedded, or non-PC devices, such as media and entertainment boxes, printers, smart cards, connected control systems, etc.
• Business-related social media accounts or platforms
Security Threat Incidents and Controls

Violation/Threat (Cyber Crime Prevention Law - R.A. 10175)
1. Illegal access
2. Illegal interception
3. Data interference
4. System interference
5. Misuse of device
6. Fraud
7. Forgery
8. Identity Theft
9. Cyber-squatting
10. Libel

Vulnerability/Exploitation (ETSI ISG ISI)
1. Website Forgery
2. Spam
3. Phishing
4. Intrusion
5. Website Defacement
6. Misappropriation of Resources
7. Denial of Service
8. Malware
9. Physical Intrusion
10. Malfunction
11. Loss or theft of mobile device
12. Trace Malfunction
13. Internal Deviant Behavior
14. Rights or Privileges Usurpation or Abuse
15. Unauthorized access to servers through remote access points
16. Illicit Access to Internet
17. Deactivating of Logs Recording
18. Non-patched or poorly patched vulnerability exploitation
19. Configuration vulnerability exploitation
20. Security incidents on non-inventoried and/or not managed assets

Control Measures (CIS Security Controls)
1. Inventory and Control of Hardware Assets
2. Inventory and Control of Software Assets
3. Continuous Vulnerability Management
4. Controlled Use of Administrative Privileges
5. Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
6. Maintenance, Monitoring and Analysis of Audit Logs
7. Email and Web Browser Protections
8. Malware Defenses
9. Limitation and Control of Network Ports, Protocols and Services
10. Data Recovery Capabilities
11. Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
12. Boundary Defense
13. Data Protection
14. Controlled Access Based on the Need to Know
15. Wireless Access Control
16. Account Monitoring and Control
17. Implement a Security Awareness and Training Program
18. Application Software Security
19. Incident Response and Management
20. Penetration Tests and Red Team Exercises
Cyber Threat
Review of ETSI Security Incident Indicators
1. Website Forgery
2. Spam
3. Phishing
4. Intrusion
5. Website Defacement
6. Misappropriation of Resources
7. Denial of Service
8. Malware
9. Physical Intrusion
10. Malfunction
11. Loss or theft of mobile device
12. Trace Malfunction
13. Internal Deviant Behavior
14. Rights or Privileges Usurpation or Abuse
15. Unauthorized access to servers through remote access points
16. Illicit Access to Internet
17. Deactivating of Logs Recording
18. Non-patched or poorly patched vulnerability exploitation
19. Configuration vulnerability exploitation
20. Security incidents on non-inventoried and/or not managed assets
Cyber Security Risks Assessment (worksheet)
Columns: Asset | Source of Threat | Kind of Threat
Assets to assess:
1. Information
2. Reputation
3. Software
4. Hardware
5. Services
6. People

Cyber Security Risks Assessment (worksheet)
Columns: Asset | Source of Threat | Kind of Threat
Assets to assess:
1. Personal
2. Organization
3. Physical
4. Virtual
Cyber Security Risks Assessment (worksheet)
Asset:
Columns: Cybercrime | Source of Security Threat | Exploited Vulnerabilities | Impact | Probability | Remedy/Treatment
Cybercrimes to assess:
1. Illegal Access
2. Illegal Interception
3. Data Interference
4. System Interference
5. Misuse of Device
6. Computer Fraud
7. Computer Forgery
• http://ce.sharif.edu/courses/95-96/2/ce746-1/resources/root/Resources/ISO-IEC%2027005-2011-Risk%20Management.pdf
