In 2003, the adoption of the information security management system (ISMS) in the Commission on Elections (COMELEC) was a good start to ensure compliance with the Automated Election System (AES) Law at that time (i.e., RA 8436 of 1997, the predecessor of RA 9369 of 2007). The training conducted at the COMELEC by a German-based professional service provider of ISMS then was an eye-opener for the COMELEC’s en banc, senior staff, and information technology (IT) personnel vis-à-vis AES implementation.
What was the intention of former COMELEC Commissioner Rex Borra in adopting ISMS? His primary concern was compliance with the automation law in conjunction with best practices in securing COMELEC data, including that of election results. I can remember two simple sentences that struck me when he said, “Automation is management too, you know! Only that it is technical!” Aside from being a remarkable lawyer, the good commissioner knows the meaning of the four functions of management: planning, leading, organizing, and controlling.
Information security vis-à-vis data privacy
There is one basic question that anyone can ask to determine whether a private or government organization is secure, that is, secure in terms of information security covering its information systems operations and databases.
What is this basic question? First, consider the following questions, which you might now think of as basic:
1. Does the organization have a firewall system that filters out hackers or viruses that would try to reach its computerized systems over the net?
2. Does the organization have an intrusion prevention system (IPS) that blocks malicious inputs intended to gain control of its computerized systems?
3. Does the organization have a disaster recovery site that it can use to restore its IT operations when its primary data center bogs down?
4. Does the organization have expert IT people managing the computerized information systems?
5. Does the organization use the latest and the best IT equipment?
6. Does the organization have efficient information systems which generate accurate output?
There could be more questions to add to the above list. But are these questions really so basic that they would give you a clue that such an organization is really secure? Nope!
The right question is not technical in nature. It is simply this: Does your organization have an information security policy? If an organization answers “None,” it is definitely not secure, and its computerized systems are vulnerable to information security threats like hacking, thereby compromising data privacy. The questions above become relevant only once the information security policy has been defined.
To illustrate, one good example of a policy statement from https://sitehelpdesk.com/itil/Information_Security_Policy_Statement.pdf goes like this:
“Information security policy statement
Information is an important business asset of significant value to the company and needs to be protected from threats that could potentially disrupt business continuity. This policy has been written to provide a mechanism to establish procedures to protect against security threats and minimize the impact of security incidents.
The Chief Executive has approved the Information Security Policy.
The purpose of this Policy is to protect the company’s information assets from all threats, whether internal or external, deliberate or accidental.
The Policy Scope covers Physical Security and encompasses all forms of Information Security such as data stored on computers, transmitted across networks, printed or written on paper, stored on tapes and diskettes or spoken in conversation or over the telephone.
All managers are directly responsible for implementing the Policy within their business areas, and for adherence by their staff.
It is the responsibility of each employee to adhere to the policy. Disciplinary processes will be applicable in those instances where staff fail to abide by this security policy.
It is the policy of the company to ensure that:
Information will be protected against unauthorized access.
Confidentiality of information is assured.
Integrity of information is maintained.
Regulatory and legislative requirements regarding Intellectual property rights, Data protection and privacy of personal information are met.
Business Continuity plans will be produced, maintained and tested. Staff receive sufficient Information Security training.
All breaches of information security, actual or suspected, are reported and investigated by the Security Policy Review Team.”
By now, one already has an idea of the difference between information security and data privacy. Information security, as defined in Wikipedia, is the practice of preventing unauthorized access, use, disclosure, disruption, modification, inspection, recording or destruction of information; it is a general term that applies regardless of the form the data may take (e.g., electronic, physical). On the other hand, data privacy, also known as information privacy, as defined in https://www.cleverism.com/lexicon/data-privacy/, is the necessity to preserve and protect any personal information collected by an organization from being accessed by a third party; it is the part of information technology that helps an individual or an organization determine what data within a system can be shared with others and what should be restricted.
Hence, when information security is in place, data privacy is safeguarded. That means information security positively influences data privacy.
Question: Does COMELEC have an information security policy?
(To be continued)