
Republic of the Philippines

PHILIPPINE HEALTH INSURANCE CORPORATION


Citystate Centre, 709 Shaw Boulevard, Pasig City
Call Center (02) 441-7442 Trunkline (02) 441-7444
www.philhealth.gov.ph

NARRATIVE/POST-ACTIVITY REPORT
Information Security Awareness Series for Area II
BSA Twin Towers, Ortigas Center, Mandaluyong City
March 25-26, 2015

I. Introduction
Pursuant to Special Order No. 1553, series of 2014, and in conformity with Office Order No.
0143, series of 2012, entitled Strengthening of Corporate Information Security through Security
Education Training and Awareness (SETA) Program, the activity served as an avenue to
communicate security requirements and provided an opportunity to discuss relevant
existing corporate policies and agree on vital concerns regarding the confidentiality,
integrity, and availability of Corporate information. It also aimed to capacitate the
participants in improving their knowledge of information security management, each
one being an information manager, by inviting expert resource speakers in the
fields of information security, the Data Privacy Act of 2012, and the Cybercrime Prevention Act.
The activity was held on March 25-26, 2015 at the BSA Twin Towers, Ortigas Center,
Mandaluyong City.
II. In attendance
The event was attended by Regional Vice Presidents (RVPs), Division Chiefs, and
LHIO Heads from Area II. Furthermore, President and CEO Alexander A. Padilla also
graced the event and imparted an enlightening message as well as the recent Corporate
developments in terms of employee benefits. For a complete list of participants,
attached is a copy of SO # 453 series of 2015.
III. Event Proper
DAY 1
The event commenced on March 25, 2015 at 9:00AM. Francisco E. Sarmiento III of
the InfoSec served as the master of ceremonies and facilitator for the two-day activity. At
9:00AM, a prayer was led by Dr. Cynthia Camacho from PRO NCR-North.
The prayer was immediately followed by the singing of the National Anthem and the
PhilHealth Hymn led by Mr. Sarmiento.
Afterward, welcome remarks were imparted by AVP Shirley B. Domingo, MD. AVP
Domingo took the opportunity to publicize her plans for Area II considering that all
the participants were from Area II.

teamphilhealth

www.facebook.com/PhilHealth

www.youtube.com/teamphilhealth

actioncenter@philhealth.gov.ph

In any event, the most important consideration is the participants. With this, Irene P.
Martinez from the InfoSec acknowledged all the participants. After the participants were
acknowledged and had welcomed each other, OIC-SM Ronald Allan C. Pablo presented all about
information security including its history, mandate, and others.
A. Introduction to Information Security
Ronald Allan C. Pablo, OIC-Senior Manager of InfoSec, presented all about the
Corporate Information Security Department (InfoSec), its history and mandate.
Mr. Pablo discussed briefly the what, who, and how of Information Security.
Furthermore, he mentioned that the event is just a start of a series of information
security awareness undertakings.
B. Data Privacy Act of 2012 and Cybercrime Prevention Act
After Mr. Pablo's presentation, the first speaker, Atty. Wendell Bendoval from the
Department of Justice, was introduced by InfoSec Division Chief, Annie Rose B.
Gaffud. Atty. Bendoval discussed the Cybercrime Prevention Act as well as the
Data Privacy Act of 2012. At 12:00PM, the participants had a lunch break and the
event resumed at 1:30PM.
At 1:30PM, an open forum ensued.
The questions, clarifications, and issues raised by the participants, with the
answers and remarks from Atty. Bendoval, are listed below:

Question/Issue: In terms of national security and public interest, are the following actions justifiable?
1. During Pope Benedict's visit in the Philippines, telecom signals were jammed
Answer/Remarks: Yes. The government is justified in jamming the signals within a specific time only, taking into consideration the damage that will result from the act, e.g. cellphones can trigger a bomb.

2. Wire-tapping
Answer/Remarks: With regard to the Garci case, the law shall prevail. The recording of such conversation is not admissible because it violated the anti-wire-tapping law. No conversation should be recorded without the consent of both parties.

Question/Issue: In the absence of an IRR of the Data Privacy Act, can we use it as a legal basis?
Answer/Remarks: Yes. The right to privacy is already embedded in our Constitution. The law is already effective. In the absence of the IRR, there is a Supreme Court issuance, specifically the Writ of Habeas Data, that can be used as a remedy.

Question/Issue: Cybercrime Prevention Act
Answer/Remarks: In the absence of an IRR, the law is still effective. In the administrative aspect, the IRR serves only as guidelines to fill in the gaps.

Question/Issue: Are we not violating any law considering that we process transactions using the PMRF without any documentary requirement? (Leniency to attain universal coverage)
Answer/Remarks: It is recommended that the identity should be verified.


Question/Issue: What will be the liability of the employee who altered the information, considering that the employee just complied with PhilHealth policy?
Answer/Remarks: The good faith defense can be used as a remedy.

Question/Issue: Request PhilHealth data for researches
Answer/Remarks: The general rule is open government. Data should be classified to determine which information can be disclosed or not.

Question/Issue: Who is the owner of the data that is being submitted to us?
Answer/Remarks: If anonymized aggregate data, no restrictions. Revisit and reiterate Office Order No. 0042, series of 2014. In the general principle of open government, since this is where we are heading, the owner of the shared data should be PhilHealth. The concept of proportionality should be considered. The open data policy states that all information collected by the government is government data as long as it is allowed by existing policy and the policy is complied with.

Question/Issue: Data used in politics
Answer/Remarks: Mr. Pablo mentioned that it was never included in our purpose that the information collected by PhilHealth be shared. Let's bear in mind that benefits should redound to our clients.

There being no more issues and concerns addressed to Atty. Bendoval, his
discussion ended at 2:00PM.
C. Information Security-Related Policies
Monaliza Toledo, ISA III of the InfoSec, discussed some of the information security-related
policies through a game called Jeopardy. The participants were divided
into seven (7) groups and played the game. The questions covered information security-related
policies. After the game, the winning group was proclaimed and the
questionnaires were discussed by Ms. Toledo, who likewise explained the policies.
Also, Irene Martinez of the InfoSec grouped the participants into four (4) and asked
them to answer questions posted on the wall. The questions likewise involved
information security-related policies. Upon completion of the game, the group of RVP
Paolo Johann Perez was declared the winner. The policies were also discussed
afterwards.

There being no other questions related to information security-related policies, day 1 of
the activity ended at 4:30PM.


Day 2
On the next day, the activity continued at 9AM. Another resource speaker, an expert in the field
of Information Security, was introduced by Mike Gerard Rey C. Peña of the InfoSec.
John I. Macasio is a manager at Redfox Technologies Philippines Incorporated. He leads the
group responsible for education technology development, strategic partnership and customer
engagement for the company, which is focused on research and development, manufacturing and
distribution of innovative technologies of information and communication.
Mr. Macasio underscored that each of the participants is an information security manager. This
management has just become complicated due to technology and the networked society.
The following paragraphs show some of the topics he discussed:
I. Information Security Essentials - Safety in Workplace

Context of Information Security- Networked Society


In the networked society, information is a shared and stored critical asset for
what is created, what is consumed, what is believed, what is recorded, what is
known, what is decided, what is acted, and what is reused. Being connected to the
networked society means enabling the condition of safety and security in
information. The information driven service providers in the networked society are
obligated to make safe and secure the person (organization), process, data,
application and infrastructure of information.
Amidst the session, a workshop to assess how the participants think and feel on the following
indicators was undertaken.
Indicators: Data Privacy; Access Availability; System Integrity; Cybercrime
Response options: Secure; Partially Secure; I do not Know
The result of the workshop showed that the majority of the participants think and feel
that they are Partially Secure on the indicators. Another workshop
was conducted to assess what the participants have for security and how they are meant to
secure it.


Indicators:
1. Standards & Policies
2. Physical Facility
3. Access & Identification
4. Data Processing
5. Document Handling
6. Computer Network
Response options: Fully Known; Partially Known; I do not Know
While the SETA Program activity such as the one conducted is just the start of a
series of awareness undertakings, it was astounding that the participants answered
that they Partially Know the indicators stated above.
Essential Questions of Information Security
What particular procedure must everybody know to identify the security risk of information?
What particular policy must everybody know to speak of the principles and guidance of assuring confidentiality, availability and integrity in the creation, safekeeping and release of information?
Who is responsible for auditing the compliance of in-house and outsourced information systems with the defined information security requirements?
How is the integrity of information validated and verified?
How is the confidential value of information defined and assured?
Who investigates when information is compromised?
What process ensures the detection of a breach in the confidentiality of information?
When do you consider information to be misrepresented?
Basic Methods and Tools of Information Security
Layered Approach to Security
Mitigating Information Security Risk
Security Policy Requirement
Information Security Risk Assessment
The session of Mr. Macasio on Information Security ended at 4:30PM.


Closing Remarks
Closing remarks by Mr. Pablo marked the finale of the first run of the Information
Security Awareness Series activity of the InfoSec for Area II.
The subsequent page contains some of the pictures taken during the event.

Prepared by:
Irene P. Martinez
ISA III, InfoSec

Noted by:
Annie Rose B. Gaffud
Division Chief

Ronald Allan C. Pablo
OIC-SM, InfoSec

PCEO Atty. Alexander A. Padilla imparts his message of inspiration for the attendees

Ronald Allan C. Pablo, OIC-SM of InfoSec, presents All About InfoSec

The participants pose for a group picture during the event

Atty. Wendell Bendoval of DOJ, Resource Speaker, presents lecture on Data Privacy Act
of 2012 and Cybercrime Prevention Act

John I. Macasio, Resource Speaker, discusses Information Security in a Networked Society
