Download: Flyer - Black&White (.PDF 406kb)
                          Course Outline (.PDF 366kb)


THURSDAY, AUGUST 26, 2021 * 1:30PM TO 4:45PM * via Zoom
There are mandated laws, compliance regulations, and penalties that apply when organizations fail to provide the cybersecurity measures needed to control offenses against the confidentiality, integrity and availability of computer data and systems.

This 3-hour SEC-accredited webinar enables the leadership and management of a business enterprise or government institution to fully understand what the law mandates of them when implementing the rules and standards on cybersecurity governance and management.

It features the international standards and frameworks for best-practice information security, so that you can apply the published rules, measures, and policies to control cybercrime and protect your organization from cybersecurity risks.

Enroll, be proactive and compliant, for the benefit of your organization!

Course Director & Lecturer: John Macasio is a trainer and consultant at the Information and Communications Technology Literacy and Competency Development Bureau of the Department of Information and Communications Technology.

He has recently conducted capability building for management and workforce on privacy impact assessment and on the privacy and security management manual with the following organizations, among many others:

   1. Department of Finance and some of its attached agencies
   2. Department of Agriculture – National Meat Inspection Services
   3. Philhealth - Information Security Group
   4. Light Rail Transit Authority
   5. Philippine Fish Port Authority
   6. MAA General Assurance
   7. PHIVIDEC Industrial Authority

He co-authored the United Nations ESCAP/APCICT published guidance on ICT Project Management – Theory and Application. The academy module has been introduced and translated in six (6) countries.

Who Should Attend:

   1. Personal Information Controller (all those who set policies)
      - Business Owners, BODs
      - CEOs, GMs, Administrators
      - HR Leaders
   2. Personal Information Processor (those who process information)
      - Sales People, Agents
      - Record Keepers, Registrars
   3. Data Protection Officer
   4. Compliance Officer for Privacy
   5. IT Directors/IT Managers

Limited Slots Only, Pre-Registration Required

*Training investment is P 3,880, inclusive of an e-certificate and printed learning material

*Optional: Add P450 for a printed copy of the certificate of attendance, inclusive of delivery charge


   Contact Person: Aiza Cuenca
   Telephone: (+632) 8556-8968 or 69



This SEC-accredited executive briefing provides a valid, verifiable, acceptable and actionable understanding of cybersecurity as a critical outcome of good corporate governance.

It identifies, analyzes and applies the published rules and standards that provide a clear, coherent, complete and consistent view of the policies, organization, processes and metrics that enable control of cybercrime and protection of the business enterprise from cybersecurity risks, that is, risks that violate the confidentiality, integrity and availability of digital information assets.

The leadership and management of a business enterprise or government institution have to fully understand their mandated participation and legal liability in the implementation of the rules and standards on cybersecurity governance and management.

A. Why is there a need for cybersecurity?

Cybersecurity is defined as safeguarding the entities associated with people, society, organizations and nations from cyber risks. Cyber risks are associated with threats that exploit vulnerabilities in the computers, networks, storage, and applications that handle digital information, and thereby threaten the safety of entities located in cyberspace. (ISO 27100, 3.2)

A cyber threat is considered a potential cause of an unwanted cybersecurity incident that can harm people, society, an organization or a country residing in the digital environment of networks, services, systems, people, processes and organizations, and traversing the public infrastructure called the Internet. (ISO 27100, 3.6)

Cyber threats are manifested as security incidents in the networked people, processes, data, applications or infrastructure of a business enterprise, and are considered cybercrime.

Cybercrime is identified in R.A. 10175, Cybercrime Protection Act of 2012, as punishable offenses associated with the following (Section 4):

   1. Illegal activities against the confidentiality, integrity and availability of computer data and systems
   2. Computer-related forgery
   3. Computer-related fraud
   4. Computer-related identity theft
   5. Content-related offenses such as cybersex, child pornography and libel
   6. All crimes defined and penalized by the Revised Penal Code, as amended, and special laws, if committed by, through and with the use of information and communications technologies

If the commission of the cybercrime was made possible due to lack of supervision or control by the juridical person or organization, "the juridical person shall be held liable for a fine equivalent to at least double the fines imposable in Section 7 up to a maximum of Five million pesos (PhP5,000,000.00)" (R.A. 10175, Section 9).

Failure in cybersecurity may also result in data loss, a breach or a similar incident that is considered a penalized violation of data privacy as described in Rule VIII of R.A. 10173 – Data Privacy Act of 2012. The fine for a data breach that violates privacy ranges from one hundred thousand pesos to five million pesos, and imprisonment from six months to six years.

The leadership and management of a business enterprise who fail to implement the required security measures have administrative, civil, or criminal liability under the pertinent provisions of the Data Privacy Act of 2012.

"If the offender is a corporation, partnership or any juridical person, the penalty shall be imposed upon the responsible officers, as the case may be, who participated in, or by their gross negligence, allowed the commission of the crime." (R.A. 10173, Section 34)

Cybersecurity is a critical function of leadership and management who do business through cyber. Cyber means a computer or a computer network, the electronic medium on which online communication takes place (R.A. 10175, Section 3(i)).

Cybersecurity is described in R.A. 10175, Section 3(k), as:

"Collection of tools, policies, risk management approaches, actions, training, best practices, assurance and technologies that can be used to protect the cyber environment and organization and user's assets."

Associated with cybersecurity are the security measures to protect personal information described in Chapter V of R.A. 10173 – Data Privacy Act of 2012. It obligates the personal information controller to implement the following:

   1. "Reasonable and appropriate organizational, physical and technical measures intended for the protection of personal information against any accidental or unlawful destruction, alteration and disclosure, as well as against any other unlawful processing" (Section 20(a)).

   2. "Reasonable and appropriate measures to protect personal information against natural dangers such as accidental loss or destruction, and human dangers such as unlawful access, fraudulent misuse, unlawful destruction, alteration and contamination" (Section 20(b)).

The personal information controller of a corporation is identified as a "person or organization that controls the collection, holding, processing or use of personal information, including a person or organization who instructs another person or organization to collect, hold, process, use, transfer or disclose personal information on his or her behalf." The personal information controller is commonly recognized as the governing board, chief executive officer, president, or head of the organization.

B. Why is there a need for cybersecurity governance and management?

B.1 Cybersecurity Framework Requirement for Regulated Entities

The Securities and Exchange Commission has released a draft guidance for regulated entities to establish and maintain a cybersecurity framework. The guidance was posted for public comment on December 16, 2020 on the SEC website. It identifies the practices that must be implemented in order to demonstrate cybersecurity governance.

The guidance has determined and described the cybersecurity functions that a regulated entity must implement in order to control its cybersecurity risks:

   1. Identification - Making the assets and the cyber threats visible; it connects cybersecurity to the enterprise risk management system.
   2. Protection - Adopting security measures and a cybersecurity risk assessment methodology to ensure protection of the enterprise assets critical to the business mandates.
   3. Detection - Maintaining a monitoring system to alert the regulated entity to abnormal patterns of access and other anomalies.
   4. Response - Developing, maintaining and implementing an incident response plan that addresses any breach of cybersecurity.
   5. Recovery - Developing, maintaining and implementing a disaster recovery plan and business continuity plan that integrate cybersecurity risks.

Regulated entities are also given guidance on implementing data protection in accordance with the rules and regulations of R.A. 10173.

B.2 Security Incident Management Requirement of Data Privacy Law

National Privacy Commission Circular 16-03, Guidelines for Personal Data Breach Management, identifies the requirement for the personal information controller to implement policies and procedures to manage security incidents, which include personal data breaches.

The governing body reviews and approves the cybersecurity incident management policy, the corresponding security incident response plan, and the associated resources and costs.

C. What are the governance competencies that enable corporate leadership and management to direct and control cybersecurity implementation in order to protect the business-critical assets associated with people, process, data, application and infrastructure?

1. Cybersecurity Threats and the Regulatory Compliance Context of a Corporation
        a. R.A. 10175 - Cybercrimes
        b. R.A. 10173 - Data Privacy Violations
        c. R.A. 10844 - National Cybersecurity Plan
        d. Draft SEC Guidance on Cybersecurity Framework

2. Cybersecurity and Business Risks Management
        a. Cybersecurity and Enterprise Risk Management
        b. Privacy Impact Assessment

3. Cybersecurity and Enterprise Policy Management
        a. Cybersecurity Functions of a Corporation
        b. Cybersecurity Enterprise Policies and Normative Standards

4. Cybersecurity Organization
        a. Cybersecurity Governance
        b. Chief Information Security Officer Organization

5. Cybersecurity Incident Management
        a. Security Incident Management Framework
        b. Cybersecurity Incident Response and Operation Center
        c. Cybersecurity and Enterprise Disaster Recovery and Business Continuity Plan

D. What is the learning content of the three-hour executive briefing for the governing body and management officers of a business enterprise?

Session 1 (duration: 45 minutes)
   Learning Topic:  Cybersecurity Threats and Enterprise Risk Management
   Learning Output: Assessment of the enterprise cybersecurity risks

Session 2 (duration: 1 hour)
   Learning Topic:  Cybersecurity Policies and Standards
   Learning Output: Cybersecurity control policy requirement

Session 3 (duration: 1 hour)
   Learning Topic:  Security Incident Management and the Chief Information Security Officer Organization
   Learning Output: Cybersecurity incident management policy, plans and organization

Who should attend:

• Personal Information Controller (the decision makers who set policies)
   - Business Owners and Board Directors
   - CEOs/COOs and other C-level Executives
   - GMs, Administrators
   - HR Leaders

• Personal Information Processor (those who process information)
   - HR Managers and Supervisors
   - Business Managers
   - Sales People, Agents
   - Record Keepers, Registrars

• Data Protection Officer
• Compliance Officer for Privacy
• IT Directors, IT Managers
• Business Consultants

This 3-hour training is applicable to all types of business organizations and government institutions.



The Center for Global Best Practices also provides in-house training and offers professional consulting services to help organizations comply with the mandated requirements of the National Privacy Commission.

Contact details for your training or consulting requirements:
(+63 2) 8842-7148 or 59
(+63 2) 8556-8968 or 69

