
DATA PROCESSING SYSTEM CONFORMITY TEST TO RULES AND STANDARDS

Name of Filing System, Automation, or Technology Service:
Assessment Date:
Statutory, Regulatory and Agreement Basis of the Business Process:
Assessor:
Data Subject:
Data Subject Country:
Personal Data Requirement:

1. Personal Information Controller:
2. Personal Information Processor:
3. 3rd Party of Data Share:
4. Compliance Officer:
5. Business Process Owner:
6. IT Services Security Management:

1. Technology Use: Manual or Automated
2. Sourcing: In-Source, Out-Source, Offshore, or Mixed
3. Location: On-Premise, On-Cloud, or Hybrid
4. Service Agreement Reference:
5. Project Management:
PERSONAL DATA PROCESSING RULES AND REGULATIONS (RA 10173)

Regulated Process:
1. Collection
2. Processing
3. Retention
4. Sharing
5. Disposal

Data Processing System Function:
1. Data capturing
2. Data use
3. Data storage
4. Data disclosure
5. Data transfer
6. Data deletion

Event or Privacy Right Indicators:
1. Right to be informed
2. Right to give consent
3. Right to access
4. Right to object
5. Right to rectify
6. Right to erase or block
7. Right to data portability
8. Right to complaint
9. Right to claim damages

Privacy Principles Indicators:
1. General privacy principles
2. Principles of transparency, legitimate purpose and proportionality
3. Principles in collection, processing, and retention
4. Principles for data sharing

Lawful Processing Indicators:
1. Consent
2. Contractual Agreement
3. Legal Obligation
4. Vitally Important Interest
5. National Emergency
6. Public Order and Safety
7. Constitutional or Statutory Mandate
8. Legitimate Interest

PRACTICE STANDARDS

ISO 29100 / ISO 29151 Privacy Controls:
1. Consent and choice
2. Purpose legitimacy and specification
3. Collection limitation
4. Data minimization
5. Use, retention and disclosure limitation
6. Accuracy and quality
7. Openness, transparency and notice
8. Individual participation and access
9. Accountability
10. Information security
11. Privacy compliance

ISO 27001 Annex A or ISO 27002 Security Controls:
1. Policy
2. Organization
3. Human Resource
4. Asset Management
5. Access Control
6. Cryptography
7. Physical and Environment Security
8. Operations Security
9. Communications Security
10. System Acquisition, Development
11. Supplier Relationship
12. Incident Management
13. Business Continuity
14. Compliance
PRIVACY AND SECURITY RISKS IDENTIFICATION, ANALYSIS AND EVALUATION

Threat List (Dangers)

Privacy Related Threats:
[] Unauthorized processing
[] Negligence in access
[] Improper disposal
[] Unauthorized purpose
[] Unauthorized access
[] Intentional breach
[] Concealed breach
[] Malicious disclosure
[] Unauthorized disclosure
[] Combination of unwanted act

Security Related Threats:
[] Illegal access
[] Illegal interception
[] Data interference
[] System interference
[] Misuse of device
[] Fraud
[] Forgery
[] Identity Theft

Vulnerability List (Weaknesses)
[] No compliance officer
[] No published privacy and security policies
[] No maintained registry of data processing system
[] No privacy impact assessment
[] No privacy management program
[] No privacy and security capability training of management and personnel
[] No data privacy standards
[] No information security standards
[] Undermined data privacy right processes
[] Non application of privacy principles, lawful criteria, and exclusion principles in the designed and operated filing system, automation program and technology services of personal information and sensitive personal information collection, processing, retention, sharing and disposal
[] No end-to-end security measures to prevent or react to security incidents caused by failure in the organizational, physical and technical privacy and security controls
[] Non observance of privacy and security control requirements in IT project management and service operation
[] Non observance of privacy and security requirements in the supplier relationship and service level agreement
[] Non compliance to cyber security threat notices and guidance
[] Lack of threat intelligence coming from the security and privacy ecosystem of knowledge and solution

Impact List (Negative Effect)
[] Penalty
[] Imprisonment
[] Business closure
[] Negative image
[] Destroyed facility
[] Lost customer
[] Lost data
[] Lost revenue
[] Lost partnership
[] Lost opportunity

Impact Scale:
1. Negligible
2. Limited
3. Significant
4. Maximum

Probability Scale:
5. Unlikely
6. Possible
7. Likely
8. Almost Certain

Remediation Priority Scale:
[2] High – Not acceptable risk – requires immediate prevention or response. The impact and probability scales are vulnerability items rated 4 & 3.
[1] Low – Acceptable risks – requires monitoring action. The impact and probability scales are vulnerability items rated 2 & 1.
RISKS FROM UNDERMINED SECURITY MEASURES OF R.A. 10173 IMPLEMENTATION RULES

Columns: # | Risk Criteria | Risk Control | Risk Threat (Violation) | Vulnerability (Weakness) | Impact (Effect) | Probability (Likelihood)

1. Organizational (IRR - Rule VI, Section 26)
   Risk Control:
   1. Compliance Officer
   2. Data Protection Policies
   3. Records of Processing Activities
   4. Processing of Personal Data
   5. Personal Information Processor Contracts
   Risk Threat (Violation):
   - Malicious breach
   - Intentional breach
   Vulnerability (Weakness):
   - Absence of data privacy rights processes
   - Non-monitoring of personal data processing
   - No Processor Contract
   Impact (Effect): 1. Negligible, 2. Limited, 3. Significant, 4. Maximum
   Probability (Likelihood): 1. Unlikely, 2. Possible, 3. Likely, 4. Almost Certain

2. Physical (IRR - Rule VI, Section 27)
   Risk Control:
   1. Policies and Procedures on Limited Physical Access
   2. Security Design of Office Space and Room
   3. Person Duties, Responsibility and Schedule
   4. Policies on transfer, removal, disposal, and re-use of electronic media
   5. Prevention policies against mechanical destruction of files and equipment
   6. Security features against natural disasters, power disturbances, external access, and other similar threats
   Risk Threat (Violation):
   - Illegal disposal
   Vulnerability (Weakness):
   - Office workspace is not security and privacy by design
   - No fireproofing of data store location information

3. Technical (IRR - Rule VI, Section 28)
   Risk Control:
   - Security policy in processing personal data
   - Safeguards to protect computer network against unlawful, illegitimate, and destructive activities
   - Confidentiality, integrity, availability, and resilience of the processing systems and services
   - Vulnerability assessment and regular monitoring for security breaches
   - Ability to restore the availability and access to personal data
   - Regularly testing, assessing, and evaluating the effectiveness of security measures
   - Encryption of personal data during storage and while in transit, authentication process
   Risk Threat (Violation):
   - Illegal access
