Information Security Policy

1. Purpose

This policy ensures the protection of Pitaka’s information assets, covering both centralized e-wallet fiat transactions and decentralized blockchain wallets. It aims to safeguard against unauthorized access and data breaches and to ensure compliance with Philippine regulatory standards.

2. Scope

This policy applies to all employees, contractors, third-party vendors, and any personnel with access to Pitaka systems, including those handling sensitive fiat or blockchain-related data.

3. Policy Framework

3.1 Access Control

- Role-Based Access: Implement the least privilege principle. Only necessary access should be granted based on the user’s role.
- Multi-Factor Authentication (MFA): All users must enable MFA for accessing the Pitaka platform.
- Blockchain Access: Private keys must be stored securely in user-controlled environments and never on centralized servers.

3.2 Data Protection

- Encryption: All sensitive data must be encrypted at rest and in transit using AES-256 and TLS 1.2+ standards.
- Private Key Storage: Private keys should be managed securely, preferably via Hardware Security Modules (HSMs) or secure user hardware wallets.
- Data Classification: Classify data into categories such as Public, Internal, Confidential, and Restricted, with proper handling for each.

3.3 Network Security

- Firewalls and IDS/IPS: Use firewalls and intrusion detection/prevention systems (IDPS) to monitor and filter network traffic.
- VPN: Remote access to Pitaka’s internal systems must occur over a secure VPN.
- Network Segmentation: Segment networks to separate critical systems (e.g., fiat and blockchain processes).

3.4 Incident Response

- Reporting: Report all incidents immediately to the Information Security team.
- Response Plan: A formal incident response plan must be in place to handle breaches and security incidents.
- Backup and Recovery: Regular encrypted backups should be maintained, with tested disaster recovery processes.

3.5 User and Customer Protection

- Customer Awareness: Educate users on identifying phishing attacks and securing their accounts using strong passwords and MFA.
- Anti-Phishing Measures: Implement protections such as email filtering and browser-based anti-phishing alerts.
- Fraud Monitoring: Continuous monitoring should detect potential fraudulent activities in both fiat and blockchain transactions.

3.6 Regulatory Compliance

Pitaka must comply with applicable Philippine laws and international standards, including but not limited to:

- Data Privacy Act of 2012 (RA 10173): Ensures the protection of personal data within the Philippines.
- Anti-Money Laundering Act (AMLA) of 2001 (RA 9160): Compliance with anti-money laundering standards for fiat transactions.
- E-Commerce Act of 2000 (RA 8792): Ensures legality and security for electronic transactions, including blockchain.
- Bangko Sentral ng Pilipinas (BSP) Circular 944: Implements guidelines on virtual currency exchanges and wallets.

3.7 Security Audits and Monitoring

- Penetration Testing: Regular tests to uncover and address security vulnerabilities.
- Continuous Monitoring: Employ real-time monitoring for threat detection.
- Third-Party Audits: Conduct annual security audits by independent firms to verify the strength of Pitaka’s security controls.

3.8 Vendor Management

- Risk Assessments: All third-party service providers must undergo risk assessments to ensure they meet Pitaka’s security standards.
- Service Level Agreements (SLA): SLAs should include provisions for security, audit, and incident response procedures.

3.9 Secure Development and Testing

- Secure Coding: All code must adhere to secure coding standards, including regular reviews and vulnerability testing.
- Environment Separation: Development and testing environments must be isolated from production, with no real data used in non-production systems.

4. Enforcement

Non-compliance with this policy will result in disciplinary action, which may include termination of employment or legal consequences. All personnel must adhere to the provisions set forth to maintain access to Pitaka systems.

5. Policy Review

This policy will be reviewed annually or whenever significant technological, legal, or business changes occur.