General Cybersecurity Best Practices

Purpose:

To provide guidance on maintaining strong cybersecurity hygiene and protecting Pitaka’s systems, data, and users from potential security threats. This policy aims to prevent, detect, and mitigate cybersecurity risks in compliance with relevant Philippine regulations such as the Data Privacy Act of 2012.

Scope:

This policy applies to all Pitaka employees, contractors, third-party service providers, and any other users who have access to Pitaka’s systems and data.

Policy

1. Password and PIN Management:

Users must choose strong and unique PINs for system authentication. PINs must be a minimum of 6 digits and must not be trivially guessable (for example, repeated or sequential digits such as 000000 or 123456). PINs and passwords must not be shared, reused across systems, or written down in easily accessible locations. Two-factor authentication (2FA) should be enabled wherever it is supported to add an additional layer of security. Users must change their PINs and passwords promptly after any suspected security incident or system compromise, and should otherwise update them periodically.

2. Secure Email and Communication Practices:

All communications related to Pitaka business must be conducted through secure channels, such as encrypted email services. Avoid clicking on links or downloading attachments from unknown or suspicious sources. Report any phishing emails or suspicious communications to the IT security team immediately.

3. Device Security:

All devices used to access Pitaka systems must be password or PIN protected, and encryption must be enabled. Automatic lockouts should be set for devices after a period of inactivity. Antivirus software and firewalls should be kept up-to-date on all devices accessing Pitaka systems. Only authorized devices are allowed to access Pitaka systems; the use of personal or unsecured devices is prohibited without prior approval.

4. Software Updates and Patch Management:

All software, including operating systems, applications, and security tools, must be kept up-to-date. Critical security patches must be applied immediately after they are released, especially if they address vulnerabilities that could compromise the system. Employees should avoid using unsupported or outdated software that no longer receives security updates.

5. Data Encryption:

All sensitive data stored on Pitaka systems must be encrypted, both in transit and at rest, to protect it from unauthorized access. Encryption keys must be securely managed, and only authorized personnel should have access to them. Communication between Pitaka users, systems, and third-party providers must use encrypted channels such as HTTPS (TLS) or other secure communication protocols; deprecated protocols such as SSL must not be used.

6. Access Control and Privilege Management:

Access to Pitaka’s systems and data is granted based on the principle of least privilege, ensuring that users only have access to the resources necessary for their roles. Role-based access control (RBAC) will be enforced, with regular reviews of user permissions to ensure appropriateness. Unauthorized access attempts should be logged, monitored, and promptly investigated.

7. Network Security:

Pitaka’s internal and external networks must be segmented and secured using firewalls, VPNs, and intrusion detection/prevention systems. All remote access to Pitaka systems must be conducted over a secure VPN connection. Regular network scans must be performed to identify and address any vulnerabilities or unauthorized devices.

8. Incident Response and Reporting:

Any cybersecurity incident, such as a data breach, malware infection, or unauthorized access, must be reported immediately to the IT security team. An incident response plan will be in place to mitigate damage, investigate the cause, and prevent future occurrences. All incidents should be documented, and users will be informed of any actions they need to take to secure their accounts and data.

9. Security Awareness Training:

All employees and contractors will undergo regular cybersecurity awareness training to understand the best practices for securing systems and data. Training will cover topics such as phishing prevention, secure communication, and the safe use of devices and software. Users will be tested periodically to assess their understanding of cybersecurity practices.

10. Monitoring and Auditing:

Continuous monitoring of Pitaka’s systems, networks, and user activities will be conducted to detect suspicious behavior or security threats. Regular audits will be performed to ensure compliance with cybersecurity policies and best practices. Audit logs must be kept for an appropriate period to support incident investigations and regulatory compliance.

11. Regulatory Compliance:

This policy is aligned with the Data Privacy Act of 2012 and other relevant cybersecurity laws in the Philippines. Pitaka will regularly review and update its cybersecurity practices to remain compliant with changing legal and regulatory environments.

12. Policy Enforcement:

Any violation of this policy will result in disciplinary action, which could include suspension of access, termination of employment, or legal consequences. Violations and incidents will be reviewed by the IT security team, and corrective measures will be implemented to strengthen cybersecurity defenses.