[ BIR MEMORANDUM ORDER NO. 44-98, May 22, 1998 ]
SECURITY REQUIREMENTS IN THE TECHNICAL COMPUTING ENVIRONMENT
I. Objectives
This Order is being issued to:
1. Develop personnel awareness of the security requirements of the Bureau relative to the technical computing environment and of the consequences involved when said requirements are not met.
2. Set the guidelines for reporting and evaluating cases of security violations.
3. Set the policies for the imposition of sanctions in such cases.
4. Prescribe the areas from which security violation(s) may arise.
II. Definition of Terms
In order to have a common understanding of the provisions of this Order, the following are hereby defined:
Security Breach/Violation: refers to non-compliance with the set policies and guidelines as embodied in the Physical Security Manual.
Gravity of Offense: refers to the seriousness of an offense, which is classified as Grave, Less Grave or Light.
Technical Sanction: penalties to be imposed, including any of the following: suspension/deletion of account, change of assignment, etc.
Functional Sanction: penalties to be imposed pursuant to Executive Order No. 292 (Civil Service Law) and its implementing rules and regulations, such as suspension of personnel, dismissal from the service, etc. Such cases are usually coursed through the Internal Affairs Service.
1. Any act which has an adverse effect on any of the following areas is considered a security breach/violation:
1.1 Hardware
1.2 Software
1.3 Data
1.4 Network
1.5 Operating System
1.6 Printed Data
1.7 Computer Media
1.8 Computing Environment
2. Each Head of Office is required to designate a Security Officer who shall monitor strict implementation of the set security guidelines.
3. Non-compliance with the set policies and guidelines embodied in the Security Manual (refer to Annex A) constitutes a security violation which shall be reported immediately by the Security Officer to the ACIR of the Information Planning & Quality Service (IPQS) who, upon receipt of the reported violation(s), shall:
3.1 Ask for a written explanation from the respondent.
3.2 Request that the Security and Access Committee (SAC) be convened in order to determine the gravity and the nature of the violation committed and the corresponding penalty (whether technical or functional sanctions) to be imposed, based on the initial reports as well as the respondent's explanation.
4. The Security and Access Committee shall:
4.1 Classify the violation committed based on the list of the nature of offenses stated above.
4.2 Determine the severity of any known violation and recommend the corresponding sanctions as stated above.
4.3 Be guided by the policies set forth in Executive Order No. 292 (Civil Service Law) and its implementing rules and regulations:
4.3.1 Only one penalty shall be imposed for each case. "Each case" means one administrative case, which may involve one or more charges or counts.
4.3.2 In the determination of penalties to be imposed, mitigating and aggravating circumstances may be considered. The fact that an offender is IT personnel will be considered an aggravating circumstance.
4.3.3 If the respondent is found guilty of two or more charges or counts, the penalty imposed should be that corresponding to the most serious charge or count, and the rest may be considered as aggravating circumstances.
4.3.4 The second or third offense committed need not be the same offense previously committed, but may be any offense of the same classification.
5. The action of the SAC shall subsequently be elevated to the ACIR of the Internal Affairs Service (IAS) for appropriate action.
6. Infractions are classified into Grave, Less Grave and Light Offenses. Their corresponding penalties, pursuant to Executive Order No. 292 and its implementing Rules and Regulations, are:
6.1 GRAVE OFFENSES:
NATURE OF OFFENSE | SANCTION, 1st offense | SANCTION, 2nd offense | SANCTION, 3rd offense
Gross neglect of duty | Dismissal | |
e.g. unsecured superuser and other powerful accounts
Grave misconduct | Dismissal | |
e.g.
- installation of unauthorized software
- unauthorized copying of BIR software
- unauthorized physical access to machines (PCs and servers) holding applications or data
- unauthorized access to external storage media (tape cartridges, floppy disks, etc.)
- adding an unauthorized PC to the network
- unauthorized user access to other BIR offices
- unauthorized access to the Operating System
- unauthorized access to the Integrated Tax System
- unauthorized access to sensitive data in the database
- unauthorized access to printed output from the database (reports, correspondence, etc.)
- unauthorized users gaining access to the system via logged-in workstations
Falsification of official document | Dismissal | |
e.g.
- tampering with Operating System files
- unauthorized tampering with applications, or alteration of text files (reports, correspondence, etc.) created or used by other applications
- tampering with database structures and permissions
- tampering with database records by unscrupulous users
Receiving for personal use of a fee, gift or other valuable thing in the course of official duties or in connection therewith, when such fee, gift or other valuable thing is given by any person in the hope or expectation of receiving a favor or better treatment than that accorded to other persons, or committing acts punishable under the anti-graft laws | Dismissal | |
e.g. connivance with technical personnel to get their desired results
Disclosing or misusing confidential or classified information officially known to him by reason of his office and not made available to the public, to further his private interests or give undue advantage to anyone, or to prejudice the public interest | Suspension for six (6) months and one (1) day to one (1) year | Dismissal |
Directly or indirectly having financial and material interest in any transaction requiring the approval of his office (financial and material interest is defined as a pecuniary or proprietary interest by which a person will gain or lose something) | Suspension for six (6) months and one (1) day to one (1) year | Dismissal |
Conduct grossly prejudicial to the best interest of the service | Suspension for six (6) months and one (1) day to one (1) year | Dismissal |
e.g. theft of technical handbooks
6.2 LESS GRAVE OFFENSES:
NATURE OF OFFENSE | SANCTION, 1st offense | SANCTION, 2nd offense
Simple misconduct | Suspension for one (1) month and one (1) day to six (6) months | Dismissal
e.g.
- unauthorized access to communication links
- dissemination of false information
6.3 LIGHT OFFENSES:
NATURE OF OFFENSE | SANCTION, 1st offense | SANCTION, 2nd offense | SANCTION, 3rd offense
Violation of reasonable rules and regulations | Written reprimand, to be included in the respondent's 201 file | Suspension for one (1) to thirty (30) days | Dismissal
e.g.
- mislabeling of tapes
- loading of virus-infected files into the network environment
- unauthorized access to technical manuals
This Order takes effect immediately and shall apply to all types of security violations.
Adopted: 22 May 1998
Commissioner of Internal Revenue