🛡️ ISO/IEC 27001 & 27002 – The Guide to ISMS and Security Controls
If Marvel has the Avengers guarding Earth, the cybersecurity world has ISO/IEC 27001 & 27002: the OG standards for making sure your Information Security Management System (ISMS) can't be cracked just like that by cyber villains.
📜 What Is ISO/IEC 27001?
Think of 27001 as the master plan for your whole security strategy; it's the Professor X of the ISMS.
It sets the framework for how an org establishes, maintains, and improves information security.
It covers:
📋 Policies & Objectives – the rules everyone follows
🔄 Continuous Improvement – because in security, nothing stays safe forever
🚨 Risk Assessment – find the weak spots before the enemy does
🛠️ And What Is ISO/IEC 27002?
If 27001 is the plan, 27002 is the weapons manual.
This is where you find the list of security controls and best practices, like the X-Men Danger Room training guide.
It covers:
🔑 Access Control – so nobody just strolls into the X-Mansion (a.k.a. your system)
🗂️ Cryptography – like an invisibility cloak for your data
🏢 Physical Security – because sometimes the enemy is right outside your door
🕹️ Real-World Example
Imagine a FinTech company with an online banking app.
Using 27001, they set a policy that all customer data is encrypted and protected by multi-factor authentication.
Using 27002, they implement specific controls such as AES-256 encryption and regular vulnerability scans.
Result: even if Magneto himself attempts a data breach, he walks away with nothing.
📌 Why Does This Matter?
✅ Global Standard – recognized worldwide, so if you're certified, your cred with clients levels up
✅ Compliance Friendly – easier to align with other laws like GDPR or HIPAA
✅ Business Booster – trust = more customers
🤓 Tip:
If you want to be legit in the cybersecurity game, mastering ISO/IEC 27001 & 27002 is like having your own Cerebro: you see every threat and you're ready to neutralize it.
📚 References:
International Organization for Standardization – ISO/IEC 27001 & 27002
NIST Cybersecurity Framework
Center for Internet Security (CIS) Controls
📚 NIST SP 800-18 Rev. 1 - The Ultimate Guide to Writing Security Plans 🔐💾
If cybersecurity folks have a "Krabby Patty secret formula" for writing a System Security Plan (SSP), this is it: NIST Special Publication 800-18 Revision 1.
It's like the Dungeons & Dragons Player's Handbook, except instead of dragons, your enemies are hackers, malware, and misconfigurations. 🐉➡💻
💡 So What Is NIST SP 800-18 Rev. 1?
In short, it's the official guide from the National Institute of Standards and Technology (a.k.a. NIST) on how to write Security Plans for Federal Information Systems.
Think of it like a recipe book, but instead of cookies, what you produce is a document that can pass an audit and survive cyber attacks.
It has a template, step-by-step guidance, and best practices so your security has no holes.
🛠️ Core Concepts (a.k.a. Cheat Codes)
1. System Boundaries
It's like drawing the map of your base in StarCraft. You need to know every server, app, and device, and how they talk to each other.
2. Security Controls
These are your "defense towers": encryption, firewalls, access control, all documented, including how each one is implemented.
3. Roles & Responsibilities
Who's the Tank, who's the Healer, and who's the DPS on your cybersecurity team. 😆
4. Compliance Evidence
Like your Shopee receipts: proof that you really did what you said you did. Logs, screenshots, audit trails.
5. Maintenance & Updates
No "set and forget." Every system has a patching schedule, review dates, and update logs.
🖥️ Example: If You're an OSI Model Gamer 🎮
Let's say a federal system has:
Layer 1: Physical servers in a gov data center
Layer 3: Private IP ranges + segmentation
Layer 7: Web portal with MFA + TLS encryption
Under NIST SP 800-18, you document all of that, with diagrams, security policies, and the controls that are in place.
📦 Why Does It Matter?
You're always audit-ready: even if a compliance check shows up out of nowhere, you're good.
You have a playbook: if there's an incident, you don't panic, you already have a guide.
Less drama: because roles, rules, and boundaries are clear.
🧠 Tip:
If you're a gamer, think of the SSP as the save file of your system's security state.
No SSP = permadeath mode when you get attacked. 💀
With an SSP = you get a respawn, a backup strat, and a cheat sheet for the next game. 🎯
References:
NIST SP 800-18 Rev. 1 – Guide for Developing Security Plans for Federal Information Systems
CIS Controls – Inventory and Control of Enterprise Assets
Maintenance and Update Cycles: "Keeping Your Security Plan Alive 🚀"
In cybersecurity, nothing lasts forever... especially security plans. No matter how solid your System Security Plan (SSP) is today, tomorrow it may already be outdated. Why? New vulnerabilities, nastier attack techniques, and changing business needs.
That's where maintenance and update cycles come in: they make sure your security stays updated and aligned with current threats and requirements.
Why Is Maintenance Needed?
Security is not "set and forget." If you don't maintain it, this is what can happen:
Outdated controls that are no longer effective against new cyber attacks.
Policy misalignment when the infra or a process changes but the plan isn't updated.
Compliance failures when certifications expire or changes aren't documented.
Example: A hospital wrote its security plan 2 years ago, but has no protocol for telemedicine (which became common after the pandemic). Result? Risk of patient data exposure.
How Do You Build a Solid Maintenance Cycle?
Here's what it should include:
Scheduled Reviews – Regular check-ups (quarterly or yearly) to confirm the policies still match the actual environment.
Patch Management – Make sure all hardware, software, and firmware are up to date.
Control Testing – Regular vulnerability scans, penetration tests, and incident drills.
Documentation Updates – Every change must land in the SSP.
Training Refreshers – Retrain staff so they know the new threats and policies.
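Added example, not from the original post: a small Go register check that turns the list above into something you can actually run. It flags three things: scheduled reviews whose cadence has elapsed, items that changed since their last review (the policy-misalignment case), and reviews with no evidence recorded (the compliance-fail case). The register rows, dates, cadences and ticket IDs are constructed sample data, loosely mirroring the bank example further down.

```go
package main

import (
	"fmt"
	"time"
)

// ReviewItem is one row of the SSP maintenance register (constructed sample data).
type ReviewItem struct {
	Name         string
	LastReview   time.Time
	Cadence      time.Duration // how often a scheduled review is due
	ChangedSince bool          // the infra or process changed after LastReview
	Evidence     string        // where the proof lives (ticket, scan report); "" = none
}

// Finding is one action item produced by the cycle check.
type Finding struct {
	Item   string
	Reason string
}

const day = 24 * time.Hour

// DueActions returns what needs attention as of now:
//   - time-triggered: the cadence has elapsed since LastReview
//   - event-triggered: something changed, so the plan may be misaligned regardless of the calendar
//   - evidence: a review with no recorded proof will not survive an audit
func DueActions(items []ReviewItem, now time.Time) []Finding {
	var out []Finding
	for _, it := range items {
		due := it.LastReview.Add(it.Cadence)
		if it.ChangedSince {
			out = append(out, Finding{it.Name, "out-of-cycle review: changed since last review"})
		} else if !now.Before(due) {
			overdue := int(now.Sub(due) / day)
			out = append(out, Finding{it.Name, fmt.Sprintf("scheduled review overdue by %d days", overdue)})
		}
		if it.Evidence == "" {
			out = append(out, Finding{it.Name, "no evidence recorded for last review"})
		}
	}
	return out
}

// SampleRegister mirrors the bank example: monthly patching, firewall rules reviewed
// when branches change, crypto standards reviewed yearly. All values are constructed.
func SampleRegister() []ReviewItem {
	return []ReviewItem{
		{"payment server patching", date(2024, 5, 1), 30 * day, false, "CHG-1042"},
		{"firewall rule set", date(2024, 3, 15), 90 * day, true, "FW-review-2024Q1"},
		{"encryption standards (TLS/cipher suites)", date(2023, 4, 1), 365 * day, false, ""},
		{"staff security training", date(2024, 5, 20), 365 * day, false, "LMS-export-2024-05"},
	}
}

func date(y int, m time.Month, d int) time.Time {
	return time.Date(y, m, d, 0, 0, 0, 0, time.UTC)
}

func main() {
	now := date(2024, 6, 10) // constructed "today" so the output is reproducible
	for _, f := range DueActions(SampleRegister(), now) {
		fmt.Printf("%-42s %s\n", f.Item, f.Reason)
	}
}
```

Run it and the payment servers show as 10 days past their monthly window, the firewall rule set gets an out-of-cycle review because a branch changed, and the encryption standards line shows up twice: overdue and with no evidence on file. The event-triggered rule is the important one; a calendar alone would have said the firewall review was not due until mid-June.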
Real-World Example: Banking Industry
In a bank that follows PCI-DSS rules, it usually looks like this:
Monthly patching of the payment processing servers.
Review of the firewall rules whenever a new branch opens.
Update of the encryption standards when the old ones become obsolete.
The Compliance Connection
Standards like ISO/IEC 27001 and NIST SP 800-53 are strict about maintenance. They want proof that monitoring, updates, and adaptation to threats are actually happening.
Bottom Line
A security plan with no maintenance? Like a superhero with no training: reactive instead of proactive. That's why maintenance and update cycles are the secret to always being ready against cyber villains. 💪
HIPAA-Compliant Encryption (Layer 7 – Application Layer) 🛡️
Under the Health Insurance Portability and Accountability Act (HIPAA), healthcare orgs are required to secure electronic Protected Health Information (ePHI), both while it is stored and while it is being sent over the network.
At Layer 7 of the OSI model (Application Layer), encryption happens inside the application itself, so even if the data is intercepted, it can't be read without the proper access or key.
Example in Practice:
A hospital has a patient portal that encrypts medical records with AES-256 before sending them via HTTPS. Even if an attacker captures the traffic, all they get is scrambled bytes that are unreadable without the decryption key, which is what HIPAA compliance asks for.
Why It Matters:
Protects the confidentiality of patient records
Keeps you compliant with U.S. federal regulations
Avoids heavy penalties and data breach damages
Secure VLAN Segmentation (Layer 2/3 – Data Link & Network Layers) 🔒
Medical devices on a hospital network, like MRI machines, infusion pumps, and patient monitors, often have little built-in security.
That's where VLAN segmentation at Layer 2 (Data Link) and Layer 3 (Network) comes in. Devices are placed in separate virtual networks to keep them safer.
Example in Practice:
A hospital has separate VLANs for:
Admin workstations
Patient Wi-Fi
Connected medical equipment
Firewalls and Access Control Lists (ACLs) make sure the medical devices can only talk to authorized systems. Result: a much smaller chance of an attacker moving laterally.
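Added example, not from the original post: a tiny first-match ACL evaluator in Go that models the inter-VLAN policy described above. The VLAN numbers, the extra "clinical servers" zone the devices are allowed to reach, and the port numbers are all assumptions for the demo. Besides answering one allow/deny question, it computes what each zone can reach at all, which is the lateral-movement question the paragraph is really about.

```go
package main

import "fmt"

// VLAN IDs for the three zones in the text plus one assumed "clinical servers" zone
// (EHR/PACS) that medical devices are authorized to talk to. All values are constructed.
const (
	VLANAdmin    = 10 // admin workstations
	VLANGuest    = 20 // patient Wi-Fi
	VLANMedical  = 30 // connected medical equipment
	VLANClinical = 40 // assumed: EHR/PACS servers
	Any          = -1 // wildcard for rule fields
)

// Flow is one inter-VLAN connection attempt as the Layer 3 gateway sees it.
type Flow struct {
	SrcVLAN, DstVLAN int
	Proto            string // "tcp", "udp" or "icmp"
	DstPort          int
}

// Rule is one ACL entry; Any (or "" for Proto) matches everything.
type Rule struct {
	Name             string
	SrcVLAN, DstVLAN int
	Proto            string
	DstPort          int
	Permit           bool
}

func (r Rule) matches(f Flow) bool {
	return (r.SrcVLAN == Any || r.SrcVLAN == f.SrcVLAN) &&
		(r.DstVLAN == Any || r.DstVLAN == f.DstVLAN) &&
		(r.Proto == "" || r.Proto == f.Proto) &&
		(r.DstPort == Any || r.DstPort == f.DstPort)
}

// Evaluate walks the ACL top-down (first match wins). No match falls through to
// implicit deny, which is what keeps a forgotten device from reaching other zones.
// Return traffic is assumed to be handled by the gateway's stateful inspection.
func Evaluate(acl []Rule, f Flow) (permit bool, rule string) {
	for _, r := range acl {
		if r.matches(f) {
			return r.Permit, r.Name
		}
	}
	return false, "implicit-deny"
}

// HospitalACL is the constructed inter-VLAN policy. Port numbers (DICOM 104,
// HL7 2575, DNS 53) are assumptions for the demo, not from the text.
var HospitalACL = []Rule{
	{"medical-to-pacs-dicom", VLANMedical, VLANClinical, "tcp", 104, true},
	{"medical-to-ehr-hl7", VLANMedical, VLANClinical, "tcp", 2575, true},
	{"medical-to-dns", VLANMedical, VLANClinical, "udp", 53, true},
	{"admin-to-clinical", VLANAdmin, VLANClinical, "tcp", Any, true},
	{"guest-isolated", VLANGuest, Any, "", Any, false},
}

// probes are the services we test when asking "what can this zone reach?".
var probes = []Flow{
	{Proto: "tcp", DstPort: 22}, {Proto: "tcp", DstPort: 80}, {Proto: "tcp", DstPort: 104},
	{Proto: "tcp", DstPort: 443}, {Proto: "tcp", DstPort: 445}, {Proto: "tcp", DstPort: 2575},
	{Proto: "tcp", DstPort: 3389}, {Proto: "udp", DstPort: 53}, {Proto: "icmp"},
}

// ReachableZones lists the VLANs a host in src can reach on at least one probed
// service: the lateral-movement blast radius if that zone is compromised.
func ReachableZones(acl []Rule, src int, vlans []int) []int {
	var out []int
	for _, dst := range vlans {
		if dst == src {
			continue
		}
		for _, p := range probes {
			if ok, _ := Evaluate(acl, Flow{src, dst, p.Proto, p.DstPort}); ok {
				out = append(out, dst)
				break
			}
		}
	}
	return out
}

func main() {
	all := []int{VLANAdmin, VLANGuest, VLANMedical, VLANClinical}
	for _, src := range all {
		fmt.Printf("VLAN %d can reach: %v\n", src, ReachableZones(HospitalACL, src, all))
	}
	ok, rule := Evaluate(HospitalACL, Flow{VLANMedical, VLANAdmin, "tcp", 445})
	fmt.Printf("infusion pump -> admin SMB: permit=%v (%s)\n", ok, rule)
}
```

With this policy a compromised infusion pump can only reach the clinical servers on the three named services, and the guest VLAN reaches nothing internal. Running ReachableZones after every ACL change is a cheap way to catch the "temporary" permit-any rule that quietly gives one zone a path into all the others.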
Why It Matters:
Stops malware from spreading across network zones
Smaller attack surface for critical devices
Meets healthcare cybersecurity standards
Bringing It Together ⚡
Put together, Layer 7 encryption + Layer 2/3 VLAN segmentation = a solid defense-in-depth strategy.
Encryption: protects the data itself
Segmentation: controls who can reach the critical devices at all
Industry Example:
In a large metro hospital, patient health records are encrypted at the application layer, while the admin systems, public Wi-Fi, and medical equipment are segmented on the network. Even if one layer is compromised, there's still a barrier at the next one.
References:
U.S. Department of Health & Human Services – HIPAA Security Rule
National Institute of Standards and Technology (NIST) – SP 800-53 Security Controls
Center for Internet Security (CIS) – CIS Controls for Healthcare
System Boundaries and Environment: "Defining the Front Lines of Cybersecurity" 🛡️💻
In cybersecurity, what matters isn't just how you protect, but what you're protecting.
That's why in any System Security Plan (SSP), one of the first, and most critical, sections is System Boundaries and Environment.
This is where you draw the "map" of your digital territory: where you list and show every asset, connection, and interface that makes up the system.
Because if the boundaries aren't clear, no matter how advanced your security controls are, there's a chance vulnerabilities are hiding somewhere you're not looking.
Why System Boundaries Matter
Think of your system as a castle 🏰.
Boundaries = the walls, gates, and bridges that say where your territory begins and ends.
In cybersecurity, boundaries:
Clarify scope – it's clear exactly what the security controls cover.
Prevent scope creep – you don't end up protecting assets that aren't part of the system.
Support compliance – proof to regulators that you know your system's perimeter and interconnections.
Key Elements to Define
1. Network Diagrams
A visual map of how servers, clients, devices, and networks connect.
Include IP ranges, VLAN segments, and firewalls.
2. System Components
Hardware: servers, routers, IoT devices.
Software: OS, databases, web apps.
3. External Connections
Partner systems, cloud services, third-party vendors.
Details of the encryption, authentication, and protocols used.
4. Operational Environment
Physical location: data centers, remote offices.
Environmental factors: redundancy, backup power, disaster recovery.
Example Using the OSI Model
Say you're documenting the boundaries for a logistics company's warehouse management system:
Layer 1 (Physical): Barcode scanners and RFID readers over Ethernet.
Layer 3 (Network): Private IP range for the warehouse devices, separate from the office network.
Layer 7 (Application): Cloud-based inventory app using HTTPS + TLS 1.3 encryption.
In the SSP diagram, all of this appears together with the gateways to the cloud and the connections to the partner carriers' tracking APIs.
Industry Example: E-Commerce
Boundary: E-commerce platform, payment gateway, CRM system.
Components: Web servers, database clusters, load balancers, payment API.
External Connections: Payment card networks (PCI DSS compliance), shipping provider APIs.
Because the map is clear, it's easier to apply security controls such as:
Encrypt data in transit
Restrict API access
Segment payment systems from marketing databases
Best Practices for Defining Boundaries
Update the diagrams whenever the system changes.
Use standard network symbols so they're easy to read.
Include both logical (software, IPs) and physical (hardware, locations) views.
Identify trust zones: areas with different security levels even inside the same boundary.
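Added example (not part of the original post): a Go checker that treats the boundary section of the SSP as data and flags the gaps a reviewer would catch, covering the key elements above (components with trust zones, external connections with their encryption and auth details) and the "update when the system changes" rule. The logistics-warehouse inventory, IP addresses, zone names and connection names are constructed for the demo.

```go
package main

import (
	"fmt"
	"sort"
)

// Asset is one row of the SSP component inventory (constructed sample data).
type Asset struct {
	Name string
	Kind string // "hardware" or "software"
	Zone string // trust zone the asset lives in; "" means nobody documented it
	IP   string // "" for software components without their own address
}

// ExternalConnection documents one interface that crosses the system boundary.
type ExternalConnection struct {
	Name       string
	Peer       string // partner, cloud service or vendor on the other side
	Protocol   string
	Encryption string // e.g. "TLS 1.3"; "" = not documented
	Auth       string // e.g. "mTLS", "OAuth2"; "" = not documented
}

// Boundary is the "map" section of the SSP as data.
type Boundary struct {
	Zones       map[string]bool // declared trust zones
	Assets      []Asset
	Connections []ExternalConnection
}

// Validate returns the gaps an SSP reviewer would flag, sorted for stable output:
// assets outside any declared trust zone, external connections with encryption or
// authentication left blank, and hosts seen on the network but absent from the inventory.
func Validate(b Boundary, discovered []string) []string {
	var gaps []string
	known := map[string]bool{}
	for _, a := range b.Assets {
		if a.IP != "" {
			known[a.IP] = true
		}
		if !b.Zones[a.Zone] {
			gaps = append(gaps, fmt.Sprintf("asset %q has no declared trust zone", a.Name))
		}
	}
	for _, c := range b.Connections {
		if c.Encryption == "" {
			gaps = append(gaps, fmt.Sprintf("external connection %q: encryption not documented", c.Name))
		}
		if c.Auth == "" {
			gaps = append(gaps, fmt.Sprintf("external connection %q: authentication not documented", c.Name))
		}
	}
	for _, ip := range discovered {
		if !known[ip] {
			gaps = append(gaps, fmt.Sprintf("host %s seen on the network but not in the SSP inventory", ip))
		}
	}
	sort.Strings(gaps)
	return gaps
}

// SampleBoundary mirrors the warehouse example in the text. Names, IPs and the
// undocumented printer are constructed to exercise each check.
func SampleBoundary() Boundary {
	return Boundary{
		Zones: map[string]bool{"warehouse": true, "office": true, "cloud-gateway": true},
		Assets: []Asset{
			{"barcode scanner bank", "hardware", "warehouse", "10.20.0.11"},
			{"RFID reader", "hardware", "warehouse", "10.20.0.12"},
			{"office printer", "hardware", "", "10.30.0.40"}, // zone never documented
			{"inventory app (cloud)", "software", "cloud-gateway", ""},
		},
		Connections: []ExternalConnection{
			{"inventory cloud API", "SaaS vendor", "HTTPS", "TLS 1.3", "OAuth2"},
			{"carrier tracking API", "partner carrier", "HTTPS", "", "API key"}, // encryption left blank
		},
	}
}

// SampleDiscovered stands in for a network scan or a switch ARP table export.
var SampleDiscovered = []string{"10.20.0.11", "10.20.0.12", "10.20.0.57"}

func main() {
	for _, g := range Validate(SampleBoundary(), SampleDiscovered) {
		fmt.Println("GAP:", g)
	}
}
```

Feed it the real inventory export and the latest scan and the third check is the one that earns its keep: a host that is on the network but not on the map is exactly the "hidden vulnerability" the section warns about, and it is the first thing an assessor will ask about.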
References:
NIST SP 800-18 Rev. 1 – Guide for Developing Security Plans for Federal Information Systems
CIS Controls v8 – Inventory and Control of Enterprise Assets