Title
BIR Security Requirements and Violations Order
Law
BIR Memorandum Order No. 44-98
Decision Date
May 22, 1998
BIR Memorandum Order No. 44-98 establishes security requirements for the technical computing environment, outlining guidelines for reporting violations, classifying offenses, and imposing sanctions to ensure compliance and protect sensitive data within the Bureau.

Q&A (BIR MEMORANDUM ORDER NO. 44-98)

The main objective is to develop personnel awareness on security requirements in the technical computing environment, set guidelines for reporting and evaluating security violations, establish policies for sanctions, and prescribe areas where security violations may arise.

Security Breach/Violation refers to non-compliance with the set policies and guidelines as embodied in the Physical Security Manual.

Security breaches can occur in Hardware, Software, Data, Network, Operating System, Printed Data, Computer Media, and the Computing Environment.

Each Head of Office is required to designate a Security Officer responsible for monitoring the strict implementation of the security guidelines.

The Security Officer must immediately report the security violation to the Assistant Commissioner in Charge of Information Planning & Quality Service (IPQS).

The SAC classifies the violation, determines its severity, recommends appropriate sanctions, and is guided by the Civil Service Law and implementing rules in determining penalties.

Offenses are classified as Grave, Less Grave, and Light. Sanctions include technical sanctions (e.g., suspension or deletion of account, change of assignment) and functional sanctions (e.g., suspension or dismissal from service as per Executive Order No. 292).

For a first offense that is a Grave Offense, the prescribed penalty is dismissal from service.

Examples include unauthorized access to operating systems, unauthorized copying of BIR software, unauthorized physical access to machines holding applications or data, tampering with OS files, and disclosing or misusing confidential information.

The second or third offense need not be the same as the previous offense but must be of the same classification. Repeat offenses lead to increasing penalties, including dismissal for grave offenses.

Being IT personnel is considered an aggravating circumstance when determining penalties.

The SAC's action is elevated to the Assistant Commissioner in Charge of Internal Affairs Service (IAS) for appropriate action.

Examples include unauthorized access to communication links and dissemination of false information. The penalties for a first offense are suspension for one month and one day to six months, and dismissal for a second offense.

Examples include mis-labeling of tapes, loading virus-infected files to the network, and unauthorized access to the technical manual. The sanctions start with a written reprimand, suspension for one to thirty days, and dismissal for a third offense.

Executive Order No. 292 (Civil Service Law) and its implementing rules and regulations guide the imposition of functional sanctions.

