EVALUATING POLICIES AND PROCEDURES - COMELEC
GIBRAN D. KWAN
M6805
COMELEC COMPUTER ACCESS POLICY
 Section 1. Overview
 There is a need to secure the personal information and restricted
information of COMELEC by securing access to computers and other
devices. Aside from the computers used in the processing of voter and
candidate databases, computers used by COMELEC personnel that may
contain confidential or restricted information should also be secured.
This policy shall ensure that all computers used in the COMELEC and
personal devices brought to the office shall be secured.
 Section 2. Purpose
 This Policy shall serve the following objectives:
 1. To ensure that only authorized users gain access to computers and
COMELEC information resources;
 2. To define the rules necessary in order to achieve this protection and to
ensure a secure and reliable operation of the Commission's information
system;
 3. To outline the use of computer equipment including but not limited to
hardware and software, peripherals, storage device that may be attached;
and
 4. To outline the use of own device (laptop, mobile phones, modem
router).
 Section 3. Scope and Limitation
 This Policy shall be applicable to the following:
 1. All computers in COMELEC whether officially issued or personally owned
by employees but partially used for official purposes.
 2. All computers received for repair or disposal from the various offices
(main and field office).
 3. All employees who are paid salaries, wages and remuneration by
COMELEC, and authorized service providers.
 Section 4. Definition of Terms
 The following terminologies are used in this Policy document in the following context:
 1. Information resources: all computer and communication devices, and other technologies which access, store or
transmit COMELEC information;
 2. Information: includes COMELEC memorandum, reports, spreadsheets, letter and databases;
 3. Digitization: to convert data or information into digital form that can be processed by a computer.
 4. Computer/s: COMELEC-owned computer desktops or laptops;
 5. User role or access level: A user role or access level determines functionalities or menu items accessible to a user;
 6. Anti-virus: a computer software used to prevent, detect and remove malicious software;
 7. Malicious programs or applications: any software that brings harm to a computer system;
 8. Port scanning: is a series of messages sent by someone attempting to break into a computer to learn which
computer network services, each associated with a "well-known" port number, the computer provides
 9. Personal data: refers to personal information, sensitive information or privileged information, collectively, which
are in an information communication system, or relevant filing system, or intended to form part of the same.
 10. Bring Your Own Device (BYOD): a policy of permitting employees to bring personally owned devices (laptops,
tablets, and smart phones) to their workplace, and to use those devices to access COMELEC information and
applications.
 Section 5. Policy Statements
 All activities related to access to computers shall be governed by the
following Policy Statements:
 1. Only computers owned and officially issued by COMELEC shall be used
in processing office information and personal information.
 2. All computers shall be used only for official business.
 3. All computers shall be password-protected with corresponding
username identifiable to employee concerned.
 4. All computers shall maintain up-to-date and properly configured anti-virus software.
 5. Only authorized software shall be installed in the COMELEC computer.
 5.1 Software for installation must be selected from an authorized software list, maintained by
the ITD
 5.2 Only authorized ITD personnel are allowed to install software in all COMELEC computer
systems
 6. The computers connected to the COMELEC network shall be controlled using the 3rd
party system and the COMELEC approved settings.
 6.1 The stand-alone computers which are not connected to the COMELEC network shall
be configured by the authorized ITD personnel reflecting the same security setting as
the computers connected in the network.
 6.2 No changes in the setting shall be made in the stand-alone computers without the
approval of the Head of the Office.
 7. Sharing of files shall be allowed provided that the file or directory is protected with a
password or if the specific directory/ file can be accessed only by the authorized users
 8. Owners of the computers shall back-up the files regularly.
 9. All computers shall be secured with a password subject to the Password
Policy.
 9.1 A standby after at most 5 minutes of inactivity of the computer shall also be set
by ITD.
 10. Unauthorized copying of personal data is strictly prohibited.
 11. In case a computer being used by an employee or computer not yet
allocated is temporarily used for processing of personal data, data installed
including but not limited to generated reports and transaction files shall be
removed immediately after the processing.
 12. All computers with internet connections shall adhere to the policy and
guidelines stated in the Internet and Email Usage Policy.
 13. All defective hard disks received from the field office and main office shall be checked for proper disposal pursuant
to the Field Office Systems and Data Policy and the Data Policy.
 14. BYOD shall be allowed. This includes laptop, mobile devices, and tablets.
 14.1 Employees may use their personal mobile device to access official email, calendars, contacts, documents
 14.1.1 Employees shall be accountable and shall ensure security of the information downloaded in their mobile devices
 14.2 Employees' own devices may, upon approval by the Director IV of the ITD, be connected to the network
infrastructure of the COMELEC, provided that they will be used to perform work-related duties or officially authorized activities
for official business.
 14.2.1 Upon approval of the request, devices must be presented to System Administrator for inspection and configuration purposes.
 14.3 COMELEC reserves the right to revoke this privilege if users do not abide by the policies and procedures hereunder.
 14.4 The employees' downloaded files in their devices must be removed in case of termination of employment, breach is
detected or infected by virus.
 15. An employee is allowed to access COMELEC information and the COMELEC network using non-COMELEC equipment and
communication facilities. However, he/she:
 15.1 shall be responsible for securing downloaded COMELEC information in said IT resources;
 15.2 shall be accountable for any breach or loss of COMELEC information as a result of such action.
 Section 6. General Guidelines
 The following Guidelines shall be implemented in support of the above Policy
Statements:
 1. The Head of the department/ office shall submit to the ITD the list of
personnel in his/her department, the authorized users of computers with
corresponding functions, for approval.
 2. The ITD shall maintain a directory listing of those users whose computer is
connected to the COMELEC network and users with stand-alone computers.
 3. The ITD shall configure all stand-alone computers with the same setting as
the computers connected in the network.
 3.1. Level 1 - from Director III to the Commissioners and Chairman
 3.2. Level 2 - Technical personnel from ITD (in case of installation of software,
enabling/ disabling of computer ports, access to control panels, etc.)
 3.3. Level 3 - Regular users
 4. All personnel of the COMELEC with computer access shall be required to
set their username and password.
 4.1. Names of personnel with computer access (network-connected or stand-alone)
shall be submitted to ITD for the monitoring of this policy.
 5. Each user shall be required to change the password at least once a year.
 6. Anti-virus shall be installed by ITD in all computers and shall be
configured and updated regularly.
 6.1. In case of anti-virus expiration, the user shall notify the ITD for its update.
 7. The users of the computer shall be responsible for protecting their
own files by restricting access to their files.
 8. The users shall be responsible for the back-up of their files.
 9. Upon termination or separation from COMELEC, the personnel's user access shall be
immediately revoked. For this purpose, the Personnel Department shall forward to ITD
the list of COMELEC personnel who were terminated or separated from COMELEC.
 10. In case of computer malfunction or defect, the ITD technician shall be authorized
to access the computers from other departments/ offices.
 11. Personal devices which shall be used for official purposes must be presented to ITD
for proper job provisioning and configuration of standard applications, such as
browsers and security tools, before they can access the network.
 11.1. In order to prevent unauthorized access, said personal devices must be password-
protected using the features of the device, and a strong password is required to access the
COMELEC network.
 11.2. It shall lock itself with a password or PIN if it's idle for a maximum of five (5) minutes.
 11.3. COMELEC reserves the right to disconnect devices or disable services without
notification.
 Section 7. Responsibilities
 1. The Systems Administrator shall review the list of allowed and authorized software
at least once a year.
 2. Users are responsible for backing up their files and for securing their computer
system.
 Section 8. Policy Compliance
 1. Compliance Measurement: Compliance to this Policy shall be verified
through the checking of the reports and others requirements as indicated in
the corresponding Compliance Matrix.
 2. Exceptions: Exceptions to the Policy shall only be entertained upon prior
written or e-mailed instruction from the Executive Director or the Commission
en Banc.
 3. Non-Compliance: Any personnel who fail to comply with this Policy shall be
subject to the rules set by the Personnel Department.
 Section 9. Related Standards, Policies and Processes
 The following policies, standards, guidelines and processes are referenced in this Policy and form
part of the Policy as applicable:
 1. Field Office Systems and Data Policy
 2. Data Policy
 3. Republic Act 10173, its IRR and other NC issuances
 4. Internet and Email Usage Policy
 5. Password Policy
ISO 27001:2013
 5.1 Leadership and commitment
 Top management shall demonstrate leadership and commitment with respect to the information security
management system by:
 a) ensuring the information security policy and the information security objectives are established and are
compatible with the strategic direction of the organization;
 b) ensuring the integration of the information security management system requirements into the
organization’s processes;
 c) ensuring that the resources needed for the information security management system are available;
 d) communicating the importance of effective information security management and of conforming
 to the information security management system requirements;
 e) ensuring that the information security management system achieves its intended outcome(s);
 f) directing and supporting persons to contribute to the effectiveness of the information security
management system;
 g) promoting continual improvement; and
 h) supporting other relevant management roles to demonstrate their leadership as it applies to their areas
of responsibility.
 5.2 Policy
 Top management shall establish an information security policy that:
 a) is appropriate to the purpose of the organization;
 b) includes information security objectives or provides the framework for setting
information security objectives;
 c) includes a commitment to satisfy applicable requirements related to information security;
 d) includes a commitment to continual improvement of the information security management
system.
 The information security policy shall:
 e) be available as documented information;
 f) be communicated within the organization;
 g) be available to interested parties, as appropriate.
 8 Operation
 8.1 Operational planning and control
 The organization shall plan, implement and control the processes needed to meet
requirements, and to implement the actions determined in Clause 6, by:
 — establishing criteria for the processes;
 — implementing control of the processes in accordance with the criteria.
 Documented information shall be available to the extent necessary to have confidence
that the processes have been carried out as planned.
 taking action to mitigate any adverse effects, as necessary.
 The organization shall ensure that externally provided processes, products or services
that are relevant to the information security management system are controlled.
 8.2 Information security risk assessment
 The organization shall perform information security risk assessments at planned
intervals or when significant changes are proposed or occur, taking account of the
criteria established in 6.1.2 a).
 The organization shall retain documented information of the results of the information
security risk assessments.
 8.3 Information security risk treatment
 The organization shall implement the information security risk treatment plan.
 The organization shall retain documented information of the results of the information
security risk treatment.
ISO 27001:2022 Features
 10 Improvement
 10.1 Continual improvement
 The organization shall continually improve the suitability, adequacy and
effectiveness of the information security management system.
 10.2 Nonconformity and corrective action
 When a nonconformity occurs, the organization shall:
 a) react to the nonconformity, and as applicable:
 1) take action to control and correct it;
 2) deal with the consequences;
 b) evaluate the need for action to eliminate the causes of the nonconformity, in order that
it does not recur or occur elsewhere, by:
 1) reviewing the nonconformity;
 2) determining the causes of the nonconformity; and
 3) determining if similar nonconformities exist, or could potentially occur;
 c) implement any action needed;
 d) review the effectiveness of any corrective action taken; and
 e) make changes to the information security management system, if necessary.
Corrective actions shall be appropriate to the effects of the nonconformities
encountered. Documented information shall be available as evidence of:
 f) the nature of the nonconformities and any subsequent actions taken,
 g) the results of any corrective action.
THANK YOU!