Information Security Governance and Data Privacy
Information, Communication, and Technology Governance
The Board, through its Risk Management Committee, oversees the governance process around IT issues, including disruption, cybersecurity, and disaster recovery, to ensure that all key risks are identified, managed, and reported to the Board.
Management, through the ICT Governance Office and the ICT Planning and Program Management Office, uses the Control Objectives for Information and Related Technology (COBIT) framework to ensure that IT goals and objectives are in line with the overall business strategy of MERALCO. This involves delivering value from IT investments, managing IT risks, optimizing IT resources, measuring performance, and communicating with stakeholders. The ICT Governance Office provides a comprehensive approach to aligning IT with business objectives, mitigating risks, and ensuring compliance with policies and standards.
Management is likewise accountable to the Board for the Company's information security governance. Through the Cybersecurity Office, Management provides the strategic direction and adequate resources to manage the organization's information security risks appropriately. Management reviews and approves the information security policies, ensures that the implementation of information security management system (ISMS) requirements is coordinated and integrated into the relevant processes across the organization and that adequate resources are in place, and establishes clear assignment and designation of authority for information security roles and responsibilities across line organizations.
The Company adopts an Information Security Policy that adheres to the ISO/IEC 27001 Information Security Management System standard. This policy guides the MERALCO workforce in supporting the Company's thrust and in managing and protecting the Company's information assets. It forms the foundation for building strategies and controls to mitigate cybersecurity risk within MERALCO. The policy provides mechanisms to help identify areas for improvement, protect against possible cyber threats, detect cyber-related attacks, and quickly respond to and recover from incidents that may compromise the security of information assets and critical infrastructure.
The Policy consists of fourteen (14) parts as adopted from the ISO 27001 standard:
1. Security Policy
2. Organizational Security
3. Mobility and Teleworking and Human Resource Security
4. Asset Management
5. Access Management
6. Physical and Environmental Security
7. Communications Security
8. Operations Security
9. Cryptography
10. Supplier Relationship
11. System Acquisition, Development, and Maintenance
12. Information Security Incident Management
13. Business Continuity Management
14. Compliance
Accordingly, Meralco implements a Corporate Information Security governance framework dealing with the following areas:
Security Policy, which provides reasonable protection for the confidentiality and integrity of information, ensures the availability of information assets, and addresses disruption and cybersecurity issues.
Organizational Security, a framework that defines the roles, responsibilities, processes, and methodologies to initiate, control, and manage the implementation of information security across the Company, including coordination with external parties.
Mobility and Teleworking Security, which protects information assets accessed, processed, transmitted, and stored using mobile devices.
Human Resource Security, under which all users and custodians are made aware of security threats to and concerns about information assets and are equipped to support the organizational security policy in the conduct of their normal work.
Asset Classification and Control, under which information assets have designated custodians and are classified according to their sensitivity and criticality to the business of the Company, so that each information asset receives an appropriate level of protection.
Access Control, under which access to and use of information assets are controlled, authorized, monitored, and restricted to persons with a legitimate business need.
Physical and Environmental Security, which provides information assets with suitable physical protection to prevent unauthorized access, compromise, damage, theft, and interruption to business activities.
Communications Security, which protects information in networks and their supporting information processing facilities during transfer within the organization and with any external entity.
Operations Security, which ensures that information assets and critical infrastructure are protected against malware and loss of data, that events are recorded, and that integrity is maintained to prevent the exploitation of vulnerabilities.
Cryptography, which ensures the proper and effective use of encryption and key management to protect the confidentiality, authenticity, and/or integrity of information.
Supplier Relationship Security, which protects the organization's information assets that are accessible to suppliers and maintains an agreed level of information security and service delivery in line with supplier agreements.
System Acquisition, Development, and Maintenance, which integrates appropriate security controls and audit trails into business process management and application systems management to prevent the loss, unauthorized alteration, destruction, or misuse of data.
Information Security Incident Management, which responds immediately to security incidents, prevents further damage, ensures that proper communication is in place, and, most importantly, determines their root cause and implements appropriate corrective actions to prevent their recurrence.
Business Continuity Management, which protects critical business processes from the effects of security failures and major disasters.
Compliance, a process that ensures the Company complies with all applicable legal requirements and security requirements, avoiding breaches of criminal and civil law and of statutory, regulatory, and contractual obligations.
Data Privacy
Our Company is committed to ensuring that all personal data collected from our data subjects (customers, employees, vendors, shareholders, visitors, and other pertinent third parties) are processed in adherence to the general principles of transparency, legitimate purpose, and proportionality, and are protected to ensure the data's confidentiality, integrity, and availability.
Accordingly, in 2017, Meralco adopted a Data Privacy Manual setting out the data privacy and protection practices of the Company and delineating the respective roles and responsibilities of the different business units in the planning, implementation, monitoring, and continuous improvement of the data privacy management framework, in compliance with the Data Privacy Act of 2012 (DPA) and its Implementing Rules and Regulations (IRR), other related issuances of the National Privacy Commission (NPC), and any changes to the foregoing.
The framework aligns and harmonizes DPA compliance with the Company’s operations, structures, systems, and processes.
Atty. Francis Euston R. Acero serves as the Company’s Data Protection Officer and is supported by the Data Privacy Office which was established in 2020.