Republic of the Philippines DEPARTMENT OF SCIENCE...

Date post: 20-Apr-2018
Page 1: Republic of the Philippines DEPARTMENT OF SCIENCE …i.gov.ph/wp-content/uploads/2013/06/GovRA_OperationsManual_2013... · discussed during PKI Committee meetings, ... have access

Integrated Government Philippines Project

ICTO Tel. nos. (02) 920-0101 ; 928-6105 C.P. Garcia Ave., U.P. Diliman, Quezon City

Information and Communications Technology Office (ICTO)

Advanced Science and Technology Institute (ASTI)

Republic of the Philippines DEPARTMENT OF SCIENCE AND TECHNOLOGY

I. Introduction

a. Definition of terms

i. Subscribers - A subscriber is an individual or juridical entity whose

name appears as the subject in a certificate. The subscriber asserts that

he or she uses the keys and certificate in accordance with the certificate

policy.

ii. CP - A Certificate Policy is a named set of rules that indicates the

applicability of a certificate to a particular community and/or class of

application with common security requirements.

iii. CPS - The Certificate Practice Statement contains a detailed

description of the practices followed by a CA in issuing and otherwise

managing certificates. In general, CPSs also describe practices relating

to all certificate lifecycle services.

iv. Relying parties - A relying party is the entity that relies on the validity

of the binding of the subscriber’s name to a public key. The relying

party is responsible for deciding whether or how to check the validity

of the certificate by checking the appropriate certificate status

information. A relying party may use the information in the certificate

to determine the suitability of the certificate for a particular use. The

relying party must at all times ensure that the digital certificates are

used with the following in mind:

1. Purposes for which certificate is used;

2. Digital signature verification responsibilities;

3. Revocation and suspension checking responsibilities;

4. Acknowledgement of applicable liability caps and warranties.

b. Systems Overview: An RA is a component of the Issuing CA that collects and

processes digital certificate requests and certificate revocation / suspension

requests. It comprises both staff and web-based tools. The RA manages the

life cycle of the application process.

c. Basic Functions

i. Identify the user and register the user information

ii. Transmit the certificate request to the CA

iii. Validate certificates from the CA directory server and CRL

iv. Request revocation of certificates.

d. Roles and Responsibilities - The RA is primarily responsible for managing the

registration function, the initial authentication, verification of applicant,

approving / denying applicants for digital certificates. The RA provides an

application form used by applicants to initiate the application process. In

circumstances where the PKI will be issuing the applicant a digital certificate,

certain information provided by the applicant in this form will be used for

generating the associated personal digital certificate.

i. Agency Head – the agency head is the highest officer in the agency,

department, or juridical entity which functions as an RA. The Agency

head is also designated as a member of the PKI committee. As a

member of the PKI committee, the agency head liaises and

communicates information, plans, and updates about the system as

discussed during PKI Committee meetings, to the agency’s own RA

administrator. The agency head also communicates to the PKI

committee any issues that the particular agency RA faces in a timely

manner. The agency head also has supervisory powers over the agency

RA.

ii. RA Administrator – the RA administrator is the direct supervisor

overseeing the entire local RA operations. The RA administrator has

direct control over all facets and aspects of operations. Any issues and

questions with regard to protocol and procedure may be addressed by

subordinates to the RA administrator, unless the subordinates have an

intermediate supervisor who may handle such queries. Following the

organizational structure of the local agency RA, the RA administrator

is directly accountable for the actions of all employees. The RA

administrator also has quasi-judicial powers over matters involving

certificate disputes, at the RA level. This power is delegated and

shared with the Review Committee, which operates under the RA

administrator.

iii. External Auditor – the external auditor ensures the integrity of data

collection, processing, and storage, as well as the RA officers’ fidelity

to security controls and procedures. The external auditor shall use

access logs generated from the RA system to determine whether the

agency RA complies with all pertinent rules and regulations.

iv. Systems Administrator – provides access control to other RA

employees, and maintains the operations of the servers and other PKI

systems-related equipment. System administrators are authorised to

install, configure and maintain trustworthy systems, but with

controlled access to security-related information. This user does not

have access to the EJBCA web interface.

v. System Operators - are responsible for operating trustworthy systems

on a day-to-day basis. System Operators are authorised to perform

system backup and recovery.

vi. Database administrator - The database administrator has privileged

access to the database and can create users, databases and manipulate

tables. The DBA has access during installation. During normal

operations, the DBA is not allowed to log into the system.

vii. Archiving and Office Administrator – facilitates the systematic storage

of all documents that are processed for certificate-related requests. This

includes the hard copy of documents and other requirements submitted,

as well as the soft copy of these files generated by the agency RA

office. The archiving officer also ensures data integrity by making sure

that the soft and hard copy of files are accurate. The archiving officer

may also function as the office administrator, in charge of facilitating

clerical work within the office, including the sending of hard and

electronic mail to applicants and subscribers, office work for basic

office functions, and other clerical duties that may arise from day to

day operations, or which may be imposed by the RA Administrator.

viii. Review Committee / Officer – shall perform quasi-judicial functions

within the agency RA. All disputes, conflicts, and controversies

involving digital certificates shall be forwarded to the review

committee or officer for resolution. The review committee shall use

documentary evidence to resolve the controversies. The review

committee shall also be primarily in charge of deciding revocation and

suspension requests. Disputes which the review committee cannot

resolve shall be forwarded to the RA administrator for decision.

Decisions which are not resolved by the RA administrator shall be

forwarded to the PKI Committee for review and decision.

ix. Facility Security Officer – the Facility Security Officer shall maintain

the physical and procedural security of the agency RA. The FSO or SO

shall also have overall responsibility for administering the

implementation of the security policies and practices herein stated.

This ensures defining the physical controls, physical protection, and

determining actions in cases of breach of physical security. In terms of

procedural controls, the Facility Security Officer shall also oversee the

definition of trusted roles, documentation of amendment procedures,

logical access controls, configuration management, archiving and

recovery, control of removable media, storage and handling

procedures, and emergency and standard destruction procedures, and

incident management.

x. Process Officers

1. Submissions Officer - accepts applications and requests related

to digital certificates and determines whether the required forms are

filled out and whether the attached documents are complete and

accurate. The Submissions officer shall reject the application in

case there are missing requirements or missing information in

the application and request forms. The submissions officer may

also forward the applications to the Help Desk to defer but not

reject the processing of applications with missing documentary

requirements. The Submissions officer shall handle the

following primary applications and requests with regard to

digital certificates:

a. Application for authentication certificate

b. Application for signing certificate

c. SSL

d. Revocation

e. Suspension

2. Verification Officer – shall ensure that all of the information

provided in the application and requests forms is accurate. The

verification officer shall also check all submitted documentary

requirements and determine authenticity and accuracy. The

Verification Officer shall work in coordination with the human

resource department of agencies applying for digital certificates

and use the HRD’s endorsement as proof of verification. The

Verification Officer may also individually check the

information provided in any document or form.

Encoder – shall

process all files and forms submitted by applicants and create

digital copies of the files for storage, using web-based tools.

The application personnel may also function as the encoder,

after the documents have been verified, in case the volume of

applicants is low.

3. Quality Control – shall countercheck the hard copy of forms

and documentary requirements submitted with the soft copy

produced by the encoder. Quality control shall ensure that there

are no clerical errors with the encoded version of the

application information. Once the information is approved, a

PIN mailer containing the password to the digital certificate

shall be sent to the verified home address, which will be used in

activating and accessing the digital certificates. After approval,

the certificate request shall be forwarded to the review

committee for secondary approval, before the certificate request

is sent to the CA for generation of certificate. The quality

control officer shall also coordinate with the office

administrator in generating emails informing applicants of the

result of their application, the other details such as the

username, password, and website where the certificate may be

downloaded.

4. Help Desk – shall answer all questions regarding application

and requests for digital certificates, including in-office visits

from applicants, phone calls, and electronic or actual mail sent

to the office. The Help Desk officer may also act as the

relations officer representing the agency RA in promotional and

related events.

II. Publications and Repository Responsibilities

a. The publicly accessible directory system shall be designed and implemented

so as to comply with the following requirements:

i. A general-purpose repository shall be made available at all times of the

day, and on all days of every year;

ii. A general-purpose repository shall have an aggregate uptime not less

than 99.7% (or aggregate downtime not exceeding 0.3%) at any period

in one (1) month;

iii. Any downtime, whether scheduled or not, shall not exceed 30 minutes

duration at any one time; and

iv. A specific-purpose repository may be made available with specific

hours of operation.
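
The availability limits above can be checked mechanically from an outage log. The following Python is an added example, not part of the manual; it assumes "one (1) month" means a calendar month, and the log format and sample outages are constructed for illustration.

```python
"""Audit repository outages against the availability limits in Section II (added example)."""
import calendar
from collections import defaultdict
from datetime import datetime, timedelta

MAX_SINGLE_OUTAGE = timedelta(minutes=30)  # item iii: no downtime longer than 30 minutes
MAX_MONTHLY_DOWNTIME = 0.003               # item ii: aggregate downtime at most 0.3%

# Constructed outage log, one "start/end" pair per line (UTC). Not real repository data.
SAMPLE_LOG = """\
2024-03-02T01:00/2024-03-02T01:20
2024-03-02T01:10/2024-03-02T01:28
2024-03-09T03:00/2024-03-09T03:28
2024-03-16T03:00/2024-03-16T03:28
2024-03-23T03:00/2024-03-23T03:28
2024-03-30T03:00/2024-03-30T03:28
2024-04-10T02:00/2024-04-10T02:45
2024-04-30T23:50/2024-05-01T00:15
"""


def parse(log):
    """Turn 'start/end' lines into (start, end) datetime pairs."""
    return [tuple(datetime.fromisoformat(t) for t in line.split("/"))
            for line in log.splitlines() if line.strip()]


def merge(outages):
    """Merge overlapping reports so one incident is not counted twice."""
    merged = []
    for start, end in sorted(outages):
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def next_month(t):
    """First instant of the month after t."""
    return datetime(t.year + (t.month == 12), t.month % 12 + 1, 1)


def minutes(delta):
    return delta.total_seconds() / 60


def audit(outages):
    """Return (finding, when, downtime in minutes) for every violated limit."""
    findings = []
    per_month = defaultdict(timedelta)
    for start, end in merge(outages):
        if end - start > MAX_SINGLE_OUTAGE:
            findings.append(("outage over 30 minutes", start.isoformat(),
                             minutes(end - start)))
        # Split an outage that crosses a month boundary between both months.
        cursor = start
        while cursor < end:
            boundary = min(end, next_month(cursor))
            per_month[(cursor.year, cursor.month)] += boundary - cursor
            cursor = boundary
    for (year, month), down in sorted(per_month.items()):
        month_length = timedelta(days=calendar.monthrange(year, month)[1])
        if down / month_length > MAX_MONTHLY_DOWNTIME:
            findings.append(("monthly downtime over 0.3%",
                             "%04d-%02d" % (year, month), minutes(down)))
    return findings


if __name__ == "__main__":
    for finding in audit(parse(SAMPLE_LOG)):
        print(finding)
```

March passes the 30-minute rule on every outage and still fails the monthly limit, which is why both limits have to be evaluated separately.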

III. Identification and Verification

a. Types of application requests

i. Application for authentication certificate

ii. Application for signing certificate

iii. SSL

iv. Revocation

v. Suspension

b. Limits to applications and requests: appropriate certificate usage is limited to

lawful and intended purposes only. Limitations on applications and requests

are that the use of the certificate for any given purpose must not be

prohibited by the CP, that the certificate must be used in accordance with its

key-usage field extensions, and that the certificate must be valid at the time of

reliance, by reference to online certificate status protocol (OCSP) or CRL

checks. Relying parties are required to seek further independent assurances

before any act of reliance is deemed reasonable.

c. Application process. The application process shall only apply to end users who

have undergone the verification process and enrolment process. During

verification and enrolment, the identity of the end user must be ascertained

and the accuracy of the information provided by the end user must be verified.

The application process shall cover processing of the submitted documents,

identification and authentication, approval or rejection of the request, and

sending of the certificate. The application process shall be conducted within

five days.

i. Steps Involved

1. The end user shall fill up the application form, which shall be

provided at the GovRA office, or which may be downloaded

online at _____.

2. The end user shall submit the fully accomplished application

form along with the following documentary requirements

_______ to the Submissions Officer. The submissions officer

shall process the documents and submit these to the verification

officer who shall ______....

ii. Location. The submissions shall take place at the GovRA office. All

GovRAs must provide office space where applicants may submit their

requests. The location must be freely accessible and must be open

during regular business hours. All applicants who arrive at the office

premises during business hours shall be entertained until their requests

have been admitted by the submissions officer.

iii. Acceptance – failure to object to the certificate or its contents within

five days, after notification of the issuance of the certificate, constitutes

acceptance of the certificate. Acceptance requires the acceptance by

the subscriber of the Certificate Policy and Certificate Practice

Statement, a copy of which is available online at _____. The

application form shall likewise contain the subscriber's acceptance of

the terms defined in the CP and CPS.

iv. Publication – all certificates shall be published in the CAs' repository

system.

d. Verification, Authentication, and Validation Process

i. Purpose. Verification, authentication and validation are integral to the

issuance of certificates, since the certificates issued work on the

premise of trustworthy information and identities that are verified,

authenticated, and validated.

ii. Steps. VERIFICATION (recap of the internal activities of the process

officers)

iii. Location. Verification, authentication, and validation shall take place

within the GovRA premises whenever possible. The Verification (or

QC?) Officer has the reserved right to make ocular inspections

whenever necessary to determine the

iv. Circumstances for Renewal: A certificate may be renewed if the public

key has not reached the end of its validity period, the associated private

key has not been compromised and the subscriber name and attributes

are unchanged.

v. Circumstances for revocation. A certificate shall be revoked when the

binding between the subject and the subject’s public key defined

within a certificate is no longer considered valid. There are several

circumstances under which a CA certificate will be revoked:

1. Key Compromise - The CA private key has been compromised

2. CA Compromise - The CA database has been compromised

3. The CA is determined not to be compliant with its CP/CPS

4. Cessation Of Operation - The CA shall cease operation

5. Privilege Withdrawn - The CA can no longer issue certificates

6. Reasonable Belief in Unreliability – the CA has reasonable

grounds to believe that the certificate is unreliable regardless of

whether the subscriber consents to the suspension or not; but

the CA shall complete its investigation into the reliability of the

certificate and decide within a reasonable time either to reinstate

or to revoke the certificate.

7. Other - the CA may also revoke the digital certificates if:

a. the CA determines that its policy requirements are no

longer being met by the subscriber

b. an authenticated request is received by a CA or RA

from an individual subscriber or an authorized

representative of a juridical entity subscriber

c. An authorized employee, named under Section 4.3.2 of

DTI DAO No. 10-09, determines that an emergency

specified under Section 12.12 of DTI DAO No. 10-09

has occurred that may impact the integrity of the

certificates issued by the CA. Under this circumstance,

the official performing the duty specified under Section

12.15.1 of DTI DAO No. 10-09 shall authorize the

immediate revocation of the certificate.

vi. Circumstances for Suspension: suspension shall be an alternative to

revocation in case the review committee or the RA or CA upon

investigation does not find sufficient proof to either revoke or affirm

the certificate.

vii. Steps for RENEWAL

1. Digital certificates shall have a functional life of _____, after

which, the digital certificates shall expire. Certificate renewal

consists of issuing a new certificate with a new validity period

and serial number while retaining all other information in the

original certificate including the public key and shall follow the

requirements of Section 12.5 of DTI-DAO No. 10-09, s2009.

Upon expiration, the digital certificates must be renewed.

Renewal requires a re-application for a digital certificate.

During the re-application, the applicant must fill out the

application form with updated information, and must submit all

the necessary documents required for application. The

processing shall likewise take five days; acceptance policies

apply (check).

2. In case of revocation, the CA, RA, the subscriber, authorized

representative (or any interested party) must fill up the

revocation form; the revocation form must be submitted to the

_____ officer; upon submission, the revocation request shall be

submitted to the Review Committee; the review committee

shall act upon the revocation request within 24 hours; if the

revocation request is approved, the digital certificate shall be

revoked; upon the review committee's approval, the revocation

request shall be forwarded by the GovRA to the GovCA; the

GovCA shall validate the request and then perform the

revocation; the GovCA shall publish and issue the CRL; the

GovRA shall inform the relying parties of the revocation; the

relying parties should validate any presented certificate against

available CRL or through OCSP; the SSL CA shall publish its

CRL at least once every twenty four hours. Special purpose

CAs shall publish their CRLs based on the importance of providing

correct status information; if the revocation request is

disapproved, the requesting party shall be notified by e-mail or

through the contact information provided by the requesting

party in the revocation request form; denied revocation requests

may be appealed through the same review committee through

another application for revocation; three (3) revocation requests

based on the same reason and which have been duly rejected

each time by the review committee shall place the requesting

party in a revocation request black list; blacklisted parties may

not apply for revocations on the same digital certificates using

the same grounds; all revocation requests shall be documented

and recorded;

viii. Steps for SUSPENSION

1. request for suspension shall follow the same process as

revocation; a suspension shall be temporary and limited with a

maximum time; a suspended certificate may be terminated

before the maximum suspension time under the following

conditions: the purpose of the certificate is no longer applicable

and the holder shall no longer be entitled to use the certificate OR

the holder requests immediate termination.
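
The relying-party checks named in Section III.b (key usage, validity at the time of reliance) and in the revocation and suspension steps above (validation against the CRL) can be carried out as follows. This Python is an added example, not part of the manual: it uses the third-party `cryptography` package, the CA, subscribers, serial numbers and 24-hour `nextUpdate` are constructed, suspension is represented by the standard CRL reason `certificateHold`, and rejecting on a stale CRL is an assumption about relying-party policy.

```python
"""Relying-party checks before trusting a signing certificate (added example)."""
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)  # constructed time of reliance
CA_CN = "Example Issuing CA"                              # constructed CA name


def name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def utc(obj, field):
    """Read a time field as aware UTC on both old and new 'cryptography' releases."""
    value = getattr(obj, field + "_utc", None)
    return value if value is not None else getattr(obj, field).replace(tzinfo=timezone.utc)


def issue(ca_key, subject_key, cn, serial, signing=True, ca=False):
    """Issue a constructed test certificate signed by the example CA."""
    usage = x509.KeyUsage(
        digital_signature=signing, content_commitment=signing,
        key_encipherment=not signing and not ca, data_encipherment=False,
        key_agreement=False, key_cert_sign=ca, crl_sign=ca,
        encipher_only=False, decipher_only=False)
    return (x509.CertificateBuilder()
            .subject_name(name(cn)).issuer_name(name(CA_CN))
            .public_key(subject_key.public_key()).serial_number(serial)
            .not_valid_before(NOW - timedelta(days=30))
            .not_valid_after(NOW + timedelta(days=335))
            .add_extension(usage, critical=True)
            .sign(ca_key, hashes.SHA256()))


def publish_crl(ca_key, entries, this_update):
    """Build a CRL whose nextUpdate is 24 hours after thisUpdate (assumed interval)."""
    builder = (x509.CertificateRevocationListBuilder().issuer_name(name(CA_CN))
               .last_update(this_update)
               .next_update(this_update + timedelta(hours=24)))
    for serial, reason in entries:
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(serial)
            .revocation_date(this_update)
            .add_extension(x509.CRLReason(reason), critical=False).build())
    return builder.sign(ca_key, hashes.SHA256())


def check_reliance(cert, ca_cert, crl, at=NOW):
    """Decide whether a signature made with cert may be relied on at time 'at'."""
    ca_pub = ca_cert.public_key()
    try:
        if cert.issuer != ca_cert.subject:
            raise InvalidSignature
        ca_pub.verify(cert.signature, cert.tbs_certificate_bytes,
                      ec.ECDSA(cert.signature_hash_algorithm))
    except InvalidSignature:
        return "reject: certificate not issued by this CA"
    if not utc(cert, "not_valid_before") <= at <= utc(cert, "not_valid_after"):
        return "reject: outside validity period"
    if not cert.extensions.get_extension_for_class(x509.KeyUsage).value.digital_signature:
        return "reject: key usage does not permit digital signatures"
    if crl.issuer != ca_cert.subject or not crl.is_signature_valid(ca_pub):
        return "reject: CRL not issued by this CA"
    # Fail closed: an expired CRL says nothing about revocations published since.
    if not utc(crl, "last_update") <= at <= utc(crl, "next_update"):
        return "reject: CRL is stale, status unknown"
    entry = crl.get_revoked_certificate_by_serial_number(cert.serial_number)
    if entry is None:
        return "accept"
    try:
        reason = entry.extensions.get_extension_for_class(x509.CRLReason).value.reason
    except x509.ExtensionNotFound:
        reason = x509.ReasonFlags.unspecified
    if reason == x509.ReasonFlags.certificate_hold:
        return "reject: certificate suspended"
    return "reject: certificate revoked (%s)" % reason.value


def demo():
    """Run the checks over four constructed certificates and one stale-CRL case."""
    ca_key = ec.generate_private_key(ec.SECP256R1())
    ca_cert = issue(ca_key, ca_key, CA_CN, 1, signing=False, ca=True)
    user_key = ec.generate_private_key(ec.SECP256R1())
    certs = {
        "good": issue(ca_key, user_key, "Subscriber A", 1001),
        "suspended": issue(ca_key, user_key, "Subscriber B", 1002),
        "revoked": issue(ca_key, user_key, "Subscriber C", 1003),
        "encryption-only": issue(ca_key, user_key, "Subscriber D", 1004, signing=False),
    }
    crl = publish_crl(ca_key, [(1002, x509.ReasonFlags.certificate_hold),
                               (1003, x509.ReasonFlags.key_compromise)],
                      NOW - timedelta(hours=1))
    verdicts = {label: check_reliance(c, ca_cert, crl) for label, c in certs.items()}
    verdicts["good, CRL two days old"] = check_reliance(
        certs["good"], ca_cert, crl, at=NOW + timedelta(days=2))
    return verdicts


if __name__ == "__main__":
    for label, verdict in demo().items():
        print("%-24s %s" % (label, verdict))
```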

ix. Steps for CERTIFICATE MODIFICATION

1. Certificate modification is performed when a change occurs in

any of the information of an existing certificate. After

modification, the original certificate may or may not be

revoked but it must not be re-keyed, renewed, or modified

anymore; request for certificate modification may be done by

the CA, RA, subscriber, or a representative; the requesting

party must submit relevant documents proving the changes in

information; upon verification of the changed information, the

RA shall issue a new certificate which reflects the changed

information from the subscriber; the digital certificate shall be

published, and if the previous certificate has been revoked, the

same shall be published in a CRL;

IV. RA Operational Requirements

a. Hours of Operation. GovRA offices shall be open from Monday to Friday

during regular business hours, from 8 AM to 5 PM to accept requests for new

certificates, certificate modification, suspensions, and revocation. (What about

requests for revocation on weekends?)

b. Business Continuity Plan

V. Facility Management and Operational Controls

a. Physical and Security Controls. The GovRA office shall implement the

following security measures:

i. All computers and other electronic devices used to store subscriber

information shall be secured by password and must be authenticated

with digital certificates. The computers must be encrypted to prevent

unauthorized access. All information must be stored in the cloud.

ii. Hard copies of the documents submitted by applicants and subscribers

must be kept in secure, locked cabinets.

iii. Logs, minutes of reviews, and other documentation must be stored in

secure, locked cabinets.

iv. The GovRA office shall be under 24/7 CCTV surveillance and shall

regularly be patrolled by designated security guards.

v. Any technicians, repair crew, service personnel or other outsiders must

secure authorization from the security officer before proceeding within

the GovRA office. Outsiders must likewise be accompanied by the

security officer or a designated official at all times.

b. Procedural Controls

i. Trusted roles. Trusted Roles shall be implemented. Access to certain

functions shall only be given to appropriate officials, especially with

regard to accessing subscriber information and data, server services,

and other certificate related functions. All GovRA personnel that need

access to the PKI system are assigned individual accounts with a role

attached to achieve privileges in the system. Certain roles shall require

the separation of duties. The system in this case will enforce role

separation based on access controls and rights in both software as well

as hardware. Every role provides the access and privileges needed for

all tasks associated with the role. No user shall be assigned multiple

roles. The following roles have access to some part of the PKI system:

a.) Security officer b.) System administrator c.) System operator d.)

System auditor e.) Database administrator f.) Registration authorities.

ii. Document amendment process. Any amendment in the GovRA

Manual shall be done by the PKI Committee no more than once a year.

Any proposed amendments or changes to the GovRA manual shall be

submitted by the GovRA branch or other proposing party to the RA

administrator. The RA administrator shall then forward the document

to the Agency Head. The Agency Head shall submit the document to

the PKI Committee for discussion. Any changes and amendments to

the GovRA manual may only be made by a majority vote from all the

members of the PKI Committee. Other documents pertaining to

GovRA operations shall likewise be changed through a proposal

submitted and voted upon by the PKI Committee.

iii. Logical access control. A multi-layer access system shall be

implemented to secure the GovRA office and the individual

components within the office, especially the computer rooms and the

file storage rooms. The multi-layer access system shall include the use

of passwords, finger print recognition, and other software to limit

access to the GovRA office. The RA Administrator shall authorize

the personnel's access to the rooms. The records room in particular

shall only be accessible to the Archiving and Office Administrator.

The computer room, if any, shall be accessed by the Systems

administrator, system operators, and the database administrators. The

computers shall be configured so that the overall administrator account

shall only be accessed by the Systems administrator. The database

accounts shall only be accessed by the database administrator.

iv. Configuration management

1. All GovRA offices must abide by the GovRA manual, CP-CPS

and other relevant PKI documents and standards at all times.

The RA Administrator shall be tasked with ensuring that the

entire GovRA operations are in keeping with the standards set

forth by these documents.

2. All software and applications used in the office shall be

updated by the systems administrator. The systems

administrator shall consult with the RA administrator to

determine which version to install or implement in the office.

Applications and software must follow the same versions

across all GovRA offices.

3. All hardware and equipment used in the office shall be updated

by the ________. The _________ shall consult with the RA

administrator to determine which version to install or

implement in the office. The hardware must be compatible with

the software currently set as the standard across all GovRA

offices.

v. Archiving and recovery.

1. All applicant and subscriber information shall be digitized for

digital storage.

2. All data and information shall be managed by the Archiving

and Office Administrator;

3. All data shall be stored in the GovCloud for safety and backup.

4. GovRA offices may also install separate servers for data

backup.

vi. Control of removable media

1. The use of removable media, including magnetic media, flash

drives, CDs, and other legacy hardware, inside GovRA offices

shall be monitored strictly. Security guards shall check

personnel before coming in and before leaving the GovRA

office for any removable media. All removable media must be

approved and authorized by the RA administrator first.

Otherwise, these must be deposited with the security guards.

2. The contents of removable media that are brought inside must

be scanned by the systems administrator before being allowed

to leave the facility. No information or data, in part or in

whole, from the GovRA systems and databases may be stored

or taken outside without prior authorization from the RA

Administrator;

3. Unauthorized copying of GovRA-related data shall be

sanctioned;

4. Any data pertaining to the GovRA authorized to be stored in

removable media or taken outside of the office must be

digitally signed by the officer taking the data out of the office,

for tracking and reference.

vii. Storage / handling procedures

1. The office shall be opened at the start of shift by the

security guard;

2. Security guards shall check all personnel and officials before

entry into the office. Any prohibited items such as removable

media shall be stored in lockers outside of the office. Any

personnel who shall access the lockers shall need to be checked

by the security guard again before entry into the main GovRA

office.

3. Security guards shall check all personnel and officials before

leaving the office.

4. The security guard shall close the office. The name of the security

guard who opens and closes the office shall be kept in the

security guard log books. During non-business hours, the

security guards shall inspect the office premises at least once

every half hour. Any irregularities or disturbances shall be

logged in detail and immediately reported to the RA

Administrator the following day.

viii. Emergency and standard destruction procedures

1. All documents processed by GovRA offices shall be sorted by

the Archiving officer and classified. Confidential materials

shall only be accessed by officers with the appropriate security

privilege or upon authorization by the RA administrator.

2. All documents upon classification shall undergo digitization.

GovRAs shall utilize the NARMIS for file storage and

management, and shall tag or label documents according to

their appropriate classification.

3. Hard copies of documents shall be stored for a maximum of

one (1) year, after which they shall be disposed of through a

shredder. Files may also be sent to the National Archives of the

Philippines for disposal.

c. Personnel security controls

i. Trusted Roles

Security Officer - Having overall responsibility for administering the implementation of the security policies and practices.

System Administrator - Authorized to install, configure and maintain trustworthy systems, but with controlled access to security-related information. This user does not have access to the EJBCA web interface.

System Operator - Responsible for operating trustworthy system on a day-to-day basis. A System Operator is authorized to perform system backup and recovery.

System Auditor - Authorized to view archives and audit logs of the trustworthy system.

Database Administrator - Has privileged access to the database and can create users, databases and manipulate tables. The DBA has access during installation. During normal operations, the DBA is not allowed to log into the system.

Registration Officer - Responsible for approving end entity Certificate generation, revocation, suspension, renewal and re-key.

ii. Facility Security Officer (FSO)

1. The Facility Security Officer shall supervise the

implementation of security procedures and protocols in the

GovRA offices.

2. FSO shall ensure that all the security procedures found in the

GovRA Operations Manual, CP-CPS, and other standards and

documents pertaining to the operations of GovRAs shall be

implemented within the FSO's office.

3. The FSO shall conduct security audits on a monthly basis,

which shall include a check of all security logs, including the

logs of the security personnel.

4. The FSO shall be notified of any breach in security, whether

physical or procedural. The FSO, in coordination with the RA

Administrator, shall address security breaches.

iii. Separation

1. All personnel working in GovRAs who resign must submit a

resignation letter to be approved by the direct supervisor.

2. Upon approval by the direct supervisor, the resigning employee

shall be given one month before separating from the office.

3. An assessment and evaluation of the employee’s work shall be

conducted. All assigned tasks must have been finished, unless

the assigned task is not yet due, in which case, only the

deliverable milestone is required.

4. The immediate supervisor or a Human Resources

Representative shall facilitate an exit interview and other

formalities.

iv. Audit logging procedures.

1. The following are auditable events:

a. System Access – The user name and certificate serial

number shall be recorded in the log for every system

access to GovRA.

b. Physical Access – The card number and user name shall

be logged whenever the premises or office rooms are

entered.

2. Audit logs shall be reviewed daily by the FSO or the Systems

Administrator. Signed log files are validated to verify the

authenticity of the information. Any irregularities, failed

validations, or other suspicions are reported to the manager of

the Philippine PKI organization for further investigation.

3. Digital copies of audit logs shall be kept encrypted and

archived permanently;

4. Audit logs shall only be accessible by personnel with the

correct privilege level. In general, only Auditors, FSO, and

Systems Administrators shall have access to the audit logs.

5. Any access to audit log files shall automatically be added by

the system to the audit logs.

6. Editing and rewriting of audit logs shall not be permitted by the

system.

7. Subjects who have caused an audit event shall only be notified

of the audit action when the subject is involved in the audit

action.

8. The systems administrator and the PKI Committee shall

conduct vulnerability assessments to ensure that the audit logs

are protected and encrypted against unauthorized access,

editing, and deletion.

v. Records archival

1. All documents submitted by applicants and subscribers shall be

digitized using iGovPhil's NARMIS application;

2. Digitized documents shall be stored in the GovCloud;

3. No active subscriber information may be deleted;

4. Inactive subscriber or applicant information shall be retained

for a period of at least two (2) years, but in no way more than

ten (10) years.

5. All documents and other records must be time-stamped.

vi. RA Termination

1. GovRAs shall remain active until mutually agreed upon with the

GovCA.

2. Upon termination or revocation of GovRA status, all files,

archives, records, and logs must be forwarded to the GovCA;

3. A public notice announcing the termination of the GovRA

office must be published.

4. Subscribers must be notified. In the notification, the alternate

GovRA office where subscribers can file their requests or ask

for assistance must be provided.

vii. Compliance Audits and Other assessments

1. GovRAs must be audited at least annually;

2. A third party auditor shall be commissioned for the auditing, to

ensure no conflict of interest.

3. A background check shall be enforced upon all auditors to

ensure that there is no relationship, business, commercial, or

other interest in the matter.

4. The following shall be the core subject of the audit:

5. The following shall be the actions taken as a result of the audit:

viii. Confidentiality of Information

1. All information provided by subscribers and applicants is

considered confidential and may not be shared by the GovRA

with any person or agency.

2. Access to subscriber or applicant information shall only be

granted upon court warrant.

3. Under no other circumstances may a GovRA disclose any

information belonging to an applicant or a subscriber.

