BIR Issuances – RMO 5-2024
The BIR issued the Policies and Procedures for the Implementation of Multi-Factor Authentication (MFA) for Virtual Private Network (VPN) Access
Revenue Memorandum Order (RMO) No. 5-2024
13 February 2024
Multi-Factor Authentication (MFA) is a stronger authentication method that enhances security by requiring a user to provide two or more verification factors before gaining access to a BIR resource. Through MFA, a user is required to identify themselves by more than a username and password, reducing the risk of unauthorized access in case a password is compromised. All VPN users with access to BIR systems shall be authenticated using two or more verification factors before gaining access to BIR resources.
OBJECTIVE
To strengthen the security controls in place when accessing application systems by implementing a stronger authentication method on the BIR's VPN.
DEFINITION OF TERMS
- Authentication refers to the identification requirements associated with an individual using a computer system. Identification information must be securely maintained by the computer system, as it can be associated with an individual's authorization and system activities. Three types of factors are used to provide authentication: a) something you know (e.g. a password); b) something you have (e.g. a certificate or smart card); c) something you are (e.g. a fingerprint or retinal pattern).
- Multi-Factor Authentication (MFA) refers to an authentication method that requires a user to provide at least two factors of verification in order to be granted access to a website, application or resource.
- Virtual Private Network (VPN) refers to a method of providing secure remote access when accessing BIR resources.
- VPN User refers to a BIR user or contractor with remote access to a BIR resource.
- Server Network Access Request Form (SNARF) refers to the request form filled out by a user when requesting access to the BIR network.
- One-Time Password (OTP) refers to a one-time pin, one-time authorization code or dynamic password: a password that is valid for only one login session or transaction on a computer system or other digital device.
- User Interface (UI) refers to a point of human-computer interaction and communication in a device. This can include display screens, keyboards, a mouse and the appearance of a desktop.
- User Portal refers to a webpage where users can create an account, change their personal information, and choose a two-factor authentication method.
POLICIES
- MFA shall be required for all users of the BIR’s VPN.
- VPN user shall be responsible for all activities identified with the account.
- One-time password/pin shall be generated using a mobile application or sent through the registered BIR email address.
- VPN users with existing access or requesting new access (both BIR employees and third-party service providers) shall accomplish two (2) copies of the SNARF with the appropriate Network Diagram attached.
- The accomplished/signed SNARF with the appropriate Network Diagram shall be submitted to the Security Management Division (SMD). Other necessary documents may be required upon evaluation, if needed (e.g. NDA for third parties, justification letter, etc.). A VPN access request shall only be evaluated by SMD upon submission of the complete documentary requirements.
- Account lockout shall be imposed after a maximum of three (3) consecutive invalid login attempts. A user with a locked account or forgotten password shall be logged in the BIR Service Desk System for unlocking of the account or resetting of the password.
- Any issue or difficulties encountered associated with the use/enrollment of MFA shall be reported to SMD.
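As an added example (not part of the RMO or of any BIR system), the one-time password and three-attempt lockout policies above expressed as server-side verification logic in Python; it assumes the mobile application generates RFC 6238 TOTP codes, and the account data, salt and secret are constructed for illustration.

```python
import hashlib
import hmac
import struct

# Lockout threshold from RMO 5-2024: three consecutive invalid attempts.
MAX_FAILED_ATTEMPTS = 3


def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based OTP (HMAC-SHA1), the scheme common authenticator apps use."""
    counter = struct.pack(">Q", timestamp // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class VpnAccount:
    """Server-side record for one enrolled VPN user (constructed for this example)."""

    def __init__(self, password: str, totp_secret: bytes):
        self.salt = b"constructed-salt-use-os.urandom-in-practice"
        self.password_hash = hash_password(password, self.salt)
        self.totp_secret = totp_secret  # shared with the user's mobile app at enrollment
        self.failed_attempts = 0
        self.locked = False

    def _record_failure(self) -> str:
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            self.locked = True  # cleared only through the Service Desk unlock process
            return "locked"
        return "denied"

    def authenticate(self, password: str, otp: str, now: int) -> str:
        """Check both factors at time `now`; a failure of either one counts toward lockout."""
        if self.locked:
            return "locked"
        # Factor 1: something you know.
        password_ok = hmac.compare_digest(hash_password(password, self.salt), self.password_hash)
        # Factor 2: something you have; accept one 30-second step of clock drift either way.
        otp_ok = any(hmac.compare_digest(totp(self.totp_secret, now + d).encode(), otp.encode())
                     for d in (-30, 0, 30))
        # Evaluate both before answering so the response does not reveal which factor failed.
        if not (password_ok and otp_ok):
            return self._record_failure()
        self.failed_attempts = 0  # the counter resets only on a fully successful login
        return "granted"
```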
PROCEDURES
- The VPN requestor/user shall:
  - Accomplish the SNARF.
  - Forward the duly accomplished two (2) copies of the form with the corresponding attachment to the Head of Office/Project Manager for approval.
  - Receive through email the vulnerabilities that need to be addressed, if any.
  - Remediate the vulnerabilities found.
  - Inform SMD of the remediation done and request a repeat Vulnerability Assessment (VA).
  - Receive through email the login/password for VPN and MFA.
  - Proceed with individual account creation on the MFA User Portal following the step-by-step procedure in the email notification sent by SMD.
- The Head of Office/Project Manager shall:
  - Evaluate and sign the accomplished request form (beside the signature of the requesting party).
  - Endorse the request form and corresponding attachment to SMD.
- The SMD Security Analyst shall:
  - Receive the request forms with corresponding attachment and review/evaluate the SNARF for information accuracy and completeness.
  - Perform a Vulnerability Assessment (VA) on the desktop/laptop of the VPN user, if needed.
  - If vulnerabilities are found, email the VPN user with the findings.
  - Re-conduct the VA after remediation/fixes have been applied by the VPN user.
  - Process the SNARF within one (1) working day from evaluation and/or re-conduct of the VA, and endorse the request to the SMD Chief for approval.
  - Endorse the SNARF and corresponding attachment to the concerned offices:
    - System Administration (Sys Ad) of the Data Warehousing and Systems Operations Division (DWSOD) for evaluation; they affix their initial/signature to the form.
    - DWSOD Sys Ad shall transmit the signed SNARF, within one (1) working day from evaluation, to Network Administration (Net Ad) of the Network Management and Technical Support Division (NMTSD) after affixing their initial/signature.
    - NMTSD Net Ad shall evaluate the SNARF and affix their initial/signature to the form.
    - NMTSD Net Ad shall transmit the signed SNARF within one (1) working day from evaluation to the Office of the ACIR-Information Systems Development and Operations Service (ISDOS) for final approval.
    - ACIR-ISDOS shall evaluate the SNARF and affix their signature to the form as the final approver.
    - Upon approval, OACIR-ISDOS shall transmit the signed SNARF within one (1) working day from evaluation to SMD.
    - SMD shall transmit the approved SNARF and corresponding attachment to NMTSD Net Ad for implementation of the VPN request within one (1) working day from receipt of the approved SNARF.
    - NMTSD Net Ad shall implement the request within twenty-four (24) hours upon receipt of the approved SNARF.
    - NMTSD Net Ad shall notify the VPN user through email of his/her login credentials.
  - Enroll the VPN user/requestor with an approved SNARF on the MFA Management UI.
  - Notify the VPN user through email of his/her MFA login credential and the procedure for account enrollment on the MFA User Portal.
- The DWSOD Sys Ad shall:
  - Receive the SNARF and evaluate the request.
  - Endorse the SNARF to the DWSOD Chief for approval.
  - Route the SNARF to NMTSD.
- The NMTSD Net Ad shall:
  - Receive the SNARF and evaluate the request.
  - Endorse the SNARF to the NMTSD Chief for approval.
  - Route the SNARF to OACIR-ISDOS for final approval.
  - Email the VPN login credentials to the requesting user.
- The ACIR-ISDOS shall:
  - Receive the SNARF and evaluate the request.
  - Sign the SNARF as the final approver.
  - Route the approved SNARF to SMD for endorsement to NMTSD for implementation.
REPEALING CLAUSE
All other issuances and/or portions thereof inconsistent herewith are hereby revoked and/or amended accordingly.
EFFECTIVITY
This RMO shall take effect IMMEDIATELY.
A copy of the RMO can be accessed below.