Free guides, checklists, and templates to help Philippine schools protect student data and comply with the Data Privacy Act.
“The Philippines needs 180,000 more cybersecurity professionals.”
Step-by-step guides for school cybersecurity
A plain-English guide to the Data Privacy Act of 2012 and what it means for your school. No legal jargon, just what you need to know.
A guide to evaluating the security and suitability of school management software before trusting it with student data. Includes questions to ask and red flags to watch for.
Step-by-step instructions for enabling multi-factor authentication on your school's Google Workspace or Microsoft 365 accounts.
How to safely retire old computers, servers, and vendor contracts without leaving student data behind. Includes lessons from the PH Army data exposure incident.
A step-by-step guide for school administrators to find out if their institution's data has been leaked — and what to do if it has.
Actionable security checklists
A printable, actionable checklist covering the 10 most critical cybersecurity measures every Philippine school should implement today.
A printable checklist for evaluating any software vendor or cloud service before trusting them with student data. Covers security, privacy, and contract requirements.
Understand threats and regulations
A step-by-step response guide for school administrators dealing with a data breach. Covers the critical first 72 hours and beyond.
Based on tracked incidents, here are the most common ways Philippine schools get breached — and how to defend against each one.
What ransomware is, how it reaches Philippine schools, and the concrete steps you can take to prevent it — and survive it if it hits.
When a school website accidentally exposes admin panels, config files, or backup archives, attackers don't need to hack — they just browse. Here's what to look for and how to lock things down.
HTTPS encrypts traffic between your school website and visitors. Without it, login credentials, student data, and form submissions travel in plain text — readable by anyone on the same network.
HTTPS encrypts your site, but HSTS ensures browsers never even try to connect over plain HTTP. It's a one-line header that closes a real attack window — and every school site running HTTPS should have it.
A Content Security Policy (CSP) header tells browsers which scripts, styles, and resources your site is allowed to load. It's one of the most effective defenses against cross-site scripting (XSS) attacks.
X-Frame-Options stops attackers from embedding your school's website inside a hidden iframe to trick users into clicking buttons or submitting forms they can't see. A one-line header, a real threat prevented.
When your web server announces its software name and version in every response header, you're handing attackers a shortcut. Here's what server information disclosure is, what it reveals, and how to suppress it.
Session cookies are the keys to your school's admin panels, portals, and CMS. Missing Secure and HttpOnly flags make them easy to steal. Here's what each flag does and how to set them.
Cross-Origin Resource Sharing (CORS) controls which websites can call your school's APIs. A misconfigured CORS policy can let any website on the internet read your student data or trigger admin actions.
Without an SPF record, anyone can send email that appears to come from @yourschool.edu.ph. SPF is a DNS record that tells mail servers which servers are authorized to send on your behalf — and it takes 10 minutes to set up.
DKIM adds a digital signature to every email your school sends. Receiving mail servers use this signature to verify the message was genuinely sent by you and hasn't been altered in transit.
SPF and DKIM check your email, but DMARC tells receiving servers what to do when those checks fail — and sends you reports of who's sending email as your school. It's the final piece of the email security puzzle.
RA 10173 requires schools to inform individuals about how their data is collected and used. Missing a privacy policy, cookie notice, or consent language isn't just a gap — it's a compliance violation that can trigger NPC investigation.
Many school websites broadcast their WordPress, Drupal, or Joomla version number in the page source. Attackers use this to target known vulnerabilities. Here's where it leaks and how to hide it.
Shared hosting is cheap and easy — but when attackers compromise one account, every site on it falls. Here's how web shell attacks work and what schools can do instead.
Ready-to-use policy templates
A ready-to-customize privacy policy template that meets DPA requirements. Just fill in your school's details and you're compliant.
A ready-to-use incident response plan template covering the full breach lifecycle — from detection to recovery. Customize with your school's contacts and procedures.
The Data Privacy Act of 2012 (RA 10173) protects all Filipino citizens, including students and parents. Schools are considered "personal information controllers" and must:
Report breaches to the National Privacy Commission (NPC) at privacy.gov.ph
Use our free cybersecurity tools to assess your school's security posture and identify areas for improvement.