Frequently Asked Questions
Top 5 Most Popular FAQs
What is the profile of the Critical Information Infrastructure (CII) in Singapore?
The Cyber Security Agency of Singapore (CSA) has worked closely with Sector Leads to identify the Critical Information Infrastructure (CII) supporting the provision of essential services across 11 critical sectors.
The critical sectors are Energy, Water, Banking & Finance, Healthcare, Transport (which includes Land, Maritime, and Aviation), Government, Infocomm, Media, and Security & Emergency Services. The list of essential services in these sectors is published in the First Schedule of the Act.
Under Section 7 of the Act, CII refers to specific computers and computer systems that are explicitly designated by the Commissioner of Cybersecurity. Firms and sectors as such are not considered CII.
The list of CII and CII owners will be finalised before CSA and Sector Leads implement the Cybersecurity Act in the second half of 2018. The list of CII and CII owners is secret for national security reasons.
When will the licensing framework be implemented?
The implementation of the licensing framework will be communicated at a later date.
What are the licensing conditions that licensed cybersecurity service providers have to comply with?
We intend to keep licensing requirements simple to minimise the operational costs on businesses. The requirements that licensed service providers have to comply with include:
Ensure that their key executive officers performing the licensable services are fit and proper persons as defined in S26(8). For example, ensure that the individual has not been convicted of any offence involving fraud, dishonesty or moral turpitude.
Keep, for at least 3 years, basic records on the cybersecurity services that they have provided. This was reduced from the earlier proposed 5 years, so as to lighten the administrative requirements on licensed cybersecurity service providers.
Why did the Cyber Security Agency of Singapore (CSA) decide to license only providers of penetration testing and managed security operations centre (SOC) services?
The Cyber Security Agency of Singapore (CSA) intends to adopt a light-touch approach to license penetration testing and managed security operations centre (SOC) monitoring because these services:
Have access to sensitive information from their clients and could have significant impact if not delivered well or misused, and
Are also relatively mainstream in our market and hence have a significant impact on the overall security landscape.
CSA will continue to monitor international and industry trends and assess if new types of cybersecurity services are considered high-risk, and evaluate whether the providers of such services should be licensed.
Why is there a need for a new Cybersecurity Act?
There are no laws in Singapore today that directly ensure the routine protection of Critical Information Infrastructure (CII). Today, Section 15A of the Computer Misuse and Cybersecurity Act (CMCA) empowers the Minister for Home Affairs to issue a certificate to authorise or direct a person or an entity to take measures to comply with requirements necessary to prevent, detect or counter a threat to the national security, essential services, defence or foreign relations of Singapore if the Minister is satisfied that it is necessary for the purpose of preventing, detecting or countering any threat to the national security, essential services, defence or foreign relations of Singapore. However, the CMCA, which mainly deals with cybercrimes such as the unauthorised access of computer material, does not provide a regulatory framework for the routine and proactive protection of CII.
The Cybersecurity Act will enhance the powers available in Section 15A of the CMCA by providing more powers that focus explicitly on cybersecurity. For instance, Section 15A allows the Government to request information to protect against cybersecurity threats, but does not mandate CII incident reporting or facilitate the sharing of cybersecurity information with the Government. The Cybersecurity Act will address these gaps.
Today, the Cyber Security Agency of Singapore (CSA) works with sector regulators to coordinate cybersecurity efforts to protect CII within their own sectors. The sectors have varying levels of cybersecurity readiness, and sector regulators have varying powers under their respective legislation and regulations to regulate CII within their sectors on cybersecurity matters.
While some Sector Leads have powers to regulate CII owners, such regulation tends to be outcome-based and was not designed with cybersecurity in mind. For example, rail operators and telcos are largely regulated based on their ability to meet service standards, not based on their compliance with cybersecurity requirements.
Other Sector Leads do not see themselves as regulators, as their relationship with the CII is contractual, or they are CII owners themselves. These sectors are unlikely to have strong incentives to invest in cybersecurity of their own accord.
© 2019, Government of Singapore