Within All Government Websites
Frequently Asked Questions
All of these words
This exact phrase
Any of these words
Without these words
Whole of Government
Licensing of Cybersecurity Service Providers
Globally, Singapore would be one of the first countries to license cybersecurity service providers. What are some views from such providers?
There is a breadth of views from cybersecurity service providers. Some welcome the regulation, as it professionalises the industry at a time when more organisations are searching for and consuming cybersecurity services. However, there were some who expressed concerns that licensing regime could increase the operational costs of service providers and impact the development of a vibrant cybersecurity ecosystem in Singapore. In response to concerns, CSA has simplified the licensing regime following consultation, such as by doing away with the need for specific licensing of individual practitioners.
What are the Cyber Security Agency of Singapore's (CSA) justifications for introducing the licensing framework?
The licensing framework is only one part of the Cyber Security Agency of Singapore (CSA)'s overall strategy to develop and strengthen the cybersecurity industry in Singapore. It will be complemented by CSA's partnerships with the industry and professional association partners to establish voluntary accreditation regimes for cybersecurity professionals.
CSA's considerations for the licensing framework are to help:
Provide greater assurance of security and safety to consumers of cybersecurity service providers, as such services become more common and sought after;
Raise the quality of the standards of these service providers over time; and
Address information asymmetry between service providers and consumers of cybersecurity services.
Why did the Cyber Security Agency of Singapore (CSA) decide to license only providers of penetration testing and managed security operations centre (SOC) services?
The Cyber Security Agency of Singapore (CSA) intends to adopt a light-touch approach to license penetration testing and managed security operations centre (SOC) monitoring because these services:
Have access to sensitive information from their clients and could have significant impact if not delivered well or misused, and
Are also relatively mainstream in our market and hence have a significant impact on the overall security landscape.
CSA will continue to monitor international and industry trends and assess if new types of cybersecurity services are considered high-risk, and evaluate whether the providers of such services should be licensed.
What are the licensing conditions that licensed cybersecurity service providers have to comply with?
We intend to keep licensing requirements simple to minimise the operational costs on businesses. The requirements that licensed service providers have to comply with include:
Ensure that their key executive officers performing the licensable services are fit and proper persons as defined in S26(8). For example, ensure that the individual has not been convicted of any offence involving fraud, dishonesty or moral turpitude.
Keep for at least 3 years, basic records on the cybersecurity services that it has provided. This was reduced from the earlier proposed 5 years, so as to lighten the administrative requirements on licensed cybersecurity service providers.
When will the licensing framework be implemented?
The implementation of the licensing framework will be communicated at a later date.
If you are unable to find an answer to your query, please submit your
to let us know how we can help you.
Rate this Website
© 2019, Government of Singapore