SINGAPORE Law and Practice Contributed by: Lim Chong Kin, David N Alfred, Albert Pichlmaier and Goh Boon Yeow, Drew & Napier LLC
• Access control – CII owners must implement authentication techniques for access into the CII, maintain logs of all access into a CII and of all attempts to access the CII, and review these logs for anomalous activities on a regular basis.
• System hardening – CII owners must establish security baseline configuration standards for the CII.
• Remote connection – CII owners must ensure that all remote connections to the CII have effective cybersecurity measures to prevent and detect unauthorised access.
• Removable storage media – CII owners shall ensure that strict control is exercised over the connection of removable storage media and portable computing devices to a CII.
• Vulnerability assessment and penetration testing – CII owners shall conduct a vulnerability assessment of their CII to identify security and control weaknesses within 12 months from when the CII is designated under the Cybersecurity Act, and at least once every 12 months thereafter for CII that are IT systems; each vulnerability assessment should include (i) a host security assessment, (ii) a network security assessment, and (iii) an architecture security review.

Following the passing of the Cybersecurity (Amendment) Bill, the upcoming Cybersecurity Act will cover four new classes of entities.

• Designated providers of essential services that do not own the CII used for the continuous delivery of the essential services they are responsible for (third-party-owned CII): the providers of such essential services are required to obtain legally binding commitments from the third party to provide the necessary information or adhere to prescribed standards relating to cybersecurity, etc. The Commissioner may order such providers to cease using the third-party-owned CII if they do not obtain the legally binding commitments.
• Owners of computers or computer systems designated as systems of temporary cybersecurity concern: for example, the temporary systems used to support the distribution of critical vaccines during a pandemic could fall under this category.
• Designated entities of special cybersecurity interest: if the function such designated entities perform is disrupted, or if the sensitive information contained in their computer systems is disclosed, there will be a significant detrimental effect on the defence, foreign relations, economy, public health, public safety or public order of Singapore.
• Designated providers of major foundational digital infrastructure services: these services promote the availability, latency, throughput or security of digital services, and relate to cloud computing services and data facility services.

The upcoming amendments to the Cybersecurity Act impose obligations on these new entities that are similar to those already in force relating to CIIs, such as:

• providing the Commissioner with information;
• complying with any codes of practice, standards of performance or written directions that may be issued or approved by the Commissioner; and
• notifying the Commissioner of any prescribed cybersecurity incident – the exact scope of incident reporting and the cybersecurity codes of practice/standards/guidelines applicable to these new entities have not been published at the time of writing.