SINGAPORE Law and Practice Contributed by: Lim Chong Kin, David N Alfred, Albert Pichlmaier and Goh Boon Yeow, Drew & Napier LLC
• uplifting operational technology cybersecurity resilience beyond CII; and
• promoting secure-by-development principles.

ICT Systems Containing Personal Data
As Section 24 of the PDPA requires organisations to protect personal data in their possession or under their control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification or disposal, or similar risks, penetration testing may be helpful in determining whether the organisation is in compliance with the PDPA. Furthermore, the PDPC’s Guide to Data Protection Practices for ICT Systems and Guide to Data Protection by Design for ICT Systems generally recommend the conduct of penetration testing to ensure that data protection measures operate as intended and to detect any vulnerabilities.

4. Cyber-Resilience

4.1 Cyber-Resilience Legislation
The Singapore Cybersecurity Strategy 2021 emphasises enhancing the response capabilities of the state, organisations and individuals rather than expanding legislation relating to cyber-resilience (please refer to 1.1 Cybersecurity Regulation Strategy for more details). As such, apart from the Cybersecurity Act and the patchwork of other cybersecurity and sectoral legislation mentioned in 1.2 Cybersecurity Laws, the legislative treatment of cyber-resilience in Singapore remains relatively sparse compared to other jurisdictions such as the European Union, which has the dedicated Cyber Resilience Act.

4.2 Key Obligations Under Legislation
Please refer to 1.2 Cybersecurity Laws, 2.2 Critical Infrastructure Security Requirements, 3.2 ICT Service Provider Contractual Requirements, 3.3 Key Operational Resilience Obligations and 4.1 Cyber-Resilience Legislation.

5. Security Certification for ICT Products, Services and Processes

5.1 Key Cybersecurity Certification Legislation
While there is no prescribed cybersecurity certification legislation in Singapore, the CSA offers, administers and supports the use of certification schemes to provide assurance to customers that a product has been objectively assessed from a cybersecurity standpoint.

The CSA Cybersecurity Certification Centre operates three schemes which cover ICT product security in general. For example, besides the CLS, the Singapore Common Criteria Scheme (SCCS) provides a cost-effective regime to evaluate and certify the security of IT products in Singapore against the Common Criteria (CC) standards (ie, the ISO/IEC 15408 series). CC is a common set of standards initially developed through a collaboration among national security and standards organisations in Canada, France, Germany, the Netherlands, the UK and the USA. Under the Arrangement on the Recognition of Common Criteria Certificates in the Field of IT Security (also known as the Common Criteria Recognition Arrangement (CCRA)), which forms the basis of international recognition of CC certifications, Singapore’s SCCS is recognised as a Certificate Authorising Scheme. The CC harmonises the evaluation (which ranges from document review to deep penetration testing) of IT products by defining a common set of security func-