Singapore’s Cyber Security Agency (CSA) is to start licensing cyber security service providers in the city-state to safeguard consumer interests and improve service standards over time.
Announcing the new licensing framework today, the CSA said the move will address the “information asymmetry” between consumers and cyber security service providers, starting with those that offer penetration testing and managed security operations centre (SOC) services.
The CSA said these two services were prioritised because service providers delivering such services can have significant access into their clients’ computer systems and sensitive information. In the event that the access is abused, the client’s operations could be disrupted.
Also, it noted that the two types of services are already widely available and adopted in the market, so have the potential to cause significant impact on the overall cyber security landscape.
The licensing framework was developed following a month-long consultation process, during which 29 responses were received from industry players, industry associations, and members of the public.
For example, some respondents suggested penetration testing should be defined, given the potential confusion with vulnerability assessment.
The CSA noted that penetration testing has already been defined in the Second Schedule to the Cybersecurity Act and that vulnerability assessments usually involve scanning IT systems or networks to identify flaws that may be exploited and do not compromise cyber defences.
This serves as a “common distinction” between vulnerability assessment and penetration testing, of which the former is not a licensable cyber security service, said the CSA. However, those that provide red teaming services that include penetration testing should be licensed.
Existing cyber security service providers that already offer licensable cyber security services will be given six months to apply for a licence. Those that do not apply for a licence – which will be valid for two years – in time will have to stop providing licensable services until they get a licence.
Anyone in the business of providing licensable cyber security services without a licence after 11 October 2022 could be liable to a fine not exceeding S$50,000 or to imprisonment for a term not exceeding two years, or both.
To administer the new licensing framework, the CSA has set up a new Cybersecurity Services Regulation Office, which will manage licensing processes and share resources on licensable cyber security services with consumers, among other activities.
The CSA said it will continue to monitor international and industry trends and engage the industry where necessary, so as to assess whether any new types of cyber security service should be included in the licensing framework.
Teo Xiang Zheng, head of advisory at Ensign InfoSecurity, a Singapore-based cyber security firm, said the new licensing framework is a step in the right direction towards elevating the overall standards for penetration testing and managed SOC services in Singapore.
“These cyber security services are currently offered by a wide variety of providers in the market, with varying competency levels. The licensing framework ensures these services are carried out by qualified service providers proficient in these areas,” he added.
Teo noted that the licensing regime will also bring potential business benefits to cyber security service providers.
“For Ensign, the licence from CSA complements the other industry accreditations we have attained to provide additional assurance for clients and prospects. The licensing framework can establish us as a trustworthy service provider and make us more competitive in the sector,” he said.
All Rights Reserved, Copyright 2000 – 2022, TechTarget