Businesses have more data and digital assets than ever before, and Singapore’s business landscape is awash with cloud service providers and data centres that store organisations’ data and provide the applications and software they run their operations on. System downtime or data loss at a cloud service provider or data centre can have a significant impact on an organisation’s ability to deliver its products and services. That’s why the Infocomm Media Development Authority (IMDA) has introduced new advisory guidelines for both cloud service providers and data centres.
Although this guidance is not yet mandatory, it is advisable that cloud service providers and data centres in Singapore align their processes with the advisory guidelines to ensure they provide reliable services that protect client data. In this blog we look at what the new guidance means for both cloud service providers and data centres and detail how you can implement best-practice processes for cyber risk management, cyber incident management, governance and controls to align with the requirements.
What Are the IMDA Advisory Guidelines for Cloud Service Providers?
The IMDA advisory guidelines for cloud service providers are designed to align with existing IT security standards like ISO 22301 and ISO 27001. They are broken down into 7 core focus areas:
- Cloud Governance Measures – This section covers information security management, roles & responsibilities, risk management & third-party risk, regulatory compliance, data governance, acceptable usage policies, implementing an ISMS, managing cyber incidents, implementing data governance controls etc.
- Cloud Infrastructure Security – This section outlines measures pertaining to audit logging, user tracking and access security. It also provides guidance on security controls, secure configuration, security testing, system development and encryption.
- Cloud Operations Management – This section shares measures regarding operations, security control, policies, procedures, resilience measures, and change management.
- Cloud Services Administration – This section stipulates guidance on the management of privileged accounts through the implementation of controls and governance processes.
- Cloud Service Customer Access – This section includes measures pertaining to user access controls for customers requiring the implementation of controls, policies, and governance procedures.
- Tenancy and Customer Isolation – This section includes measures pertaining to tenancy and customer isolation – requiring user access isolation controls and policies to ensure customers don’t pose a threat to one another.
- Cloud Resilience – This section outlines measures on setting controls and implementing governance to ensure physical and environmental security, as well as implementing business continuity and disaster recovery plans.
Read the full IMDA Guidance for cloud service providers.
What Are the IMDA Advisory Guidelines for Data Centres?
The IMDA Advisory Guidelines direct data centres to focus on managing a variety of different risk factors to ensure they remain operational. These include:
- Infrastructure Risk – Relating to power, cooling, connectivity, and building security.
- Governance Risk – Relating to robust operations, fast incident resolution, and change management protocols.
- Cyber Risk – Relating to cyberattacks and the need for sufficient controls.
The guidelines suggest that data centres should implement a business continuity management system to resolve unexpected incidents and adopt a continuous Plan, Do, Check, Act cycle to maintain and continuously improve resilience and security measures. The IMDA guidance also suggests that firms should manage cybersecurity risk by implementing an Information Security Management System (ISMS), effective controls, and policies. They must also ensure, through regular reviews, that any third-party service providers conform to the relevant information security and risk management policies, standards, procedures and contractual obligations – making a robust third-party risk management programme essential.
Read the full IMDA Guidance for data centres.
How Can Cloud Service Providers and Data Centres Implement Processes to Align With the IMDA Guidance?
Many of the requirements outlined in the IMDA guidance call for firms to have best-practice procedures for cyber risk management, cyber incident management, and business continuity and disaster recovery. Many also require cloud service providers and data centres to implement strict governance procedures, cybersecurity controls, and policies. Cloud service providers and data centres should also have measures in place to manage the risks associated with third-party service providers.
Luckily for cloud service providers and data centres there are software platforms available that offer a best-practice framework to manage all of these areas. Here’s how it works…
Cyber Risk Management – Firms can use software to build a cyber risk register in the platform. Each potential risk is categorised and rated based on its likelihood and severity, and Key Risk Indicators (KRIs) are defined. Risk levels are then monitored to ensure they remain within the desired risk appetite. If risk levels exceed the tolerable thresholds, staff are alerted and automated workflows enable them to escalate the risk and implement remediating actions. Risk levels are monitored in several ways. Staff can complete risk assessment forms online – automated workflows circulate the forms and all data feeds into the platform. Alternatively, the platform can integrate with your other systems and IT data via API integrations and pull operational data into the platform that can be used to track risk levels.
Controls – Of course, to manage risk levels and cybersecurity compliance firms need to implement a variety of controls. A control might be a policy or procedure, a regular check or test, or an IT security measure such as a firewall, backups or encryption. Whatever the control is, it needs to be documented, mapped to the relevant risk or regulatory requirement, and checked and tested regularly. By using GRC software, firms can build a control library and easily map controls to the relevant risks or regulations. Software can also automate the entire control check and testing process: automated workflows notify staff when control checks and tests are due, and staff record the results in the platform. This enables leadership teams to easily understand whether controls are effective.
Cyber Incident Management – Software can also automate the cyber incident management process. Firms simply log cyber incidents in the platform, or in some cases incidents can be created from tickets in your existing IT support function. Forms dynamically adapt based on the type of incident logged to ensure the relevant data is captured – photos, voice recordings, URLs, and files can also be added as evidence. Once an incident is logged, automated workflows escalate it to the relevant stakeholder and capture all remediating actions, steps and any root cause analysis needed until the incident is resolved. The system can integrate with your Active Directory, enabling you to map staff, sites, and equipment to related incidents. Management can easily view the source of recurring incidents – enabling them to implement preventive measures. They can also track the progress of incidents and see which are open or outstanding. When using GRC software for cyber incident management, incidents can easily be mapped back to any associated risks or regulatory requirements.
Cyber & IT Policy Management – Software can also be used to centralise your library of IT policies. Once a policy is created, it is uploaded into the system, capturing critical details about the owner, applicability, and expiry or revision dates. Automated workflows handle policy approvals, escalations, changes, and revisions. Staff always know which policy is current, they can view previous copies for version control, and they can even attest to policies online to confirm they have read and understood them.
Business Continuity & Resilience – Software can also be used to automate business continuity and resilience management. Organisations build out a business process register to identify their critical processes and any dependencies or inefficiencies. The software can also automate business impact assessments (BIAs) – workflows send out BIA forms and staff complete them online. Regular plan updates can also be automated – workflows prompt staff to check and update the plans for their area on a regular basis, ensuring plans remain current. You can also use the BCM platform to carry out resilience testing exercises against different scenarios and vulnerabilities to identify gaps. These platforms typically offer add-on modules for crisis management and emergency communication to ensure organisations can communicate effectively with staff in a crisis. Some solutions even offer integrations with third-party threat intelligence providers to give insight into emerging threats.
Third-Party Risk Management – Many GRC software platforms can also automate third-party risk management. Firms set up a vendor register in the platform, capturing critical details about each vendor including cost, key contacts, SLAs, KPIs and contract terms. The system automates the vendor risk assessment process: workflow automation sends notifications to suppliers to complete risk assessments via an online portal, with all data feeding into the platform. Vendor performance is also tracked against SLAs and KPIs by pulling transactional and operational data into the platform via API integrations. Many third-party risk solutions integrate with third-party risk intelligence providers to alert firms when their vendors hit the headlines for the wrong reasons. These systems also formalise the onboarding and offboarding process to ensure that no contract clauses are missed. This entire process helps ensure that cloud service providers and data centres are working with reputable third parties.
Why Cloud Service Providers and Data Centres Need to Act Now to Align Processes With IMDA Guidance
Although the IMDA advisory guidelines are not mandatory, cloud service providers and data centres should still follow the guidance to protect themselves from unexpected risks and incidents and to ensure their services remain operational. With many firms relying on a largely digital operating model, cloud service providers and data centres form part of our critical infrastructure, and a data breach or failure could be catastrophic for those affected. Following this guidance is also likely to help cloud service providers and data centres win new business, as they can demonstrate that they have adequate security measures in place to protect customer data and to remain operational in a crisis.
If your organisation is looking to implement best practice processes for cyber risk management, cyber incident management, third-party risk management, business continuity & resilience, and cyber governance, controls and policies, contact us today or request a demo.