Cyber Security Agency of Singapore: New Licensing Framework Consultation
The potentially far-reaching implications of a new licensing framework proposed by the Cyber Security Agency of Singapore (CSA) are being examined by CREST members.
The Industry Consultation Paper on the Licensing Framework for Cybersecurity Service Providers, issued by the CSA on 20 September, proposes a licensing structure that would apply to many cybersecurity service providers (CSPs) doing business in Singapore.
It is an offence for a CSP to offer a licensable cybersecurity service without a licence. Only two types of services are specified as licensable cybersecurity services at present: a penetration testing service and a managed SOC monitoring service.
Licensing is one of four objectives introduced by the Cybersecurity Act 2018, which established a framework for the legal oversight and maintenance of national cybersecurity in Singapore.
The framework seeks to address three main considerations: improve assurance on security and safety; raise quality and improve the standing of CSPs; address information asymmetry.
The framework is intended to be light-touch and is described by the CSA as “akin to a registration regime”. The two main requirements that CSPs must comply with are ensuring that their key officers are fit and proper, and keeping service records.
The consultation document states that it is envisaged that licensing could be used to raise the quality of CSPs over time.
The proposed key licence conditions cover: licence period; professional conduct of licensee; provision of information; notification on changes to information; application for grant or renewal of licence; licence fee; keeping of records; appeals.
Some CREST members have raised questions in relation to the context and possible implications of the proposed framework including:
- What determines quality under this new framework? In ascertaining quality, will it take into account the type of services offered? For instance, will a company offering specific or niche and non-traditional approaches, or a subset of services, be marked as having a lower quality compared to a company that offers a larger spectrum of services?
- How prescriptive will the framework be in terms of determining the services and approaches that CSPs believe will best fit their clients’ requirements and/or environments?
- Will the licensing framework allow innovative offerings of cybersecurity services to be delivered, such as continuous assurance, various amalgamations of pentesting in various forms with threat modelling built in, objective-based activities (APM), Managed SOCs, etc?
- Will future plans include evaluating technical capability?
- Does the CSA have a definition of what penetration testing is, given that a pentest increasingly means a spectrum of things based on your business and the industries in which your business operates?
“The proposed framework has potentially significant implications for the way the cybersecurity industry operates in Singapore,” said Rowland Johnson, acting President of CREST.
“CREST members far surpass the quality measures for CSPs as set out in the consultation document, and we also evaluate the technical capabilities of professionals through our certifications.
“We are already working hard and in partnership to support the development of the cybersecurity industry in Singapore and believe that, by drawing on the knowledge and experience of the CREST member community, the CSA’s proposals will meet Singapore’s needs now and in the future.”
Read the full consultation document here:
Licensing Industry Consultation Document
We are gathering members’ responses as part of our consultation submission so that we can harness the voice of the CREST community.
Please email your feedback on the consultation to [email protected] by close of business on Monday 11 October 2021. Any views you have to share will be appreciated. Any supporting materials you may have are also welcomed.