SS584

SS 584 (also known as Multi-Tier Cloud Security (MTCS)) is an information security standard published by Singapore Standards. [1] The standard was last revised in 2020.

SS 584 specifies a management system for cloud security at three levels of assurance. Cloud service providers (CSPs) that meet the requirements of a given level may be certified by an accredited certification body following successful completion of an audit.

Rationale

Although most cloud service providers are certified to ISO/IEC 27001, that standard does not focus on the risks specific to provisioning services via the cloud. Because ISO/IEC 27001 is risk-based, the controls actually implemented can vary significantly from one certified ISMS to another, so smaller customers have difficulty judging whether a CSP's ISMS is sufficient for their needs. This can be a barrier to adoption by SMEs, who want a simpler way to decide whether a CSP meets their requirements.

To encourage adoption of cloud services, the then Infocomm Development Authority of Singapore (IDA) established a series of groups in 2012 to produce a standard that CSPs could certify to, with multiple levels of security assurance. [2]

The standard uses the terms "tier" and "level" interchangeably.

History of SS 584

SS 584:2013 was issued in 2013, and the programme was initially administered by IDA. [3]

In 2015, the standard was revised (SS 584:2015). At that time, accreditation was handed over to the Singapore Accreditation Council, a division of Enterprise Singapore, in line with other Singapore Standards.

The standard was revised again with input from industry, and the third edition (SS 584:2020) was issued in October 2020.

Certification

CSPs that wish to have their services certified must classify each service as IaaS, PaaS, or SaaS. They also choose the level to which they wish to demonstrate compliance (Tier 1, 2, or 3), with Tier 3 being the most stringent.

For certification at Level 3, the CSP must also be certified to ISO/IEC 27001.

CSPs must engage an accredited certification body, which audits the CSP's management system for compliance with SS 584. The certification body then issues a certificate attesting to this, usually valid for three years. Annual surveillance audits are required to maintain the certification.

A list of certified services and CSPs is published by IMDA. [4] Examples of certified CSPs include IBM [5] and AWS. [6]

Overseas Acceptance

Although SS 584 is a national rather than an international standard, as the first national standard to address cloud security it has seen acceptance outside Singapore. In particular, Korean financial-sector rules (the Financial Security Institute's guideline on the use of cloud computing services in the financial industry and the Regulation on Supervision on Electronic Financial Transactions, RSEFT) accept MTCS certification in place of validating 109 of the controls those regulations require of CSPs. [7]

Documents from Datamation [8] and CloudwatchHUB [9] describe the international use and impact of this standard.

References

  1. Tao, Yao-Sing; Lee, Hing-Yan (April 2017). "MTCS for Healthcare". 2017 International Conference on Cloud Computing Research and Innovation (ICCCRI). Singapore: IEEE. pp. 14–17. doi:10.1109/ICCCRI.2017.10. ISBN 978-1-5386-1075-6. S2CID 28858337.
  2. "Fact Sheet" (PDF). imda.gov.sg. IDA. Retrieved 9 October 2019.
  3. "New Multi-Tier Cloud Security (MTCS) Standard Launched in Singapore". Infocomm Media Development Authority. Retrieved 9 October 2019.
  4. "Compliance and Certification". Infocomm Media Development Authority. Retrieved 7 December 2019.
  5. "MTCS Certificate for IBM Cloud Services" (PDF). IMDA. Retrieved 7 December 2019.
  6. "MTCS Certificate issued by ISC Singapore to AWS" (PDF). IMDA. Retrieved 7 December 2019.
  7. "With the MTCS, FSI customers in Korea can accelerate cloud adoption by no longer having to validate 109 controls, as required in the relevant regulations (Financial Security Institute's Guideline on Use of Cloud Computing Services in Financial Industry and the Regulation on Supervision on Electronic Financial Transactions (RSEFT))". AWS. Amazon. 16 May 2019. Retrieved 9 October 2019.
  8. Morgan, Lisa (12 July 2019). "How to Ensure Cloud Compliance". Datamation. Retrieved 29 March 2020.
  9. "Multi-Tier Cloud Security (MTCS) - Singapore". CloudwatchHUB. Retrieved 29 March 2020.