Singapore: New advisory guidelines to strengthen resilience of cloud services and data centres

  • Market insight, 11 March 2025
  • Asia-Pacific
  • Corporate law and advisory services – Technology and AI evolution
  • Cyber risks

The Singapore Infocomm Media Development Authority (“IMDA”) has, in two advisory guidelines dated 25 February 2025, issued best practices on the resilience and security of Singapore’s compute infrastructure, namely Cloud and Data Centres.

The advisory guidelines are:

  • The Advisory Guidelines for Resilience and Security of Cloud Services (“AG for CS”); and 
  • The Advisory Guidelines for Resilience and Security of Data Centres (“AG for DC”).

For Cloud Services, the AG for CS covers 7 categories of measures to uplift the security and resilience of Cloud Services. Measures that CSPs are encouraged to implement relate to areas such as security testing, user access controls, proper data governance, and planning for disaster recovery.

For Data Centres (“DC”), the AG for DC provides a framework for operators to put in place a robust business continuity management system to minimise service disruptions and ensure high availability for their customers. This includes guidance on implementing business continuity policies, controls and processes, and continuously reviewing and improving them. The AG also sets out measures to address cybersecurity risks in DCs.

Cloud service providers (“CSPs”) and data centre operators (“DCOs”) are encouraged to designate an officer (such as a senior representative) to take charge of implementing the measures.

In this client update, we summarise the key aspects of the two advisory guidelines. 

AG for CS

The measures are organised into 7 categories, and are in line with existing international standards (such as MTCS, ISO 27001 and CCM), with some additional measures to better address risks. 

Category What does it generally cover?
1. Cloud Governance
  1. Information Security Management: CSPs should ensure that information security is managed within the CSPs’ overall administrative structure. 
  2. Information Human Resources: CSPs should ensure that all employees and third parties are suitable for their roles prior to employment or contract and that they understand their responsibilities, employment and contract terms and conditions (including termination) to reduce the risk of theft, fraud or misuse of facilities.
  3. Risk Management: CSPs should establish and maintain a cloud-specific risk management programme to identify, quantify, prioritise, and mitigate or resolve risks impacting the cloud service operations and information assets. 
  4. Third Party: CSPs should ensure that they have an effective control framework over their third-party service providers supporting the cloud environment.
  5. Legal and Compliance: CSPs should ensure that they and their third-party service providers conform to the CSPs’ information security and risk management policies, standards, and procedures and contractual obligations. 
  6. Incident Management: CSPs should implement incident management controls to ensure that information security events and weaknesses impacting the information assets and systems in the cloud environment are communicated in a timely manner. 
  7. Data Governance: CSPs should ensure that only authorised users have access to the data stored in the cloud environment at all times.
2. Cloud Infrastructure Security
  1. Audit logging and monitoring: CSPs should ensure that activities performed and events occurring in the cloud environment are tracked and maintained for a period of time to detect any unauthorised activities and to facilitate investigation and resolution in the event of security incidents (e.g., access violations).
  2. Secure configuration: CSPs should ensure that the systems in the cloud infrastructure and the supporting networks are designed and configured securely to protect against unauthorised entry points or malicious activities through weak system configurations.
  3. Security testing and monitoring: CSPs should conduct security testing and implement monitoring controls across the cloud infrastructure including services, VMs and physical infrastructure to detect vulnerabilities and malware in a proactive and timely manner.
  4. System acquisition and development: CSPs should implement system acquisitions and development security controls to ensure that security is an integral part of the information systems as well as the business processes associated with these systems. CSPs should establish policies and procedures for the development or acquisition of new applications, systems, databases, infrastructure, services, operations, and facilities.
  5. Encryption: CSPs should implement encryption and secure cryptographic key management to ensure that sensitive information transmitted or stored electronically is protected against unauthorised use or disclosure.
3. Cloud Operations Management 
  1. Operations: CSPs should implement operations security controls to ensure that the operations of the cloud are documented, secure, reliable, resilient and recoverable.
  2. Change management: CSPs should implement change management controls to ensure that changes to the cloud infrastructure are carried out in a planned and authorised manner.
4. Cloud Services Administration: CSPs should implement cloud services administration controls to ensure the enforcement of policies, standards and procedures relating to the creation, maintenance and removal of privileged accounts used for managing cloud services and supporting networks.
5. Cloud Service Customer Access: CSPs should implement cloud user access controls to ensure that policies, standards and procedures are established and implemented to govern the creation, maintenance and removal of user accounts to restrict access and safeguard user credentials to prevent unauthorised access to information and information systems.
6. Tenancy and Customer Isolation: CSPs should implement tenancy and customer isolation controls to restrict user access within the same physical resource and segregate network and system environments such that the customers do not pose a risk to one another in terms of data loss, misuse and privacy violation.
7. Cloud Resilience 
  1. Physical and environmental security: CSPs should implement physical and environmental security controls to prevent unauthorised physical access, damage or interference to the cloud environment and infrastructure with the use of appropriate procedures and assessments.
  2. Business continuity and disaster recovery: CSPs should implement business continuity and disaster recovery controls to ensure timely resumption from, and the possible prevention of, interruptions to business activities and processes caused by failures of information systems and disasters.

AG for DC

There are 3 key risks: (1) DC infrastructure; (2) Governance; and (3) Cyber.

Risks What does it generally cover?
1. Infrastructure Risk

These are risks stemming from insufficient consideration of risk in the design of DCs. 

The key risk areas are:

  1. Power management: E.g., risks of power disruption caused by inadequate power redundancy during planned maintenance or inadequate lightning protection leading to power outage;
  2. Environmental control management: E.g., risks of loss of cooling due to inadequate redundancy within environmental control systems to ensure continuous cooling;
  3. Cable management: E.g., risks of loss of network connectivity due to insufficient bend radius resulting in damaged cables; 
  4. Facilities/tenant space protection: E.g., risks of unauthorised access due to inadequate physical controls, and fire due to inadequate fire detection and suppression systems; and 
  5. Building site and design suitability: E.g., risks of water intrusion into the DC due to lack of protection against environmental risks such as flooding.
2. Governance Risk

These are risks stemming from insufficient risk oversight of DC operations. 

The key risk areas are: 

  1. Operations management: E.g., risks of power or cooling failure due to inadequate monitoring of DC infrastructure elements such as power supply and environmental control systems; 
  2. Incident management: E.g., risks of prolonged service disruption due to poor incident management response and service recovery processes; and 
  3. Change management: E.g., risks of unauthorised change due to weak change management processes.
3. Cyber Risk

These are risks of cyberattacks on DC operating systems and controls.

E.g., risks of data centre infrastructure management systems being compromised which may result in unauthorised temperature changes due to inadequate cybersecurity control measures.

To manage the above risks, DCOs should adopt the following process: 

[Figure: process for DCOs to manage the above risks (image not reproduced)]

Concluding remarks  

The advisory guidelines are an additional step to boost the resilience and security of Cloud Services and DCs, following the amendments to the Singapore Cybersecurity Act last year to address the cybersecurity risks of such digital infrastructure. 

Additionally, the advisory guidelines complement the upcoming introduction of a new Singapore Digital Infrastructure Act (“DIA”), which will regulate systemically important digital infrastructure such as major CSPs and DC operators.

The advisory guidelines, along with the upcoming DIA, will bolster infrastructure resilience for cloud services and data centres, and create a more secure and reliable digital environment for businesses and consumers.  

How we can help

As a dynamic, global law firm, Clyde & Co provides expert advice to our clients on digital laws and regulations, complex IT outsourcing and procurement agreements, and data protection compliance issues that arise out of their projects. Our team of seasoned specialists also provides expert advice on how to address compliance risks, navigate crisis response, and respond to data protection and privacy issues across the full cyber lifecycle.

To discuss what this latest regulatory development may mean for you, please feel free to reach out to the author below.
