The Cyber Security Agency of Singapore (CSA) is rolling out the Critical Information Infrastructure (CII) Supply Chain Programme to enhance the security and resilience of Singapore’s CII sectors.
The programme is a national effort to establish processes and best practices to help CSA, CII owners (CIIOs) and their vendors manage supply chain risks holistically, and strengthen their overall supply chain cybersecurity posture.
For CIIOs, the CII Supply Chain Programme will develop guidelines to enable them to better understand and manage their vendors. This includes mapping their vendors based on the services provided and ranking them by their cybersecurity posture.
For vendors, it will also enable them to maintain an adequate level of cybersecurity. This will be done through implementing measures proposed by the CIIOs and timely reporting of progress.
The CII Supply Chain Programme will be guided by three key principles to manage supply chain cybersecurity risks — assurance, transparency and accountability.
For instance, CIIOs and vendors would be required to conform to security requirements in accordance with best practices and international standards.
Also, the government will introduce reporting mechanisms that reveal the extent to which vendors meet their assurance commitments and contractual obligations.
As for accountability, this could involve invoking consequences, such as payment for damages or termination of contracts, for failure to meet assurance or transparency requirements.
Further, CSA is also launching the SG Cyber Safe Programme to help local enterprises raise their cybersecurity posture, as part of the Safer Cyberspace Masterplan launched in October 2020.
Under this programme, a slate of initiatives will be introduced. These include cybersecurity toolkits targeted at key enterprise stakeholders such as enterprise leaders, technical teams and employees.
These will provide leaders with a deeper understanding of cybersecurity issues and threats. They will also enable them to implement cybersecurity measures, including employee training, within the organisation.
CSA will be rolling out the employee cybersecurity toolkit by the end of 2021. For a start, CSA has worked with Smart Nation and Digital Government Group (SNDGG) and Civil Service College (CSC) to adapt existing cybersecurity modules — originally developed for public officers — for employees in the private sector.
The programme also includes tools for enterprises to self-assess their cybersecurity posture. Among these tools is the Exercise-in-a-Box Singapore incident response simulation tool, which will be launched in partnership with the United Kingdom’s National Cyber Security Centre in the latter half of 2021.
There is also the SG Cyber Safe Trustmark, which will serve as a mark of distinction for enterprises that have put in place good cybersecurity measures that correspond to their risk profiles.