SS 584 Multi-Tier Cloud Security (MTCS) Singapore Standard (SS)
The standard, also known as SS 584, has three levels of security. Tier 1 is designed for non-business critical data and systems with basic security controls to counter certain risks and threats targeting low-impact information systems. Tier 2 addresses the needs of organisations that run their business-critical data and systems in public or third-party cloud systems. Tier 3, which is in the midst of being finalised, is the most secure level and is designed for regulated organisations with specific requirements.
With the new standard, certified CSPs will be able to spell out the levels of security that they can offer to their users, and businesses that rely on services from these CSPs will also be able to use the MTCS SS to understand and assess the cloud security they require.
Funding Provided By IDA
Launched in November 2013, the Infocomm Development Authority of Singapore (IDA) is offering a grant up to 50% or S$15,000, whichever is lower, for the costs of certification and consultancy services for CSPs who are planning to become MTCS SS certified. Even though being MTCS certified is voluntary, it is a requirement for all CSPs participating in future public cloud service tenders provided by the Government.
Be Certified By SGS
With the introduction of MTCS, SGS Singapore is one of only five qualified certification bodies which are identified by IDA and SPRING to certify CSPs against the MTCS SS. IDA is working closely with the certification bodies to cross certify companies which are already certified against the International Standard Organisation (ISO) 27001 Information Security Management Systems (ISMS) and Cloud Security Alliance (CSA) Open Certification Framework (OCF) to be certified against the SS 584 standard.
About The SS 584:2013 Multi-Tier Cloud Security Singapore Standard
SS 584 MTCS SS covers the requirements that cloud service providers shall meet, recognising that individual users may have additional requirements that are specific to them (which would have to be addressed in the agreements or contracts with the cloud service providers).