by Mr. Raju Chellam, Deputy Chairman, COIR, ITSC, Enterprise Singapore, at NUS-ISS SkillsFuture Series Seminar: Secured IoTs and Secured Cloud – Partners in ensuring a Secured Smart Nation Seminar (3 Oct)

1. How MTCS & COIR
Impact You
Raju Chellam

2. Agenda
 What
 Why
 How
 Who
Speaker Profile
• Member:NationalCloudAdvisoryCouncil
• DyChair:CloudStandardsComm,ITSC
• ViceChair:Cloud&Data,SGTech
• Co-Chair:CloudIncidentResponse,CSA
• Fellow:SingaporeComputerSociety
• SeniorAdvisor:CIOAcademyAsia

3. Asean
Cloud
Penetr’n
Index
2017
Source:
AMI
Partners
Inc

4. MTCS
 What
 Why
 How
 Who

5.  MTCS: Multi-Tiered
Cloud Security
 It’s an SS
(Singapore Standard)
 Applicable for CSPs
 Overlays on top of
ISO27001 Base Std
 MTCS is the base for
industry-specific stds
(BFSI, Healthcare,
Government, etc)
MTCS
ISO27001:
2005
What’s MTCS? SS584:2015

6. The Standard
Core
Info Security
Cloud
Governance
Cloud Infra
Security
Cloud Ops
Mgt
Cloud Specific
Info Security
Cloud Services
Admin
Cloud User
Access
Tenancy &
Cust Isolation
What’s MTCS? SS584:2015

7. Why MTCS?
Level Overview Security Control Focus Typical User Typical Usage
1
Designed to be low cost
with min reqd controls
Baseline security controls:
“Security 101”
SMEs
• Hosting website
• T&D / Simulation
• Non-critical biz apps
2
Address needs of most
orgs for data security
More stringent security controls
required at this level
Enterprises
• Majority cloud users
• More critical biz apps
3
Regulated orgs.
Stringent security req.
Mission-critical
High-impact info systems
using cloud services
Regulated
Industries
• Hosting apps
• Sensitive info
• Regulated sectors

8. Why MTCS?
 ISO/IEC27001:2005 has 11 control areas;
39 control objectives & 133 controls
 ISO/IEC27001:2013 has 21 control areas;
35 control objectives & 254 controls
 MTCS SS584 has 19 control areas;
117 control objectives &
296/449/535 controls for L1/L2/L3

9. Each MTCS tier builds upon lower tier either with additional security requirements or more stringent controls
Level 3
535 controls
Level 2
449 controls
Level 1
296 controls
• Data governance (24)
• Cloud services administration (16)
• Tenancy and customer isolation (16)
• Operations (16)
• Business continuity planning (BCP)
and disaster recovery (DR) (7)
• Tenancy and customer isolation (11)
How MTCS Works
 Data Security &
Integrity on the
Cloud has been
a #1 concern
among users
 ISO27001 offers
a good baseline
 SS584:2015
goes deeper
with 3 levels of
requirements

10. Criteria Measures / Disclosure Requirements
Right to audit Ability to conduct own reviews (site assessment, penetration tests, etc) & costs
Compliance List of compliance statuses
Data ownership Data ownership limitations
Data retention Periods for user data, user log data, and infrastructure log data
Data sovereignty Data locations, capability to restrict geographies, and DR locations
Information non-disclosure What if any information may be disclosed
Availability Mean time between failures; service availability
BCP / DR Recovery point objective; Recovery time objective
Liability Limits in-case of incidents/failure to meet service commitment
Change Management Comms plan and procedures for managing changes
On-demand self-service Users can provision compute resources as needed automatically
How MTCS Works
MTCS Self-Disclosure Checklist 1 of 2

11. How MTCS Works
MTCS Self-Disclosure Checklist 2 of 2
Criteria Measures / Disclosure Requirements
Incident & problem mgt Support provided (notification, coop with outside parties, etc)
Billing (Measured Services) Metrics & accuracy
Data portability Mechanisms supported including media and format upon termination
Access to CSP’s network Access Methods (Internet IPV4/6, site-to-site VPN, frame relay, etc)
User management Options for integrating with customer IDM, 2-factor solutions
Lifecycle Automatic or customizable service upgrades and changes
Security config enforcement checks Mechanism to enforce check on security configuration
Multi-tenancy Tenancy options
Capacity elasticity Peak load handling capabilities for capacity
Network resiliency & elasticity Peak load handling capabilities for network
Storage redundancy & elasticity Peak load handling capabilities for storage

12. Who Certifies MTCS
MTCS Partial List of Certifying Bodies
Certification Body Certification Body
DNV Business Assurance Pte Ltd
81 Sc Park Dr, #02-03 Chadwick. S-118257
Certification International (Singapore) Pte Ltd
60 Albert S, #13-03 OG Albert Complex. S-189969
SGS International Certification Services S’pore Pte
3 Toh Tuck Link, #01-02/03. S-596228
TUV SUD PSB Cert
1 Science Park Drive. S-118221
BSI Group Singapore Pte Ltd
1 Robinson Rd, #15-01 AIA Tower. S-048542
TUV Rheinland Singapore Pte Ltd
25 Int’l Biz Park, #05-105, German Centre. S-609916
Singapore ISC Pte Ltd
2 Kim Yam Road, #12-03. S-239320
Full list on IMDA Website

13. Who is Certified on MTCS

14. COIR
 What
 Why
 How
 Who

15.  COIR: Cloud Outage Incident
Response
 It’s a TR (Technical
Reference) or Guideline
 Applicable for
CSPs & CSCs
 Confirms Singapore’s strong
commitment to:
 BCM: Business Continuity
Mgt
 DRM: Disaster Recovery
Mgt
 Crisis Comms Mgt
What’s COIR? TR62:2018

16. In Scope:
Cloud Outages Due To:
 Operational Errors
 Infrastructure Errors
 Infrastructure Failure
 Systems Failure
 Environmental Issues
Out of Scope:
o Cybersecurity Incidents
o Hackings & Malware
o Data Security Breaches
o MTCS SS584:2015
What’s COIR? TR62:2018

17. CSCs:
A set of common parameters &
guidelines for Identification,
Evaluation & Negotiation of
protection needs with CSPs to
incorporate into SLAs
CSPs:
Sharing of COIR practices by CSPs
via the same set of common
parameters to facilitate Comparison &
Matching of outage protection needs
with provisions
What’s COIR? TR62:2018

18. Why COIR?

19. o Osaka-based server rental co
o Subsidiary of Yahoo! Japan
o June 2012, lost 5,698 co’s data
o During its system security upgrade
o Lost data could not be retrieved
 No compensation for lost business
 No lawsuit filed against company
 Had BC/DR procedures on paper
Why COIR?

20. Cat A
Mission
Critical
Impact
Mission Critical to
human safety / stability
of mkt/econ/industry
Impact beyond
the org’s ops (ICU)
Cat B
Business
Critical
Impact
Business Critical to an
organisation’s
operations.
ERP, SCM, eCom
(example)
Cat C
Operational
Impact
Essential to an
organisation’s
operations.
CRM, Email,
etc (example)
Cat D
Minimal
Impact
Least critical to an
organisation’s
operations.
Mkg collateral,
etc (example)
How COIR Works: 4 Categories

21. Group 1
1. Service Availability (% uptime)
2. Historical record of availability
3. RTO: Recovery Time Objective
4. RPO: Recovery Point Objective
Group 2
5. Support Hours
6a. Notification Channel
for Planned Maintenance
6b. Notification Lead Time
for Planned Maintenance
Availability Planned Maintenance
How COIR Works: 5 Groups. 16 Parameters

22. Group 3
7. Frequency of Health Monitoring
of Cloud Service
8. Availability of Health Monitoring
Mechanisms for use by CSCs
Group 4
9. Sharing of CSP’s
COIR Plan
10. Exercise (Dry/Wet Runs)
of CSP’s COIR Plan
Health Monitoring Outage Response Plan
How COIR Works: 5 Groups. 16 Parameters

23. Group 5
11. Notification Time of Cloud
Outage Incident
12. Communication Channel/s
Used for Outage Incident.
13. Communication Channel/s
available for CSCs to report Outage
Group 5
14. Response Time by CSP
15. Frequency of Status Updt
of Reported Outage
16. Communication Channel/s
Used for Status Updates
Outage Handling Outage Handling
How COIR Works: 5 Groups. 16 Parameters

24. Who: Impacted & Implications

25. Be Aware
 About MTCS & COIR
 It’s a Guideline
 Leverage in SLA
Beware
o You need BC/DR
o You need a Plan B
o PDPA is your baby
Final Slide 1 of 2: Aware & Beware

26. Compare
 Cloud Offerings
 Cloud Migration
 Levels for specific apps
 T&T: Trust, Transparency
Prepare
o COIR: Outage: TR62
o MTSC: Security: SS584
o DR: A/A or A/Passive
Final Slide 2 of 2: Compare & Prepare

27. How MTCS & COIR
Impact You
Raju Chellam
raju@cioacademyasia.org