Written Answer to Unanswered Oral Question

Appropriate Security Assessment Measures in Place for Screening of Cybersecurity Staff and Contractors

Summary

This question concerns security assessment measures for cybersecurity staff and contractors working with the government and critical sectors, particularly those who are foreigners or new citizens. Mr Dennis Tan Lip Fong asked about safeguards to mitigate insider risks following cyberattacks against organizations like SingHealth, NTU, and NUS. Minister for Communications and Information S Iswaran responded that all public service staff requiring classified access must undergo security screening, a requirement also mandated for Critical Information Infrastructure (CII) personnel by sectoral regulators. He highlighted that the Cyber Security Agency will license penetration testing and monitoring services to ensure key officers are fit and proper persons. Finally, CII owners must calibrate vendor access based on business needs and risk profiles according to the Cybersecurity Code of Practice.

Transcript

33 Mr Dennis Tan Lip Fong asked the Minister for Communications and Information whether the Government will put in place appropriate security assessment measures for cybersecurity staff or contractors working with the civil service, statutory boards, banks and other organisations or businesses, who are foreigners, employment pass holders, Singapore PRs or new citizens, including those originating from the country that is linked to the Advanced Persistent Threat group who carried out the recent cyberattack against SingHealth, NUS and NTU.


Mr S Iswaran: All public service staff and contractors dealing with Government cybersecurity matters, who require access to classified Government information, must undergo security screening by the authorities. Similarly, organisations in the Critical Information Infrastructure (CII) sectors such as Banking and Finance as well as Land Transport are required by their respective sectoral regulators to screen all staff and contractors with access to key infrastructure such as IT systems. Such measures go some way to mitigating the ‘insider’ risk, though they are not fool-proof.

The Cyber Security Agency (CSA) will also license organisations offering penetration testing and managed security operations centre monitoring services as well as individuals directly engaged for such services, to ensure they meet certain criteria including that their key executive officers are fit and proper persons. Under the Cybersecurity Code of Practice issued by CSA, all CII owners must calibrate a vendor’s access to their CII, based on their organisations’ business needs and cybersecurity risk profile.