What is the Multi-Tier Cloud Security (MTCS) Singapore standard?

The Multi-Tier Cloud Security (MTCS) Singapore standard that aims to provide businesses with greater clarity on the levels of security offered by different cloud service providers (CSPs). This is standard increases clarity around the security service levels of cloud providers, while also increasing the level of accountability and transparency from these companies.

It has been developed under Information Technology Standards Committee (ITSC) for Cloud Service Providers (CSPs) in Singapore. The IMDA Singapore (formerly IDA Singapore) is the representative government body on media and communications in Singapore that has been leading the development of this standard, along with SpringSingapore who currently manages this standard.

The MTCS standard has a certification assessment that requires service providers to:

• Systematically evaluate their information security risks, taking into account the impact of company threats and vulnerabilities;
• Design and implement a comprehensive suite of information security controls and other forms of risk management to address company and architecture security risks;
• Adopt an overarching management process to ensure that the information security controls meet their information security needs on an ongoing basis.

The IDA will also offer an early adoption grant scheme that will help defray specific costs in MTCS certification. The scheme will provide a grant up to 50% or S$15,000, whichever is lower, for costs of certification and consultancy services (More details)

When and why do organisations need to be certified with the Multi-Tier Cloud Security (MTCS) Singapore standard?

CSPs can certify themselves at any of the five qualifying certification bodies – the British Standard Institute, Certification International Pte Ltd, DNV Business Assurance, SGS International Certification and TUV SUD PSB Certification.

The key reasons for the Government pushing this for the future is for the Singapore Government to lead by example. That is, by requiring organizations to be MTCS compliant, they will encourage other organisations to get on board. I see this as similar to the SOX (Sarbanes-Oxley Act) financial regulations effect.

While the MTCS (Multi Tier Cloud Security Singapore cloud standard) is voluntary, its certification will be a requirement for CSPs participating in future public cloud service bulk tenders from the Government. Timeline-wise, again, the impression I had from the IDA Singapore team was that as this has been in place for two years now, they will be looking to focus on this more in the coming two to four years.