a. Helping organisations with the ‘people’, ‘process’ and ‘technology’ aspects of cybersecurity holistically

An effective strategy for cybersecurity needs to be built on 3 key pillars – “people”, “process” and “technology”. Smaller or less digitalised organisations, such as Small and Medium Enterprises (SMEs), may have limited IT and/or cybersecurity expertise and resources, and may find it challenging to implement even baseline cyber hygiene in-house. Those that prefer to tap on third-party providers to support their cybersecurity implementation may consider the following programmes:

  1. Cybersecurity Health Plans delivered by CISO as-a-Service (CISOaaS) cybersecurity consultants – This programme helps organisations with the “people” and “process” pillars of cybersecurity; and
  2. IMDA’s SMEs Go Digital – This programme focuses on pre-approved solutions (for cybersecurity, in this context), and helps organisations with the “technology” pillar of cybersecurity.

Eligible organisations can receive funding support when they procure pre-approved solutions under SMEs Go Digital and/or develop a cybersecurity health plan with providers onboarded by CSA. Holistically, these initiatives help organisations to overcome key challenges encountered when implementing cybersecurity, such as lack of manpower/resources and lack of budget.

b. Cybersecurity Health Plan delivered by CISO as-a-Service (CISOaaS) Consultants

i. What you can expect

If you are just getting started in your cybersecurity journey, the cybersecurity consultants (that have been onboarded by CSA) will take on the role of your “Chief Information Security Officer” (CISO). Such CISO as-a-Service (CISOaaS) providers will:

  • Perform a cyber health “checkup” on your organisation based on the measures in CSA’s Cyber Essentials mark;
  • Develop a cybersecurity health plan tailored for your organisation;
  • Help you to close the cyber hygiene gaps identified; and
  • Prepare your organisation for, at minimum, Cyber Essentials certification.

If you have already implemented good cyber hygiene, or have already achieved CSA’s Cyber Essentials mark, you are ready to progress towards adopting a risk-based approach to cybersecurity with CSA’s Cyber Trust mark.

ii. Funding support for eligible SMEs

Eligible SMEs can enjoy up to 70% co-funding support when they sign up with the CISOaaS cybersecurity consultants onboarded by CSA.

iii. Apply to develop Cybersecurity Health Plan with a CISOaaS Consultant

To sign up for the CISOaaS (Cyber Essentials) service with funding support, eligible SMEs may identify their choice of CISOaaS consultant and/or package and sign up at IMDA’s CTOaaS portal.

Organisations that are not eligible for funding support but wish to sign up for the CISOaaS (Cyber Essentials) service may approach their choice of CISOaaS consultant directly. Please refer to this online listing:

* Please note that CSA does not endorse or recommend any particular organisation, individual, product, process, or service that is linked to the SG Cyber Safe programme, nor can CSA assure the quality of the work of any organisation or individual linked to the SG Cyber Safe programme.

iv. Funding support for other organisations

Organisations that are members of the National Council of Social Service (NCSS) should refer to NCSS’s Tech-and-GO! consultancy programme.

v. Other benefits of signing up for CISOaaS providers

Organisations that have successfully completed developing their cybersecurity health plans with their CISOaaS consultants and have appointed a certification body for Cyber Essentials and/or Cyber Trust certification are eligible to be offered scholarships for the Google Cybersecurity Certificate. Please approach your CISOaaS consultant or your appointed certification body for more information. 

c. Data Security as-a-Service (DSaaS) for Health Information Bill (HIB) 

i. What you can expect

DSaaS (HIB) is intended for organisations in the healthcare sector that are subject to HIB, and this is an add-on to the CISOaaS (Cyber Essentials) service. Collectively, the CISOaaS (Cyber Essentials) and DSaaS (HIB) services help organisations in the healthcare sector to address the “Cyber & Data Security Guidelines for Healthcare Providers” published by the Ministry of Health (MOH).

ii. Funding support

Funding support is currently not available for the DSaaS (HIB) add-on service, but eligible SMEs can enjoy up to 70% co-funding support when they sign up for CISOaaS (Cyber Essentials).

iii. Apply for DSaaS (HIB) as an add-on to CISOaaS (Cyber Essentials)

To sign up for the CISOaaS (Cyber Essentials) service with funding support, with DSaaS (HIB) as an add-on service, eligible SMEs may identify their choice of CISOaaS consultant and/or package and sign up; see (b)(iii) above.

Organisations that are not eligible for funding support but wish to sign up for CISOaaS (Cyber Essentials) with DSaaS (HIB) as an add-on service may approach their choice of CISOaaS consultant directly; see (b)(iii) above.

d. Data Protection Officer as-a-Service (DPOaaS)

i. What you can expect

DPOaaS is intended for Social Service Agencies (SSAs) under the National Council of Social Service (NCSS):

  • To meet Data Protection Officer (DPO) obligations under the Personal Data Protection Act (PDPA); and 
  • To implement the prevailing data security measures in the “Data Security Instructions” (DSI) published by the Ministry of Social and Family Development (MSF) Data Governance Office.

Collectively, the CISOaaS (Cyber Essentials) and DPOaaS services help SSAs under NCSS to address the “Data Security Instructions” (DSI) published by MSF Data Governance Office. 

ii. Funding support

To be updated.

iii. Apply for DPOaaS as an add-on to CISOaaS (Cyber Essentials)

Organisations that wish to sign up for CISOaaS (Cyber Essentials) with DPOaaS as an add-on service may approach their choice of CISOaaS consultant directly; see (b)(iii) above.

e. Vulnerability Assessment / Penetration Testing (VA/PT) Service

i. What you can expect

Vulnerability Assessment (VA) is a process of identifying, assessing and discovering security vulnerabilities in computer systems or networks. The systematic approach of identifying, quantifying, and ranking security vulnerabilities enables an organisation to select critical vulnerabilities to resolve based on its available resources and the risks posed.

Penetration Testing (PT) is an authorised and intentional attack on a system to identify vulnerabilities that could be exploited by threat actors. This allows organisations to determine exploitable vulnerabilities in their systems and address them. 

Holistically, VA/PT service is intended to help organisations, including SSAs, identify exploitable vulnerabilities and prioritise the key vulnerabilities that need to be resolved. 

ii. Funding support

To be updated.

iii. Apply for VA/PT service

Organisations that wish to engage VA/PT services may approach their choice of VA/PT provider directly. Please refer to this online listing:

• CSA Providers Listing – VA/PT Providers (Coming Soon!) 

* Please note that CSA does not endorse or recommend any particular organisation, individual, product, process, or service that is linked to the SG Cyber Safe programme, nor can CSA assure the quality of the work of any organisation or individual linked to the SG Cyber Safe programme.

f. Incident Response (IR) Service

i. What you can expect

CISOaaS (Cyber Essentials) focuses on helping organisations to implement preventive measures for cybersecurity, i.e. pre-incident. Organisations may potentially also need help post-incident. To complement CISOaaS (Cyber Essentials), the IR service is intended to support organisations that have encountered cybersecurity incident(s).

ii. Funding support

Funding support is currently not available for IR service.

iii. Apply for IR service

Organisations that wish to engage IR services may approach their choice of IR provider directly. Please refer to this online listing:

• CSA Providers Listing – IR Providers (Coming Soon!) 

* Please note that CSA does not endorse or recommend any particular organisation, individual, product, process, or service that is linked to the SG Cyber Safe programme, nor can CSA assure the quality of the work of any organisation or individual linked to the SG Cyber Safe programme.

g. Provide feedback about the cybersecurity provider you have engaged that has been onboarded through this programme

Provide feedback about your cybersecurity provider: Feedback form

h. If you are a cybersecurity provider looking to be onboarded by CSA

Sign up to be onboarded as a provider to provide CISOaaS in support of CSA Cyber Essentials and adjacent cybersecurity services: Application form