From eb86e653a7f03a2d5b757fc78b9312130116e95f Mon Sep 17 00:00:00 2001
From: Brian Ruf
Date: Tue, 4 Feb 2025 13:16:54 -0500
Subject: [PATCH 1/2] OSCAL compliance

---
 catalogs/im8-reform.json | 10223 +++++++++++++++++--------------------
 catalogs/im8-reform.xml | 33 +
 2 files changed, 4629 insertions(+), 5627 deletions(-)
 create mode 100644 catalogs/im8-reform.xml

diff --git a/catalogs/im8-reform.json b/catalogs/im8-reform.json
index 2a5e75c..5f95fab 100644
--- a/catalogs/im8-reform.json
+++ b/catalogs/im8-reform.json
@@ -1,5631 +1,4600 @@ { - "catalog": { - "uuid": "dfad1a6f-1aae-43e6-8fc6-10f1771d6dbc", - "metadata": { - "title": "Instruction Manual 8 Reform", - "last-modified": "2024-05-29T10:17:03.320504+08:00", - "version": "2024.05.30-2", - "oscal-version": "1.1.2", - "props": [ - { - "name": "keywords", - "value": "IM8, GovTech, Singapore, cloud, instruction manual, application security" - } - ], - "roles": [ - { - "id": "creator", - "title": "Creator" + "catalog" : { + "back-matter" : { + "resources" : [ { + "title" : "AWS Startup Security Baseline", + "rlinks" : [ { + "href" : "https://docs.aws.amazon.com/pdfs/prescriptive-guidance/latest/aws-startup-security-baseline/aws-startup-security-baseline.pdf" + } ], + "uuid" : "229a38da-bdc1-4a59-b1cb-8904cb59d0a5" + }, { + "title" : "Centralised SSP Management Guidelines", + "rlinks" : [ { + "href" : "https://www.developer.tech.gov.sg/guidelines/standards-and-best-practices/instruction-manual-for-ict-ss-management.html" + } ], + "uuid" : "80bf8bd1-004c-42d9-a810-e3f1fae563bf" + }, { + "title" : "Cybersecurity Toolkit for IT Teams", + "rlinks" : [ { + "href" : "https://isomer-user-content.by.gov.sg/36/91d33a31-d51d-419b-8458-25f901183f19/CSA_Cybersecurity-Toolkit-IT-Team.pdf" + } ], + "uuid" : "d90ebf27-ad15-40c3-84f1-c83c98383d16" + }, { + "title" : "GIROC ICT and Data Incident Reporting Resources", + "rlinks" : [ { + "href" : "https://www.thedigitalacademy.tech.gov.sg/category-giroc" + } ], + "uuid" : "424d176f-09ad-41c5-8a44-a064a9f1e37d" + }, { + "title" : "IM8 Cloud ADO", + "rlinks" : [ { + "href" : "https://www.developer.tech.gov.sg/guidelines/standards-and-best-practices/instruction-manual-for-ict-ss-management.html" + } ], + "uuid" : "3402c67f-c59f-440a-b82d-81cf4d92de90" + }, { + "title" : "IM8 Cloud ADS", + "rlinks" : [ { + "href" : "https://www.developer.tech.gov.sg/guidelines/standards-and-best-practices/instruction-manual-for-ict-ss-management.html" + } ], + "uuid" : "ee9148b4-3f31-48c8-8503-24fb5cd73db8" + }, { + 
"title" : "IM8 Cloud Security (IaaS and PaaS)", + "rlinks" : [ { + "href" : "https://www.developer.tech.gov.sg/guidelines/standards-and-best-practices/instruction-manual-for-ict-ss-management.html" + } ], + "uuid" : "da71948e-4dff-4a9d-a645-69ced821fe97" + }, { + "title" : "IM8 On-Premise AAS (Non-S)", + "rlinks" : [ { + "href" : "https://www.developer.tech.gov.sg/guidelines/standards-and-best-practices/instruction-manual-for-ict-ss-management.html" + } ], + "uuid" : "52e1d19c-bf27-4de8-b66a-c2523c9a0d69" + }, { + "title" : "IM8 On-Premise ADS (Non-S)", + "rlinks" : [ { + "href" : "https://www.developer.tech.gov.sg/guidelines/standards-and-best-practices/instruction-manual-for-ict-ss-management.html" + } ], + "uuid" : "9749c983-5562-4a6f-8852-7eecf9b38d2c" + }, { + "title" : "IM8 On-Premise IS (Non-S)", + "rlinks" : [ { + "href" : "https://www.developer.tech.gov.sg/guidelines/standards-and-best-practices/instruction-manual-for-ict-ss-management.html" + } ], + "uuid" : "f3057503-f399-4735-9d7b-ea9830f3b2ac" + }, { + "title" : "MCI ICT Circular Minute No 5/2014", + "rlinks" : [ { + "href" : "https://intranet.mof.gov.sg/portal/IM/Circulars/ICT/Circular-Minutes/2014" + } ], + "uuid" : "c83c5d3f-cb13-492b-9028-ab7dc717e396" + }, { + "title" : "MCI ICT Circular Minute No 6/2021", + "rlinks" : [ { + "href" : "https://intranet.mof.gov.sg/portal/IM/Circulars/ICT/Circular-Minutes/2021" + } ], + "uuid" : "f76c8617-eb15-4b80-8911-4abca5ba2d84" + }, { + "title" : "Minimum Viable Secure Product (MVSP)", + "rlinks" : [ { + "href" : "https://www.mvsp.dev/" + } ], + "uuid" : "8723fc45-7378-478f-b61f-2e22a170e98c" + }, { + "title" : "NIST SP 800-53", + "rlinks" : [ { + "href" : "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf" + } ], + "uuid" : "0062e6a3-8ac4-44db-92df-8357b437ca0c" + }, { + "title" : "NIST SP 800-63B", + "rlinks" : [ { + "href" : "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63b.pdf" + } ], + "uuid" : 
"e59c5a7c-8b1f-49ca-8de0-6ee0882180ce" + }, { + "title" : "PMO (SNDGO) Circular Minute No 2/2024", + "rlinks" : [ { + "href" : "https://intranet.mof.gov.sg/portal/IM/Circulars/ICT/Circular-Minutes/2024" + } ], + "uuid" : "31761a08-1ca2-48f2-90f5-13fc96128f45" + }, { + "title" : "PMO(SNDGO) Circular Minute No 1/2024", + "rlinks" : [ { + "href" : "https://intranet.mof.gov.sg/portal/IM/Circulars/ICT/Circular-Minutes/2024" + } ], + "uuid" : "824c06dc-a7bb-4d1a-8ea7-7ce2095ff55c" + }, { + "title" : "PMO(SNDGO) Circular Minute No 4/2022", + "rlinks" : [ { + "href" : "https://intranet.mof.gov.sg/portal/IM/Circulars/ICT/Circular-Minutes/2022" + } ], + "uuid" : "17e0e48b-e687-4dbf-afb0-56adfc0bbc3e" + }, { + "title" : "Singapore Government Developer Portal - Innersource", + "rlinks" : [ { + "href" : "https://www.developer.tech.gov.sg/guidelines/standards-and-best-practices/innersource.html" + } ], + "uuid" : "59a45aeb-ab47-406c-875f-0ebbc4ec00e1" + }, { + "title" : "Supply-chain Levels for Software Artifacts (SLSA)", + "rlinks" : [ { + "href" : "https://slsa.dev/" + } ], + "uuid" : "438199c5-6b38-4704-88d6-a902ee08a433" + } ] + }, + "groups" : [ { + "title" : "Application Security", + "id" : "as", + "parts" : [ { + "name" : "overview", + "prose" : "Controls to prevent application vulnerabilities caused by insecure coding." 
+ } ], + "controls" : [ { + "title" : "Input Validation", + "links" : [ { + "href" : "#8723fc45-7378-478f-b61f-2e22a170e98c", + "rel" : "reference", + "text" : "MVSP 2.5: Security libraries" + }, { + "href" : "#da71948e-4dff-4a9d-a645-69ced821fe97", + "rel" : "reference", + "text" : "IM8 Cloud Security (IaaS and PaaS): 1.7/S1c" + }, { + "href" : "#da71948e-4dff-4a9d-a645-69ced821fe97", + "rel" : "reference", + "text" : "IM8 Cloud Security (IaaS and PaaS): 1.7/S8b" + }, { + "href" : "#9749c983-5562-4a6f-8852-7eecf9b38d2c", + "rel" : "reference", + "text" : "IM8 On-Premise ADS (Non-S): 1.1/S1b" + } ], + "id" : "as-1", + "parts" : [ { + "name" : "statement", + "id" : "as-1_smt", + "prose" : "Validate all application inputs to ensure that they match the expected type, structure, or format." + }, { + "name" : "guidance", + "id" : "as-1_gdn", + "prose" : "Strictly validating inputs against a comprehensive schema prevents injection attacks caused by inserting special characters or content that would cause the application to perform incorrect operations." + } ], + "props" : [ { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "risk-statement", + "value" : "Without input validation, there's a heightened risk of injection attacks, data manipulation, or system crashes due to unexpected input, potentially leading to unauthorised access or disruption of services." 
+ }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "published", + "value" : "2023-08-01T01:03:42+0800" + }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "last-modified", + "value" : "2024-02-06T01:04:05+0800" + } ] + }, { + "title" : "Parameterised Interfaces", + "links" : [ { + "href" : "#8723fc45-7378-478f-b61f-2e22a170e98c", + "rel" : "reference", + "text" : "MVSP 2.5: Security libraries" + }, { + "href" : "#da71948e-4dff-4a9d-a645-69ced821fe97", + "rel" : "reference", + "text" : "IM8 Cloud Security (IaaS and PaaS): 1.7/S8c" + }, { + "href" : "#9749c983-5562-4a6f-8852-7eecf9b38d2c", + "rel" : "reference", + "text" : "IM8 On-Premise ADS (Non-S): 1.1/S1c" + } ], + "id" : "as-2", + "parts" : [ { + "name" : "statement", + "id" : "as-2_smt", + "prose" : "Use parameterised interfaces for database queries or system commands." + }, { + "name" : "guidance", + "id" : "as-2_gdn", + "prose" : "Parameterised interfaces such Object-Relational Mapping (ORM) libraries ensure that parameters used in database queries or system commands are properly sanitised and prevent injection attacks." + } ], + "props" : [ { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "risk-statement", + "value" : "Failure to use parameterised interfaces increases the vulnerability to SQL injection or command injection attacks, posing a significant risk of unauthorised access, data manipulation, or even potential system compromise." 
+ }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "published", + "value" : "2023-08-01T01:03:42+0800" + }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "last-modified", + "value" : "2024-02-06T01:04:05+0800" + } ] + }, { + "title" : "Output Sanitisation", + "links" : [ { + "href" : "#8723fc45-7378-478f-b61f-2e22a170e98c", + "rel" : "reference", + "text" : "MVSP 2.5: Security libraries" + }, { + "href" : "#da71948e-4dff-4a9d-a645-69ced821fe97", + "rel" : "reference", + "text" : "IM8 Cloud Security (IaaS and PaaS): 1.7/S8e" + }, { + "href" : "#9749c983-5562-4a6f-8852-7eecf9b38d2c", + "rel" : "reference", + "text" : "IM8 On-Premise ADS (Non-S): 1.1/S1e,k,l" + } ], + "id" : "as-3", + "parts" : [ { + "name" : "statement", + "id" : "as-3_smt", + "prose" : "Sanitise all application outputs that will be used to render a HTML document." + }, { + "name" : "guidance", + "id" : "as-3_gdn", + "prose" : "Any application outputs that are returned to the requester and used to render a HTML document can lead to cross-site scripting (XSS) attacks if they contain special characters that change the rendering of the HTML document by the browser." + } ], + "props" : [ { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "risk-statement", + "value" : "Lack of sanitisation for application outputs used in rendering HTML documents exposes the system to the risk of cross-site scripting (XSS) attacks, allowing malicious code execution in users' browsers." 
+ }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "published", + "value" : "2023-08-01T01:03:42+0800" + }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "last-modified", + "value" : "2024-02-06T01:04:05+0800" + } ] + }, { + "title" : "Authentication Mechanism Rate-Limiting", + "links" : [ { + "href" : "#8723fc45-7378-478f-b61f-2e22a170e98c", + "rel" : "reference", + "text" : "MVSP 2.4: Password policy" + }, { + "href" : "#ee9148b4-3f31-48c8-8503-24fb5cd73db8", + "rel" : "reference", + "text" : "IM8 Cloud ADS: 2.2/S1j, 2.2/S5b" + }, { + "href" : "#9749c983-5562-4a6f-8852-7eecf9b38d2c", + "rel" : "reference", + "text" : "IM8 On-Premise ADS (Non-S): 2.2/S5" + } ], + "id" : "as-4", + "parts" : [ { + "name" : "statement", + "id" : "as-4_smt", + "prose" : "Apply rate-limiting on all authentication mechanisms to deter brute-force attacks." + }, { + "name" : "guidance", + "id" : "as-4_gdn", + "prose" : "Consider rate-limiting to a maximum of 3 consecutive failed authentication attempts within 15 minutes. Time delays between log-on attempts reduce the risk of successful brute-forcing attacks. Bot mitigation tools such as CAPTCHA can further reduce this risk." + } ], + "props" : [ { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "risk-statement", + "value" : "Without rate-limiting, there's an increased risk of unauthorised access as attackers may exploit weak credentials through repeated login attempts." + }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "published", + "value" : "2023-08-01T01:03:42+0800" + }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "last-modified", + "value" : "2024-02-06T01:04:05+0800" + } ] + }, { + "params" : [ { + "guidelines" : [ { + "prose" : "The minimum length of a password." + } ], + "id" : "as-5_prm_1", + "label" : "number of characters", + "class" : "int" + }, { + "guidelines" : [ { + "prose" : "The password policy." 
+ } ], + "id" : "as-5_prm_2", + "label" : "policy", + "class" : "str" + } ], + "title" : "Password Requirements", + "links" : [ { + "href" : "#8723fc45-7378-478f-b61f-2e22a170e98c", + "rel" : "reference", + "text" : "MVSP 2.4: Password policy" + }, { + "href" : "#0062e6a3-8ac4-44db-92df-8357b437ca0c", + "rel" : "reference", + "text" : "NIST SP 800-53 IA-5(1): Password-based Authentication" + }, { + "href" : "#da71948e-4dff-4a9d-a645-69ced821fe97", + "rel" : "reference", + "text" : "IM8 Cloud Security (IaaS and PaaS): 1.4/S1a" + }, { + "href" : "#da71948e-4dff-4a9d-a645-69ced821fe97", + "rel" : "reference", + "text" : "IM8 Cloud Security (IaaS and PaaS): 1.4/S2a" + }, { + "href" : "#9749c983-5562-4a6f-8852-7eecf9b38d2c", + "rel" : "reference", + "text" : "IM8 On-Premise ADS (Non-S): 2.2/S1" + } ], + "id" : "as-5", + "parts" : [ { + "name" : "statement", + "id" : "as-5_smt", + "prose" : "Where SSO or passwordless is not supported, verify that user-defined passwords are at least {{ insert: param, as-5_prm_1 }} characters in length and {{ insert: param, as-5_prm_2 }}." + }, { + "name" : "guidance", + "id" : "as-5_gdn", + "prose" : "Latest NIST [SP 800-63B](#e59c5a7c-8b1f-49ca-8de0-6ee0882180ce) guidelines found that password length is a primary factor in determining the strength of a password while composition and complexity rules provide marginal security benefits." + } ], + "props" : [ { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "risk-statement", + "value" : "Short or commonly used passwords increase the vulnerability to unauthorised access, potentially leading to compromised accounts and unauthorised activities on the system." 
+ }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "published", + "value" : "2023-08-01T01:03:42+0800" + }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "last-modified", + "value" : "2024-02-09T22:54:15+0800" + } ] + }, { + "title" : "Password Salting and Hashing", + "links" : [ { + "href" : "#8723fc45-7378-478f-b61f-2e22a170e98c", + "rel" : "reference", + "text" : "MVSP 2.4: Password policy" + }, { + "href" : "#da71948e-4dff-4a9d-a645-69ced821fe97", + "rel" : "reference", + "text" : "IM8 Cloud Security (IaaS and PaaS): 1.4/S3" + }, { + "href" : "#9749c983-5562-4a6f-8852-7eecf9b38d2c", + "rel" : "reference", + "text" : "IM8 On-Premise ADS (Non-S): 2.2/S3" + } ], + "id" : "as-6", + "parts" : [ { + "name" : "statement", + "id" : "as-6_smt", + "parts" : [ { + "name" : "item", + "id" : "as-6_smt.1", + "props" : [ { + "name" : "label", + "value" : "1" + } ], + "prose" : "Generated using a cryptographically secure pseudo-random number generator in accordance with industry standards;" + }, { + "name" : "item", + "id" : "as-6_smt.2", + "props" : [ { + "name" : "label", + "value" : "2" + } ], + "prose" : "At least 32 bits long; and" + }, { + "name" : "item", + "id" : "as-6_smt.3", + "props" : [ { + "name" : "label", + "value" : "3" + } ], + "prose" : "Randomly generated for each account." + } ], + "prose" : "Store passwords as salted hashes using a password hashing scheme that is resistant to offline attacks such as those described in NIST [SP 800-63b](#e59c5a7c-8b1f-49ca-8de0-6ee0882180ce). The salt should be:" + }, { + "name" : "guidance", + "id" : "as-6_gdn", + "prose" : "Refer to NIST [SP 800-90Ar1](#64357b22-9868-4453-9b9e-36c2665d12b3) for suitable pseudo-random number generators. Refer to NIST [SP 800-63b](#e59c5a7c-8b1f-49ca-8de0-6ee0882180ce) Memorized Secret Verifiers section for suitable hashing schemes, including Argon2, scrypt, and PBKDF2. 
For application source code, use a cryptographically secure pseudo-random number generator function instead of an insecure one, such as crypto.randomBytes instead of Math.random in Node.js and java.security.SecureRandom.nextBytes instead of java.util.Random in Java." + } ], + "props" : [ { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "risk-statement", + "value" : "Without salting and hashing, in case of a data breach, exposed passwords can be easily extracted, leading to potential compromise of user accounts and sensitive information." + }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "published", + "value" : "2023-08-01T01:03:42+0800" + }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "last-modified", + "value" : "2024-02-06T01:04:05+0800" + } ] + }, { + "title" : "Access Control Check Enforcement", + "links" : [ { + "href" : "#8723fc45-7378-478f-b61f-2e22a170e98c", + "rel" : "reference", + "text" : "MVSP 3.3: Vulnerability prevention" + }, { + "href" : "#da71948e-4dff-4a9d-a645-69ced821fe97", + "rel" : "reference", + "text" : "IM8 Cloud Security (IaaS and PaaS): 1.7/S8a" + } ], + "id" : "as-7", + "parts" : [ { + "name" : "statement", + "id" : "as-7_smt", + "prose" : "Perform access control checks on all authenticated requests." + }, { + "name" : "guidance", + "id" : "as-7_gdn", + "prose" : "Utilise authorisation filters or middleware to force all authenticated requests to undergo access control checks." + } ], + "props" : [ { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "risk-statement", + "value" : "Failure to perform access control checks on authenticated requests increases the risk of unauthorised access to sensitive data or functionalities, potentially leading to data breaches and misuse of system resources." 
+ }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "published", + "value" : "2023-08-01T01:03:42+0800" + }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "last-modified", + "value" : "2024-02-06T00:47:04+0800" + } ] + }, { + "title" : "Application Secrets Management", + "links" : [ { + "href" : "#da71948e-4dff-4a9d-a645-69ced821fe97", + "rel" : "reference", + "text" : "IM8 Cloud Security (IaaS and PaaS): 1.7/S11" + }, { + "href" : "#9749c983-5562-4a6f-8852-7eecf9b38d2c", + "rel" : "reference", + "text" : "IM8 On-Premise ADS (Non-S): 1.1/S1f, 2.2/S4, 3.1/S1 and 3.1/S4" + } ], + "id" : "as-8", + "parts" : [ { + "name" : "statement", + "id" : "as-8_smt", + "prose" : "Encrypt and store application secrets in a secret management solution with appropriate access controls and do not hard-code secrets in source code." + }, { + "name" : "guidance", + "id" : "as-8_gdn", + "prose" : "Secret management solutions include cloud solutions like AWS Secrets Manager and Azure Key Vault as well as cloud-agnostic solutions like HashiCorp Vault and CyberArk Conjur." + } ], + "props" : [ { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "risk-statement", + "value" : "Exposure of sensitive information and unauthorised access to system credentials may occur if application secrets are stored without encryption or if hard-coded in source code." 
+ }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "published", + "value" : "2023-08-01T01:03:42+0800" + }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "last-modified", + "value" : "2024-02-06T01:04:05+0800" + } ] + }, { + "title" : "Content Security Policy (CSP)", + "links" : [ { + "href" : "#8723fc45-7378-478f-b61f-2e22a170e98c", + "rel" : "reference", + "text" : "MVSP 2.3: Security Headers" + }, { + "href" : "#da71948e-4dff-4a9d-a645-69ced821fe97", + "rel" : "reference", + "text" : "IM8 Cloud Security (IaaS and PaaS): 1.7/G7" + } ], + "id" : "as-9", + "parts" : [ { + "name" : "statement", + "id" : "as-9_smt", + "prose" : "Set minimally permissive CSP response headers to mitigate cross-site scripting attacks." + }, { + "name" : "guidance", + "id" : "as-9_gdn", + "prose" : "Utilise the relevant fetch directives such as `default-src`, `script-src`, `style-src`, `connect-src`, `img-src`, `media-src` and `object-src` to prevent loading of scripts from malicious sources. Refer to the [OWASP Secure Headers Project](#3101b27c-d39c-49fc-b227-e77df8c5e358) Best Practices for recommended header values." + } ], + "props" : [ { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "risk-statement", + "value" : "Without minimally permissive Content Security Policy (CSP) headers, the risk of cross-site scripting attacks, leading to unauthorised script execution and potential data theft, is increased." 
+ }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "published", + "value" : "2023-08-01T01:03:42+0800" + }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "last-modified", + "value" : "2024-02-06T00:47:04+0800" + } ] + }, { + "title" : "HTTP Strict Transport Security (HSTS)", + "links" : [ { + "href" : "#da71948e-4dff-4a9d-a645-69ced821fe97", + "rel" : "reference", + "text" : "IM8 Cloud Security (IaaS and PaaS): 1.7/G4" + } ], + "id" : "as-10", + "parts" : [ { + "name" : "statement", + "id" : "as-10_smt", + "prose" : "Set HTTP Strict Transport Security (HSTS) response headers with a maximum age value of at least 1 year (31536000 seconds) to mitigate protocol downgrade attacks." + }, { + "name" : "guidance", + "id" : "as-10_gdn", + "prose" : "Refer to the [OWASP Secure Headers Project](#3101b27c-d39c-49fc-b227-e77df8c5e358) Best Practices for recommended header values." + } ], + "props" : [ { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "risk-statement", + "value" : "Failure to implement HTTP Strict Transport Security (HSTS) with a sufficient maximum age may expose the system to protocol downgrade attacks, compromising the security of communication channels." + }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "published", + "value" : "2023-10-24T13:54:12+0800" + }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "last-modified", + "value" : "2024-02-06T00:47:04+0800" + } ] + }, { + "params" : [ { + "guidelines" : [ { + "prose" : "The maximum time period in hours of a user's session." 
+ } ], + "id" : "as-11_prm_1", + "label" : "time period (hours)", + "class" : "int" + } ], + "title" : "Session Management", + "links" : [ { + "href" : "#0062e6a3-8ac4-44db-92df-8357b437ca0c", + "rel" : "reference", + "text" : "NIST SP 800-53 AC-12: Session Termination" + }, { + "href" : "#0062e6a3-8ac4-44db-92df-8357b437ca0c", + "rel" : "reference", + "text" : "NIST SP 800-53 IA-11: Re-authentication" + }, { + "href" : "#ee9148b4-3f31-48c8-8503-24fb5cd73db8", + "rel" : "reference", + "text" : "IM8 Cloud ADS: 2.5/S2" + }, { + "href" : "#e59c5a7c-8b1f-49ca-8de0-6ee0882180ce", + "rel" : "reference", + "text" : "NIST SP 800-63B 4.2.3: Reauthentication" + }, { + "href" : "#9749c983-5562-4a6f-8852-7eecf9b38d2c", + "rel" : "reference", + "text" : "IM8 On-Premise ADS (Non-S): 2.5/S2" + } ], + "id" : "as-11", + "parts" : [ { + "name" : "statement", + "id" : "as-11_smt", + "prose" : "Require users to re-authenticate after their session exceeds {{ insert: param, as-11_prm_1 }} hour(s) or terminate the session." + }, { + "name" : "guidance", + "id" : "as-11_gdn", + "prose" : "NIST SP 800-63B recommends re-authentication once per 30 days for Authenticator Assurance Level 1, 12 hours or 30 minutes inactivity for Authenticator Assurance Level 2, and 12 hours or 15 minutes inactivity for Authenticator Assurance Level 3. In addition to time period, system can consider re-authentication when roles, authenticators or credentials change or when the execution of privileged functions occurs." + } ], + "props" : [ { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "risk-statement", + "value" : "Not verifying a user regularly and at suitable checkpoints could allow someone who has access to the user's account to carry out unauthorised actions." 
+ }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "published", + "value" : "2024-01-02T16:00:00+0000" + }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "last-modified", + "value" : "2024-02-09T22:54:15+0800" + } ] + }, { + "title" : "Malware Scanning of Uploaded Files", + "links" : [ { + "href" : "#0062e6a3-8ac4-44db-92df-8357b437ca0c", + "rel" : "reference", + "text" : "NIST SP 800-53 SI-3: Malicious Code Protection" + } ], + "id" : "as-12", + "parts" : [ { + "name" : "statement", + "id" : "as-12_smt", + "prose" : "Scan file uploads for malware before further processing by the system or users." + }, { + "name" : "guidance", + "id" : "as-12_gdn", + "prose" : "Consider uploading the files to temporary storage for malware scanning on ephemeral compute like serverless functions before moving safe files to another storage for further processing or unsafe files to quarantine storage." + } ], + "props" : [ { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "risk-statement", + "value" : "Without scanning uploaded files for malware, there's an increased risk of exploits or infection for consumers of the files." + }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "published", + "value" : "2024-04-16T16:00:00+0000" + }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "last-modified", + "value" : "2024-04-16T16:00:00+0000" + } ] + } ] + }, { + "title" : "Software Supply Chain", + "id" : "sc", + "parts" : [ { + "name" : "overview", + "prose" : "Controls to prevent tampering and improve the integrity of the software supply chain." 
+ } ], + "controls" : [ { + "title" : "Code Repository", + "links" : [ { + "href" : "#ee9148b4-3f31-48c8-8503-24fb5cd73db8", + "rel" : "reference", + "text" : "IM8 Cloud ADS: 7.1/S1" + }, { + "href" : "#9749c983-5562-4a6f-8852-7eecf9b38d2c", + "rel" : "reference", + "text" : "IM8 On-Premise ADS (Non-S): 6.1/S1" + } ], + "id" : "sc-1", + "parts" : [ { + "name" : "statement", + "id" : "sc-1_smt", + "prose" : "Manage the codebase in a central code repository with version control." + }, { + "name" : "guidance", + "id" : "sc-1_gdn", + "prose" : "Use common platforms such as SHIP-HATS 2.0 GitLab or equivalents." + } ], + "props" : [ { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "risk-statement", + "value" : "Absence of centralised code repository and version control increases the risk of code inconsistencies, loss of code history, and difficulties in collaboration, potentially leading to errors and security vulnerabilities." + }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "published", + "value" : "2023-08-01T01:03:42+0800" + }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "last-modified", + "value" : "2024-02-06T01:04:05+0800" + } ] + }, { + "title" : "Commit Signing", + "id" : "sc-2", + "parts" : [ { + "name" : "statement", + "id" : "sc-2_smt", + "prose" : "Configure the code repository to reject unsigned commits." + }, { + "name" : "guidance", + "id" : "sc-2_gdn", + "prose" : "Use GitLab's push rules, GitHub's branch protection rules or similar code repository controls to reject unsigned commits on push." + } ], + "props" : [ { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "risk-statement", + "value" : "Allowing unsigned commits in the code repository introduces the risk of unauthorised or malicious code changes, compromising the integrity and security of the software development process." 
+ }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "published", + "value" : "2023-08-01T01:03:42+0800" + }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "last-modified", + "value" : "2023-09-04T21:33:34+0800" + } ] + }, { + "title" : "Peer Review", + "links" : [ { + "href" : "#da71948e-4dff-4a9d-a645-69ced821fe97", + "rel" : "reference", + "text" : "IM8 Cloud Security (IaaS and PaaS): 1.1/S2" + }, { + "href" : "#ee9148b4-3f31-48c8-8503-24fb5cd73db8", + "rel" : "reference", + "text" : "IM8 Cloud ADS: 8.1/G1" + }, { + "href" : "#9749c983-5562-4a6f-8852-7eecf9b38d2c", + "rel" : "reference", + "text" : "IM8 On-Premise ADS (Non-S): 8.1/G1" + } ], + "id" : "sc-3", + "parts" : [ { + "name" : "statement", + "id" : "sc-3_smt", + "prose" : "Require peer review and approval by a designated reviewer before merging into the default branch." + }, { + "name" : "guidance", + "id" : "sc-3_gdn", + "prose" : "Use GitLab's protected branch and merge request settings, GitHub's branch protection settings or similar code repository controls to enforce this." + } ], + "props" : [ { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "risk-statement", + "value" : "Without peer review and approval before merging, there is an increased risk of introducing undetected coding errors, security vulnerabilities, and maintaining codebase consistency may become challenging." 
+ }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "published", + "value" : "2023-08-02T11:48:56+0800" + }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "last-modified", + "value" : "2024-02-06T01:04:05+0800" + } ] + }, { + "title" : "Dependency Manifest Version Pinning", + "links" : [ { + "href" : "#438199c5-6b38-4704-88d6-a902ee08a433", + "rel" : "reference", + "text" : "SLSA Build L1: Provenance exists" + }, { + "href" : "#ee9148b4-3f31-48c8-8503-24fb5cd73db8", + "rel" : "reference", + "text" : "IM8 Cloud ADS: 8.1/G4" + }, { + "href" : "#9749c983-5562-4a6f-8852-7eecf9b38d2c", + "rel" : "reference", + "text" : "IM8 On-Premise ADS (Non-S): 8.1/G4" + } ], + "id" : "sc-4", + "parts" : [ { + "name" : "statement", + "id" : "sc-4_smt", + "prose" : "Pin direct and transitive dependency versions in the application's dependency manifest." + }, { + "name" : "guidance", + "id" : "sc-4_gdn", + "prose" : "Dependency manifests such as package-lock.json for npm and Pipfile.lock for pipenv allow you to pin dependency versions." + } ], + "props" : [ { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "risk-statement", + "value" : "Failure to pin direct and transitive dependency versions in the application's manifest may lead to version drift, introducing compatibility issues, security vulnerabilities, and unpredictability in the software environment." 
+ }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "published", + "value" : "2023-08-02T11:48:56+0800" + }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "last-modified", + "value" : "2024-02-06T01:04:05+0800" + } ] + }, { + "title" : "Automated Build and Deploy", + "links" : [ { + "href" : "#8723fc45-7378-478f-b61f-2e22a170e98c", + "rel" : "reference", + "text" : "MVSP 3.5: Build process" + }, { + "href" : "#438199c5-6b38-4704-88d6-a902ee08a433", + "rel" : "reference", + "text" : "SLSA Build L1: Provenance exists" + }, { + "href" : "#da71948e-4dff-4a9d-a645-69ced821fe97", + "rel" : "reference", + "text" : "IM8 Cloud Security (IaaS and PaaS): 1.7/S22" + }, { + "href" : "#ee9148b4-3f31-48c8-8503-24fb5cd73db8", + "rel" : "reference", + "text" : "IM8 Cloud ADS: 6.1/G4" + } ], + "id" : "sc-5", + "parts" : [ { + "name" : "statement", + "id" : "sc-5_smt", + "prose" : "Provision and operate systems in a consistent manner using automation." + }, { + "name" : "guidance", + "id" : "sc-5_gdn", + "prose" : "Deploy and maintain Infrastructure and Applications with automated and repeatable tools such as CI/CD Pipelines, Infrastructure as Code (IaC) and other scripts. Automated build and deploy pipelines allow for signing and validation of build artefacts. Do not make manual changes directly into production systems." + } ], + "props" : [ { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "risk-statement", + "value" : "Inconsistent system provisioning and operation, without automation, may lead to configuration drift, increased likelihood of errors, and heightened vulnerability to security breaches due to manual misconfigurations." 
+ }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "published", + "value" : "2023-08-02T11:48:56+0800" + }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "last-modified", + "value" : "2024-02-16T01:34:37+0800" + } ] + }, { + "title" : "Dependency Installation during Deployment", + "links" : [ { + "href" : "#438199c5-6b38-4704-88d6-a902ee08a433", + "rel" : "reference", + "text" : "SLSA Build L1: Provenance exists" + } ], + "id" : "sc-6", + "parts" : [ { + "name" : "statement", + "id" : "sc-6_smt", + "prose" : "When installing dependencies during deployment, only install pinned versions in the manifest." + }, { + "name" : "guidance", + "id" : "sc-6_gdn", + "prose" : "Use package manager commands such as npm ci for npm and pipenv sync for pipenv that ensure only versions specified in the manifest are installed rather than the latest version." + } ], + "props" : [ { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "risk-statement", + "value" : "Failure to install only pinned versions of dependencies during deployment increases the risk of introducing unforeseen changes, compatibility issues, and potential security vulnerabilities into the deployed environment." 
+ }, {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "published",
+ "value" : "2023-08-02T11:48:56+0800"
+ }, {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "last-modified",
+ "value" : "2024-03-31T23:54:33+0800"
+ } ]
+ }, {
+ "title" : "Software Artefact Signing",
+ "links" : [ {
+ "href" : "#438199c5-6b38-4704-88d6-a902ee08a433",
+ "rel" : "reference",
+ "text" : "SLSA Build L2: Hosted build platform"
+ }, {
+ "href" : "#ee9148b4-3f31-48c8-8503-24fb5cd73db8",
+ "rel" : "reference",
+ "text" : "IM8 Cloud ADS: 1.7/G9"
+ }, {
+ "href" : "#ee9148b4-3f31-48c8-8503-24fb5cd73db8",
+ "rel" : "reference",
+ "text" : "IM8 Cloud ADS: 8.1/G1"
+ } ],
+ "id" : "sc-7",
+ "parts" : [ {
+ "name" : "statement",
+ "id" : "sc-7_smt",
+ "prose" : "Sign software artefacts such as code and container images using a trusted source during build."
+ }, {
+ "name" : "guidance",
+ "id" : "sc-7_gdn",
+ "prose" : "Use tools or services like Cosign or AWS Signer to sign and verify code."
+ } ],
+ "props" : [ {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "risk-statement",
+ "value" : "Unsigned code and container images pose a risk of tampering, impersonation, and the injection of malicious code during the build process, compromising the integrity and security of the deployed software."
+ }, {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "published",
+ "value" : "2023-08-02T11:48:56+0800"
+ }, {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "last-modified",
+ "value" : "2024-03-31T23:54:39+0800"
+ } ]
+ }, {
+ "title" : "Software Artefact Signature Verification",
+ "links" : [ {
+ "href" : "#438199c5-6b38-4704-88d6-a902ee08a433",
+ "rel" : "reference",
+ "text" : "SLSA Build L2: Hosted build platform"
+ }, {
+ "href" : "#da71948e-4dff-4a9d-a645-69ced821fe97",
+ "rel" : "reference",
+ "text" : "IM8 Cloud ADS: 1.7/G9"
+ }, {
+ "href" : "#da71948e-4dff-4a9d-a645-69ced821fe97",
+ "rel" : "reference",
+ "text" : "IM8 Cloud Security (IaaS and PaaS): 1.7/S20"
+ }, {
+ "href" : "#ee9148b4-3f31-48c8-8503-24fb5cd73db8",
+ "rel" : "reference",
+ "text" : "IM8 Cloud ADS: 8.1/G12"
+ } ],
+ "id" : "sc-8",
+ "parts" : [ {
+ "name" : "statement",
+ "id" : "sc-8_smt",
+ "prose" : "Verify the signatures of code and artefacts before deployment or runtime."
+ }, {
+ "name" : "guidance",
+ "id" : "sc-8_gdn",
+ "prose" : "Implement a signature verification step such as a pipeline stage or Kubernetes Admission Controller."
+ } ],
+ "props" : [ {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "risk-statement",
+ "value" : "Without verifying the signatures of code and artefacts before deployment or runtime, there's an increased risk of deploying tampered or malicious software, compromising the integrity and security of the system."
+ }, {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "published",
+ "value" : "2023-08-02T11:48:56+0800"
+ }, {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "last-modified",
+ "value" : "2024-03-31T23:54:45+0800"
+ } ]
+ }, {
+ "title" : "Internal Code Collaboration and Sharing",
+ "links" : [ {
+ "href" : "#59a45aeb-ab47-406c-875f-0ebbc4ec00e1",
+ "rel" : "reference",
+ "text" : "Singapore Government Developer Portal - Innersource"
+ } ],
+ "id" : "sc-9",
+ "parts" : [ {
+ "name" : "statement",
+ "id" : "sc-9_smt",
+ "prose" : "Share source code within Government to enhance code quality, accelerate innovation, and improve problem-solving efficiency."
+ }, {
+ "name" : "guidance",
+ "id" : "sc-9_gdn",
+ "prose" : "Adopt Innersource practices for internal collaboration, utilizing platforms like SHIP-HATS GitLab to manage and share code repositories in Government. Source code should be evaluated for suitability for innersourcing, such as the use of confidential algorithms or embedded sensitive data. The Innersource guidelines published in Developers Portal provide a useful framework for code sharing."
+ } ],
+ "props" : [ {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "risk-statement",
+ "value" : "Restricting code repositories to closed source can result in duplicated efforts, hinder collaborative learning, and lead to missed bugs or vulnerabilities."
+ }, {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "published",
+ "value" : "2024-01-25T00:00:00+0800"
+ }, {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "last-modified",
+ "value" : "2024-03-31T23:54:54+0800"
+ } ]
+ } ]
+ }, {
+ "title" : "Security Testing",
+ "id" : "st",
+ "parts" : [ {
+ "name" : "overview",
+ "prose" : "Controls to validate the security of a system via internal and external testing."
+ } ],
+ "controls" : [ {
+ "params" : [ {
+ "guidelines" : [ {
+ "prose" : "The type of vulnerability assessment scanning."
+ } ],
+ "id" : "st-1_prm_1",
+ "label" : "type",
+ "class" : "str"
+ } ],
+ "title" : "Vulnerability Assessment",
+ "links" : [ {
+ "href" : "#da71948e-4dff-4a9d-a645-69ced821fe97",
+ "rel" : "reference",
+ "text" : "IM8 Cloud Security (IaaS and PaaS): 1.8/S1"
+ } ],
+ "id" : "st-1",
+ "parts" : [ {
+ "name" : "statement",
+ "id" : "st-1_smt",
+ "prose" : "Run regular {{ insert: param, st-1_prm_1 }} vulnerability assessment scans for eligible hosts."
+ }, {
+ "name" : "guidance",
+ "id" : "st-1_gdn",
+ "prose" : "Select agent-based or network-based scans as necessary. Implement authenticated scans where possible for greater coverage. Use scanners such as Amazon Inspector or Microsoft Defender for Cloud for continuous scanning of cloud systems. For on-premises systems or systems that require periodic scans, subscribe to Vulnerability Management System (VMS)."
+ } ],
+ "props" : [ {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "risk-statement",
+ "value" : "Without regular vulnerability assessment scans, hosts remain exposed to undetected security vulnerabilities or misconfigurations, increasing the risk of exploitation and unauthorised access to critical systems."
+ }, {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "published",
+ "value" : "2023-08-02T10:22:32+0800"
+ }, {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "last-modified",
+ "value" : "2024-05-10T01:26:00+0800"
+ } ]
+ }, {
+ "title" : "Cloud Security Posture Management",
+ "links" : [ {
+ "href" : "#da71948e-4dff-4a9d-a645-69ced821fe97",
+ "rel" : "reference",
+ "text" : "IM8 Cloud Security (IaaS and PaaS): 1.1/S6"
+ } ],
+ "id" : "st-2",
+ "parts" : [ {
+ "name" : "statement",
+ "id" : "st-2_smt",
+ "prose" : "Set up cloud security posture management that performs continuous configuration scans on cloud assets."
+ }, {
+ "name" : "guidance",
+ "id" : "st-2_gdn",
+ "prose" : "Use cloud security posture management tools such as CloudSCAPE, AWS Security Hub, and Datadog Cloud Security Posture Management."
+ } ],
+ "props" : [ {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "risk-statement",
+ "value" : "Lack of continuous configuration scans through cloud security posture management increases the risk of misconfigurations in cloud assets, leading to security vulnerabilities, data breaches, and unauthorised access."
+ }, {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "published",
+ "value" : "2023-08-02T10:22:32+0800"
+ }, {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "last-modified",
+ "value" : "2024-02-06T00:47:04+0800"
+ } ]
+ }, {
+ "title" : "Vulnerability Disclosure Programme",
+ "links" : [ {
+ "href" : "#8723fc45-7378-478f-b61f-2e22a170e98c",
+ "rel" : "reference",
+ "text" : "MVSP 1.1: Vulnerability reports"
+ }, {
+ "href" : "#9749c983-5562-4a6f-8852-7eecf9b38d2c",
+ "rel" : "reference",
+ "text" : "IM8 On-Premise ADS (Non-S): 5.1/S4"
+ } ],
+ "id" : "st-3",
+ "parts" : [ {
+ "name" : "statement",
+ "id" : "st-3_smt",
+ "prose" : "Display a way to responsibly disclose vulnerabilities via the Government Vulnerability Disclosure Programme."
+ }, {
+ "name" : "guidance",
+ "id" : "st-3_gdn",
+ "prose" : "Add a link to https://go.gov.sg/report-vulnerability on all pages, such as in the footer."
+ } ],
+ "props" : [ {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "risk-statement",
+ "value" : "Publicly disclosing vulnerabilities without following a responsible disclosure process increases the risk of malicious exploitation; responsible disclosure via the Government Vulnerability Disclosure Programme ensures a coordinated and secure approach to addressing vulnerabilities."
+ }, {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "published",
+ "value" : "2023-08-02T10:22:32+0800"
+ }, {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "last-modified",
+ "value" : "2024-02-06T01:04:05+0800"
+ } ]
+ }, {
+ "params" : [ {
+ "guidelines" : [ {
+ "prose" : "The time period in days of penetration testing frequency."
+ } ],
+ "id" : "st-4_prm_1",
+ "label" : "time period (days)",
+ "class" : "int"
+ } ],
+ "title" : "Penetration Testing",
+ "links" : [ {
+ "href" : "#8723fc45-7378-478f-b61f-2e22a170e98c",
+ "rel" : "reference",
+ "text" : "MVSP 1.4: External testing"
+ }, {
+ "href" : "#da71948e-4dff-4a9d-a645-69ced821fe97",
+ "rel" : "reference",
+ "text" : "IM8 Cloud Security (IaaS and PaaS): 1.8/S1"
+ }, {
+ "href" : "#9749c983-5562-4a6f-8852-7eecf9b38d2c",
+ "rel" : "reference",
+ "text" : "IM8 On-Premise ADS (Non-S): 4.1/S1"
+ } ],
+ "id" : "st-4",
+ "parts" : [ {
+ "name" : "statement",
+ "id" : "st-4_smt",
+ "prose" : "Conduct and document a penetration test by internal teams or independent external parties every {{ insert: param, st-4_prm_1 }} day(s)."
+ }, {
+ "name" : "guidance",
+ "id" : "st-4_gdn",
+ "prose" : "A white-box penetration test should be performed to effectively test the application."
+ } ],
+ "props" : [ {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "risk-statement",
+ "value" : "Without conducting and documenting penetration tests, there's an increased risk of undetected security weaknesses, leaving the application susceptible to exploitation, data breaches, and unauthorised access."
+ }, {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "published",
+ "value" : "2023-08-02T10:22:32+0800"
+ }, {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "last-modified",
+ "value" : "2024-02-09T22:54:15+0800"
+ } ]
+ }, {
+ "params" : [ {
+ "guidelines" : [ {
+ "prose" : "The time period in days to remediate or risk accept critical vulnerability findings."
+ } ],
+ "id" : "st-5_prm_1",
+ "label" : "time period (days)",
+ "class" : "int"
+ }, {
+ "guidelines" : [ {
+ "prose" : "The time period in days to remediate or risk accept high vulnerability findings."
+ } ],
+ "id" : "st-5_prm_2",
+ "label" : "time period (days)",
+ "class" : "int"
+ }, {
+ "guidelines" : [ {
+ "prose" : "The time period in days to remediate or risk accept medium vulnerability findings."
+ } ],
+ "id" : "st-5_prm_3",
+ "label" : "time period (days)",
+ "class" : "int"
+ }, {
+ "guidelines" : [ {
+ "prose" : "The time period in days to remediate or risk accept low vulnerability findings."
+ } ],
+ "id" : "st-5_prm_4",
+ "label" : "time period (days)",
+ "class" : "int"
+ } ],
+ "title" : "Vulnerability Management",
+ "links" : [ {
+ "href" : "#8723fc45-7378-478f-b61f-2e22a170e98c",
+ "rel" : "reference",
+ "text" : "MVSP 3.4: Time to fix vulnerabilities"
+ }, {
+ "href" : "#da71948e-4dff-4a9d-a645-69ced821fe97",
+ "rel" : "reference",
+ "text" : "IM8 Cloud Security (IaaS and PaaS): 1.8/S3"
+ }, {
+ "href" : "#da71948e-4dff-4a9d-a645-69ced821fe97",
+ "rel" : "reference",
+ "text" : "IM8 Cloud Security (IaaS and PaaS): 1.8/S4"
+ }, {
+ "href" : "#9749c983-5562-4a6f-8852-7eecf9b38d2c",
+ "rel" : "reference",
+ "text" : "IM8 On-Premise ADS (Non-S): 5.1/S3"
+ } ],
+ "id" : "st-5",
+ "parts" : [ {
+ "name" : "statement",
+ "id" : "st-5_smt",
+ "parts" : [ {
+ "name" : "item",
+ "id" : "st-5_smt.1",
+ "props" : [ {
+ "name" : "label",
+ "value" : "1"
+ } ],
+ "prose" : "Critical: {{ insert: param, st-5_prm_1 }} day(s)"
+ }, {
+ "name" : "item",
+ "id" : "st-5_smt.2",
+ "props" : [ {
+ "name" : "label",
+ "value" : "2"
+ } ],
+ "prose" : "High: {{ insert: param, st-5_prm_2 }} day(s)"
+ }, {
+ "name" : "item",
+ "id" : "st-5_smt.3",
+ "props" : [ {
+ "name" : "label",
+ "value" : "3"
+ } ],
+ "prose" : "Medium: {{ insert: param, st-5_prm_3 }} day(s)"
+ }, {
+ "name" : "item",
+ "id" : "st-5_smt.4",
+ "props" : [ {
+ "name" : "label",
+ "value" : "4"
+ }
],
+ "prose" : "Low: {{ insert: param, st-5_prm_4 }} day(s)"
+ } ],
+ "prose" : "Triage and then remediate or risk accept all true positive vulnerability findings discovered through security testing within the following timeframe based on severity:"
+ }, {
+ "name" : "guidance",
+ "id" : "st-5_gdn",
+ "prose" : "Seek approval from the appropriate approving authority for risk acceptance."
+ } ],
+ "props" : [ {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "risk-statement",
+ "value" : "Failure to promptly remediate vulnerabilities increases the risk of potential exploits, security breaches, and prolonged exposure to known vulnerabilities in the system."
+ }, {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "published",
+ "value" : "2023-08-02T10:22:32+0800"
+ }, {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "last-modified",
+ "value" : "2024-02-09T22:54:15+0800"
+ } ]
+ } ]
+ }, {
+ "title" : "Network Security",
+ "id" : "ns",
+ "parts" : [ {
+ "name" : "overview",
+ "prose" : "Controls to secure the network boundaries of a system."
+ } ],
+ "controls" : [ {
+ "title" : "Public and Private Subnet Segmentation",
+ "links" : [ {
+ "href" : "#da71948e-4dff-4a9d-a645-69ced821fe97",
+ "rel" : "reference",
+ "text" : "IM8 Cloud Security (IaaS and PaaS): 1.5/S1"
+ }, {
+ "href" : "#da71948e-4dff-4a9d-a645-69ced821fe97",
+ "rel" : "reference",
+ "text" : "IM8 Cloud Security (IaaS and PaaS): 1.5/S2"
+ }, {
+ "href" : "#da71948e-4dff-4a9d-a645-69ced821fe97",
+ "rel" : "reference",
+ "text" : "IM8 Cloud Security (IaaS and PaaS): 1.7/S14"
+ }, {
+ "href" : "#f3057503-f399-4735-9d7b-ea9830f3b2ac",
+ "rel" : "reference",
+ "text" : "IM8 On-Premise IS (Non-S): 4.2/S1a"
+ }, {
+ "href" : "#52e1d19c-bf27-4de8-b66a-c2523c9a0d69",
+ "rel" : "reference",
+ "text" : "IM8 On-Premise AAS (Non-S): 1.1/S1, 2.1/S1"
+ }, {
+ "href" : "#da71948e-4dff-4a9d-a645-69ced821fe97",
+ "rel" : "reference",
+ "text" : "IM8 Cloud Security (IaaS and PaaS): 1.5/S6b"
+ } ],
+ "id" : "ns-1",
+ "parts" : [ {
+ "name" : "statement",
+ "id" : "ns-1_smt",
+ "prose" : "Place private resources (e.g., databases) in private subnets and public resources (e.g., reverse proxies, web servers) in public subnets within a virtual network."
+ }, {
+ "name" : "guidance",
+ "id" : "ns-1_gdn",
+ "prose" : "This control does not apply to serverless resources (API Gateways), static sites or assets fronted by CDNs (e.g., CloudFlare, CloudFront) which are located outside of the virtual network. Private subnets do not allow direct connections from the internet while public subnets do. However, resources in private segments can connect to the internet via NAT Gateways in public subnets in the same virtual network."
+ } ],
+ "props" : [ {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "risk-statement",
+ "value" : "Failure to segregate private and public resources within distinct subnets in a virtual network increases the risk of unauthorised access to sensitive data, as private resources may be exposed to the public internet, compromising the overall security of the infrastructure."
+ }, {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "published",
+ "value" : "2023-08-02T14:26:27+0800"
+ }, {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "last-modified",
+ "value" : "2024-02-06T01:04:05+0800"
+ } ]
+ }, {
+ "title" : "Access Restrictions on CSP Resources Outside Virtual Network",
+ "links" : [ {
+ "href" : "#da71948e-4dff-4a9d-a645-69ced821fe97",
+ "rel" : "reference",
+ "text" : "IM8 Cloud Security (IaaS and PaaS): 1.5/S2"
+ }, {
+ "href" : "#da71948e-4dff-4a9d-a645-69ced821fe97",
+ "rel" : "reference",
+ "text" : "IM8 Cloud Security (IaaS and PaaS): 1.5/S5"
+ }, {
+ "href" : "#da71948e-4dff-4a9d-a645-69ced821fe97",
+ "rel" : "reference",
+ "text" : "IM8 Cloud Security (IaaS and PaaS): 1.7/S23"
+ } ],
+ "id" : "ns-2",
+ "parts" : [ {
+ "name" : "statement",
+ "id" : "ns-2_smt",
+ "prose" : "Restrict access to CSP resources outside of a virtual network (e.g., Lambda, DynamoDb, API Gateways, S3, CloudFront) using access controls or application layer authorisation."
+ }, {
+ "name" : "guidance",
+ "id" : "ns-2_gdn",
+ "prose" : "Apply access restrictions appropriate to the resource type. Access through interface VPC endpoints is only required if the client is hosted in a private subnet. For example:\n\n- Restrict access to DynamoDB with IAM policies.\n\n- Restrict access to API Gateway with Lambda Authorizers or authorisation middlewares at the application layer.
If the API Gateway is exposed to private subnets, create a [private API](#38e183ce-b5ab-420a-b910-94c444e878f3).\n\n- Restrict access to S3 Buckets with IAM policies and block public access from the internet."
+ } ],
+ "props" : [ {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "risk-statement",
+ "value" : "Lack of access restrictions raises the risk of unauthorised access, data exposure, and potential misuse of critical services, compromising the overall security posture."
+ }, {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "published",
+ "value" : "2023-08-02T14:26:27+0800"
+ }, {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "last-modified",
+ "value" : "2024-02-06T00:47:04+0800"
+ } ]
+ }, {
+ "title" : "Deny by Default - Allow by Exception",
+ "links" : [ {
+ "href" : "#0062e6a3-8ac4-44db-92df-8357b437ca0c",
+ "rel" : "reference",
+ "text" : "NIST SP 800-53 SC-7(5): Deny by Default - Allow by Exception"
+ }, {
+ "href" : "#da71948e-4dff-4a9d-a645-69ced821fe97",
+ "rel" : "reference",
+ "text" : "IM8 Cloud Security (IaaS and PaaS): 1.5/S3"
+ }, {
+ "href" : "#da71948e-4dff-4a9d-a645-69ced821fe97",
+ "rel" : "reference",
+ "text" : "IM8 Cloud Security (IaaS and PaaS): 1.5/S5"
+ }, {
+ "href" : "#da71948e-4dff-4a9d-a645-69ced821fe97",
+ "rel" : "reference",
+ "text" : "IM8 Cloud Security (IaaS and PaaS): 1.6/S1h"
+ }, {
+ "href" : "#da71948e-4dff-4a9d-a645-69ced821fe97",
+ "rel" : "reference",
+ "text" : "IM8 Cloud Security (IaaS and PaaS): 1.7/S23b"
+ }, {
+ "href" : "#f3057503-f399-4735-9d7b-ea9830f3b2ac",
+ "rel" : "reference",
+ "text" : "IM8 On-Premise IS (Non-S): 4.2/S1b"
+ }, {
+ "href" : "#52e1d19c-bf27-4de8-b66a-c2523c9a0d69",
+ "rel" : "reference",
+ "text" : "IM8 On-Premise AAS (Non-S): 2.2/S1"
+ } ],
+ "id" : "ns-3",
+ "parts" : [ {
+ "name" : "statement",
+ "id" : "ns-3_smt",
+ "prose" : "Deny network communications traffic by default and allow network communications traffic by exception at managed interfaces."
+ }, {
+ "name" : "guidance",
+ "id" : "ns-3_gdn",
+ "prose" : "Configure network access control lists and security groups to deny all traffic by default. Only allow traffic to and from specific hosts and ports by exception. For egress traffic to the internet, consider whitelisting domains at the application layer or DNS resolver rather than just hosts or ports at the transport layer."
+ } ],
+ "props" : [ {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "risk-statement",
+ "value" : "Without network access controls, there's an increased risk of unauthorised or malicious network access, leading to potential security breaches and compromise of system integrity."
+ }, {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "published",
+ "value" : "2023-08-11T22:26:01+0800"
+ }, {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "last-modified",
+ "value" : "2024-02-09T22:54:15+0800"
+ } ]
+ }, {
+ "title" : "Inter-Private Network Connectivity",
+ "links" : [ {
+ "href" : "#da71948e-4dff-4a9d-a645-69ced821fe97",
+ "rel" : "reference",
+ "text" : "IM8 Cloud Security (IaaS and PaaS): 1.5/S7"
+ }, {
+ "href" : "#da71948e-4dff-4a9d-a645-69ced821fe97",
+ "rel" : "reference",
+ "text" : "IM8 Cloud Security (IaaS and PaaS): 1.5/S4"
+ } ],
+ "id" : "ns-4",
+ "parts" : [ {
+ "name" : "statement",
+ "id" : "ns-4_smt",
+ "prose" : "Route network traffic between private networks without going through the internet."
+ }, {
+ "name" : "guidance",
+ "id" : "ns-4_gdn",
+ "prose" : "Use CSP Private endpoint services (e.g., AWS PrivateLink with VPC endpoints) when you want to allow one or more consumer VPCs unidirectional access to a specific service or set of instances in the service provider VPC. Otherwise, use VPC peering and Transit Gateway when you want to enable layer-3 IP connectivity between VPCs. Refer to the [Multi-VPC AWS Network Infrastructure Whitepaper](#9022563f-00b5-48d1-99a6-187503e7f869) for further guidance."
+ } ],
+ "props" : [ {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "risk-statement",
+ "value" : "When routing through the internet, there's an increased risk of man-in-the-middle and spoofing attacks. Allowing bidirectional access between networks without fine-grained access controls increases the risk of unauthorized access, potential data exfiltration, and compromise of network security compared to unidirectional access to specific resources."
+ }, {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "published",
+ "value" : "2023-08-11T22:26:01+0800"
+ }, {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "last-modified",
+ "value" : "2024-02-06T00:47:04+0800"
+ } ]
+ }, {
+ "title" : "Network and Application Layer Filtering",
+ "links" : [ {
+ "href" : "#da71948e-4dff-4a9d-a645-69ced821fe97",
+ "rel" : "reference",
+ "text" : "IM8 Cloud Security (IaaS and PaaS): 1.5/S5"
+ }, {
+ "href" : "#9749c983-5562-4a6f-8852-7eecf9b38d2c",
+ "rel" : "reference",
+ "text" : "IM8 On-Premise ADS (Non-S): 1.1/S4"
+ } ],
+ "id" : "ns-5",
+ "parts" : [ {
+ "name" : "statement",
+ "id" : "ns-5_smt",
+ "prose" : "Filter direct traffic from the internet to protect against network and application layer attacks."
+ }, {
+ "name" : "guidance",
+ "id" : "ns-5_gdn",
+ "prose" : "Deploy the following as required:\n\n- Web Application Firewall\n\n- Distributed Denial of Service Protection (e.g., AWS Shield)\n\n- Content Delivery Network (e.g., CloudFront)"
+ } ],
+ "props" : [ {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "risk-statement",
+ "value" : "Lack of filtering for direct traffic from the internet exposes the system to the risk of network and application layer attacks, increasing the likelihood of unauthorised access, denial-of-service incidents, and compromise of sensitive data."
+ }, {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "published",
+ "value" : "2023-08-11T22:26:01+0800"
+ }, {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "last-modified",
+ "value" : "2024-02-06T01:04:05+0800"
+ } ]
+ }, {
+ "title" : "Valid and Trusted SSL/TLS Certificates",
+ "links" : [ {
+ "href" : "#da71948e-4dff-4a9d-a645-69ced821fe97",
+ "rel" : "reference",
+ "text" : "IM8 Cloud Security (IaaS and PaaS): 1.5/S8"
+ } ],
+ "id" : "ns-6",
+ "parts" : [ {
+ "name" : "statement",
+ "id" : "ns-6_smt",
+ "parts" : [ {
+ "name" : "item",
+ "id" : "ns-6_smt.1",
+ "props" : [ {
+ "name" : "label",
+ "value" : "1"
+ } ],
+ "prose" : "signed by a trusted root Certificate Authority;"
+ }, {
+ "name" : "item",
+ "id" : "ns-6_smt.2",
+ "props" : [ {
+ "name" : "label",
+ "value" : "2"
+ } ],
+ "prose" : "match the domain name of the service they are issued for;"
+ }, {
+ "name" : "item",
+ "id" : "ns-6_smt.3",
+ "props" : [ {
+ "name" : "label",
+ "value" : "3"
+ } ],
+ "prose" : "not expired; and"
+ }, {
+ "name" : "item",
+ "id" : "ns-6_smt.4",
+ "props" : [ {
+ "name" : "label",
+ "value" : "4"
+ } ],
+ "prose" : "not revoked."
+ } ],
+ "prose" : "Ensure that deployed SSL/TLS certificates are:"
+ }, {
+ "name" : "guidance",
+ "id" : "ns-6_gdn",
+ "prose" : "Configure a certificate manager that auto-renews certificates and sends alerts before expiry (e.g., AWS Certificate Manager). Otherwise, automate these functions separately."
+ } ],
+ "props" : [ {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "risk-statement",
+ "value" : "Using invalid SSL/TLS certificates introduces the risk of compromised encryption, man-in-the-middle attacks, and potential unauthorised access to sensitive information."
+ }, {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "published",
+ "value" : "2023-08-11T22:26:01+0800"
+ }, {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "last-modified",
+ "value" : "2024-02-09T23:02:51+0800"
+ } ]
+ }, {
+ "title" : "Secure Inter-Service Communication",
+ "id" : "ns-7",
+ "parts" : [ {
+ "name" : "statement",
+ "id" : "ns-7_smt",
+ "prose" : "Ensure communications between services are secure by making them authenticated, authorised and encrypted."
+ }, {
+ "name" : "guidance",
+ "id" : "ns-7_gdn",
+ "prose" : "Design and build inter-service communications (e.g., databases, microservices) to be authenticated, authorised and encrypted (e.g., via API gateways, proxies, private endpoint services, message queues, or service meshes). It is recommended to log communication (such as access logs, transaction logs or payloads) between services for detection, monitoring and investigation of incidents."
+ } ],
+ "props" : [ {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "risk-statement",
+ "value" : "Failure to ensure secure communications between services increases the risk of unauthorised access, data breaches, and potential manipulation of sensitive information during transit."
+ }, {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "published",
+ "value" : "2023-08-11T22:26:01+0800"
+ }, {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "last-modified",
+ "value" : "2024-01-19T17:00:00+0800"
+ } ]
+ }, {
+ "title" : "Secure Government Enterprise Network (GEN) connectivity",
+ "id" : "ns-8",
+ "parts" : [ {
+ "name" : "statement",
+ "id" : "ns-8_smt",
+ "prose" : "Route network traffic between on-premises systems and GCC systems through a secure intermediary."
+ }, {
+ "name" : "guidance",
+ "id" : "ns-8_gdn",
+ "prose" : "Design and build secure communications to or from on-premises systems (e.g. Government Enterprise Network (GEN)) through a Gateway rather than direct connectivity (e.g.
via API gateways, Application proxies or private endpoint services)."
+ } ],
+ "props" : [ {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "risk-statement",
+ "value" : "Routing network traffic through a secure intermediary mitigates the risk of unauthorised access and cross-network compromise in the case of bridging or direct connectivity."
+ }, {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "published",
+ "value" : "2023-08-23T23:58:33+0800"
+ }, {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "last-modified",
+ "value" : "2023-09-18T16:12:40+0800"
+ } ]
+ }, {
+ "title" : "Intrusion Prevention System (IPS)/Intrusion Detection System (IDS)",
+ "links" : [ {
+ "href" : "#f3057503-f399-4735-9d7b-ea9830f3b2ac",
+ "rel" : "reference",
+ "text" : "IM8 On-Premise IS (Non-S): 4.2/S3d"
+ } ],
+ "id" : "ns-9",
+ "parts" : [ {
+ "name" : "statement",
+ "id" : "ns-9_smt",
+ "prose" : "Set up and configure an Intrusion Prevention System (IPS)/Intrusion Detection System (IDS) in the network."
+ }, {
+ "name" : "guidance",
+ "id" : "ns-9_gdn",
+ "prose" : "Configure network or host IPS/IDS to detect malicious traffic to/from public or untrusted networks."
+ } ],
+ "props" : [ {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "risk-statement",
+ "value" : "Absence of network or host IPS or IDS in the network increases the likelihood of undetected intrusions, putting sensitive data and system integrity at risk."
+ }, {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "published",
+ "value" : "2023-10-27T16:02:27+0800"
+ }, {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "last-modified",
+ "value" : "2024-02-06T01:04:05+0800"
+ } ]
+ }, {
+ "title" : "Private Network Connectivity",
+ "links" : [ {
+ "href" : "#f3057503-f399-4735-9d7b-ea9830f3b2ac",
+ "rel" : "reference",
+ "text" : "IM8 On-Premise IS (Non-S): 5.4"
+ } ],
+ "id" : "ns-10",
+ "parts" : [ {
+ "name" : "statement",
+ "id" : "ns-10_smt",
+ "prose" : "Implement strong access controls, encryption, and logging for remote developer, maintainer, or administrator access to private network resources."
+ }, {
+ "name" : "guidance",
+ "id" : "ns-10_gdn",
+ "prose" : "Use strong authentication and MFA (except for mobile GFE). Layered security mechanisms and controls include:\n\nInspect traffic from gateway to private network;\n\nTerminate all remote access connections in a dedicated network segment within the network and restrict access to only systems and services allowed by the Agencies; Implement strong encryption for remote access into school staff network; Only authorised Government Furnished Equipment (GFE) shall be used for remote access connection to SSN; Make sure that remote access connections are not perpetual or to re-authenticate remote users to the VPN gateway on a periodic basis (such as every four hours); Set the maximum number of consecutive failed authentication attempts before account lockout for remote access into SSN; and Make sure that split tunnelling is not implemented."
+ } ],
+ "props" : [ {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "risk-statement",
+ "value" : "Weak private network security may expose our network to malicious activities, jeopardizing the confidentiality, integrity, and availability of critical resources."
+ }, {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "published",
+ "value" : "2023-10-27T16:06:38+0800"
+ }, {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "last-modified",
+ "value" : "2024-02-09T22:54:15+0800"
+ } ]
+ }, {
+ "title" : "Alerts on Firewall Configuration Changes",
+ "links" : [ {
+ "href" : "#f3057503-f399-4735-9d7b-ea9830f3b2ac",
+ "rel" : "reference",
+ "text" : "IM8 On-Premise IS (Non-S): 4.3/S2"
+ } ],
+ "id" : "ns-11",
+ "parts" : [ {
+ "name" : "statement",
+ "id" : "ns-11_smt",
+ "prose" : "Generate alerts to inform appointed administrators on changes to firewall rules, including the enabling or disabling of rules."
+ }, {
+ "name" : "guidance",
+ "id" : "ns-11_gdn",
+ "prose" : "Implement real time alerts to inform administrators of creation, deletion, modification, enabling and disabling of firewall rules. Also alert administrators when unusual or sudden spike/drop in utilisation of firewall's system resources."
+ } ],
+ "props" : [ {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "risk-statement",
+ "value" : "Any unintended changes to firewall rules can significantly lower the perimeter defence of a network."
+ }, {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "published",
+ "value" : "2024-02-29T16:06:38+0800"
+ }, {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "last-modified",
+ "value" : "2024-02-06T01:04:05+0800"
+ } ]
+ } ]
+ }, {
+ "title" : "Backup and Recovery",
+ "id" : "br",
+ "parts" : [ {
+ "name" : "overview",
+ "prose" : "Controls to support backup and disaster recovery."
+ } ],
+ "controls" : [ {
+ "title" : "Backup",
+ "links" : [ {
+ "href" : "#8723fc45-7378-478f-b61f-2e22a170e98c",
+ "rel" : "reference",
+ "text" : "MVSP 4.4: Backup and Disaster recovery"
+ }, {
+ "href" : "#da71948e-4dff-4a9d-a645-69ced821fe97",
+ "rel" : "reference",
+ "text" : "IM8 Cloud Security (IaaS and PaaS): 1.2/S2"
+ }, {
+ "href" : "#f3057503-f399-4735-9d7b-ea9830f3b2ac",
+ "rel" : "reference",
+ "text" : "IM8 On-Premise IS (Non-S): 1.5/S1"
+ } ],
+ "id" : "br-1",
+ "parts" : [ {
+ "name" : "statement",
+ "id" : "br-1_smt",
+ "prose" : "Regularly backup all important data and systems, and store backups in a secure and separate location."
+ }, {
+ "name" : "guidance",
+ "id" : "br-1_gdn",
+ "prose" : "Use default CSP-managed backup services (e.g., AWS Backup, Azure Backup, GCP Backup and DR Service). Consider alternative backup services only when default CSP services cannot be used. Store backups and snapshots separately to primary data storage with data encrypted-at-rest."
+ } ],
+ "props" : [ {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "risk-statement",
+ "value" : "Without regular backups stored in a secure and separate location, there is an increased risk of data loss, system failures, and extended downtime in the event of accidental deletion, hardware failures, or malicious attacks."
+ }, {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "published",
+ "value" : "2023-08-10T18:00:44+0800"
+ }, {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "last-modified",
+ "value" : "2024-02-06T01:04:05+0800"
+ } ]
+ }, {
+ "title" : "Recovery Testing",
+ "links" : [ {
+ "href" : "#8723fc45-7378-478f-b61f-2e22a170e98c",
+ "rel" : "reference",
+ "text" : "MVSP 4.4: Backup and Disaster recovery"
+ }, {
+ "href" : "#da71948e-4dff-4a9d-a645-69ced821fe97",
+ "rel" : "reference",
+ "text" : "IM8 Cloud Security (IaaS and PaaS): 1.2/S1d"
+ }, {
+ "href" : "#f3057503-f399-4735-9d7b-ea9830f3b2ac",
+ "rel" : "reference",
+ "text" : "IM8 On-Premise IS (Non-S): 1.5/S1d"
+ } ],
+ "id" : "br-2",
+ "parts" : [ {
+ "name" : "statement",
+ "id" : "br-2_smt",
+ "prose" : "Conduct regular testing of recovery processes to ensure their effectiveness."
+ }, {
+ "name" : "guidance",
+ "id" : "br-2_gdn",
+ "prose" : "Ensure each test verifies the system's ability to fully restore all data and services."
+ } ],
+ "props" : [ {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "risk-statement",
+ "value" : "Failure to regularly test recovery processes may result in ineffective response during actual incidents, increasing the risk of prolonged downtime, data loss, and compromised business continuity in the event of a disaster or system failure."
+ }, {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "published",
+ "value" : "2023-08-10T18:00:44+0800"
+ }, {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "last-modified",
+ "value" : "2024-02-06T01:04:05+0800"
+ } ]
+ }, {
+ "params" : [ {
+ "guidelines" : [ {
+ "prose" : "The time period in days of backup retention."
+ } ],
+ "id" : "br-3_prm_1",
+ "label" : "time period (days)",
+ "class" : "int"
+ } ],
+ "title" : "Backup Retention",
+ "links" : [ {
+ "href" : "#8723fc45-7378-478f-b61f-2e22a170e98c",
+ "rel" : "reference",
+ "text" : "MVSP 4.4: Backup and Disaster recovery"
+ }, {
+ "href" : "#da71948e-4dff-4a9d-a645-69ced821fe97",
+ "rel" : "reference",
+ "text" : "IM8 Cloud Security (IaaS and PaaS): 1.2/S1b"
+ }, {
+ "href" : "#f3057503-f399-4735-9d7b-ea9830f3b2ac",
+ "rel" : "reference",
+ "text" : "IM8 On-Premise IS (Non-S): 1.5/S2c"
+ } ],
+ "id" : "br-3",
+ "parts" : [ {
+ "name" : "statement",
+ "id" : "br-3_smt",
+ "prose" : "Prevent backups from being modified or deleted for {{ insert: param, br-3_prm_1 }} day(s) or as stipulated in the agency's data retention policies."
+ }, {
+ "name" : "guidance",
+ "id" : "br-3_gdn",
+ "prose" : "Use S3 Object Lock or immutable storage for Azure Blob Storage to enforce time-based retention policies."
+ } ],
+ "props" : [ {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "risk-statement",
+ "value" : "Lack of prevention measures against the modification or deletion of backups for the specified duration increases the risk of data loss, unauthorised alterations, and potential inability to recover from incidents, compromising the integrity and availability of critical information."
+ }, {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "published",
+ "value" : "2023-08-28T17:32:36+0800"
+ }, {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "last-modified",
+ "value" : "2024-02-09T22:54:15+0800"
+ } ]
+ } ]
+ }, {
+ "title" : "Data Protection",
+ "id" : "dp",
+ "parts" : [ {
+ "name" : "overview",
+ "prose" : "Controls to protect the data of a system."
+ } ],
+ "controls" : [ {
+ "title" : "Data Residency",
+ "links" : [ {
+ "href" : "#8723fc45-7378-478f-b61f-2e22a170e98c",
+ "rel" : "reference",
+ "text" : "MVSP 1.6: Compliance"
+ }, {
+ "href" : "#da71948e-4dff-4a9d-a645-69ced821fe97",
+ "rel" : "reference",
+ "text" : "IM8 Cloud Security (IaaS and PaaS): 1.3/S3"
+ }, {
+ "href" : "#f3057503-f399-4735-9d7b-ea9830f3b2ac",
+ "rel" : "reference",
+ "text" : "IM8 On-Premise IS (Non-S): 1.1/S1a"
+ } ],
+ "id" : "dp-1",
+ "parts" : [ {
+ "name" : "statement",
+ "id" : "dp-1_smt",
+ "prose" : "Enforce data residency of primary data in Singapore."
+ }, {
+ "name" : "guidance",
+ "id" : "dp-1_gdn",
+ "prose" : "Use the Singapore region of cloud service providers for compute and storage of primary data, such as ap-southeast-1 for AWS."
+ } ],
+ "props" : [ {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "risk-statement",
+ "value" : "Failure to enforce data residency of primary data in Singapore may lead to legal and regulatory compliance issues, privacy concerns, and potential unauthorised access or storage of sensitive data outside the jurisdiction, increasing the risk of legal consequences and data breaches."
+ }, {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "published",
+ "value" : "2023-08-10T23:29:40+0800"
+ }, {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "last-modified",
+ "value" : "2024-02-06T01:04:05+0800"
+ } ]
+ }, {
+ "title" : "Data at Rest Encryption",
+ "links" : [ {
+ "href" : "#8723fc45-7378-478f-b61f-2e22a170e98c",
+ "rel" : "reference",
+ "text" : "MVSP 2.8: Encryption"
+ }, {
+ "href" : "#da71948e-4dff-4a9d-a645-69ced821fe97",
+ "rel" : "reference",
+ "text" : "IM8 Cloud Security (IaaS and PaaS): 1.3/S2a"
+ }, {
+ "href" : "#9749c983-5562-4a6f-8852-7eecf9b38d2c",
+ "rel" : "reference",
+ "text" : "IM8 On-Premise ADS (Non-S): 1.1/S1h"
+ } ],
+ "id" : "dp-2",
+ "parts" : [ {
+ "name" : "statement",
+ "id" : "dp-2_smt",
+ "prose" : "Encrypt data at rest."
+ }, {
+ "name" : "guidance",
+ "id" : "dp-2_gdn",
+ "prose" : "Many CSP services encrypt data at rest by default but this should be confirmed and validated depending on service usage."
+ } ],
+ "props" : [ {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "risk-statement",
+ "value" : "Without encrypting data at rest, there's an increased risk of unauthorised access and data exposure in the event of physical theft, unauthorised access to storage media, or compromised security controls, compromising the confidentiality of stored information."
+ }, {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "published",
+ "value" : "2023-08-10T23:29:40+0800"
+ }, {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "last-modified",
+ "value" : "2024-02-06T01:04:05+0800"
+ } ]
+ }, {
+ "title" : "Data in Transit Encryption",
+ "links" : [ {
+ "href" : "#8723fc45-7378-478f-b61f-2e22a170e98c",
+ "rel" : "reference",
+ "text" : "MVSP 2.8: Encryption"
+ }, {
+ "href" : "#da71948e-4dff-4a9d-a645-69ced821fe97",
+ "rel" : "reference",
+ "text" : "IM8 Cloud Security (IaaS and PaaS): 1.3/S2b"
+ }, {
+ "href" : "#9749c983-5562-4a6f-8852-7eecf9b38d2c",
+ "rel" : "reference",
+ "text" : "IM8 On-Premise ADS (Non-S): 3.1/S3"
+ } ],
+ "id" : "dp-3",
+ "parts" : [ {
+ "name" : "statement",
+ "id" : "dp-3_smt",
+ "prose" : "Encrypt data in transit."
+ }, {
+ "name" : "guidance",
+ "id" : "dp-3_gdn",
+ "prose" : "While some CSP services transparently encrypt data in transit at the network layer, data at the application layer should be encrypted using protocols such as Transport Layer Security (TLS)."
+ } ],
+ "props" : [ {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "risk-statement",
+ "value" : "Failure to encrypt data in transit increases the risk of unauthorised interception and eavesdropping, potentially leading to data breaches, unauthorised access, and compromise of sensitive information during transmission."
+ }, {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "published",
+ "value" : "2023-08-10T23:29:40+0800"
+ }, {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "last-modified",
+ "value" : "2024-02-06T01:04:05+0800"
+ } ]
+ }, {
+ "title" : "Government on Commercial Cloud (GCC)",
+ "links" : [ {
+ "href" : "#8723fc45-7378-478f-b61f-2e22a170e98c",
+ "rel" : "reference",
+ "text" : "MVSP 1.6: Compliance"
+ }, {
+ "href" : "#da71948e-4dff-4a9d-a645-69ced821fe97",
+ "rel" : "reference",
+ "text" : "IM8 Cloud Security (IaaS and PaaS): 1.1/S4"
+ } ],
+ "id" : "dp-4",
+ "parts" : [ {
+ "name" : "statement",
+ "id" : "dp-4_smt",
+ "prose" : "Host systems classified as CONFIDENTIAL (CLOUD-ELIGIBLE), RESTRICTED, or OFFICIAL-CLOSED on Commercial Cloud hosting environments in GCC."
+ }, {
+ "name" : "guidance",
+ "id" : "dp-4_gdn",
+ "prose" : "GCC allows oversight to be maintained at the Whole-of-Government level and implements several controls by default."
+ } ],
+ "props" : [ {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "risk-statement",
+ "value" : "Hosting higher-sensitivity systems in Government on Commercial Cloud (GCC) ensures compliance with security classifications, reducing the risk of unauthorised access and maintaining data confidentiality according to government security standards."
+ }, {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "published",
+ "value" : "2023-08-18T12:51:56+0800"
+ }, {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "last-modified",
+ "value" : "2024-02-06T00:47:04+0800"
+ } ]
+ }, {
+ "title" : "Sanitisation",
+ "links" : [ {
+ "href" : "#f3057503-f399-4735-9d7b-ea9830f3b2ac",
+ "rel" : "reference",
+ "text" : "IM8 On-Premise IS (Non-S): 3.3/S1"
+ } ],
+ "id" : "dp-5",
+ "parts" : [ {
+ "name" : "statement",
+ "id" : "dp-5_smt",
+ "prose" : "Sanitise all hardware that stores data at rest. Shred or incinerate data storage meant for retirement."
+ }, {
+ "name" : "guidance",
+ "id" : "dp-5_gdn",
+ "prose" : "Use industry standards such as a) Peter Gutmann Secure Deletion; b) Bruce Schneier Algorithm c) US Department of Defence's Standards (DoD 5220.22-M)."
+ } ],
+ "props" : [ {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "risk-statement",
+ "value" : "Violating this control can expose government data to unauthorised users."
+ }, {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "published",
+ "value" : "2023-10-27T16:50:47+0800"
+ }, {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "last-modified",
+ "value" : "2024-02-06T01:04:05+0800"
+ } ]
+ }, {
+ "title" : "Witness Sanitisation and Destruction of Storage Devices",
+ "links" : [ {
+ "href" : "#f3057503-f399-4735-9d7b-ea9830f3b2ac",
+ "rel" : "reference",
+ "text" : "IM8 On-Premise IS (Non-S): 3.3/S1"
+ } ],
+ "id" : "dp-6",
+ "parts" : [ {
+ "name" : "statement",
+ "id" : "dp-6_smt",
+ "prose" : "Witness the sanitisation and destruction process to ensure data is removed from storage."
+ }, {
+ "name" : "guidance",
+ "id" : "dp-6_gdn",
+ "prose" : "Establish a SOP to ensure sanitisation and destruction are witnessed by an agency staff."
+ } ],
+ "props" : [ {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "risk-statement",
+ "value" : "Ensuring storage devices are sanitised or destroyed will eliminate the possibility of unauthorised or unintended data retention."
+ }, {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "published",
+ "value" : "2024-02-29T16:50:47+0800"
+ }, {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "last-modified",
+ "value" : "2024-02-06T01:04:05+0800"
+ } ]
+ } ]
+ }, {
+ "title" : "Logging and Monitoring",
+ "id" : "lm",
+ "parts" : [ {
+ "name" : "overview",
+ "prose" : "Controls to support detection and response to security and operations incidents."
+ } ],
+ "controls" : [ {
+ "title" : "Separate Log Storage",
+ "links" : [ {
+ "href" : "#8723fc45-7378-478f-b61f-2e22a170e98c",
+ "rel" : "reference",
+ "text" : "MVSP 2.7: Logging"
+ }, {
+ "href" : "#0062e6a3-8ac4-44db-92df-8357b437ca0c",
+ "rel" : "reference",
+ "text" : "NIST SP 800-53 AU-9(2): Store on Separate Physical Systems or Components"
+ }, {
+ "href" : "#f3057503-f399-4735-9d7b-ea9830f3b2ac",
+ "rel" : "reference",
+ "text" : "IM8 On-Premise IS (Non-S): 7.2/S8"
+ } ],
+ "id" : "lm-1",
+ "parts" : [ {
+ "name" : "statement",
+ "id" : "lm-1_smt",
+ "prose" : "Store logs in a repository that is part of a different system or system component than the system or component being audited."
+ }, {
+ "name" : "guidance",
+ "id" : "lm-1_gdn",
+ "prose" : "Send logs to the separate storage as soon as possible after the logged event. For cloud audit logs, store them in a separate service or account (such as AWS Organisation Cloudtrail in GCC). Sending logs to the Government Cyber Security Operations Centre (GCSOC) or the central Government Commercial Cloud (GCC) log bucket can also satisfy this control."
+ } ],
+ "props" : [ {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "risk-statement",
+ "value" : "Storing logs in a repository separate from the audited system or component enhances security by reducing the risk of tampering, unauthorised access, and manipulation of audit trails, ensuring the integrity and reliability of log data for forensic analysis and compliance purposes."
+ }, {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "published",
+ "value" : "2023-08-16T12:41:27+0800"
+ }, {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "last-modified",
+ "value" : "2024-02-06T01:04:05+0800"
+ } ]
+ }, {
+ "title" : "Tamper-Resistant Log Storage",
+ "links" : [ {
+ "href" : "#da71948e-4dff-4a9d-a645-69ced821fe97",
+ "rel" : "reference",
+ "text" : "IM8 Cloud Security (IaaS and PaaS): 1.9/S4"
+ }, {
+ "href" : "#da71948e-4dff-4a9d-a645-69ced821fe97",
+ "rel" : "reference",
+ "text" : "IM8 Cloud Security (IaaS and PaaS): 1.9/S5"
+ }, {
+ "href" : "#da71948e-4dff-4a9d-a645-69ced821fe97",
+ "rel" : "reference",
+ "text" : "IM8 Cloud Security (IaaS and PaaS): 1.9/S9d"
+ }, {
+ "href" : "#f3057503-f399-4735-9d7b-ea9830f3b2ac",
+ "rel" : "reference",
+ "text" : "IM8 On-Premise IS (Non-S): 7.1/S2"
+ } ],
+ "id" : "lm-2",
+ "parts" : [ {
+ "name" : "statement",
+ "id" : "lm-2_smt",
+ "prose" : "Protect logs from unauthorised access, modification, and deletion."
+ }, {
+ "name" : "guidance",
+ "id" : "lm-2_gdn",
+ "prose" : "Apply access control policies to logs based on the principle of least privilege. As far as possible, only read access should be granted. Logs sent to GCC Central Logs are tamper-resistant."
+ } ],
+ "props" : [ {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "risk-statement",
+ "value" : "Without protection measures, logs are susceptible to unauthorised access, modification, or deletion, leading to the risk of tampering, loss of crucial audit information, and compromised forensic analysis capabilities during security incidents."
+ }, {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "published",
+ "value" : "2023-08-16T12:41:27+0800"
+ }, {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "last-modified",
+ "value" : "2024-02-06T01:04:05+0800"
+ } ]
+ }, {
+ "title" : "Network Flow Logging",
+ "links" : [ {
+ "href" : "#da71948e-4dff-4a9d-a645-69ced821fe97",
+ "rel" : "reference",
+ "text" : "IM8 Cloud Security (IaaS and PaaS): 1.5/S6a"
+ } ],
+ "id" : "lm-3",
+ "parts" : [ {
+ "name" : "statement",
+ "id" : "lm-3_smt",
+ "prose" : "Log network traffic going to and from network interfaces."
+ }, {
+ "name" : "guidance",
+ "id" : "lm-3_gdn",
+ "prose" : "Enable VPC Flow Logs for AWS or its equivalents."
+ } ],
+ "props" : [ {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "risk-statement",
+ "value" : "Failing to log network traffic going to and from network interfaces increases the risk of overlooking suspicious activities, potential security breaches, and the inability to trace and investigate network-related incidents effectively."
+ }, {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "published",
+ "value" : "2023-08-16T12:41:27+0800"
+ }, {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "last-modified",
+ "value" : "2024-02-06T00:47:04+0800"
+ } ]
+ }, {
+ "title" : "Cloud Management Event Logging",
+ "links" : [ {
+ "href" : "#8723fc45-7378-478f-b61f-2e22a170e98c",
+ "rel" : "reference",
+ "text" : "MVSP 2.7: Logging"
+ }, {
+ "href" : "#da71948e-4dff-4a9d-a645-69ced821fe97",
+ "rel" : "reference",
+ "text" : "IM8 Cloud Security (IaaS and PaaS): 1.9/S7"
+ } ],
+ "id" : "lm-4",
+ "parts" : [ {
+ "name" : "statement",
+ "id" : "lm-4_smt",
+ "prose" : "Log management and audit events on cloud resources."
+ }, {
+ "name" : "guidance",
+ "id" : "lm-4_gdn",
+ "prose" : "Configure CloudTrail for AWS or its equivalents to log management and audit events such as changes to IAM policies and resources."
+ } ],
+ "props" : [ {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "risk-statement",
+ "value" : "Neglecting to log and manage audit events on cloud resources increases the risk of undetected security incidents, compromises visibility into system activities, and hinders effective forensic analysis and compliance monitoring in cloud environments."
+ }, {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "published",
+ "value" : "2023-08-16T12:41:27+0800"
+ }, {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "last-modified",
+ "value" : "2024-02-06T00:47:04+0800"
+ } ]
+ }, {
+ "title" : "Database Logging",
+ "links" : [ {
+ "href" : "#8723fc45-7378-478f-b61f-2e22a170e98c",
+ "rel" : "reference",
+ "text" : "MVSP 2.7: Logging"
+ }, {
+ "href" : "#da71948e-4dff-4a9d-a645-69ced821fe97",
+ "rel" : "reference",
+ "text" : "IM8 Cloud Security (IaaS and PaaS): 1.9/S3"
+ } ],
+ "id" : "lm-5",
+ "parts" : [ {
+ "name" : "statement",
+ "id" : "lm-5_smt",
+ "prose" : "Log database audit events."
+ }, {
+ "name" : "guidance",
+ "id" : "lm-5_gdn",
+ "prose" : "Enable RDS logging for AWS or its equivalents."
+ } ],
+ "props" : [ {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "risk-statement",
+ "value" : "Neglecting to log database audit events raises the risk of overlooking unauthorised activities, compromises in data security, and hinders the ability to track and investigate security incidents or compliance violations within the database environment."
+ }, {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "published",
+ "value" : "2023-08-16T12:41:27+0800"
+ }, {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "last-modified",
+ "value" : "2024-02-06T00:47:04+0800"
+ } ]
+ }, {
+ "title" : "Access Logging",
+ "links" : [ {
+ "href" : "#8723fc45-7378-478f-b61f-2e22a170e98c",
+ "rel" : "reference",
+ "text" : "MVSP 2.7: Logging"
+ }, {
+ "href" : "#da71948e-4dff-4a9d-a645-69ced821fe97",
+ "rel" : "reference",
+ "text" : "IM8 Cloud Security (IaaS and PaaS): 1.6/S4e"
+ }, {
+ "href" : "#da71948e-4dff-4a9d-a645-69ced821fe97",
+ "rel" : "reference",
+ "text" : "IM8 Cloud Security (IaaS and PaaS): 1.9/S3"
+ }, {
+ "href" : "#f3057503-f399-4735-9d7b-ea9830f3b2ac",
+ "rel" : "reference",
+ "text" : "IM8 On-Premise IS (Non-S): 7.1/S3"
+ } ],
+ "id" : "lm-6",
+ "parts" : [ {
+ "name" : "statement",
+ "id" : "lm-6_smt",
+ "prose" : "Log access requests sent to web application firewalls, load balancers, proxies or web servers."
+ }, {
+ "name" : "guidance",
+ "id" : "lm-6_gdn",
+ "prose" : "Enable AWS WAF logging, Application Load Balancer logging, API Gateways, or their equivalents."
+ } ],
+ "props" : [ {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "risk-statement",
+ "value" : "Failure to log access requests sent to web application firewalls, load balancers, proxies, or web servers increases the risk of overlooking potential security threats, unauthorised access attempts, and compromises visibility into the traffic that could lead to security incidents."
+ }, {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "published",
+ "value" : "2023-08-16T12:41:27+0800"
+ }, {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "last-modified",
+ "value" : "2024-02-06T01:04:05+0800"
+ } ]
+ }, {
+ "title" : "Security Event Logging",
+ "links" : [ {
+ "href" : "#da71948e-4dff-4a9d-a645-69ced821fe97",
+ "rel" : "reference",
+ "text" : "IM8 Cloud Security (IaaS and PaaS): 1.9/S2"
+ } ],
+ "id" : "lm-7",
+ "parts" : [ {
+ "name" : "statement",
+ "id" : "lm-7_smt",
+ "prose" : "Log security events on hosts and other cloud resources."
+ }, {
+ "name" : "guidance",
+ "id" : "lm-7_gdn",
+ "prose" : "Security events include operating system security events, authentication and audit logs, and endpoint detection and response alerts."
+ } ],
+ "props" : [ {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "risk-statement",
+ "value" : "Neglecting to log security events on hosts and other cloud resources increases the risk of undetected security incidents, compromises incident response capabilities, and hinders forensic analysis, limiting the ability to identify and mitigate potential threats."
+ }, {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "published",
+ "value" : "2023-08-16T12:41:27+0800"
+ }, {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "last-modified",
+ "value" : "2024-02-06T00:47:04+0800"
+ } ]
+ }, {
+ "params" : [ {
+ "guidelines" : [ {
+ "prose" : "The time period in days of log retention."
+ } ],
+ "id" : "lm-8_prm_1",
+ "label" : "time period (days)",
+ "class" : "int"
+ } ],
+ "title" : "Security Log Retention",
+ "links" : [ {
+ "href" : "#8723fc45-7378-478f-b61f-2e22a170e98c",
+ "rel" : "reference",
+ "text" : "MVSP 2.7: Logging"
+ }, {
+ "href" : "#da71948e-4dff-4a9d-a645-69ced821fe97",
+ "rel" : "reference",
+ "text" : "IM8 Cloud Security (IaaS and PaaS): 1.9/S3"
+ }, {
+ "href" : "#da71948e-4dff-4a9d-a645-69ced821fe97",
+ "rel" : "reference",
+ "text" : "IM8 Cloud Security (IaaS and PaaS): 1.9/S9"
+ }, {
+ "href" : "#da71948e-4dff-4a9d-a645-69ced821fe97",
+ "rel" : "reference",
+ "text" : "IM8 Cloud Security (IaaS and PaaS): 1.9/S13"
+ }, {
+ "href" : "#f3057503-f399-4735-9d7b-ea9830f3b2ac",
+ "rel" : "reference",
+ "text" : "IM8 On-Premise IS (Non-S): 7.2/S6"
+ } ],
+ "id" : "lm-8",
+ "parts" : [ {
+ "name" : "statement",
+ "id" : "lm-8_smt",
+ "prose" : "Retain security logs for at least {{ insert: param, lm-8_prm_1 }} day(s)."
+ }, {
+ "name" : "guidance",
+ "id" : "lm-8_gdn",
+ "prose" : "Security logs include network flow logs, cloud management logs, access logs, database logs and host logs. Retain non-security logs (e.g. application, operations and performance logs) as long as needed for incident resolution and debugging. Consider log lifecycle management automation, such as Amazon S3 Lifecycle configurations."
+ } ],
+ "props" : [ {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "risk-statement",
+ "value" : "Failure to retain security logs increases the risk of losing crucial historical data, hindering investigations, compliance audits, and the ability to identify and respond to security incidents that occurred beyond a limited timeframe."
+ }, {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "published",
+ "value" : "2023-08-16T12:41:27+0800"
+ }, {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "last-modified",
+ "value" : "2024-02-09T22:54:15+0800"
+ } ]
+ }, {
+ "title" : "Security Monitoring and Alerting",
+ "links" : [ {
+ "href" : "#da71948e-4dff-4a9d-a645-69ced821fe97",
+ "rel" : "reference",
+ "text" : "IM8 Cloud Security (IaaS and PaaS): 1.9/S3"
+ }, {
+ "href" : "#da71948e-4dff-4a9d-a645-69ced821fe97",
+ "rel" : "reference",
+ "text" : "IM8 Cloud Security (IaaS and PaaS): 1.9/S7"
+ }, {
+ "href" : "#da71948e-4dff-4a9d-a645-69ced821fe97",
+ "rel" : "reference",
+ "text" : "IM8 Cloud Security (IaaS and PaaS): 1.9/S10"
+ }, {
+ "href" : "#da71948e-4dff-4a9d-a645-69ced821fe97",
+ "rel" : "reference",
+ "text" : "IM8 Cloud Security (IaaS and PaaS): 1.9/S11"
+ }, {
+ "href" : "#da71948e-4dff-4a9d-a645-69ced821fe97",
+ "rel" : "reference",
+ "text" : "IM8 Cloud Security (IaaS and PaaS): 1.9/S13"
+ }, {
+ "href" : "#f3057503-f399-4735-9d7b-ea9830f3b2ac",
+ "rel" : "reference",
+ "text" : "IM8 On-Premise IS (Non-S): 7.2/S10"
+ } ],
+ "id" : "lm-9",
+ "parts" : [ {
+ "name" : "statement",
+ "id" : "lm-9_smt",
+ "prose" : "Configure security monitoring to identify potential security violations or breaches and send automated alerts."
+ }, {
+ "name" : "guidance",
+ "id" : "lm-9_gdn",
+ "prose" : "Enable Amazon GuardDuty, Microsoft Azure Security Center, or their equivalents."
+ } ],
+ "props" : [ {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "risk-statement",
+ "value" : "Without configuring security monitoring to identify potential security violations or breaches and send automated alerts, there's an increased risk of delayed or unnoticed security incidents, hindering timely response and mitigation efforts to protect the system from further compromise."
+ }, {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "published",
+ "value" : "2023-08-16T12:41:27+0800"
+ }, {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "last-modified",
+ "value" : "2024-02-06T01:04:05+0800"
+ } ]
+ }, {
+ "title" : "Resource Usage Monitoring and Alerting",
+ "links" : [ {
+ "href" : "#da71948e-4dff-4a9d-a645-69ced821fe97",
+ "rel" : "reference",
+ "text" : "IM8 Cloud Security (IaaS and PaaS): 1.9/S8"
+ } ],
+ "id" : "lm-10",
+ "parts" : [ {
+ "name" : "statement",
+ "id" : "lm-10_smt",
+ "prose" : "Configure resource usage monitoring to identify abnormal usage and send automated alerts."
+ }, {
+ "name" : "guidance",
+ "id" : "lm-10_gdn",
+ "prose" : "Configure Amazon CloudWatch alarms, Azure Monitor alerts, or their equivalents to identify abnormal usage such as spike in usage, access to resources during expected hours, and excessive charges."
+ } ],
+ "props" : [ {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "risk-statement",
+ "value" : "Lack of resource usage monitoring with automated alerts increases the risk of overlooking abnormal usage patterns, potential resource abuse, and compromises in system performance, hindering the ability to proactively address issues and prevent service disruptions."
+ }, {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "published",
+ "value" : "2023-08-16T12:41:27+0800"
+ }, {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "last-modified",
+ "value" : "2024-02-06T00:47:04+0800"
+ } ]
+ }, {
+ "title" : "Service Level Monitoring and Alerting",
+ "links" : [ {
+ "href" : "#ee9148b4-3f31-48c8-8503-24fb5cd73db8",
+ "rel" : "reference",
+ "text" : "IM8 Cloud ADS: 11.1/G3"
+ } ],
+ "id" : "lm-11",
+ "parts" : [ {
+ "name" : "statement",
+ "id" : "lm-11_smt",
+ "prose" : "Monitor, maintain and alert on service level objectives (SLOs) and indicators (SLIs) to ensure consistent service performance, availability and reliability."
+ }, {
+ "name" : "guidance",
+ "id" : "lm-11_gdn",
+ "prose" : "Implement a comprehensive monitoring system that tracks key SLIs and evaluates them against defined SLOs. This will help in identifying potential service level breaches early and take proactive measures to maintain service quality. Examples include Cloudwatch metrics and alerts, Amazon Route 53 health checks, Azure Monitor Application Insights, or their equivalents."
+ } ],
+ "props" : [ {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "risk-statement",
+ "value" : "Without effective service level monitoring to identify potential application or service degradation and send automated alerts, there is a risk of failing to meet service availability standards, which could result in user dissatisfaction and reduced reliability."
+ }, {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "published",
+ "value" : "2024-01-04T15:30:00+0800"
+ }, {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "last-modified",
+ "value" : "2024-02-06T01:04:05+0800"
+ } ]
+ }, {
+ "params" : [ {
+ "guidelines" : [ {
+ "prose" : "The central security log management and monitoring service."
+ } ],
+ "id" : "lm-12_prm_1",
+ "label" : "service",
+ "class" : "str"
+ } ],
+ "title" : "Central Security Log Management and Monitoring",
+ "links" : [ {
+ "href" : "#da71948e-4dff-4a9d-a645-69ced821fe97",
+ "rel" : "reference",
+ "text" : "IM8 Cloud Security (IaaS and PaaS): 1.9/S3"
+ }, {
+ "href" : "#f3057503-f399-4735-9d7b-ea9830f3b2ac",
+ "rel" : "reference",
+ "text" : "IM8 On-Premise IS (Non-S): 7.1/S3"
+ }, {
+ "href" : "#0062e6a3-8ac4-44db-92df-8357b437ca0c",
+ "rel" : "reference",
+ "text" : "NIST SP 800-53 AU-6(4): Central Review and Analysis"
+ }, {
+ "href" : "#0062e6a3-8ac4-44db-92df-8357b437ca0c",
+ "rel" : "reference",
+ "text" : "NIST SP 800-53 PL-9: Central Management"
+ } ],
+ "id" : "lm-12",
+ "parts" : [ {
+ "name" : "statement",
+ "id" : "lm-12_smt",
+ "prose" : "Centralise security log management and monitoring with {{ insert: param, lm-12_prm_1 }}."
+ }, {
+ "name" : "guidance",
+ "id" : "lm-12_gdn",
+ "prose" : "Tenants on Government Commercial Cloud (GCC) already have Cloud Service Provider (CSP) tenant security logs stored centrally and available for forwarding to Government Cyber Security Operations Centre (GCSOC). Contact GCSOC for subscription and additional services."
+ } ],
+ "props" : [ {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "risk-statement",
+ "value" : "Lack of central security log management and monitoring increases the risk of delayed or unnoticed security incidents, hindering effective response, and compromising the overall cybersecurity posture."
+ }, {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "published",
+ "value" : "2023-10-10T18:06:24+0800"
+ }, {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "last-modified",
+ "value" : "2024-05-29T21:17:04+0800"
+ } ]
+ }, {
+ "title" : "Database Activity Monitoring",
+ "id" : "lm-13",
+ "parts" : [ {
+ "name" : "statement",
+ "id" : "lm-13_smt",
+ "prose" : "Monitor database activities for anomalous behaviour."
+ }, {
+ "name" : "guidance",
+ "id" : "lm-13_gdn",
+ "prose" : "Config RDS Activity Streams and logs with alerts or Database Activity Monitoring (DAM) tools to detect unusual authentication, reads or writes to a database."
+ } ],
+ "props" : [ {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "risk-statement",
+ "value" : "Neglecting to monitor database activities for anomalous behaviour increases the risk of undetected security threats, unauthorised access, and compromises in data integrity, hindering the ability to identify and respond to potential database-related incidents."
+ }, {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "published",
+ "value" : "2023-10-10T18:06:24+0800"
+ }, {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "last-modified",
+ "value" : "2023-10-10T18:06:24+0800"
+ } ]
+ }, {
+ "title" : "Web Defacement Monitoring",
+ "links" : [ {
+ "href" : "#da71948e-4dff-4a9d-a645-69ced821fe97",
+ "rel" : "reference",
+ "text" : "IM8 Cloud Security (IaaS and PaaS): 1.9/S13"
+ }, {
+ "href" : "#f3057503-f399-4735-9d7b-ea9830f3b2ac",
+ "rel" : "reference",
+ "text" : "IM8 On-Premise IS (Non-S): 7.1/S5"
+ } ],
+ "id" : "lm-14",
+ "parts" : [ {
+ "name" : "statement",
+ "id" : "lm-14_smt",
+ "prose" : "Plan for and implement measures to detect and recover from web defacements."
+ }, {
+ "name" : "guidance",
+ "id" : "lm-14_gdn",
+ "prose" : "The Government Cyber Security Operations Centre (GCSOC) offers centralised monitoring of web defacements of internet-facing systems."
+ } ],
+ "props" : [ {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "risk-statement",
+ "value" : "Failure to detect and respond to web defacement promptly will lead to prolonged disruption to services."
+ }, {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "published",
+ "value" : "2023-10-27T16:50:47+0800"
+ }, {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "last-modified",
+ "value" : "2024-05-29T21:20:05+0800"
+ } ]
+ }, {
+ "title" : "Structured Log Formatting",
+ "id" : "lm-15",
+ "parts" : [ {
+ "name" : "statement",
+ "id" : "lm-15_smt",
+ "prose" : "Publish logs in a consistent, structured format that aligns with industry standards for easy parsing and analysis."
+ }, {
+ "name" : "guidance",
+ "id" : "lm-15_gdn",
+ "prose" : "For security logs, implement or transform to OCSF (Open Cybersecurity Schema Framework), ECS (Elastic Common Schema) or similar schemas to standardize log formats for better threat detection and analysis. For operational logs, adopt OpenTelemetry or structured JSON formats to facilitate clear, structured, and efficient log analysis for system performance and diagnostics. Consistent log formatting aids in automated parsing and helps in integrating logs from various sources."
+ } ],
+ "props" : [ {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "risk-statement",
+ "value" : "Inconsistent or unstructured log formatting can lead to difficulties in log analysis and monitoring, potentially resulting in missed critical events or delayed response to system anomalies."
+ }, {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "published",
+ "value" : "2023-12-20T01:03:42+0800"
+ }, {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "last-modified",
+ "value" : "2024-01-04T00:00:00+0800"
+ } ]
+ }, {
+ "title" : "Key Signals Monitoring",
+ "id" : "lm-16",
+ "parts" : [ {
+ "name" : "statement",
+ "id" : "lm-16_smt",
+ "prose" : "Monitor key user-facing signals to maintain robust service health and performance."
+ }, {
+ "name" : "guidance",
+ "id" : "lm-16_gdn",
+ "prose" : "Implement monitoring of key signals such as latency, traffic, errors, and saturation (the 4 Golden Signals). 
Regularly track and analyse these indicators for proactive issue detection and resolution. Use this data to identify trends and areas for system improvement, ensuring continuous enhancement in service quality and reliability." + } ], + "props" : [ { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "risk-statement", + "value" : "Inadequate monitoring of key user-facing signals such as latency, traffic, errors, and saturation can lead to suboptimal service performance, adversely impacting user experience, system efficiency, and increasing the likelihood of system failures. This oversight can significantly detract from service reliability and user satisfaction." + }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "published", + "value" : "2024-01-04T15:30:00+0800" + }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "last-modified", + "value" : "2024-01-04T15:30:00+0800" + } ] + }, { + "title" : "Software delivery performance monitoring", + "id" : "lm-17", + "parts" : [ { + "name" : "statement", + "id" : "lm-17_smt", + "prose" : "Measure and analyse software delivery performance to optimise development velocity and operational efficiency." + }, { + "name" : "guidance", + "id" : "lm-17_gdn", + "prose" : "Implement tools and processes to track Deployment Frequency, Lead Time for Changes, Change Failure Rate, and Time to Restore Service (the DORA 4 Key metrics). Use these metrics as benchmarks to drive continuous improvement in the software development and deployment process, enhancing agility, reliability, and responsiveness to changes." + } ], + "props" : [ { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "risk-statement", + "value" : "Failing to measure and improve the software delivery performance can lead to inefficient development processes, reduced software quality and longer recovery times." 
+ }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "published", + "value" : "2024-01-04T15:30:00+0800" + }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "last-modified", + "value" : "2024-01-04T15:30:00+0800" + } ] + } ] + }, { + "title" : "Access Control", + "id" : "ac", + "parts" : [ { + "name" : "overview", + "prose" : "Controls to protect against unauthorised access to agency systems." + } ], + "controls" : [ { + "title" : "Principle of Least Privilege", + "links" : [ { + "href" : "#8723fc45-7378-478f-b61f-2e22a170e98c", + "rel" : "reference", + "text" : "MVSP 4.2: Logical access" + }, { + "href" : "#da71948e-4dff-4a9d-a645-69ced821fe97", + "rel" : "reference", + "text" : "IM8 Cloud Security (IaaS and PaaS): 1.4/S7" + }, { + "href" : "#da71948e-4dff-4a9d-a645-69ced821fe97", + "rel" : "reference", + "text" : "IM8 Cloud Security (IaaS and PaaS): 1.5/S4e" + }, { + "href" : "#da71948e-4dff-4a9d-a645-69ced821fe97", + "rel" : "reference", + "text" : "IM8 Cloud Security (IaaS and PaaS): 1.7/S1b" + } ], + "id" : "ac-1", + "parts" : [ { + "name" : "statement", + "id" : "ac-1_smt", + "prose" : "Deny access by default and grant only the minimum permissions required for authorised accounts or processes to perform a specific function." + }, { + "name" : "guidance", + "id" : "ac-1_gdn", + "prose" : "Consider attribute- or feature-based access control for greater customisability and granularity." + } ], + "props" : [ { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "risk-statement", + "value" : "Violating the principle of least privileges increases the risk of unauthorised access, privilege escalation, and potential security breaches due to unnecessary permissions, compromising the overall security posture." 
+ }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "published", + "value" : "2023-08-17T14:31:33+0800" + }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "last-modified", + "value" : "2024-02-06T00:47:04+0800" + } ] + }, { + "title" : "Multi-Factor Authentication (MFA)", + "links" : [ { + "href" : "#0062e6a3-8ac4-44db-92df-8357b437ca0c", + "rel" : "reference", + "text" : "NIST SP 800-53 IA-2(1): Multi-factor Authentication to Privileged Accounts" + }, { + "href" : "#8723fc45-7378-478f-b61f-2e22a170e98c", + "rel" : "reference", + "text" : "MVSP 4.2: Logical access" + }, { + "href" : "#da71948e-4dff-4a9d-a645-69ced821fe97", + "rel" : "reference", + "text" : "IM8 Cloud Security (IaaS and PaaS): 1.4/S20a" + }, { + "href" : "#9749c983-5562-4a6f-8852-7eecf9b38d2c", + "rel" : "reference", + "text" : "IM8 On-Premise ADS (Non-S): 2.4/S2" + } ], + "id" : "ac-2", + "parts" : [ { + "name" : "statement", + "id" : "ac-2_smt", + "prose" : "Require MFA for remote developer, maintainer, or administrator access at login." + }, { + "name" : "guidance", + "id" : "ac-2_gdn", + "prose" : "Ensure that the authentication factors are different and independent of the accessing device. For additional security, consider MFA for privileged actions at the application level (such as step-up MFA challenges via PIM tools)." + } ], + "props" : [ { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "risk-statement", + "value" : "Without requiring phishing-resistant Multi-Factor Authentication (MFA) for remote access, there is an increased risk of unauthorised access, credential theft, and potential compromise of sensitive systems, especially for users with elevated privileges." 
+ }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "published", + "value" : "2023-08-17T14:31:33+0800" + }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "last-modified", + "value" : "2024-02-06T01:04:05+0800" + } ] + }, { + "params" : [ { + "guidelines" : [ { + "prose" : "The time period in days after account expiry." + } ], + "id" : "ac-3_prm_1", + "label" : "time period (days)", + "class" : "int" + }, { + "guidelines" : [ { + "prose" : "The time period in days of account inactivity." + } ], + "id" : "ac-3_prm_2", + "label" : "time period (days)", + "class" : "int" + } ], + "title" : "Inactive and Expired Accounts", + "links" : [ { + "href" : "#0062e6a3-8ac4-44db-92df-8357b437ca0c", + "rel" : "reference", + "text" : "NIST SP 800-53 AC-2(3): Disable Accounts" + }, { + "href" : "#8723fc45-7378-478f-b61f-2e22a170e98c", + "rel" : "reference", + "text" : "MVSP 4.2: Logical access" + }, { + "href" : "#da71948e-4dff-4a9d-a645-69ced821fe97", + "rel" : "reference", + "text" : "IM8 Cloud Security (IaaS and PaaS): 1.4/S15" + }, { + "href" : "#da71948e-4dff-4a9d-a645-69ced821fe97", + "rel" : "reference", + "text" : "IM8 Cloud Security (IaaS and PaaS): 1.4/S18b" + }, { + "href" : "#9749c983-5562-4a6f-8852-7eecf9b38d2c", + "rel" : "reference", + "text" : "IM8 On-Premise ADS (Non-S): 2.3/S2, 2.3/S3" + } ], + "id" : "ac-3", + "parts" : [ { + "name" : "statement", + "id" : "ac-3_smt", + "prose" : "Disable or remove accounts with privileged access within {{ insert: param, ac-3_prm_1 }} day(s) from last day of authorised use or have not been used for {{ insert: param, ac-3_prm_2 }} day(s)." + }, { + "name" : "guidance", + "id" : "ac-3_gdn", + "prose" : "Use automated checks to identify accounts and credentials that should be disabled. For privileged user accounts in applications, consider using automated workflows such as System for Cross-domain Identity Management (SCIM) or identity lifecycle management tools. 
For cloud service provider accounts, use tools such as AWS Config iam-user-unused-credentials-check to manage Identity and Access Management (IAM) users." + } ], + "props" : [ { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "risk-statement", + "value" : "Failure to disable or remove unused accounts or credentials with elevated access increases the risk of unauthorised access, as dormant accounts may become targets for exploitation, compromising the security of the system." + }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "published", + "value" : "2023-08-17T14:31:33+0800" + }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "last-modified", + "value" : "2024-02-09T23:02:29+0800" + } ] + }, { + "params" : [ { + "guidelines" : [ { + "prose" : "The time period in days of access review frequency." + } ], + "id" : "ac-4_prm_1", + "label" : "time period (days)", + "class" : "int" + }, { + "guidelines" : [ { + "prose" : "The time period in days of access removal deadline." + } ], + "id" : "ac-4_prm_2", + "label" : "time period (days)", + "class" : "int" + } ], + "title" : "Access Review", + "links" : [ { + "href" : "#0062e6a3-8ac4-44db-92df-8357b437ca0c", + "rel" : "reference", + "text" : "AC-2: Account Management" + }, { + "href" : "#8723fc45-7378-478f-b61f-2e22a170e98c", + "rel" : "reference", + "text" : "MVSP 4.2: Logical access" + }, { + "href" : "#da71948e-4dff-4a9d-a645-69ced821fe97", + "rel" : "reference", + "text" : "IM8 Cloud Security (IaaS and PaaS): 1.4/S13" + }, { + "href" : "#9749c983-5562-4a6f-8852-7eecf9b38d2c", + "rel" : "reference", + "text" : "IM8 On-Premise ADS (Non-S): 2.3/S1, 2.3/S6" + } ], + "id" : "ac-4", + "parts" : [ { + "name" : "statement", + "id" : "ac-4_smt", + "prose" : "Perform an access review every {{ insert: param, ac-4_prm_1 }} day(s) and remove unauthorised or unintended privileged access rights within {{ insert: param, ac-4_prm_2 }} day(s)." 
+ }, { + "name" : "guidance", + "id" : "ac-4_gdn", + "prose" : "For privileged user accounts in applications, implement automated review workflows or reports. For cloud service provider accounts and roles, use tools such as AWS IAM Access Advisor or Azure AD Access Review to facilitate and manage access reviews." + } ], + "props" : [ { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "risk-statement", + "value" : "Without regular access reviews and prompt removal of unauthorised or unintended access rights, there is an increased risk of lingering access, potential misuse of privileges, and compromised security, impacting the confidentiality and integrity of sensitive data." + }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "published", + "value" : "2023-08-17T14:31:33+0800" + }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "last-modified", + "value" : "2024-02-09T22:54:15+0800" + } ] + }, { + "title" : "Endpoint Device Hardening", + "links" : [ { + "href" : "#da71948e-4dff-4a9d-a645-69ced821fe97", + "rel" : "reference", + "text" : "IM8 Cloud Security (IaaS and PaaS): 1.4/S20a" + }, { + "href" : "#f3057503-f399-4735-9d7b-ea9830f3b2ac", + "rel" : "reference", + "text" : "IM8 On-Premise IS (Non-S): 1.3/S1, 4.7/S3" + } ], + "id" : "ac-5", + "parts" : [ { + "name" : "statement", + "id" : "ac-5_smt", + "prose" : "Require hardened endpoint devices for remote developer, maintainer, or administrator access." + }, { + "name" : "guidance", + "id" : "ac-5_gdn", + "prose" : "Use Endpoint Management platfoms to continuously check and enforce device security posture and deny access if the hardening requirements are not met. Hardened devices include Government Standard Image Build (GSIB) and Security Suite for Engineering Endpoint Devices (SEED)." 
+ } ], + "props" : [ { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "risk-statement", + "value" : "Without requiring hardened endpoint devices for remote access, there's an increased risk of compromised endpoints, potential malware infections, and security breaches, which could lead to unauthorised access and compromise the integrity of systems." + }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "published", + "value" : "2023-08-17T14:31:33+0800" + }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "last-modified", + "value" : "2024-02-06T01:04:05+0800" + } ] + }, { + "title" : "Default Credentials", + "links" : [ { + "href" : "#0062e6a3-8ac4-44db-92df-8357b437ca0c", + "rel" : "reference", + "text" : "NIST SP 800-53 IA-5: Authenticator Management" + }, { + "href" : "#da71948e-4dff-4a9d-a645-69ced821fe97", + "rel" : "reference", + "text" : "IM8 Cloud Security (IaaS and PaaS): 1.4/S1c" + }, { + "href" : "#da71948e-4dff-4a9d-a645-69ced821fe97", + "rel" : "reference", + "text" : "IM8 Cloud Security (IaaS and PaaS): 1.4/S2c" + }, { + "href" : "#9749c983-5562-4a6f-8852-7eecf9b38d2c", + "rel" : "reference", + "text" : "IM8 On-Premise ADS (Non-S): 2.2/S1d, 2.3/S5" + } ], + "id" : "ac-6", + "parts" : [ { + "name" : "statement", + "id" : "ac-6_smt", + "prose" : "Change default credentials prior to first use." + }, { + "name" : "guidance", + "id" : "ac-6_gdn", + "prose" : "Identify any default credentials used in any system components before deploying and change them. Configure end-user systems to prompt for password change on first login after account creation or reset." + } ], + "props" : [ { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "risk-statement", + "value" : "Failure to change default credentials prior to first use increases the risk of unauthorised access, as default credentials are often well-known and targeted by attackers, compromising the security of the system or device." 
+ }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "published", + "value" : "2023-10-02T10:34:05+0800" + }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "last-modified", + "value" : "2024-02-06T01:04:05+0800" + } ] + }, { + "title" : "SingPass/CorpPass for External Users", + "links" : [ { + "href" : "#9749c983-5562-4a6f-8852-7eecf9b38d2c", + "rel" : "reference", + "text" : "IM8 On-Premise ADS (Non-S): 2.1/S1" + } ], + "id" : "ac-7", + "parts" : [ { + "name" : "statement", + "id" : "ac-7_smt", + "prose" : "Use SingPass or CorpPass MFA for digital services that require high level of identity assurance for external users." + }, { + "name" : "guidance", + "id" : "ac-7_gdn", + "prose" : "For high impact or high risk transactions, use SingPass/CorpPass to identify external users (e.g. citizens). Internal users should use Government managed Single Sign-on (SSO) solutions (such as WOG AAD)." + } ], + "props" : [ { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "risk-statement", + "value" : "Leverage on SingPass or CorpPass to reduce duplication of effort and provide consistent end user experience." + }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "published", + "value" : "2023-10-27T16:50:47+0800" + }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "last-modified", + "value" : "2024-02-06T01:04:05+0800" + } ] + }, { + "title" : "Automate account provisioning", + "links" : [ { + "href" : "#da71948e-4dff-4a9d-a645-69ced821fe97", + "rel" : "reference", + "text" : "IM8 Cloud Security (IaaS and PaaS): 1.4/S18a" + }, { + "href" : "#9749c983-5562-4a6f-8852-7eecf9b38d2c", + "rel" : "reference", + "text" : "IM8 On-Premise ADS (Non-S): 2.3/S7" + } ], + "id" : "ac-8", + "parts" : [ { + "name" : "statement", + "id" : "ac-8_smt", + "prose" : "Implement automation of cloud and application account provisioning and deprovisioning using an account management tool." 
+ }, { + "name" : "guidance", + "id" : "ac-8_gdn", + "prose" : "Adopt Single Sign-On (SSO) with just-in-time provisioning or account lifecycle management tools (such as SCIM or CAM) to assist with account management. For systems unable to use SSO, it is recommended to leverage account management lifecycle tools with HR records (such as CAM) to automatically provision and de-provision accounts." + } ], + "props" : [ { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "risk-statement", + "value" : "Manual account and access provisioning can introduce errors and weaknesses, thus making access control measures ineffective and unreliable." + }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "published", + "value" : "2023-10-27T15:51:13+0800" + }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "last-modified", + "value" : "2024-02-06T01:04:05+0800" + } ] + }, { + "title" : "Endpoint Device Management", + "id" : "ac-9", + "parts" : [ { + "name" : "statement", + "id" : "ac-9_smt", + "prose" : "Implement and maintain an endpoint device management solution to ensure the security and integrity of endpoint devices used within the organisation." + }, { + "name" : "guidance", + "id" : "ac-9_gdn", + "prose" : "Mobile Device Management (MDM) platforms enable management, monitoring, and secure configuration of endpoint devices. This includes enforcing disk encryption, managing configuration, ensuring regular updates, and providing the ability to remotely wipe data in case of device loss or theft." + } ], + "props" : [ { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "risk-statement", + "value" : "Unmanaged endpoint devices increase the risk of unauthorized access and potential loss of sensitive information due to the compromise of devices." 
+ }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "published", + "value" : "2023-11-29T18:00:00+0000" + }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "last-modified", + "value" : "2024-01-19T17:00:00+0800" + } ] + }, { + "title" : "Identity and Device-Based Access Control", + "id" : "ac-10", + "parts" : [ { + "name" : "statement", + "id" : "ac-10_smt", + "prose" : "Adopt Identity and Device-Based Access Control for secure and context-aware connectivity to private organisational resources." + }, { + "name" : "guidance", + "id" : "ac-10_gdn", + "prose" : "Use solutions such as Secure Service Edge (SSE), Identity Aware Proxies (IAP) or other Zero Trust services (Entra ID Conditional Access, Okta Device Trust, etc) that integrate identity and device management systems to provide granular access control to resources based on user identity and device posture. For example, Security Suite for Engineering Endpoint Devices (SEED)." + } ], + "props" : [ { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "risk-statement", + "value" : "Relying on direct connections or traditional VPNs for remote access can lead to vulnerabilities, as they do not always incorporate strong identity and device-based security measures. This increases the risk of unauthorized access and potential data breaches." + }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "published", + "value" : "2023-11-29T18:00:00+0000" + }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "last-modified", + "value" : "2023-11-29T18:00:00+0000" + } ] + }, { + "title" : "Single User Endpoints", + "id" : "ac-11", + "parts" : [ { + "name" : "statement", + "id" : "ac-11_smt", + "prose" : "Assign each endpoint device to a single designated primary user and enforce the assignment to ensure accountability and enhance security monitoring." 
+ }, { + "name" : "guidance", + "id" : "ac-11_gdn", + "prose" : "Implement measures such as user authentication and endpoint management with device enrollment to enforce the single primary user per endpoint. If secondary accounts for local device support or maintenance activities consider securing with endpoint privilege management tools." + } ], + "props" : [ { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "risk-statement", + "value" : "Allowing multiple users to access a single endpoint device can lead to security risks such as data leakage, difficulty in tracking user activities, and increased vulnerability to insider threats." + }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "published", + "value" : "2023-12-07T08:00:00+0000" + }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "last-modified", + "value" : "2023-12-07T16:00:00+0000" + } ] + }, { + "title" : "Single Sign-On (SSO) for Internal Users", + "links" : [ { + "href" : "#0062e6a3-8ac4-44db-92df-8357b437ca0c", + "rel" : "reference", + "text" : "IA-2(10): Single Sign-on" + }, { + "href" : "#da71948e-4dff-4a9d-a645-69ced821fe97", + "rel" : "reference", + "text" : "IM8 Cloud Security (IaaS and PaaS): 1.4/S18c" + } ], + "id" : "ac-12", + "parts" : [ { + "name" : "statement", + "id" : "ac-12_smt", + "prose" : "Use Single Sign-On (SSO) for internal users and services." + }, { + "name" : "guidance", + "id" : "ac-12_gdn", + "prose" : "Configure multi-factor authentication (MFA) at the Single-Sign On (SSO) identity provider (IdP) and ensure that access to the system is only granted after the IdP authenticates the user. WOG AAD is recommended for public officers and TechPass AAD for developers." 
+ } ], + "props" : [ { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "risk-statement", + "value" : "Without Single Sign-On (SSO), there is an increased risk of unauthorized access and compromised user credentials, as users may resort to using weak passwords or reusing credentials across multiple systems, thereby exposing sensitive information to potential security breaches." + }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "published", + "value" : "2023-12-07T08:00:00+0000" + }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "last-modified", + "value" : "2024-02-06T00:47:04+0800" + } ] + } ] + }, { + "title" : "Container Security", + "id" : "cs", + "parts" : [ { + "name" : "overview", + "prose" : "Controls to secure container building, distribution, and deployment." + } ], + "controls" : [ { + "title" : "Unique Base Container Image Tags", + "links" : [ { + "href" : "#438199c5-6b38-4704-88d6-a902ee08a433", + "rel" : "reference", + "text" : "SLSA Build L1: Provenance exists" + }, { + "href" : "#ee9148b4-3f31-48c8-8503-24fb5cd73db8", + "rel" : "reference", + "text" : "IM8 Cloud ADS: 12.1/G3" + } ], + "id" : "cs-1", + "parts" : [ { + "name" : "statement", + "id" : "cs-1_smt", + "prose" : "Use unique base container image tags instead of rolling tags." + }, { + "name" : "guidance", + "id" : "cs-1_gdn", + "prose" : "Avoid the `latest` tag or other common rolling tags for base images to minimise unintended changes during subsequent builds using the same instruction. A digest SHA can provide a unique identifier for the image if no tag is assigned during build time." + } ], + "props" : [ { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "risk-statement", + "value" : "Using unique base container image tags instead of rolling tags reduces the risk of unintentional updates, inconsistencies, and potential security vulnerabilities in containerised environments, ensuring a more stable and secure deployment process." 
+ }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "published", + "value" : "2023-08-23T23:58:33+0800" + }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "last-modified", + "value" : "2024-02-06T01:04:05+0800" + } ] + }, { + "title" : "Minimal Base Container Images", + "links" : [ { + "href" : "#ee9148b4-3f31-48c8-8503-24fb5cd73db8", + "rel" : "reference", + "text" : "IM8 Cloud ADS: 12.1/G1" + } ], + "id" : "cs-2", + "parts" : [ { + "name" : "statement", + "id" : "cs-2_smt", + "prose" : "Build container images with minimal base images." + }, { + "name" : "guidance", + "id" : "cs-2_gdn", + "prose" : "Use minimal container images such as alpine, scratch, wolfi, and distroless images as the base image to reduce attack surface." + } ], + "props" : [ { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "risk-statement", + "value" : "Building container images with minimal base images reduces the attack surface, potential vulnerabilities, and resource overhead, minimising the risk of security exploits and enhancing the overall security posture of the containerised environment." + }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "published", + "value" : "2023-08-23T23:58:33+0800" + }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "last-modified", + "value" : "2024-02-06T01:04:05+0800" + } ] + }, { + "title" : "Runtime Container Secrets", + "links" : [ { + "href" : "#ee9148b4-3f31-48c8-8503-24fb5cd73db8", + "rel" : "reference", + "text" : "IM8 Cloud ADS: 2.2/S4" + } ], + "id" : "cs-3", + "parts" : [ { + "name" : "statement", + "id" : "cs-3_smt", + "prose" : "Provide secrets and sensitive data to the container at runtime instead of image build time." + }, { + "name" : "guidance", + "id" : "cs-3_gdn", + "prose" : "Ensure no secrets (e.g., TLS certificate keys, cloud provider credentials, SSH private keys, database passwords) are embedded in the container image by using dedicated features like Docker secrets or `podman-secret-create`." 
+ } ], + "props" : [ { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "risk-statement", + "value" : "Providing secrets and sensitive data to the container at runtime instead of image build time reduces the risk of exposing sensitive information in the image and enhances security by ensuring that secrets are managed and updated independently, minimising the risk of unauthorised access or data compromise." + }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "published", + "value" : "2023-08-23T23:58:33+0800" + }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "last-modified", + "value" : "2024-02-06T01:04:05+0800" + } ] + }, { + "title" : "Non-Privileged Container User", + "links" : [ { + "href" : "#ee9148b4-3f31-48c8-8503-24fb5cd73db8", + "rel" : "reference", + "text" : "IM8 Cloud ADS: 12.2/S2" + } ], + "id" : "cs-4", + "parts" : [ { + "name" : "statement", + "id" : "cs-4_smt", + "prose" : "Create a non-root user and set it as the default user in the container image build instructions." + }, { + "name" : "guidance", + "id" : "cs-4_gdn", + "prose" : "Ensure the non-root user has the minimal set of permissions required to run the container." + } ], + "props" : [ { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "risk-statement", + "value" : "Failure to create a non-root user and set it as the default user in container image build instructions increases the risk of security vulnerabilities, as running containers with root privileges may lead to potential exploitation and compromise of the host system." 
+ }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "published", + "value" : "2023-08-23T23:58:33+0800" + }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "last-modified", + "value" : "2024-02-06T01:04:05+0800" + } ] + }, { + "title" : "Dockerfile Linting", + "links" : [ { + "href" : "#ee9148b4-3f31-48c8-8503-24fb5cd73db8", + "rel" : "reference", + "text" : "IM8 Cloud ADS: 12.1/G4" + } ], + "id" : "cs-5", + "parts" : [ { + "name" : "statement", + "id" : "cs-5_smt", + "prose" : "Lint Dockerfiles before building container images." + }, { + "name" : "guidance", + "id" : "cs-5_gdn", + "prose" : "Use linters such as Hadolint to check the Dockerfile (or similar build file) instructions and flag any issues that contravene best practices. Ensure Dockerfile linting stage is run as part of the Continuous Integration (CI) pipelines." + } ], + "props" : [ { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "risk-statement", + "value" : "Without linting Dockerfiles before building container images, there's an increased risk of syntax errors, misconfigurations, and potential security vulnerabilities, compromising the reliability and security of the resulting containerised applications." + }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "published", + "value" : "2023-08-23T23:58:33+0800" + }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "last-modified", + "value" : "2024-02-06T01:04:05+0800" + } ] + }, { + "title" : "Read-Only Container Root Filesystem", + "id" : "cs-6", + "parts" : [ { + "name" : "statement", + "id" : "cs-6_smt", + "prose" : "Configure the container filesystem to be read-only." + }, { + "name" : "guidance", + "id" : "cs-6_gdn", + "prose" : "Use security policies (e.g., `readonlyRootFilesystem` for Kubernetes) to prevent any direct writes to the container's root filesystem during runtime and ensure immutable infrastructure. 
Do not directly apply patches or alter running containers as the containers are ephemeral and patches will disappear upon redeploy. Apply patches by rebuilding and redeploying container images." + } ], + "props" : [ { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "risk-statement", + "value" : "Failure to configure the container filesystem as read-only increases the risk of unauthorised modifications, potential tampering, and compromise of containerised applications, as attackers may exploit write access to alter the container's state and integrity." + }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "published", + "value" : "2023-08-23T23:58:33+0800" + }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "last-modified", + "value" : "2024-01-19T14:00:00+0800" + } ] + }, { + "params" : [ { + "guidelines" : [ { + "prose" : "The location where container image scanning occurs." + } ], + "select" : { + "how-many" : "one-or-more", + "choice" : [ "CI/CD pipeline", "container registry" ] }, - { - "id": "contact", - "title": "Contact" - } - ], - "parties": [ - { - "uuid": "e738ab7c-ed26-4fe6-a1e7-f485265d50cc", - "type": "organization", - "name": "Workstream 1A (Content), IM8-reform Executive Committee", - "email-addresses": [] - } - ], - "responsible-parties": [ - { - "role-id": "creator", - "party-uuids": [ - "e738ab7c-ed26-4fe6-a1e7-f485265d50cc" - ] + "id" : "cs-7_prm_1", + "label" : "location", + "class" : "str" + } ], + "title" : "Container Image Scanning", + "links" : [ { + "href" : "#ee9148b4-3f31-48c8-8503-24fb5cd73db8", + "rel" : "reference", + "text" : "IM8 Cloud ADS: 12.3/G2b" + }, { + "href" : "#ee9148b4-3f31-48c8-8503-24fb5cd73db8", + "rel" : "reference", + "text" : "IM8 Cloud ADS: 12.3/G2c" + } ], + "id" : "cs-7", + "parts" : [ { + "name" : "statement", + "id" : "cs-7_smt", + "prose" : "Scan container images in the {{ insert: param, cs-7_prm_1 }} for known vulnerabilities." 
+ }, { + "name" : "guidance", + "id" : "cs-7_gdn", + "prose" : "Container image scanning tools (e.g., Amazon Inspector, Trivy, Grype) scan the contents of a container image for known vulnerabilities. Configure scans to run automatically and continuously, as well as enable scanning of image on push. Block deployment of container images with HIGH CVE being detected during scan (e.g., using Amazon ECR with Security Hub)." + } ], + "props" : [ { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "risk-statement", + "value" : "Failure to scan container images increases the risk of deploying insecure images, potentially exposing the infrastructure to known exploits and compromising the security of the containerised applications during runtime." + }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "published", + "value" : "2023-08-23T23:58:33+0800" + }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "last-modified", + "value" : "2024-03-31T23:50:41+0800" + } ] + }, { + "title" : "Private Container Image Registries", + "id" : "cs-8", + "parts" : [ { + "name" : "statement", + "id" : "cs-8_smt", + "prose" : "Host built container images in private container registries." + }, { + "name" : "guidance", + "id" : "cs-8_gdn", + "prose" : "Use only private container registries (e.g., Amazon ECR private registry) to host container images built by the organisation as images may contain proprietary code or sensitive information." + } ], + "props" : [ { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "risk-statement", + "value" : "Hosting built container images in private registries enhances security by reducing the exposure of sensitive images, minimising the risk of unauthorised access, and maintaining control over image distribution, ensuring a more secure and controlled container deployment process." 
+ }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "published", + "value" : "2023-08-23T23:58:33+0800" + }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "last-modified", + "value" : "2024-03-31T23:39:47+0800" + } ] + }, { + "title" : "Container Orchestrator API Access Control", + "links" : [ { + "href" : "#da71948e-4dff-4a9d-a645-69ced821fe97", + "rel" : "reference", + "text" : "IM8 Cloud Security (IaaS and PaaS): 1.7/S21b" + } ], + "id" : "cs-9", + "parts" : [ { + "name" : "statement", + "id" : "cs-9_smt", + "prose" : "Disable public access to Container Orchestrator API endpoints from the internet." + }, { + "name" : "guidance", + "id" : "cs-9_gdn", + "prose" : "Restrict access to the Container Orchestrator API endpoints (such as the Kubernetes API Server) to specific address ranges or use CSP provided features such as disabling Endpoint public access and Private Clusters to disable public access." + } ], + "props" : [ { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "risk-statement", + "value" : "Failure to disable public access to Container Orchestrator API endpoints from the internet increases the risk of unauthorised access, potential exploitation, and security breaches, as exposing these endpoints publicly may lead to unauthorised control and compromise of the container infrastructure." + }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "published", + "value" : "2023-08-23T23:58:33+0800" + }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "last-modified", + "value" : "2024-03-31T23:39:54+0800" + } ] + }, { + "title" : "Container Workload Segmentation", + "id" : "cs-10", + "parts" : [ { + "name" : "statement", + "id" : "cs-10_smt", + "prose" : "Segregate container workloads to help contain attacks through isolation." + }, { + "name" : "guidance", + "id" : "cs-10_gdn", + "prose" : "Create Kubernetes namespaces or similar container segmentation controls to isolate different workloads, services or projects." 
+ } ], + "props" : [ { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "risk-statement", + "value" : "Without separating container workloads into namespaces, there's an increased risk of lateral movement and potential compromise." + }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "published", + "value" : "2023-08-23T23:58:33+0800" + }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "last-modified", + "value" : "2024-03-31T23:40:00+0800" + } ] + }, { + "title" : "Container Runtime Security", + "links" : [ { + "href" : "#ee9148b4-3f31-48c8-8503-24fb5cd73db8", + "rel" : "reference", + "text" : "IM8 Cloud ADS: 12.3/G2b" + } ], + "id" : "cs-11", + "parts" : [ { + "name" : "statement", + "id" : "cs-11_smt", + "prose" : "Detect and remediate changes to running containers with container runtime protection tools." + }, { + "name" : "guidance", + "id" : "cs-11_gdn", + "prose" : "Runtime protection tools, such as AWS EKS Protection, Microsoft Defender for Containers, or Falco, monitor threats and changes to running containers. Vulnerable container instances should be isolated for investigation and replaced with rebuilt and patched images. To avoid persistence if patches do not exist, the container instance should be replaced frequently with an un-compromised image until a patch released. These tools replace Malware Protection (IS-7) and EDR (IS-8) in container environments." + } ], + "props" : [ { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "risk-statement", + "value" : "Failure to detect and remediate changes to running containers using container runtime protection tools increases the risk of unnoticed compromises, potential exploitation, and unauthorised alterations to containerised applications, compromising the security and integrity of the runtime environment." 
+ }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "published", + "value" : "2023-08-23T23:58:33+0800" + }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "last-modified", + "value" : "2024-03-31T23:40:06+0800" + } ] + } ] + }, { + "title" : "Security Programme Management", + "id" : "pm", + "parts" : [ { + "name" : "overview", + "prose" : "Controls to implement cybersecurity governance, risk, and compliance processes and policies." + } ], + "controls" : [ { + "title" : "Cybersecurity Incident Management Plan", + "links" : [ { + "href" : "#8723fc45-7378-478f-b61f-2e22a170e98c", + "rel" : "reference", + "text" : "MVSP 1.7: Incident handling" + }, { + "href" : "#da71948e-4dff-4a9d-a645-69ced821fe97", + "rel" : "reference", + "text" : "IM8 Cloud Security (IaaS and PaaS): 1.1/S3" + }, { + "href" : "#424d176f-09ad-41c5-8a44-a064a9f1e37d", + "rel" : "reference", + "text" : "GIROC ICT and Data Incident Reporting Resources" + } ], + "id" : "pm-1", + "parts" : [ { + "name" : "statement", + "id" : "pm-1_smt", + "prose" : "Develop, document, and disseminate an agency-level cybersecurity incident management plan to respond to cybersecurity incidents." + }, { + "name" : "guidance", + "id" : "pm-1_gdn", + "prose" : "Refer to the Government Incident Reporting and Operations Centre (GIROC) ICT and Data Incident Reporting Resources for an incident management plan and best practices template." + } ], + "props" : [ { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "risk-statement", + "value" : "Lack of a cybersecurity incident management plan increases the risk of ineffective response to cybersecurity incidents, hindering the ability to contain, mitigate, and recover from security breaches, potentially leading to extended downtime and data compromise." 
+ }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "published", + "value" : "2023-08-18T12:51:56+0800" + }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "last-modified", + "value" : "2024-05-15T23:50:24+0800" + } ] + }, { + "title" : "Project Cybersecurity Risk Assessment", + "links" : [ { + "href" : "#8723fc45-7378-478f-b61f-2e22a170e98c", + "rel" : "reference", + "text" : "MVSP 1.3: Self-assessment" + }, { + "href" : "#da71948e-4dff-4a9d-a645-69ced821fe97", + "rel" : "reference", + "text" : "IM8 Cloud Security (IaaS and PaaS): 1.1/S1" + }, { + "href" : "#d90ebf27-ad15-40c3-84f1-c83c98383d16", + "rel" : "reference", + "text" : "Cybersecurity Toolkit for IT Teams" + } ], + "id" : "pm-2", + "parts" : [ { + "name" : "statement", + "id" : "pm-2_smt", + "parts" : [ { + "name" : "item", + "id" : "pm-2_smt.1", + "props" : [ { + "name" : "label", + "value" : "1" + } ], + "prose" : "Risk scenario;" + }, { + "name" : "item", + "id" : "pm-2_smt.2", + "props" : [ { + "name" : "label", + "value" : "2" + } ], + "prose" : "Likelihood (from 1-5);" + }, { + "name" : "item", + "id" : "pm-2_smt.3", + "props" : [ { + "name" : "label", + "value" : "3" + } ], + "prose" : "Impact (from 1-5);" + }, { + "name" : "item", + "id" : "pm-2_smt.4", + "props" : [ { + "name" : "label", + "value" : "4" + } ], + "prose" : "Risk Level (Likelihood \\* Impact; 1-4: Low, 5-9: Medium, 10-14: Medium High, 15-19: High, 20-25: Critical)" + }, { + "name" : "item", + "id" : "pm-2_smt.5", + "props" : [ { + "name" : "label", + "value" : "5" + } ], + "prose" : "Mitigating Measures" + } ], + "prose" : "Develop and document a project-level cybersecurity risk assessment prior to initial full release that includes:" + }, { + "name" : "guidance", + "id" : "pm-2_gdn", + "prose" : "Refer to the Cyber Security Agency of Singapore's Cybersecurity Toolkit for IT Teams for an example of a risk assessment template and modify accordingly." 
+ } ], + "props" : [ { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "risk-statement", + "value" : "Without developing and documenting a project-level cybersecurity risk assessment before the initial full release, there's an increased risk of overlooking potential security threats, vulnerabilities, and regulatory compliance issues, compromising the overall security posture of the project." + }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "published", + "value" : "2023-08-18T12:51:56+0800" + }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "last-modified", + "value" : "2024-05-15T23:54:27+0800" + } ] + }, { + "title" : "System Security Plan (SSP) Development", + "id" : "pm-3", + "parts" : [ { + "name" : "statement", + "id" : "pm-3_smt", + "prose" : "Develop and maintain a comprehensive System Security Plan (SSP) that accurately reflects the system characteristics and security controls in place for the organisation's systems and environments." + }, { + "name" : "guidance", + "id" : "pm-3_gdn", + "prose" : "The SSP should be detailed, covering all aspects of security controls, roles, responsibilities, and operational processes. Regular updates are necessary to reflect changes in the security landscape and system evolution." + } ], + "props" : [ { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "risk-statement", + "value" : "Failure to develop a comprehensive SSP can result in inadequate documentation and security controls, leading to increased vulnerability to cyber threats and non-compliance with regulatory requirements." 
+ }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "published", + "value" : "2023-10-05T09:00:00+0800" + }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "last-modified", + "value" : "2023-10-10T16:00:00+0800" + } ] + }, { + "title" : "Approval of Policy Deviations", + "id" : "pm-4", + "parts" : [ { + "name" : "statement", + "id" : "pm-4_smt", + "prose" : "Get approval of deviations from applicable Level 1 profile controls in the default System Security Plans (SSPs) from the agency's ICT and Digitalisation Steering Committee (IDSC) and document these deviations in the customised SSP." + }, { + "name" : "guidance", + "id" : "pm-4_gdn", + "prose" : "Agencies should seek approval for deviation from their IDSC or delegated approval authority. Controls that are not applicable to the system do not need approval for deviations but the reasons why they are not applicable must be documented in the customised SSP." + } ], + "props" : [ { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "risk-statement", + "value" : "Unauthorised deviations from the policy can lead to an increased risk of security vulnerabilities and other compliance issues." + }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "published", + "value" : "2023-10-12T11:45:00+0800" + }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "last-modified", + "value" : "2024-05-12T23:15:32+0800" + } ] + }, { + "title" : "Central Submission of Approved System Security Plan (SSP)", + "links" : [ { + "href" : "#80bf8bd1-004c-42d9-a810-e3f1fae563bf", + "rel" : "reference", + "text" : "Centralised SSP Management Guidelines" + } ], + "id" : "pm-5", + "parts" : [ { + "name" : "statement", + "id" : "pm-5_smt", + "prose" : "Submit approved SSPs centrally to maintain a unified and up-to-date repository of security plans and practices." + }, { + "name" : "guidance", + "id" : "pm-5_gdn", + "prose" : "Reference the IM8 Portal for submitting all approved SSPs." 
+ } ], + "props" : [ { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "risk-statement", + "value" : "Inconsistent or decentralised submission of the SSP can lead to decreased visibility of security and compliance adoption across Government." + }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "published", + "value" : "2023-10-20T08:30:00+0800" + }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "last-modified", + "value" : "2023-10-25T14:00:00+0800" + } ] + }, { + "title" : "System Documentation", + "id" : "pm-6", + "parts" : [ { + "name" : "statement", + "id" : "pm-6_smt", + "prose" : "Maintain detailed, up-to-date documentation of all system information and architecture." + }, { + "name" : "guidance", + "id" : "pm-6_gdn", + "prose" : "Example system documentation includes architecture and network diagrams, architecture decision records, hardware and software inventories, data flows, and configurations. This documentation should be regularly reviewed and updated to reflect changes in the environment. Documentation should be accessible to relevant personnel while ensuring sensitive information is protected. Adopt documentation-as-code practices and machine-readable formats (such as Markdown, JSON, YAML, etc), to facilitate version control, collaboration, and automation in maintaining documentation." + } ], + "props" : [ { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "risk-statement", + "value" : "Comprehensive documentation of system architecture, components, configurations, and dependencies is essential for effective management, troubleshooting, and security auditing." + }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "published", + "value" : "2023-12-20T10:10:10+0800" + }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "last-modified", + "value" : "2023-01-10T0:00:00+0800" + } ] + }, { + "params" : [ { + "guidelines" : [ { + "prose" : "The required certifications." 
+ } ], + "id" : "pm-7_prm_1", + "label" : "certifications", + "class" : "str" + } ], + "title" : "Certification", + "id" : "pm-7", + "parts" : [ { + "name" : "statement", + "id" : "pm-7_smt", + "prose" : "Ensure that the Software as a Service (SaaS) provider is certified with {{ insert: param, pm-7_prm_1 }}." + }, { + "name" : "guidance", + "id" : "pm-7_gdn", + "prose" : "Ensure that the certification is up-to-date. Avoid certifications that are only attestations without a pass/fail element." + } ], + "props" : [ { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "risk-statement", + "value" : "Third-party certification provides assurance that security controls have been properly implemented in the Software as a Service (SaaS) provider." + }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "published", + "value" : "2024-01-14T01:35:16+0800" + }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "last-modified", + "value" : "2024-02-09T22:54:15+0800" + } ] + }, { + "title" : "Software as a Service (SaaS) Service Level Agreement", + "id" : "pm-8", + "parts" : [ { + "name" : "statement", + "id" : "pm-8_smt", + "prose" : "Obtain a service level agreement with the Software as a Service (SaaS) provider that covers uptime, response times, downtime notifications, support avenues, and support content." + }, { + "name" : "guidance", + "id" : "pm-8_gdn", + "prose" : "Ensure that the service level agreement is regularly checked for compliance." + } ], + "props" : [ { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "risk-statement", + "value" : "Without a service level agreement the availability of the Software as a Service (SaaS) system may be poorly maintained by the provider." 
+ }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "published", + "value" : "2024-01-14T02:04:59+0800" + }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "last-modified", + "value" : "2024-01-14T02:06:19+0800" + } ] + } ] + }, { + "title" : "Infrastructure Security", + "id" : "is", + "parts" : [ { + "name" : "overview", + "prose" : "Controls to secure infrastructure that host applications, services, and data." + } ], + "controls" : [ { + "title" : "Management Agents", + "links" : [ { + "href" : "#da71948e-4dff-4a9d-a645-69ced821fe97", + "rel" : "reference", + "text" : "IM8 Cloud Security (IaaS and PaaS): 1.1/G1" + }, { + "href" : "#da71948e-4dff-4a9d-a645-69ced821fe97", + "rel" : "reference", + "text" : "IM8 Cloud Security (IaaS and PaaS): 1.4/S21" + } ], + "id" : "is-1", + "parts" : [ { + "name" : "statement", + "id" : "is-1_smt", + "prose" : "Install CSP management agents on hosts to remotely and securely manage their configurations." + }, { + "name" : "guidance", + "id" : "is-1_gdn", + "prose" : "Most CSP compute instances preinstall management agents (e.g., AWS Systems Manager Agent, Azure Windows VM Agent) by default. If the image does not come with the preinstalled agent, install manually." + } ], + "props" : [ { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "risk-statement", + "value" : "Without installing management agents on hosts, there is an increased risk of manual misconfigurations, difficulty in maintaining consistent configurations, and potential security vulnerabilities due to reduced visibility and ability to manage hosts effectively." 
+ }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "published", + "value" : "2023-09-01T16:44:29+0800" + }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "last-modified", + "value" : "2024-02-06T00:47:04+0800" + } ] + }, { + "title" : "Automated Patch Management", + "links" : [ { + "href" : "#da71948e-4dff-4a9d-a645-69ced821fe97", + "rel" : "reference", + "text" : "IM8 Cloud Security (IaaS and PaaS): 1.7/S12" + }, { + "href" : "#da71948e-4dff-4a9d-a645-69ced821fe97", + "rel" : "reference", + "text" : "IM8 Cloud Security (IaaS and PaaS): 1.8/S4" + } ], + "id" : "is-2", + "parts" : [ { + "name" : "statement", + "id" : "is-2_smt", + "prose" : "Automate patching of operating systems and applications." + }, { + "name" : "guidance", + "id" : "is-2_gdn", + "prose" : "Apply patch baselines via the CSP node management service, unless the patch management process is automated as part of the build and deploy phase. For on-premise systems, use tools like Azure Update Manager to schedule and automatically deploy patches to Windows and Linux OS." + } ], + "props" : [ { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "risk-statement", + "value" : "Failure to automate patching of operating systems and applications increases the risk of delayed or missed security updates, leaving systems vulnerable to known exploits and potential security breaches, compromising the overall security of the environment." 
+ }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "published", + "value" : "2023-09-01T16:44:29+0800" + }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "last-modified", + "value" : "2024-02-06T00:47:04+0800" + } ] + }, { + "title" : "Restricted Administrator Privileges", + "links" : [ { + "href" : "#da71948e-4dff-4a9d-a645-69ced821fe97", + "rel" : "reference", + "text" : "IM8 Cloud Security (IaaS and PaaS): 1.6/S1d" + }, { + "href" : "#da71948e-4dff-4a9d-a645-69ced821fe97", + "rel" : "reference", + "text" : "IM8 Cloud Security (IaaS and PaaS): 1.6/S1e" + }, { + "href" : "#f3057503-f399-4735-9d7b-ea9830f3b2ac", + "rel" : "reference", + "text" : "IM8 On-Premise IS (Non-S): 1.2/S2a" + } ], + "id" : "is-3", + "parts" : [ { + "name" : "statement", + "id" : "is-3_smt", + "prose" : "Restrict administrator privileges by disabling remote login for the root/administrator user and restricting sudo/administrators group access for other users." + }, { + "name" : "guidance", + "id" : "is-3_gdn", + "prose" : "Further reduce the attack surface by running common services such as the web server or database without root/administrator/system privileges." + } ], + "props" : [ { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "risk-statement", + "value" : "Without restricting administrator privileges, there is an increased risk of unauthorised access, privilege escalation, and potential security breaches, compromising the integrity and security of the system." 
+ }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "published", + "value" : "2023-09-01T16:44:29+0800" + }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "last-modified", + "value" : "2024-02-06T01:04:05+0800" + } ] + }, { + "title" : "Least Functionality", + "links" : [ { + "href" : "#0062e6a3-8ac4-44db-92df-8357b437ca0c", + "rel" : "reference", + "text" : "NIST SP 800-53 CM-7: Least Functionality" + }, { + "href" : "#da71948e-4dff-4a9d-a645-69ced821fe97", + "rel" : "reference", + "text" : "IM8 Cloud Security (IaaS and PaaS): 1.4/S7" + }, { + "href" : "#da71948e-4dff-4a9d-a645-69ced821fe97", + "rel" : "reference", + "text" : "IM8 Cloud Security (IaaS and PaaS): 1.5/S4e" + }, { + "href" : "#da71948e-4dff-4a9d-a645-69ced821fe97", + "rel" : "reference", + "text" : "IM8 Cloud Security (IaaS and PaaS): 1.7/S1b" + }, { + "href" : "#f3057503-f399-4735-9d7b-ea9830f3b2ac", + "rel" : "reference", + "text" : "IM8 On-Premise IS (Non-S): 1.2/S2c" + } ], + "id" : "is-4", + "parts" : [ { + "name" : "statement", + "id" : "is-4_smt", + "prose" : "Disable or remove unnecessary functions, system ports, protocols, software, and services on the host." + }, { + "name" : "guidance", + "id" : "is-4_gdn", + "prose" : "Follow the principle of least functionality to configure the host to carry out only its intended purpose. CSP node management services can provide an inventory of software and services (e.g., AWS Systems Manager Inventory). Vulnerability assessment scanners (e.g., AWS Inspector) can also identify software vulnerabilities and network exposure." + } ], + "props" : [ { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "risk-statement", + "value" : "Failure to disable or remove unnecessary functions, system ports, protocols, software, and services on the host increases the attack surface, potential vulnerabilities, and the risk of exploitation, compromising the overall security and performance of the system." 
+ }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "published", + "value" : "2023-09-01T16:44:29+0800" + }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "last-modified", + "value" : "2024-02-06T01:04:05+0800" + } ] + }, { + "title" : "Host System Hardening", + "links" : [ { + "href" : "#da71948e-4dff-4a9d-a645-69ced821fe97", + "rel" : "reference", + "text" : "IM8 Cloud Security (IaaS and PaaS): 1.6/G2" + }, { + "href" : "#da71948e-4dff-4a9d-a645-69ced821fe97", + "rel" : "reference", + "text" : "IM8 Cloud Security (IaaS and PaaS): 1.6/S2" + }, { + "href" : "#f3057503-f399-4735-9d7b-ea9830f3b2ac", + "rel" : "reference", + "text" : "IM8 On-Premise IS (Non-S): 1.2/S1" + } ], + "id" : "is-5", + "parts" : [ { + "name" : "statement", + "id" : "is-5_smt", + "prose" : "Harden the host configuration with reference to industry standards." + }, { + "name" : "guidance", + "id" : "is-5_gdn", + "prose" : "Select the appropriate benchmark for the host such as from the [NIST National Checklist Program](#521952dd-5c57-4277-a069-4dae6bc0c28d) or [CIS Benchmarks](#09ba067b-8923-4f22-bb31-b8619edcaa07). Automate the configuration process or use hardened images instead of manually configuring." + } ], + "props" : [ { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "risk-statement", + "value" : "Without hardening the operating system configuration according to industry standards, there's an increased risk of security vulnerabilities, unauthorised access, and potential exploitation, compromising the overall security posture and resilience of the operating system." 
+ }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "published", + "value" : "2023-09-01T16:44:29+0800" + }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "last-modified", + "value" : "2024-02-06T01:04:05+0800" + } ] + }, { + "title" : "Remote Administration", + "links" : [ { + "href" : "#229a38da-bdc1-4a59-b1cb-8904cb59d0a5", + "rel" : "reference", + "text" : "AWS SSB WKLD.06: Use Systems Manager instead of SSH or RDP" + }, { + "href" : "#da71948e-4dff-4a9d-a645-69ced821fe97", + "rel" : "reference", + "text" : "IM8 Cloud Security (IaaS and PaaS): 1.4/S21" + } ], + "id" : "is-6", + "parts" : [ { + "name" : "statement", + "id" : "is-6_smt", + "prose" : "Use remote administration tools instead of direct SSH or RDP." + }, { + "name" : "guidance", + "id" : "is-6_gdn", + "prose" : "In production environments, use remote administration (e.g., AWS Systems Manager Session Manager, AWS Systems Manager Fleet Manager, GCC Privileged Identity Management) only for break glass scenarios where remote monitoring and automation is not available. Document and remediate gaps in monitoring and automation to minimise the need for remote administration. If SSH is still required and remote administration tools are not available, only use it within a private non-production environment such as an encrypted tunnel and authenticate with short-lived certificates." + } ], + "props" : [ { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "risk-statement", + "value" : "Using remote administration tools enhances security by providing controlled and audited access, reducing the risk of unauthorised activities, and improving overall management of privileged identities." 
+ }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "published", + "value" : "2023-09-01T16:44:29+0800" + }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "last-modified", + "value" : "2024-02-06T00:47:04+0800" + } ] + }, { + "title" : "Malware Protection", + "links" : [ { + "href" : "#da71948e-4dff-4a9d-a645-69ced821fe97", + "rel" : "reference", + "text" : "IM8 Cloud Security (IaaS and PaaS): 1.6/S1a" + } ], + "id" : "is-7", + "parts" : [ { + "name" : "statement", + "id" : "is-7_smt", + "prose" : "Detect and quarantine malware on hosts with anti-malware tools." + }, { + "name" : "guidance", + "id" : "is-7_gdn", + "prose" : "Configure anti-malware tools for all compute hosts (e.g. AWS Guardduty Malware Protection, Azure Antimalware, Trend Micro CloudOne). These tools should be kept up-to-date with the latest malware signatures. Regular scans should be scheduled to detect and quarantine potential threats." + } ], + "props" : [ { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "risk-statement", + "value" : "Without malware protection, there's an increased risk of undetected malicious activities, potential data breaches, and compromise of host systems, highlighting the importance of proactive measures to ensure the security and integrity of the environment." + }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "published", + "value" : "2023-09-20T11:06:17+0800" + }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "last-modified", + "value" : "2024-02-06T00:47:04+0800" + } ] + }, { + "title" : "Endpoint Detection and Response (EDR)", + "links" : [ { + "href" : "#da71948e-4dff-4a9d-a645-69ced821fe97", + "rel" : "reference", + "text" : "IM8 Cloud Security (IaaS and PaaS): 1.6/G1a" + } ], + "id" : "is-8", + "parts" : [ { + "name" : "statement", + "id" : "is-8_smt", + "prose" : "Monitor security threats on hosts with an EDR tool." + }, { + "name" : "guidance", + "id" : "is-8_gdn", + "prose" : "Implement EDR tools for all compute hosts. 
Security incident response should be planned and documented for the tool. EDR tools with built-in malware protection should be favoured to reduce additional agents." + } ], + "props" : [ { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "risk-statement", + "value" : "Failure to monitor security threats on hosts with an Endpoint Detection and Response (EDR) tool increases the risk of undetected advanced threats, compromises in host security, and delayed response to potential security incidents, highlighting the need for continuous monitoring and proactive threat detection." + }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "published", + "value" : "2023-09-20T11:06:17+0800" + }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "last-modified", + "value" : "2024-02-06T00:47:04+0800" + } ] + }, { + "params" : [ { + "guidelines" : [ { + "prose" : "The type of asset." + } ], + "id" : "is-9_prm_1", + "label" : "type", + "class" : "str" + } ], + "title" : "End-of-Support (EOS) Assets", + "links" : [ { + "href" : "#da71948e-4dff-4a9d-a645-69ced821fe97", + "rel" : "reference", + "text" : "IM8 Cloud Security (IaaS and PaaS): 1.1/S6" + }, { + "href" : "#9749c983-5562-4a6f-8852-7eecf9b38d2c", + "rel" : "reference", + "text" : "IM8 On-Premise ADS (Non-S): 5.1/S8" + } ], + "id" : "is-9", + "parts" : [ { + "name" : "statement", + "id" : "is-9_smt", + "prose" : "Ensure deployed {{ insert: param, is-9_prm_1 }} assets have not reached end-of-support (EOS). Use of EOS assets will require risk acceptance by approved authority." + }, { + "name" : "guidance", + "id" : "is-9_gdn", + "prose" : "Identify, track and replace EOS assets in a timely manner. Regularly review assets to identify upcoming EOS timeframe and replace them ahead of EOS date." + } ], + "props" : [ { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "risk-statement", + "value" : "EOS assets can introduce security vulnerabilities as the assets are no longer provided with security fixes." 
+ }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "published", + "value" : "2023-10-27T15:48:25+0800" + }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "last-modified", + "value" : "2024-05-15T23:39:47+0800" + } ] + }, { + "title" : "Synchronise time clocks", + "links" : [ { + "href" : "#f3057503-f399-4735-9d7b-ea9830f3b2ac", + "rel" : "reference", + "text" : "IM8 On-Premise IS (Non-S): 1.2/S5" + } ], + "id" : "is-10", + "parts" : [ { + "name" : "statement", + "id" : "is-10_smt", + "prose" : "Synchronise internal clocks to a common reference time source." + }, { + "name" : "guidance", + "id" : "is-10_gdn", + "prose" : "Use common time source such as Network Time Protocol (NTP). In the cloud, it is recommended to use the default time sources provided by the CSPs." + } ], + "props" : [ { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "risk-statement", + "value" : "The lack of synchronised clocks introduces significant risks, including increased security vulnerabilities, data integrity issues, and challenges in troubleshooting." + }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "published", + "value" : "2024-02-27T15:48:25+0800" + }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "last-modified", + "value" : "2024-02-06T01:04:05+0800" + } ] + }, { + "title" : "Central Domain Name Registration", + "links" : [ { + "href" : "#3402c67f-c59f-440a-b82d-81cf4d92de90", + "rel" : "reference", + "text" : "IM8 Cloud ADO: 2.1/S1, 2.1/S2" + }, { + "href" : "#c83c5d3f-cb13-492b-9028-ab7dc717e396", + "rel" : "reference", + "text" : "MCI ICT Circular Minute No 5/2014: Internet Domain Names Registration, Management and Protection" + } ], + "id" : "is-11", + "parts" : [ { + "name" : "statement", + "id" : "is-11_smt", + "prose" : "Register .gov.sg and .edu.sg domain names with GovTech as the sole registrar." 
+ }, { + "name" : "guidance", + "id" : "is-11_gdn", + "prose" : "Use the Whole of Government Domain Name Server (DNS) portal on the IT Service Management (ITSM) portal to register domain names." + } ], + "props" : [ { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "risk-statement", + "value" : "Improper management of domain names increase the risk of phishing attacks or domain takeovers." + }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "published", + "value" : "2024-03-18T01:21:38+0800" + }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "last-modified", + "value" : "2024-05-21T00:56:33+0800" + } ] + }, { + "title" : "DNS Security Extensions (DNSSEC)", + "links" : [ { + "href" : "#f3057503-f399-4735-9d7b-ea9830f3b2ac", + "rel" : "reference", + "text" : "IM8 On-Premise IS (Non-S): 4.4/S5" + }, { + "href" : "#f3057503-f399-4735-9d7b-ea9830f3b2ac", + "rel" : "reference", + "text" : "IM8 Cloud IS (Non-S): 4.4/S5" + }, { + "href" : "#0062e6a3-8ac4-44db-92df-8357b437ca0c", + "rel" : "reference", + "text" : "NIST SP 800-53 SC-20: Secure Name/Address Resolution Service (Authoritative Source)" + } ], + "id" : "is-12", + "parts" : [ { + "name" : "statement", + "id" : "is-12_smt", + "prose" : "Implement DNS Security Extensions (DNSSEC) for public DNS records and servers." + }, { + "name" : "guidance", + "id" : "is-12_gdn", + "prose" : "DNS services such as WOG DNS, Amazon Route 53 and Cloudflare support DNSSEC configuration." + } ], + "props" : [ { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "risk-statement", + "value" : "Insecure domain name resolution can lead to man-in-the-middle attacks caused by DNS spoofing or DNS cache poisoning." 
+ }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "published", + "value" : "2024-03-18T01:17:33+0800" + }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "last-modified", + "value" : "2024-03-18T01:17:33+0800" + } ] + }, { + "title" : "Defensive Domain Name Registration", + "links" : [ { + "href" : "#f76c8617-eb15-4b80-8911-4abca5ba2d84", + "rel" : "reference", + "text" : "MCI ICT Circular Minute No 6/2021: Mandatory Defensive Registration of Internet Domain Names" + } ], + "id" : "is-13", + "parts" : [ { + "name" : "statement", + "id" : "is-13_smt", + "prose" : "Register second (.sg) and third (.com.sg, .org.sg, .net.sg, .edu.sg) level domain name variants of the system's primary domain name." + }, { + "name" : "guidance", + "id" : "is-13_gdn", + "prose" : "Consider defensive registration of domain names with typographical variants of the system's primary domain name. The Whole of Government Domain Name Server (DNS) portal on the IT Service Management (ITSM) portal automatically includes the second and third level domain names." + } ], + "props" : [ { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "risk-statement", + "value" : "Malicious use of domain names similar to actual Government domain names increases the risk of phishing and spoofing." 
+ }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "published", + "value" : "2024-05-21T01:14:44+0800" + }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "last-modified", + "value" : "2024-05-21T01:14:44+0800" + } ] + }, { + "title" : "Singapore SMS Sender ID Registry Registration", + "links" : [ { + "href" : "#17e0e48b-e687-4dbf-afb0-56adfc0bbc3e", + "rel" : "reference", + "text" : "PMO(SNDGO) Circular Minute No 4/2022: Mandatory Registration with the Singapore SMS Sender ID Registry" + }, { + "href" : "#824c06dc-a7bb-4d1a-8ea7-7ce2095ff55c", + "rel" : "reference", + "text" : "PMO(SNDGO) Circular Minute No 1/2024: Implementation of Measures to Establish Trusted Channels for Government Calls and Messages (Building Trusted Networks)" + }, { + "href" : "#31761a08-1ca2-48f2-90f5-13fc96128f45", + "rel" : "reference", + "text" : "PMO (SNDGO) Circular Minute No 2/2024: Amendments to PMO (SNDGO) Circular Minute No 1/2024: Implementation of Measures to Establish Trusted Channels for Government Calls and Messages (Building Trusted Networks)" + } ], + "id" : "is-14", + "parts" : [ { + "name" : "statement", + "id" : "is-14_smt", + "prose" : "Register and use whitelisted SMS Sender IDs with the Singapore SMS Sender ID Registry for sending SMSes." + }, { + "name" : "guidance", + "id" : "is-14_gdn", + "prose" : "Agencies must use the \"gov.sg\" Sender ID via the Postman tool to send SMSes to members of public unless exempted. Whitelist Sender IDs used to send SMSes and blacklist Sender IDs which are variants of the whitelisted Sender IDs, agency names, or names of services." + } ], + "props" : [ { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "risk-statement", + "value" : "Lack of Sender ID registration allows malicious entities to spoof legitimate Government SMSes." 
+ }, {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "published",
+ "value" : "2024-05-21T02:15:22+0800"
+ }, {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "last-modified",
+ "value" : "2024-05-21T02:15:22+0800"
+ } ]
+ } ]
+ }, {
+ "title" : "Secure Development",
+ "id" : "sd",
+ "parts" : [ {
+ "name" : "overview",
+ "prose" : "Controls to secure the development pipeline and perform source code quality assurance."
+ } ],
+ "controls" : [ {
+ "title" : "Push Protection for Secrets",
+ "links" : [ {
+ "href" : "#ee9148b4-3f31-48c8-8503-24fb5cd73db8",
+ "rel" : "reference",
+ "text" : "IM8 Cloud ADS: 6.4/G1"
+ } ],
+ "id" : "sd-1",
+ "parts" : [ {
+ "name" : "statement",
+ "id" : "sd-1_smt",
+ "prose" : "Configure the code repository to prevent secrets from being pushed to the repository."
+ }, {
+ "name" : "guidance",
+ "id" : "sd-1_gdn",
+ "prose" : "Use GitLab's push rules or GitHub's push protection to reject secrets on push."
+ } ],
+ "props" : [ {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "risk-statement",
+ "value" : "Failure to configure the code repository to prevent secrets from being pushed introduces the risk of inadvertent exposure, unauthorised access, and potential misuse of sensitive information, compromising the security of the codebase and associated systems."
+ }, {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "published",
+ "value" : "2023-09-04T21:33:34+0800"
+ }, {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "last-modified",
+ "value" : "2024-02-06T01:04:05+0800"
+ } ]
+ }, {
+ "title" : "Default Branch Push Permissions",
+ "id" : "sd-2",
+ "parts" : [ {
+ "name" : "statement",
+ "id" : "sd-2_smt",
+ "prose" : "Configure the code repository to prevent pushes (including force pushes) to the default branch."
+ }, {
+ "name" : "guidance",
+ "id" : "sd-2_gdn",
+ "prose" : "Use GitLab's protected branch and merge request settings or GitHub's branch protection settings to enforce this."
+ } ],
+ "props" : [ {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "risk-statement",
+ "value" : "Without configuring the code repository to prevent pushes, including force pushes, to the default branch, there's an increased risk of unintentional or malicious changes, potential loss of code history, and compromised version control, impacting the integrity and reliability of the software development process."
+ }, {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "published",
+ "value" : "2023-09-04T21:33:34+0800"
+ }, {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "last-modified",
+ "value" : "2023-09-07T09:39:34+0800"
+ } ]
+ }, {
+ "title" : "Continuous Integration (CI) Tests",
+ "id" : "sd-3",
+ "parts" : [ {
+ "name" : "statement",
+ "id" : "sd-3_smt",
+ "prose" : "Require Continuous Integration (CI) tests to pass before merging into the default branch."
+ }, {
+ "name" : "guidance",
+ "id" : "sd-3_gdn",
+ "prose" : "Use GitLab's protected branch and merge request settings or GitHub's branch protection settings to enforce this."
+ } ],
+ "props" : [ {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "risk-statement",
+ "value" : "Failing to require passing Continuous Integration (CI) tests before merging into the default branch increases the risk of introducing faulty code, potential regressions, and compromise of code quality."
+ }, {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "published",
+ "value" : "2023-09-04T21:33:34+0800"
+ }, {
+ "ns" : "http://tech.gov.sg/ns/oscal",
+ "name" : "last-modified",
+ "value" : "2023-09-04T21:33:34+0800"
+ } ]
+ }, {
+ "params" : [ {
+ "guidelines" : [ {
+ "prose" : "The location where static analysis occurs."
+ } ],
+ "select" : {
+ "how-many" : "one-or-more",
+ "choice" : [ "CI/CD pipeline", "static analysis platform" ]
 },
- {
- "role-id": "contact",
- "party-uuids": [
- "e738ab7c-ed26-4fe6-a1e7-f485265d50cc"
- ]
- }
- ]
- },
- "groups": [
- {
- "id": "as",
- "title": "Application Security",
- "parts": [
- {
- "name": "overview",
- "prose": "Controls to prevent application vulnerabilities caused by insecure coding."
- }
- ],
- "controls": [
- {
- "id": "as-1",
- "title": "Input Validation",
- "props": [
- {
- "name": "risk-statement",
- "value": "Without input validation, there's a heightened risk of injection attacks, data manipulation, or system crashes due to unexpected input, potentially leading to unauthorised access or disruption of services."
- },
- {
- "name": "published",
- "value": "2023-08-01T01:03:42+0800"
- },
- {
- "name": "last-modified",
- "value": "2024-02-06T01:04:05+0800"
- }
- ],
- "links": [
- {
- "href": "#8723fc45-7378-478f-b61f-2e22a170e98c",
- "rel": "reference",
- "text": "MVSP 2.5: Security libraries"
- },
- {
- "href": "#da71948e-4dff-4a9d-a645-69ced821fe97",
- "rel": "reference",
- "text": "IM8 Cloud Security (IaaS and PaaS): 1.7/S1c"
- },
- {
- "href": "#da71948e-4dff-4a9d-a645-69ced821fe97",
- "rel": "reference",
- "text": "IM8 Cloud Security (IaaS and PaaS): 1.7/S8b"
- },
- {
- "href": "#9749c983-5562-4a6f-8852-7eecf9b38d2c",
- "rel": "reference",
- "text": "IM8 On-Premise ADS (Non-S): 1.1/S1b"
- }
- ],
- "parts": [
- {
- "id": "as-1_smt",
- "name": "statement",
- "prose": "Validate all application inputs to ensure that they match the expected type, structure, or format."
- },
- {
- "id": "as-1_gdn",
- "name": "guidance",
- "prose": "Strictly validating inputs against a comprehensive schema prevents injection attacks caused by inserting special characters or content that would cause the application to perform incorrect operations."
- }
- ]
- },
- {
- "id": "as-2",
- "title": "Parameterised Interfaces",
- "props": [
- {
- "name": "risk-statement",
- "value": "Failure to use parameterised interfaces increases the vulnerability to SQL injection or command injection attacks, posing a significant risk of unauthorised access, data manipulation, or even potential system compromise."
- },
- {
- "name": "published",
- "value": "2023-08-01T01:03:42+0800"
- },
- {
- "name": "last-modified",
- "value": "2024-02-06T01:04:05+0800"
- }
- ],
- "links": [
- {
- "href": "#8723fc45-7378-478f-b61f-2e22a170e98c",
- "rel": "reference",
- "text": "MVSP 2.5: Security libraries"
- },
- {
- "href": "#da71948e-4dff-4a9d-a645-69ced821fe97",
- "rel": "reference",
- "text": "IM8 Cloud Security (IaaS and PaaS): 1.7/S8c"
- },
- {
- "href": "#9749c983-5562-4a6f-8852-7eecf9b38d2c",
- "rel": "reference",
- "text": "IM8 On-Premise ADS (Non-S): 1.1/S1c"
- }
- ],
- "parts": [
- {
- "id": "as-2_smt",
- "name": "statement",
- "prose": "Use parameterised interfaces for database queries or system commands."
- },
- {
- "id": "as-2_gdn",
- "name": "guidance",
- "prose": "Parameterised interfaces such Object-Relational Mapping (ORM) libraries ensure that parameters used in database queries or system commands are properly sanitised and prevent injection attacks."
- }
- ]
- },
- {
- "id": "as-3",
- "title": "Output Sanitisation",
- "props": [
- {
- "name": "risk-statement",
- "value": "Lack of sanitisation for application outputs used in rendering HTML documents exposes the system to the risk of cross-site scripting (XSS) attacks, allowing malicious code execution in users' browsers."
- },
- {
- "name": "published",
- "value": "2023-08-01T01:03:42+0800"
- },
- {
- "name": "last-modified",
- "value": "2024-02-06T01:04:05+0800"
- }
- ],
- "links": [
- {
- "href": "#8723fc45-7378-478f-b61f-2e22a170e98c",
- "rel": "reference",
- "text": "MVSP 2.5: Security libraries"
- },
- {
- "href": "#da71948e-4dff-4a9d-a645-69ced821fe97",
- "rel": "reference",
- "text": "IM8 Cloud Security (IaaS and PaaS): 1.7/S8e"
- },
- {
- "href": "#9749c983-5562-4a6f-8852-7eecf9b38d2c",
- "rel": "reference",
- "text": "IM8 On-Premise ADS (Non-S): 1.1/S1e,k,l"
- }
- ],
- "parts": [
- {
- "id": "as-3_smt",
- "name": "statement",
- "prose": "Sanitise all application outputs that will be used to render a HTML document."
- },
- {
- "id": "as-3_gdn",
- "name": "guidance",
- "prose": "Any application outputs that are returned to the requester and used to render a HTML document can lead to cross-site scripting (XSS) attacks if they contain special characters that change the rendering of the HTML document by the browser."
- }
- ]
- },
- {
- "id": "as-4",
- "title": "Authentication Mechanism Rate-Limiting",
- "props": [
- {
- "name": "risk-statement",
- "value": "Without rate-limiting, there's an increased risk of unauthorised access as attackers may exploit weak credentials through repeated login attempts."
- },
- {
- "name": "published",
- "value": "2023-08-01T01:03:42+0800"
- },
- {
- "name": "last-modified",
- "value": "2024-02-06T01:04:05+0800"
- }
- ],
- "links": [
- {
- "href": "#8723fc45-7378-478f-b61f-2e22a170e98c",
- "rel": "reference",
- "text": "MVSP 2.4: Password policy"
- },
- {
- "href": "#ee9148b4-3f31-48c8-8503-24fb5cd73db8",
- "rel": "reference",
- "text": "IM8 Cloud ADS: 2.2/S1j, 2.2/S5b"
- },
- {
- "href": "#9749c983-5562-4a6f-8852-7eecf9b38d2c",
- "rel": "reference",
- "text": "IM8 On-Premise ADS (Non-S): 2.2/S5"
- }
- ],
- "parts": [
- {
- "id": "as-4_smt",
- "name": "statement",
- "prose": "Apply rate-limiting on all authentication mechanisms to deter brute-force attacks."
- },
- {
- "id": "as-4_gdn",
- "name": "guidance",
- "prose": "Consider rate-limiting to a maximum of 3 consecutive failed authentication attempts within 15 minutes. Time delays between log-on attempts reduce the risk of successful brute-forcing attacks. Bot mitigation tools such as CAPTCHA can further reduce this risk."
- }
- ]
- },
- {
- "id": "as-5",
- "title": "Password Requirements",
- "params": [
- {
- "id": "as-5_prm_1",
- "class": "int",
- "label": "number of characters",
- "guidelines": [
- {
- "prose": "The minimum length of a password."
- }
- ]
- },
- {
- "id": "as-5_prm_2",
- "class": "str",
- "label": "policy",
- "guidelines": [
- {
- "prose": "The password policy."
- }
- ]
- }
- ],
- "props": [
- {
- "name": "risk-statement",
- "value": "Short or commonly used passwords increase the vulnerability to unauthorised access, potentially leading to compromised accounts and unauthorised activities on the system."
- },
- {
- "name": "published",
- "value": "2023-08-01T01:03:42+0800"
- },
- {
- "name": "last-modified",
- "value": "2024-02-09T22:54:15+0800"
- }
- ],
- "links": [
- {
- "href": "#8723fc45-7378-478f-b61f-2e22a170e98c",
- "rel": "reference",
- "text": "MVSP 2.4: Password policy"
- },
- {
- "href": "#0062e6a3-8ac4-44db-92df-8357b437ca0c",
- "rel": "reference",
- "text": "NIST SP 800-53 IA-5(1): Password-based Authentication"
- },
- {
- "href": "#da71948e-4dff-4a9d-a645-69ced821fe97",
- "rel": "reference",
- "text": "IM8 Cloud Security (IaaS and PaaS): 1.4/S1a"
- },
- {
- "href": "#da71948e-4dff-4a9d-a645-69ced821fe97",
- "rel": "reference",
- "text": "IM8 Cloud Security (IaaS and PaaS): 1.4/S2a"
- },
- {
- "href": "#9749c983-5562-4a6f-8852-7eecf9b38d2c",
- "rel": "reference",
- "text": "IM8 On-Premise ADS (Non-S): 2.2/S1"
- }
- ],
- "parts": [
- {
- "id": "as-5_smt",
- "name": "statement",
- "prose": "Where SSO or passwordless is not supported, verify that user-defined passwords are at least {{ insert: param, as-5_prm_1 }} characters in length and {{ insert: param, as-5_prm_2 }}."
- },
- {
- "id": "as-5_gdn",
- "name": "guidance",
- "prose": "Latest NIST [SP 800-63B](#e59c5a7c-8b1f-49ca-8de0-6ee0882180ce) guidelines found that password length is a primary factor in determining the strength of a password while composition and complexity rules provide marginal security benefits."
- }
- ]
- },
- {
- "id": "as-6",
- "title": "Password Salting and Hashing",
- "props": [
- {
- "name": "risk-statement",
- "value": "Without salting and hashing, in case of a data breach, exposed passwords can be easily extracted, leading to potential compromise of user accounts and sensitive information."
- },
- {
- "name": "published",
- "value": "2023-08-01T01:03:42+0800"
- },
- {
- "name": "last-modified",
- "value": "2024-02-06T01:04:05+0800"
- }
- ],
- "links": [
- {
- "href": "#8723fc45-7378-478f-b61f-2e22a170e98c",
- "rel": "reference",
- "text": "MVSP 2.4: Password policy"
- },
- {
- "href": "#da71948e-4dff-4a9d-a645-69ced821fe97",
- "rel": "reference",
- "text": "IM8 Cloud Security (IaaS and PaaS): 1.4/S3"
- },
- {
- "href": "#9749c983-5562-4a6f-8852-7eecf9b38d2c",
- "rel": "reference",
- "text": "IM8 On-Premise ADS (Non-S): 2.2/S3"
- }
- ],
- "parts": [
- {
- "id": "as-6_smt",
- "name": "statement",
- "prose": "Store passwords as salted hashes using a password hashing scheme that is resistant to offline attacks such as those described in NIST [SP 800-63b](#e59c5a7c-8b1f-49ca-8de0-6ee0882180ce). The salt should be:",
- "parts": [
- {
- "id": "as-6_smt.1",
- "name": "item",
- "props": [
- {
- "name": "label",
- "value": "1"
- }
- ],
- "prose": "Generated using a cryptographically secure pseudo-random number generator in accordance with industry standards;"
- },
- {
- "id": "as-6_smt.2",
- "name": "item",
- "props": [
- {
- "name": "label",
- "value": "2"
- }
- ],
- "prose": "At least 32 bits long; and"
- },
- {
- "id": "as-6_smt.3",
- "name": "item",
- "props": [
- {
- "name": "label",
- "value": "3"
- }
- ],
- "prose": "Randomly generated for each account."
- }
- ]
- },
- {
- "id": "as-6_gdn",
- "name": "guidance",
- "prose": "Refer to NIST [SP 800-90Ar1](#64357b22-9868-4453-9b9e-36c2665d12b3) for suitable pseudo-random number generators. Refer to NIST [SP 800-63b](#e59c5a7c-8b1f-49ca-8de0-6ee0882180ce) Memorized Secret Verifiers section for suitable hashing schemes, including Argon2, scrypt, and PBKDF2. 
For application source code, use a cryptographically secure pseudo-random number generator function instead of an insecure one, such as crypto.randomBytes instead of Math.random in Node.js and java.security.SecureRandom.nextBytes instead of java.util.Random in Java."
- }
- ]
- },
- {
- "id": "as-7",
- "title": "Access Control Check Enforcement",
- "props": [
- {
- "name": "risk-statement",
- "value": "Failure to perform access control checks on authenticated requests increases the risk of unauthorised access to sensitive data or functionalities, potentially leading to data breaches and misuse of system resources."
- },
- {
- "name": "published",
- "value": "2023-08-01T01:03:42+0800"
- },
- {
- "name": "last-modified",
- "value": "2024-02-06T00:47:04+0800"
- }
- ],
- "links": [
- {
- "href": "#8723fc45-7378-478f-b61f-2e22a170e98c",
- "rel": "reference",
- "text": "MVSP 3.3: Vulnerability prevention"
- },
- {
- "href": "#da71948e-4dff-4a9d-a645-69ced821fe97",
- "rel": "reference",
- "text": "IM8 Cloud Security (IaaS and PaaS): 1.7/S8a"
- }
- ],
- "parts": [
- {
- "id": "as-7_smt",
- "name": "statement",
- "prose": "Perform access control checks on all authenticated requests."
- },
- {
- "id": "as-7_gdn",
- "name": "guidance",
- "prose": "Utilise authorisation filters or middleware to force all authenticated requests to undergo access control checks."
- }
- ]
- },
- {
- "id": "as-8",
- "title": "Application Secrets Management",
- "props": [
- {
- "name": "risk-statement",
- "value": "Exposure of sensitive information and unauthorised access to system credentials may occur if application secrets are stored without encryption or if hard-coded in source code."
- },
- {
- "name": "published",
- "value": "2023-08-01T01:03:42+0800"
- },
- {
- "name": "last-modified",
- "value": "2024-02-06T01:04:05+0800"
- }
- ],
- "links": [
- {
- "href": "#da71948e-4dff-4a9d-a645-69ced821fe97",
- "rel": "reference",
- "text": "IM8 Cloud Security (IaaS and PaaS): 1.7/S11"
- },
- {
- "href": "#9749c983-5562-4a6f-8852-7eecf9b38d2c",
- "rel": "reference",
- "text": "IM8 On-Premise ADS (Non-S): 1.1/S1f, 2.2/S4, 3.1/S1 and 3.1/S4"
- }
- ],
- "parts": [
- {
- "id": "as-8_smt",
- "name": "statement",
- "prose": "Encrypt and store application secrets in a secret management solution with appropriate access controls and do not hard-code secrets in source code."
- },
- {
- "id": "as-8_gdn",
- "name": "guidance",
- "prose": "Secret management solutions include cloud solutions like AWS Secrets Manager and Azure Key Vault as well as cloud-agnostic solutions like HashiCorp Vault and CyberArk Conjur."
- }
- ]
- },
- {
- "id": "as-9",
- "title": "Content Security Policy (CSP)",
- "props": [
- {
- "name": "risk-statement",
- "value": "Without minimally permissive Content Security Policy (CSP) headers, the risk of cross-site scripting attacks, leading to unauthorised script execution and potential data theft, is increased."
- },
- {
- "name": "published",
- "value": "2023-08-01T01:03:42+0800"
- },
- {
- "name": "last-modified",
- "value": "2024-02-06T00:47:04+0800"
- }
- ],
- "links": [
- {
- "href": "#8723fc45-7378-478f-b61f-2e22a170e98c",
- "rel": "reference",
- "text": "MVSP 2.3: Security Headers"
- },
- {
- "href": "#da71948e-4dff-4a9d-a645-69ced821fe97",
- "rel": "reference",
- "text": "IM8 Cloud Security (IaaS and PaaS): 1.7/G7"
- }
- ],
- "parts": [
- {
- "id": "as-9_smt",
- "name": "statement",
- "prose": "Set minimally permissive CSP response headers to mitigate cross-site scripting attacks."
- },
- {
- "id": "as-9_gdn",
- "name": "guidance",
- "prose": "Utilise the relevant fetch directives such as `default-src`, `script-src`, `style-src`, `connect-src`, `img-src`, `media-src` and `object-src` to prevent loading of scripts from malicious sources. Refer to the [OWASP Secure Headers Project](#3101b27c-d39c-49fc-b227-e77df8c5e358) Best Practices for recommended header values."
- }
- ]
- },
- {
- "id": "as-10",
- "title": "HTTP Strict Transport Security (HSTS)",
- "props": [
- {
- "name": "risk-statement",
- "value": "Failure to implement HTTP Strict Transport Security (HSTS) with a sufficient maximum age may expose the system to protocol downgrade attacks, compromising the security of communication channels."
- },
- {
- "name": "published",
- "value": "2023-10-24T13:54:12+0800"
- },
- {
- "name": "last-modified",
- "value": "2024-02-06T00:47:04+0800"
- }
- ],
- "links": [
- {
- "href": "#da71948e-4dff-4a9d-a645-69ced821fe97",
- "rel": "reference",
- "text": "IM8 Cloud Security (IaaS and PaaS): 1.7/G4"
- }
- ],
- "parts": [
- {
- "id": "as-10_smt",
- "name": "statement",
- "prose": "Set HTTP Strict Transport Security (HSTS) response headers with a maximum age value of at least 1 year (31536000 seconds) to mitigate protocol downgrade attacks."
- },
- {
- "id": "as-10_gdn",
- "name": "guidance",
- "prose": "Refer to the [OWASP Secure Headers Project](#3101b27c-d39c-49fc-b227-e77df8c5e358) Best Practices for recommended header values."
- }
- ]
- },
- {
- "id": "as-11",
- "title": "Session Management",
- "params": [
- {
- "id": "as-11_prm_1",
- "class": "int",
- "label": "time period (hours)",
- "guidelines": [
- {
- "prose": "The maximum time period in hours of a user's session."
- }
- ]
- }
- ],
- "props": [
- {
- "name": "risk-statement",
- "value": "Not verifying a user regularly and at suitable checkpoints could allow someone who has access to the user's account to carry out unauthorised actions."
- },
- {
- "name": "published",
- "value": "2024-01-02T16:00:00+0000"
- },
- {
- "name": "last-modified",
- "value": "2024-02-09T22:54:15+0800"
- }
- ],
- "links": [
- {
- "href": "#0062e6a3-8ac4-44db-92df-8357b437ca0c",
- "rel": "reference",
- "text": "NIST SP 800-53 AC-12: Session Termination"
- },
- {
- "href": "#0062e6a3-8ac4-44db-92df-8357b437ca0c",
- "rel": "reference",
- "text": "NIST SP 800-53 IA-11: Re-authentication"
- },
- {
- "href": "#ee9148b4-3f31-48c8-8503-24fb5cd73db8",
- "rel": "reference",
- "text": "IM8 Cloud ADS: 2.5/S2"
- },
- {
- "href": "#e59c5a7c-8b1f-49ca-8de0-6ee0882180ce",
- "rel": "reference",
- "text": "NIST SP 800-63B 4.2.3: Reauthentication"
- },
- {
- "href": "#9749c983-5562-4a6f-8852-7eecf9b38d2c",
- "rel": "reference",
- "text": "IM8 On-Premise ADS (Non-S): 2.5/S2"
- }
- ],
- "parts": [
- {
- "id": "as-11_smt",
- "name": "statement",
- "prose": "Require users to re-authenticate after their session exceeds {{ insert: param, as-11_prm_1 }} hour(s) or terminate the session."
- },
- {
- "id": "as-11_gdn",
- "name": "guidance",
- "prose": "NIST SP 800-63B recommends re-authentication once per 30 days for Authenticator Assurance Level 1, 12 hours or 30 minutes inactivity for Authenticator Assurance Level 2, and 12 hours or 15 minutes inactivity for Authenticator Assurance Level 3. In addition to time period, system can consider re-authentication when roles, authenticators or credentials change or when the execution of privileged functions occurs."
- }
- ]
- },
- {
- "id": "as-12",
- "title": "Malware Scanning of Uploaded Files",
- "props": [
- {
- "name": "risk-statement",
- "value": "Without scanning uploaded files for malware, there's an increased risk of exploits or infection for consumers of the files."
- },
- {
- "name": "published",
- "value": "2024-04-16T16:00:00+0000"
- },
- {
- "name": "last-modified",
- "value": "2024-04-16T16:00:00+0000"
- }
- ],
- "links": [
- {
- "href": "#0062e6a3-8ac4-44db-92df-8357b437ca0c",
- "rel": "reference",
- "text": "NIST SP 800-53 SI-3: Malicious Code Protection"
- }
- ],
- "parts": [
- {
- "id": "as-12_smt",
- "name": "statement",
- "prose": "Scan file uploads for malware before further processing by the system or users."
- },
- {
- "id": "as-12_gdn",
- "name": "guidance",
- "prose": "Consider uploading the files to temporary storage for malware scanning on ephemeral compute like serverless functions before moving safe files to another storage for further processing or unsafe files to quarantine storage."
- }
- ]
- }
- ]
- },
- {
- "id": "sc",
- "title": "Software Supply Chain",
- "parts": [
- {
- "name": "overview",
- "prose": "Controls to prevent tampering and improve the integrity of the software supply chain."
- }
- ],
- "controls": [
- {
- "id": "sc-1",
- "title": "Code Repository",
- "props": [
- {
- "name": "risk-statement",
- "value": "Absence of centralised code repository and version control increases the risk of code inconsistencies, loss of code history, and difficulties in collaboration, potentially leading to errors and security vulnerabilities."
- },
- {
- "name": "published",
- "value": "2023-08-01T01:03:42+0800"
- },
- {
- "name": "last-modified",
- "value": "2024-02-06T01:04:05+0800"
- }
- ],
- "links": [
- {
- "href": "#ee9148b4-3f31-48c8-8503-24fb5cd73db8",
- "rel": "reference",
- "text": "IM8 Cloud ADS: 7.1/S1"
- },
- {
- "href": "#9749c983-5562-4a6f-8852-7eecf9b38d2c",
- "rel": "reference",
- "text": "IM8 On-Premise ADS (Non-S): 6.1/S1"
- }
- ],
- "parts": [
- {
- "id": "sc-1_smt",
- "name": "statement",
- "prose": "Manage the codebase in a central code repository with version control."
- },
- {
- "id": "sc-1_gdn",
- "name": "guidance",
- "prose": "Use common platforms such as SHIP-HATS 2.0 GitLab or equivalents."
- }
- ]
- },
- {
- "id": "sc-2",
- "title": "Commit Signing",
- "props": [
- {
- "name": "risk-statement",
- "value": "Allowing unsigned commits in the code repository introduces the risk of unauthorised or malicious code changes, compromising the integrity and security of the software development process."
- },
- {
- "name": "published",
- "value": "2023-08-01T01:03:42+0800"
- },
- {
- "name": "last-modified",
- "value": "2023-09-04T21:33:34+0800"
- }
- ],
- "parts": [
- {
- "id": "sc-2_smt",
- "name": "statement",
- "prose": "Configure the code repository to reject unsigned commits."
- },
- {
- "id": "sc-2_gdn",
- "name": "guidance",
- "prose": "Use GitLab's push rules, GitHub's branch protection rules or similar code repository controls to reject unsigned commits on push."
- }
- ]
- },
- {
- "id": "sc-3",
- "title": "Peer Review",
- "props": [
- {
- "name": "risk-statement",
- "value": "Without peer review and approval before merging, there is an increased risk of introducing undetected coding errors, security vulnerabilities, and maintaining codebase consistency may become challenging."
- },
- {
- "name": "published",
- "value": "2023-08-02T11:48:56+0800"
- },
- {
- "name": "last-modified",
- "value": "2024-02-06T01:04:05+0800"
- }
- ],
- "links": [
- {
- "href": "#da71948e-4dff-4a9d-a645-69ced821fe97",
- "rel": "reference",
- "text": "IM8 Cloud Security (IaaS and PaaS): 1.1/S2"
- },
- {
- "href": "#ee9148b4-3f31-48c8-8503-24fb5cd73db8",
- "rel": "reference",
- "text": "IM8 Cloud ADS: 8.1/G1"
- },
- {
- "href": "#9749c983-5562-4a6f-8852-7eecf9b38d2c",
- "rel": "reference",
- "text": "IM8 On-Premise ADS (Non-S): 8.1/G1"
- }
- ],
- "parts": [
- {
- "id": "sc-3_smt",
- "name": "statement",
- "prose": "Require peer review and approval by a designated reviewer before merging into the default branch."
- },
- {
- "id": "sc-3_gdn",
- "name": "guidance",
- "prose": "Use GitLab's protected branch and merge request settings, GitHub's branch protection settings or similar code repository controls to enforce this."
- }
- ]
- },
- {
- "id": "sc-4",
- "title": "Dependency Manifest Version Pinning",
- "props": [
- {
- "name": "risk-statement",
- "value": "Failure to pin direct and transitive dependency versions in the application's manifest may lead to version drift, introducing compatibility issues, security vulnerabilities, and unpredictability in the software environment."
- },
- {
- "name": "published",
- "value": "2023-08-02T11:48:56+0800"
- },
- {
- "name": "last-modified",
- "value": "2024-02-06T01:04:05+0800"
- }
- ],
- "links": [
- {
- "href": "#438199c5-6b38-4704-88d6-a902ee08a433",
- "rel": "reference",
- "text": "SLSA Build L1: Provenance exists"
- },
- {
- "href": "#ee9148b4-3f31-48c8-8503-24fb5cd73db8",
- "rel": "reference",
- "text": "IM8 Cloud ADS: 8.1/G4"
- },
- {
- "href": "#9749c983-5562-4a6f-8852-7eecf9b38d2c",
- "rel": "reference",
- "text": "IM8 On-Premise ADS (Non-S): 8.1/G4"
- }
- ],
- "parts": [
- {
- "id": "sc-4_smt",
- "name": "statement",
- "prose": "Pin direct and transitive dependency versions in the application's dependency manifest."
- },
- {
- "id": "sc-4_gdn",
- "name": "guidance",
- "prose": "Dependency manifests such as package-lock.json for npm and Pipfile.lock for pipenv allow you to pin dependency versions."
- }
- ]
- },
- {
- "id": "sc-5",
- "title": "Automated Build and Deploy",
- "props": [
- {
- "name": "risk-statement",
- "value": "Inconsistent system provisioning and operation, without automation, may lead to configuration drift, increased likelihood of errors, and heightened vulnerability to security breaches due to manual misconfigurations."
- },
- {
- "name": "published",
- "value": "2023-08-02T11:48:56+0800"
- },
- {
- "name": "last-modified",
- "value": "2024-02-16T01:34:37+0800"
- }
- ],
- "links": [
- {
- "href": "#8723fc45-7378-478f-b61f-2e22a170e98c",
- "rel": "reference",
- "text": "MVSP 3.5: Build process"
- },
- {
- "href": "#438199c5-6b38-4704-88d6-a902ee08a433",
- "rel": "reference",
- "text": "SLSA Build L1: Provenance exists"
- },
- {
- "href": "#da71948e-4dff-4a9d-a645-69ced821fe97",
- "rel": "reference",
- "text": "IM8 Cloud Security (IaaS and PaaS): 1.7/S22"
- },
- {
- "href": "#ee9148b4-3f31-48c8-8503-24fb5cd73db8",
- "rel": "reference",
- "text": "IM8 Cloud ADS: 6.1/G4"
- }
- ],
- "parts": [
- {
- "id": "sc-5_smt",
- "name": "statement",
- "prose": "Provision and operate systems in a consistent manner using automation."
- },
- {
- "id": "sc-5_gdn",
- "name": "guidance",
- "prose": "Deploy and maintain Infrastructure and Applications with automated and repeatable tools such as CI/CD Pipelines, Infrastructure as Code (IaC) and other scripts. Automated build and deploy pipelines allow for signing and validation of build artefacts. Do not make manual changes directly into production systems."
- }
- ]
- },
- {
- "id": "sc-6",
- "title": "Dependency Installation during Deployment",
- "props": [
- {
- "name": "risk-statement",
- "value": "Failure to install only pinned versions of dependencies during deployment increases the risk of introducing unforeseen changes, compatibility issues, and potential security vulnerabilities into the deployed environment."
- },
- {
- "name": "published",
- "value": "2023-08-02T11:48:56+0800"
- },
- {
- "name": "last-modified",
- "value": "2024-03-31T23:54:33+0800"
- }
- ],
- "links": [
- {
- "href": "#438199c5-6b38-4704-88d6-a902ee08a433",
- "rel": "reference",
- "text": "SLSA Build L1: Provenance exists"
- }
- ],
- "parts": [
- {
- "id": "sc-6_smt",
- "name": "statement",
- "prose": "When installing dependencies during deployment, only install pinned versions in the manifest."
- },
- {
- "id": "sc-6_gdn",
- "name": "guidance",
- "prose": "Use package manager commands such as npm ci for npm and pipenv sync for pipenv that ensure only versions specified in the manifest are installed rather than the latest version."
- }
- ]
- },
- {
- "id": "sc-7",
- "title": "Software Artefact Signing",
- "props": [
- {
- "name": "risk-statement",
- "value": "Unsigned code and container images pose a risk of tampering, impersonation, and the injection of malicious code during the build process, compromising the integrity and security of the deployed software."
- },
- {
- "name": "published",
- "value": "2023-08-02T11:48:56+0800"
- },
- {
- "name": "last-modified",
- "value": "2024-03-31T23:54:39+0800"
- }
- ],
- "links": [
- {
- "href": "#438199c5-6b38-4704-88d6-a902ee08a433",
- "rel": "reference",
- "text": "SLSA Build L2: Hosted build platform"
- },
- {
- "href": "#ee9148b4-3f31-48c8-8503-24fb5cd73db8",
- "rel": "reference",
- "text": "IM8 Cloud ADS: 1.7/G9"
- },
- {
- "href": "#ee9148b4-3f31-48c8-8503-24fb5cd73db8",
- "rel": "reference",
- "text": "IM8 Cloud ADS: 8.1/G1"
- }
- ],
- "parts": [
- {
- "id": "sc-7_smt",
- "name": "statement",
- "prose": "Sign software artefacts such as code and container images using a trusted source during build."
- },
- {
- "id": "sc-7_gdn",
- "name": "guidance",
- "prose": "Use tools or services like Cosign or AWS Signer to sign and verify code."
- }
- ]
- },
- {
- "id": "sc-8",
- "title": "Software Artefact Signature Verification",
- "props": [
- {
- "name": "risk-statement",
- "value": "Without verifying the signatures of code and artefacts before deployment or runtime, there's an increased risk of deploying tampered or malicious software, compromising the integrity and security of the system."
- },
- {
- "name": "published",
- "value": "2023-08-02T11:48:56+0800"
- },
- {
- "name": "last-modified",
- "value": "2024-03-31T23:54:45+0800"
- }
- ],
- "links": [
- {
- "href": "#438199c5-6b38-4704-88d6-a902ee08a433",
- "rel": "reference",
- "text": "SLSA Build L2: Hosted build platform"
- },
- {
- "href": "#da71948e-4dff-4a9d-a645-69ced821fe97",
- "rel": "reference",
- "text": "IM8 Cloud ADS: 1.7/G9"
- },
- {
- "href": "#da71948e-4dff-4a9d-a645-69ced821fe97",
- "rel": "reference",
- "text": "IM8 Cloud Security (IaaS and PaaS): 1.7/S20"
- },
- {
- "href": "#ee9148b4-3f31-48c8-8503-24fb5cd73db8",
- "rel": "reference",
- "text": "IM8 Cloud ADS: 8.1/G12"
- }
- ],
- "parts": [
- {
- "id": "sc-8_smt",
- "name": "statement",
- "prose": "Verify the signatures of code and artefacts before deployment or runtime."
- },
- {
- "id": "sc-8_gdn",
- "name": "guidance",
- "prose": "Implement a signature verification step such as a pipeline stage or Kubernetes Admission Controller."
- }
- ]
- },
- {
- "id": "sc-9",
- "title": "Internal Code Collaboration and Sharing",
- "props": [
- {
- "name": "risk-statement",
- "value": "Restricting code repositories to closed source can result in duplicated efforts, hinder collaborative learning, and lead to missed bugs or vulnerabilities."
- },
- {
- "name": "published",
- "value": "2024-01-25T00:00:00+0800"
- },
- {
- "name": "last-modified",
- "value": "2024-03-31T23:54:54+0800"
- }
- ],
- "links": [
- {
- "href": "#59a45aeb-ab47-406c-875f-0ebbc4ec00e1",
- "rel": "reference",
- "text": "Singapore Government Developer Portal - Innersource"
- }
- ],
- "parts": [
- {
- "id": "sc-9_smt",
- "name": "statement",
- "prose": "Share source code within Government to enhance code quality, accelerate innovation, and improve problem-solving efficiency."
- },
- {
- "id": "sc-9_gdn",
- "name": "guidance",
- "prose": "Adopt Innersource practices for internal collaboration, utilizing platforms like SHIP-HATS GitLab to manage and share code repositories in Government. Source code should be evaluated for suitability for innersourcing, such as the use of confidential algorithms or embedded sensitive data. The Innersource guidelines published in Developers Portal provide a useful framework for code sharing."
- }
- ]
- }
- ]
- },
- {
- "id": "st",
- "title": "Security Testing",
- "parts": [
- {
- "name": "overview",
- "prose": "Controls to validate the security of a system via internal and external testing."
- }
- ],
- "controls": [
- {
- "id": "st-1",
- "title": "Vulnerability Assessment",
- "params": [
- {
- "id": "st-1_prm_1",
- "class": "str",
- "label": "type",
- "guidelines": [
- {
- "prose": "The type of vulnerability assessment scanning."
- }
- ]
- }
- ],
- "props": [
- {
- "name": "risk-statement",
- "value": "Without regular vulnerability assessment scans, hosts remain exposed to undetected security vulnerabilities or misconfigurations, increasing the risk of exploitation and unauthorised access to critical systems."
- },
- {
- "name": "published",
- "value": "2023-08-02T10:22:32+0800"
- },
- {
- "name": "last-modified",
- "value": "2024-05-10T01:26:00+0800"
- }
- ],
- "links": [
- {
- "href": "#da71948e-4dff-4a9d-a645-69ced821fe97",
- "rel": "reference",
- "text": "IM8 Cloud Security (IaaS and PaaS): 1.8/S1"
- }
- ],
- "parts": [
- {
- "id": "st-1_smt",
- "name": "statement",
- "prose": "Run regular {{ insert: param, st-1_prm_1 }} vulnerability assessment scans for eligible hosts."
- },
- {
- "id": "st-1_gdn",
- "name": "guidance",
- "prose": "Select agent-based or network-based scans as necessary. Implement authenticated scans where possible for greater coverage. Use scanners such as Amazon Inspector or Microsoft Defender for Cloud for continuous scanning of cloud systems. For on-premises systems or systems that require periodic scans, subscribe to Vulnerability Management System (VMS)."
- }
- ]
- },
- {
- "id": "st-2",
- "title": "Cloud Security Posture Management",
- "props": [
- {
- "name": "risk-statement",
- "value": "Lack of continuous configuration scans through cloud security posture management increases the risk of misconfigurations in cloud assets, leading to security vulnerabilities, data breaches, and unauthorised access."
- },
- {
- "name": "published",
- "value": "2023-08-02T10:22:32+0800"
- },
- {
- "name": "last-modified",
- "value": "2024-02-06T00:47:04+0800"
- }
- ],
- "links": [
- {
- "href": "#da71948e-4dff-4a9d-a645-69ced821fe97",
- "rel": "reference",
- "text": "IM8 Cloud Security (IaaS and PaaS): 1.1/S6"
- }
- ],
- "parts": [
- {
- "id": "st-2_smt",
- "name": "statement",
- "prose": "Set up cloud security posture management that performs continuous configuration scans on cloud assets."
- },
- {
- "id": "st-2_gdn",
- "name": "guidance",
- "prose": "Use cloud security posture management tools such as CloudSCAPE, AWS Security Hub, and Datadog Cloud Security Posture Management."
- }
- ]
- },
- {
- "id": "st-3",
- "title": "Vulnerability Disclosure Programme",
- "props": [
- {
- "name": "risk-statement",
- "value": "Publicly disclosing vulnerabilities without following a responsible disclosure process increases the risk of malicious exploitation; responsible disclosure via the Government Vulnerability Disclosure Programme ensures a coordinated and secure approach to addressing vulnerabilities."
- },
- {
- "name": "published",
- "value": "2023-08-02T10:22:32+0800"
- },
- {
- "name": "last-modified",
- "value": "2024-02-06T01:04:05+0800"
- }
- ],
- "links": [
- {
- "href": "#8723fc45-7378-478f-b61f-2e22a170e98c",
- "rel": "reference",
- "text": "MVSP 1.1: Vulnerability reports"
- },
- {
- "href": "#9749c983-5562-4a6f-8852-7eecf9b38d2c",
- "rel": "reference",
- "text": "IM8 On-Premise ADS (Non-S): 5.1/S4"
- }
- ],
- "parts": [
- {
- "id": "st-3_smt",
- "name": "statement",
- "prose": "Display a way to responsibly disclose vulnerabilities via the Government Vulnerability Disclosure Programme."
- },
- {
- "id": "st-3_gdn",
- "name": "guidance",
- "prose": "Add a link to https://go.gov.sg/report-vulnerability on all pages, such as in the footer."
- }
- ]
- },
- {
- "id": "st-4",
- "title": "Penetration Testing",
- "params": [
- {
- "id": "st-4_prm_1",
- "class": "int",
- "label": "time period (days)",
- "guidelines": [
- {
- "prose": "The time period in days of penetration testing frequency."
- }
- ]
- }
- ],
- "props": [
- {
- "name": "risk-statement",
- "value": "Without conducting and documenting penetration tests, there's an increased risk of undetected security weaknesses, leaving the application susceptible to exploitation, data breaches, and unauthorised access."
- },
- {
- "name": "published",
- "value": "2023-08-02T10:22:32+0800"
- },
- {
- "name": "last-modified",
- "value": "2024-02-09T22:54:15+0800"
- }
- ],
- "links": [
- {
- "href": "#8723fc45-7378-478f-b61f-2e22a170e98c",
- "rel": "reference",
- "text": "MVSP 1.4: External testing"
- },
- {
- "href": "#da71948e-4dff-4a9d-a645-69ced821fe97",
- "rel": "reference",
- "text": "IM8 Cloud Security (IaaS and PaaS): 1.8/S1"
- },
- {
- "href": "#9749c983-5562-4a6f-8852-7eecf9b38d2c",
- "rel": "reference",
- "text": "IM8 On-Premise ADS (Non-S): 4.1/S1"
- }
- ],
- "parts": [
- {
- "id": "st-4_smt",
- "name": "statement",
- "prose": "Conduct and document a penetration test by internal teams or independent external parties every {{ insert: param, st-4_prm_1 }} day(s)."
- },
- {
- "id": "st-4_gdn",
- "name": "guidance",
- "prose": "A white-box penetration test should be performed to effectively test the application."
- }
- ]
- },
- {
- "id": "st-5",
- "title": "Vulnerability Management",
- "params": [
- {
- "id": "st-5_prm_1",
- "class": "int",
- "label": "time period (days)",
- "guidelines": [
- {
- "prose": "The time period in days to remediate or risk accept critical vulnerability findings."
- }
- ]
- },
- {
- "id": "st-5_prm_2",
- "class": "int",
- "label": "time period (days)",
- "guidelines": [
- {
- "prose": "The time period in days to remediate or risk accept high vulnerability findings."
- }
- ]
- },
- {
- "id": "st-5_prm_3",
- "class": "int",
- "label": "time period (days)",
- "guidelines": [
- {
- "prose": "The time period in days to remediate or risk accept medium vulnerability findings."
- }
- ]
- },
- {
- "id": "st-5_prm_4",
- "class": "int",
- "label": "time period (days)",
- "guidelines": [
- {
- "prose": "The time period in days to remediate or risk accept low vulnerability findings."
- }
- ]
- }
- ],
- "props": [
- {
- "name": "risk-statement",
- "value": "Failure to promptly remediate vulnerabilities increases the risk of potential exploits, security breaches, and prolonged exposure to known vulnerabilities in the system."
- },
- {
- "name": "published",
- "value": "2023-08-02T10:22:32+0800"
- },
- {
- "name": "last-modified",
- "value": "2024-02-09T22:54:15+0800"
- }
- ],
- "links": [
- {
- "href": "#8723fc45-7378-478f-b61f-2e22a170e98c",
- "rel": "reference",
- "text": "MVSP 3.4: Time to fix vulnerabilities"
- },
- {
- "href": "#da71948e-4dff-4a9d-a645-69ced821fe97",
- "rel": "reference",
- "text": "IM8 Cloud Security (IaaS and PaaS): 1.8/S3"
- },
- {
- "href": "#da71948e-4dff-4a9d-a645-69ced821fe97",
- "rel": "reference",
- "text": "IM8 Cloud Security (IaaS and PaaS): 1.8/S4"
- },
- {
- "href": "#9749c983-5562-4a6f-8852-7eecf9b38d2c",
- "rel": "reference",
- "text": "IM8 On-Premise ADS (Non-S): 5.1/S3"
- }
- ],
- "parts": [
- {
- "id": "st-5_smt",
- "name": "statement",
- "prose": "Triage and then remediate or risk accept all true positive vulnerability findings discovered through security testing within the following timeframe based on severity:",
- "parts": [
- {
- "id": "st-5_smt.1",
- "name": "item",
- "props": [
- {
- "name": "label",
- "value": "1"
- }
- ],
- "prose": "Critical: {{ insert: param, st-5_prm_1 }} day(s)"
- },
- {
- "id": "st-5_smt.2",
- "name": "item",
- "props": [
- {
- "name": "label",
- "value": "2"
- }
- ],
- "prose": "High: {{ insert: param, st-5_prm_2 }} day(s)"
- },
- {
- "id": "st-5_smt.3",
- "name": "item",
- "props": [
- {
- "name": "label",
- "value": "3"
- }
- ],
- "prose": "Medium: {{ insert: param, st-5_prm_3 }} day(s)"
- },
- {
- "id": "st-5_smt.4",
- "name": "item",
- "props": [
- {
- "name": "label",
- "value": "4"
- }
- ],
- "prose": "Low: {{ insert: param, st-5_prm_4 }} day(s)"
- }
- ]
- },
- {
- "id": "st-5_gdn",
- "name": "guidance",
- "prose": "Seek approval from the appropriate approving authority 
for risk acceptance."
- }
- ]
- }
- ]
- },
- {
- "id": "ns",
- "title": "Network Security",
- "parts": [
- {
- "name": "overview",
- "prose": "Controls to secure the network boundaries of a system."
- }
- ],
- "controls": [
- {
- "id": "ns-1",
- "title": "Public and Private Subnet Segmentation",
- "props": [
- {
- "name": "risk-statement",
- "value": "Failure to segregate private and public resources within distinct subnets in a virtual network increases the risk of unauthorised access to sensitive data, as private resources may be exposed to the public internet, compromising the overall security of the infrastructure."
- },
- {
- "name": "published",
- "value": "2023-08-02T14:26:27+0800"
- },
- {
- "name": "last-modified",
- "value": "2024-02-06T01:04:05+0800"
- }
- ],
- "links": [
- {
- "href": "#da71948e-4dff-4a9d-a645-69ced821fe97",
- "rel": "reference",
- "text": "IM8 Cloud Security (IaaS and PaaS): 1.5/S1"
- },
- {
- "href": "#da71948e-4dff-4a9d-a645-69ced821fe97",
- "rel": "reference",
- "text": "IM8 Cloud Security (IaaS and PaaS): 1.5/S2"
- },
- {
- "href": "#da71948e-4dff-4a9d-a645-69ced821fe97",
- "rel": "reference",
- "text": "IM8 Cloud Security (IaaS and PaaS): 1.7/S14"
- },
- {
- "href": "#f3057503-f399-4735-9d7b-ea9830f3b2ac",
- "rel": "reference",
- "text": "IM8 On-Premise IS (Non-S): 4.2/S1a"
- },
- {
- "href": "#52e1d19c-bf27-4de8-b66a-c2523c9a0d69",
- "rel": "reference",
- "text": "IM8 On-Premise AAS (Non-S): 1.1/S1, 2.1/S1"
- },
- {
- "href": "#da71948e-4dff-4a9d-a645-69ced821fe97",
- "rel": "reference",
- "text": "IM8 Cloud Security (IaaS and PaaS): 1.5/S6b"
- }
- ],
- "parts": [
- {
- "id": "ns-1_smt",
- "name": "statement",
- "prose": "Place private resources (e.g., databases) in private subnets and public resources (e.g., reverse proxies, web servers) in public subnets within a virtual network."
- },
- {
- "id": "ns-1_gdn",
- "name": "guidance",
- "prose": "This control does not apply to serverless resources (API Gateways), static sites or assets fronted by CDNs (e.g., CloudFlare, CloudFront) which are located outside of the virtual network. Private subnets do not allow direct connections from the internet while public subnets do. However, resources in private segments can connect to the internet via NAT Gateways in public subnets in the same virtual network."
- }
- ]
- },
- {
- "id": "ns-2",
- "title": "Access Restrictions on CSP Resources Outside Virtual Network",
- "props": [
- {
- "name": "risk-statement",
- "value": "Lack of access restrictions raises the risk of unauthorised access, data exposure, and potential misuse of critical services, compromising the overall security posture."
- },
- {
- "name": "published",
- "value": "2023-08-02T14:26:27+0800"
- },
- {
- "name": "last-modified",
- "value": "2024-02-06T00:47:04+0800"
- }
- ],
- "links": [
- {
- "href": "#da71948e-4dff-4a9d-a645-69ced821fe97",
- "rel": "reference",
- "text": "IM8 Cloud Security (IaaS and PaaS): 1.5/S2"
- },
- {
- "href": "#da71948e-4dff-4a9d-a645-69ced821fe97",
- "rel": "reference",
- "text": "IM8 Cloud Security (IaaS and PaaS): 1.5/S5"
- },
- {
- "href": "#da71948e-4dff-4a9d-a645-69ced821fe97",
- "rel": "reference",
- "text": "IM8 Cloud Security (IaaS and PaaS): 1.7/S23"
- }
- ],
- "parts": [
- {
- "id": "ns-2_smt",
- "name": "statement",
- "prose": "Restrict access to CSP resources outside of a virtual network (e.g., Lambda, DynamoDb, API Gateways, S3, CloudFront) using access controls or application layer authorisation."
- },
- {
- "id": "ns-2_gdn",
- "name": "guidance",
- "prose": "Apply access restrictions appropriate to the resource type. Access through interface VPC endpoints is only required if the client is hosted in a private subnet. 
For example:\n\n* Restrict access to DynamoDB with IAM policies.\n\n* Restrict access to API Gateway with Lambda Authorizers or authorisation middlewares at the application layer. If the API Gateway is exposed to private subnets, create a [private API](#38e183ce-b5ab-420a-b910-94c444e878f3).\n\n* Restrict access to S3 Buckets with IAM policies and block public access from the internet."
- }
- ]
- },
- {
- "id": "ns-3",
- "title": "Deny by Default - Allow by Exception",
- "props": [
- {
- "name": "risk-statement",
- "value": "Without network access controls, there's an increased risk of unauthorised or malicious network access, leading to potential security breaches and compromise of system integrity."
- },
- {
- "name": "published",
- "value": "2023-08-11T22:26:01+0800"
- },
- {
- "name": "last-modified",
- "value": "2024-02-09T22:54:15+0800"
- }
- ],
- "links": [
- {
- "href": "#0062e6a3-8ac4-44db-92df-8357b437ca0c",
- "rel": "reference",
- "text": "NIST SP 800-53 SC-7(5): Deny by Default - Allow by Exception"
- },
- {
- "href": "#da71948e-4dff-4a9d-a645-69ced821fe97",
- "rel": "reference",
- "text": "IM8 Cloud Security (IaaS and PaaS): 1.5/S3"
- },
- {
- "href": "#da71948e-4dff-4a9d-a645-69ced821fe97",
- "rel": "reference",
- "text": "IM8 Cloud Security (IaaS and PaaS): 1.5/S5"
- },
- {
- "href": "#da71948e-4dff-4a9d-a645-69ced821fe97",
- "rel": "reference",
- "text": "IM8 Cloud Security (IaaS and PaaS): 1.6/S1h"
- },
- {
- "href": "#da71948e-4dff-4a9d-a645-69ced821fe97",
- "rel": "reference",
- "text": "IM8 Cloud Security (IaaS and PaaS): 1.7/S23b"
- },
- {
- "href": "#f3057503-f399-4735-9d7b-ea9830f3b2ac",
- "rel": "reference",
- "text": "IM8 On-Premise IS (Non-S): 4.2/S1b"
- },
- {
- "href": "#52e1d19c-bf27-4de8-b66a-c2523c9a0d69",
- "rel": "reference",
- "text": "IM8 On-Premise AAS (Non-S): 2.2/S1"
- }
- ],
- "parts": [
- {
- "id": "ns-3_smt",
- "name": "statement",
- "prose": "Deny network communications traffic by default and allow network communications 
traffic by exception at managed interfaces."
- },
- {
- "id": "ns-3_gdn",
- "name": "guidance",
- "prose": "Configure network access control lists and security groups to deny all traffic by default. Only allow traffic to and from specific hosts and ports by exception. For egress traffic to the internet, consider whitelisting domains at the application layer or DNS resolver rather than just hosts or ports at the transport layer."
- }
- ]
- },
- {
- "id": "ns-4",
- "title": "Inter-Private Network Connectivity",
- "props": [
- {
- "name": "risk-statement",
- "value": "When routing through the internet, there's an increased risk of man-in-the-middle and spoofing attacks. Allowing bidirectional access between networks without fine-grained access controls increases the risk of unauthorized access, potential data exfiltration, and compromise of network security compared to unidirectional access to specific resources."
- },
- {
- "name": "published",
- "value": "2023-08-11T22:26:01+0800"
- },
- {
- "name": "last-modified",
- "value": "2024-02-06T00:47:04+0800"
- }
- ],
- "links": [
- {
- "href": "#da71948e-4dff-4a9d-a645-69ced821fe97",
- "rel": "reference",
- "text": "IM8 Cloud Security (IaaS and PaaS): 1.5/S7"
- },
- {
- "href": "#da71948e-4dff-4a9d-a645-69ced821fe97",
- "rel": "reference",
- "text": "IM8 Cloud Security (IaaS and PaaS): 1.5/S4"
- }
- ],
- "parts": [
- {
- "id": "ns-4_smt",
- "name": "statement",
- "prose": "Route network traffic between private networks without going through the internet."
- },
- {
- "id": "ns-4_gdn",
- "name": "guidance",
- "prose": "Use CSP Private endpoint services (e.g., AWS PrivateLink with VPC endpoints) when you want to allow one or more consumer VPCs unidirectional access to a specific service or set of instances in the service provider VPC. Otherwise, use VPC peering and Transit Gateway when you want to enable layer-3 IP connectivity between VPCs. 
Refer to the [Multi-VPC AWS Network Infrastructure Whitepaper](#9022563f-00b5-48d1-99a6-187503e7f869) for further guidance."
- }
- ]
- },
- {
- "id": "ns-5",
- "title": "Network and Application Layer Filtering",
- "props": [
- {
- "name": "risk-statement",
- "value": "Lack of filtering for direct traffic from the internet exposes the system to the risk of network and application layer attacks, increasing the likelihood of unauthorised access, denial-of-service incidents, and compromise of sensitive data."
- },
- {
- "name": "published",
- "value": "2023-08-11T22:26:01+0800"
- },
- {
- "name": "last-modified",
- "value": "2024-02-06T01:04:05+0800"
- }
- ],
- "links": [
- {
- "href": "#da71948e-4dff-4a9d-a645-69ced821fe97",
- "rel": "reference",
- "text": "IM8 Cloud Security (IaaS and PaaS): 1.5/S5"
- },
- {
- "href": "#9749c983-5562-4a6f-8852-7eecf9b38d2c",
- "rel": "reference",
- "text": "IM8 On-Premise ADS (Non-S): 1.1/S4"
- }
- ],
- "parts": [
- {
- "id": "ns-5_smt",
- "name": "statement",
- "prose": "Filter direct traffic from the internet to protect against network and application layer attacks."
- },
- {
- "id": "ns-5_gdn",
- "name": "guidance",
- "prose": "Deploy the following as required:\n\n* Web Application Firewall\n\n* Distributed Denial of Service Protection (e.g., AWS Shield)\n\n* Content Delivery Network (e.g., CloudFront)"
- }
- ]
- },
- {
- "id": "ns-6",
- "title": "Valid and Trusted SSL/TLS Certificates",
- "props": [
- {
- "name": "risk-statement",
- "value": "Using invalid SSL/TLS certificates introduces the risk of compromised encryption, man-in-the-middle attacks, and potential unauthorised access to sensitive information."
- },
- {
- "name": "published",
- "value": "2023-08-11T22:26:01+0800"
- },
- {
- "name": "last-modified",
- "value": "2024-02-09T23:02:51+0800"
- }
- ],
- "links": [
- {
- "href": "#da71948e-4dff-4a9d-a645-69ced821fe97",
- "rel": "reference",
- "text": "IM8 Cloud Security (IaaS and PaaS): 1.5/S8"
- }
- ],
- "parts": [
- {
- "id": "ns-6_smt",
- "name": "statement",
- "prose": "Ensure that deployed SSL/TLS certificates are:",
- "parts": [
- {
- "id": "ns-6_smt.1",
- "name": "item",
- "props": [
- {
- "name": "label",
- "value": "1"
- }
- ],
- "prose": "signed by a trusted root Certificate Authority;"
- },
- {
- "id": "ns-6_smt.2",
- "name": "item",
- "props": [
- {
- "name": "label",
- "value": "2"
- }
- ],
- "prose": "match the domain name of the service they are issued for;"
- },
- {
- "id": "ns-6_smt.3",
- "name": "item",
- "props": [
- {
- "name": "label",
- "value": "3"
- }
- ],
- "prose": "not expired; and"
- },
- {
- "id": "ns-6_smt.4",
- "name": "item",
- "props": [
- {
- "name": "label",
- "value": "4"
- }
- ],
- "prose": "not revoked."
- }
- ]
- },
- {
- "id": "ns-6_gdn",
- "name": "guidance",
- "prose": "Configure a certificate manager that auto-renews certificates and sends alerts before expiry (e.g., AWS Certificate Manager). Otherwise, automate these functions separately."
- }
- ]
- },
- {
- "id": "ns-7",
- "title": "Secure Inter-Service Communication",
- "props": [
- {
- "name": "risk-statement",
- "value": "Failure to ensure secure communications between services increases the risk of unauthorised access, data breaches, and potential manipulation of sensitive information during transit."
- },
- {
- "name": "published",
- "value": "2023-08-11T22:26:01+0800"
- },
- {
- "name": "last-modified",
- "value": "2024-01-19T17:00:00+0800"
- }
- ],
- "parts": [
- {
- "id": "ns-7_smt",
- "name": "statement",
- "prose": "Ensure communications between services are secure by making them authenticated, authorised and encrypted."
- },
- {
- "id": "ns-7_gdn",
- "name": "guidance",
- "prose": "Design and build inter-service communications (e.g., databases, microservices) to be authenticated, authorised and encrypted (e.g., via API gateways, proxies, private endpoint services, message queues, or service meshes). It is recommended to log communication (such as access logs, transaction logs or payloads) between services for detection, monitoring and investigation of incidents."
- }
- ]
- },
- {
- "id": "ns-8",
- "title": "Secure Government Enterprise Network (GEN) connectivity",
- "props": [
- {
- "name": "risk-statement",
- "value": "Routing network traffic through a secure intermediary mitigates the risk of unauthorised access and cross-network compromise in the case of bridging or direct connectivity."
- },
- {
- "name": "published",
- "value": "2023-08-23T23:58:33+0800"
- },
- {
- "name": "last-modified",
- "value": "2023-09-18T16:12:40+0800"
- }
- ],
- "parts": [
- {
- "id": "ns-8_smt",
- "name": "statement",
- "prose": "Route network traffic between on-premises systems and GCC systems through a secure intermediary."
- },
- {
- "id": "ns-8_gdn",
- "name": "guidance",
- "prose": "Design and build secure communications to or from on-premises systems (e.g. Government Enterprise Network (GEN)) through a Gateway rather than direct connectivity (e.g. via API gateways, Application proxies or private endpoint services)."
- }
- ]
- },
- {
- "id": "ns-9",
- "title": "Intrusion Prevention System (IPS)/Intrusion Detection System (IDS)",
- "props": [
- {
- "name": "risk-statement",
- "value": "Absence of network or host IPS or IDS in the network increases the likelihood of undetected intrusions, putting sensitive data and system integrity at risk."
- },
- {
- "name": "published",
- "value": "2023-10-27T16:02:27+0800"
- },
- {
- "name": "last-modified",
- "value": "2024-02-06T01:04:05+0800"
- }
- ],
- "links": [
- {
- "href": "#f3057503-f399-4735-9d7b-ea9830f3b2ac",
- "rel": "reference",
- "text": "IM8 On-Premise IS (Non-S): 4.2/S3d"
- }
- ],
- "parts": [
- {
- "id": "ns-9_smt",
- "name": "statement",
- "prose": "Set up and configure an Intrusion Prevention System (IPS)/Intrusion Detection System (IDS) in the network."
- },
- {
- "id": "ns-9_gdn",
- "name": "guidance",
- "prose": "Configure network or host IPS/IDS to detect malicious traffic to/from public or untrusted networks."
- }
- ]
- },
- {
- "id": "ns-10",
- "title": "Private Network Connectivity",
- "props": [
- {
- "name": "risk-statement",
- "value": "Weak private network security may expose our network to malicious activities, jeopardizing the confidentiality, integrity, and availability of critical resources."
- },
- {
- "name": "published",
- "value": "2023-10-27T16:06:38+0800"
- },
- {
- "name": "last-modified",
- "value": "2024-02-09T22:54:15+0800"
- }
- ],
- "links": [
- {
- "href": "#f3057503-f399-4735-9d7b-ea9830f3b2ac",
- "rel": "reference",
- "text": "IM8 On-Premise IS (Non-S): 5.4"
- }
- ],
- "parts": [
- {
- "id": "ns-10_smt",
- "name": "statement",
- "prose": "Implement strong access controls, encryption, and logging for remote developer, maintainer, or administrator access to private network resources."
- },
- {
- "id": "ns-10_gdn",
- "name": "guidance",
- "prose": "Use strong authentication and MFA (except for mobile GFE). 
Layered security mechanisms and controls include:\n\nInspect traffic from gateway to private network;\n\nTerminate all remote access connections in a dedicated network segment within the network and restrict access to only systems and services allowed by the Agencies; Implement strong encryption for remote access into school staff network; Only authorised Government Furnished Equipment (GFE) shall be used for remote access connection to SSN; Make sure that remote access connections are not perpetual or to re-authenticate remote users to the VPN gateway on a periodic basis (such as every four hours); Set the maximum number of consecutive failed authentication attempts before account lockout for remote access into SSN; and Make sure that split tunnelling is not implemented."
- }
- ]
- },
- {
- "id": "ns-11",
- "title": "Alerts on Firewall Configuration Changes",
- "props": [
- {
- "name": "risk-statement",
- "value": "Any unintended changes to firewall rules can significantly lower the perimeter defence of a network."
- },
- {
- "name": "published",
- "value": "2024-02-29T16:06:38+0800"
- },
- {
- "name": "last-modified",
- "value": "2024-02-06T01:04:05+0800"
- }
- ],
- "links": [
- {
- "href": "#f3057503-f399-4735-9d7b-ea9830f3b2ac",
- "rel": "reference",
- "text": "IM8 On-Premise IS (Non-S): 4.3/S2"
- }
- ],
- "parts": [
- {
- "id": "ns-11_smt",
- "name": "statement",
- "prose": "Generate alerts to inform appointed administrators on changes to firewall rules, including the enabling or disabling of rules."
- },
- {
- "id": "ns-11_gdn",
- "name": "guidance",
- "prose": "Implement real time alerts to inform administrators of creation, deletion, modification, enabling and disabling of firewall rules. Also alert administrators when unusual or sudden spike/drop in utilisation of firewall's system resources."
- }
- ]
- }
- ]
- },
- {
- "id": "br",
- "title": "Backup and Recovery",
- "parts": [
- {
- "name": "overview",
- "prose": "Controls to support backup and disaster recovery."
- }
- ],
- "controls": [
- {
- "id": "br-1",
- "title": "Backup",
- "props": [
- {
- "name": "risk-statement",
- "value": "Without regular backups stored in a secure and separate location, there is an increased risk of data loss, system failures, and extended downtime in the event of accidental deletion, hardware failures, or malicious attacks."
- },
- {
- "name": "published",
- "value": "2023-08-10T18:00:44+0800"
- },
- {
- "name": "last-modified",
- "value": "2024-02-06T01:04:05+0800"
- }
- ],
- "links": [
- {
- "href": "#8723fc45-7378-478f-b61f-2e22a170e98c",
- "rel": "reference",
- "text": "MVSP 4.4: Backup and Disaster recovery"
- },
- {
- "href": "#da71948e-4dff-4a9d-a645-69ced821fe97",
- "rel": "reference",
- "text": "IM8 Cloud Security (IaaS and PaaS): 1.2/S2"
- },
- {
- "href": "#f3057503-f399-4735-9d7b-ea9830f3b2ac",
- "rel": "reference",
- "text": "IM8 On-Premise IS (Non-S): 1.5/S1"
- }
- ],
- "parts": [
- {
- "id": "br-1_smt",
- "name": "statement",
- "prose": "Regularly backup all important data and systems, and store backups in a secure and separate location."
- },
- {
- "id": "br-1_gdn",
- "name": "guidance",
- "prose": "Use default CSP-managed backup services (e.g., AWS Backup, Azure Backup, GCP Backup and DR Service). Consider alternative backup services only when default CSP services cannot be used. Store backups and snapshots separately to primary data storage with data encrypted-at-rest."
- }
- ]
- },
- {
- "id": "br-2",
- "title": "Recovery Testing",
- "props": [
- {
- "name": "risk-statement",
- "value": "Failure to regularly test recovery processes may result in ineffective response during actual incidents, increasing the risk of prolonged downtime, data loss, and compromised business continuity in the event of a disaster or system failure."
- },
- {
- "name": "published",
- "value": "2023-08-10T18:00:44+0800"
- },
- {
- "name": "last-modified",
- "value": "2024-02-06T01:04:05+0800"
- }
- ],
- "links": [
- {
- "href": "#8723fc45-7378-478f-b61f-2e22a170e98c",
- "rel": "reference",
- "text": "MVSP 4.4: Backup and Disaster recovery"
- },
- {
- "href": "#da71948e-4dff-4a9d-a645-69ced821fe97",
- "rel": "reference",
- "text": "IM8 Cloud Security (IaaS and PaaS): 1.2/S1d"
- },
- {
- "href": "#f3057503-f399-4735-9d7b-ea9830f3b2ac",
- "rel": "reference",
- "text": "IM8 On-Premise IS (Non-S): 1.5/S1d"
- }
- ],
- "parts": [
- {
- "id": "br-2_smt",
- "name": "statement",
- "prose": "Conduct regular testing of recovery processes to ensure their effectiveness."
- },
- {
- "id": "br-2_gdn",
- "name": "guidance",
- "prose": "Ensure each test verifies the system's ability to fully restore all data and services."
- }
- ]
- },
- {
- "id": "br-3",
- "title": "Backup Retention",
- "params": [
- {
- "id": "br-3_prm_1",
- "class": "int",
- "label": "time period (days)",
- "guidelines": [
- {
- "prose": "The time period in days of backup retention."
- }
- ]
- }
- ],
- "props": [
- {
- "name": "risk-statement",
- "value": "Lack of prevention measures against the modification or deletion of backups for the specified duration increases the risk of data loss, unauthorised alterations, and potential inability to recover from incidents, compromising the integrity and availability of critical information."
- },
- {
- "name": "published",
- "value": "2023-08-28T17:32:36+0800"
- },
- {
- "name": "last-modified",
- "value": "2024-02-09T22:54:15+0800"
- }
- ],
- "links": [
- {
- "href": "#8723fc45-7378-478f-b61f-2e22a170e98c",
- "rel": "reference",
- "text": "MVSP 4.4: Backup and Disaster recovery"
- },
- {
- "href": "#da71948e-4dff-4a9d-a645-69ced821fe97",
- "rel": "reference",
- "text": "IM8 Cloud Security (IaaS and PaaS): 1.2/S1b"
- },
- {
- "href": "#f3057503-f399-4735-9d7b-ea9830f3b2ac",
- "rel": "reference",
- "text": "IM8 On-Premise IS (Non-S): 1.5/S2c"
- }
- ],
- "parts": [
- {
- "id": "br-3_smt",
- "name": "statement",
- "prose": "Prevent backups from being modified or deleted for {{ insert: param, br-3_prm_1 }} day(s) or as stipulated in the agency's data retention policies."
- },
- {
- "id": "br-3_gdn",
- "name": "guidance",
- "prose": "Use S3 Object Lock or immutable storage for Azure Blob Storage to enforce time-based retention policies."
- }
- ]
- }
- ]
- },
- {
- "id": "dp",
- "title": "Data Protection",
- "parts": [
- {
- "name": "overview",
- "prose": "Controls to protect the data of a system."
- }
- ],
- "controls": [
- {
- "id": "dp-1",
- "title": "Data Residency",
- "props": [
- {
- "name": "risk-statement",
- "value": "Failure to enforce data residency of primary data in Singapore may lead to legal and regulatory compliance issues, privacy concerns, and potential unauthorised access or storage of sensitive data outside the jurisdiction, increasing the risk of legal consequences and data breaches."
- },
- {
- "name": "published",
- "value": "2023-08-10T23:29:40+0800"
- },
- {
- "name": "last-modified",
- "value": "2024-02-06T01:04:05+0800"
- }
- ],
- "links": [
- {
- "href": "#8723fc45-7378-478f-b61f-2e22a170e98c",
- "rel": "reference",
- "text": "MVSP 1.6: Compliance"
- },
- {
- "href": "#da71948e-4dff-4a9d-a645-69ced821fe97",
- "rel": "reference",
- "text": "IM8 Cloud Security (IaaS and PaaS): 1.3/S3"
- },
- {
- "href": "#f3057503-f399-4735-9d7b-ea9830f3b2ac",
- "rel": "reference",
- "text": "IM8 On-Premise IS (Non-S): 1.1/S1a"
- }
- ],
- "parts": [
- {
- "id": "dp-1_smt",
- "name": "statement",
- "prose": "Enforce data residency of primary data in Singapore."
- },
- {
- "id": "dp-1_gdn",
- "name": "guidance",
- "prose": "Use the Singapore region of cloud service providers for compute and storage of primary data, such as ap-southeast-1 for AWS."
- }
- ]
- },
- {
- "id": "dp-2",
- "title": "Data at Rest Encryption",
- "props": [
- {
- "name": "risk-statement",
- "value": "Without encrypting data at rest, there's an increased risk of unauthorised access and data exposure in the event of physical theft, unauthorised access to storage media, or compromised security controls, compromising the confidentiality of stored information."
- },
- {
- "name": "published",
- "value": "2023-08-10T23:29:40+0800"
- },
- {
- "name": "last-modified",
- "value": "2024-02-06T01:04:05+0800"
- }
- ],
- "links": [
- {
- "href": "#8723fc45-7378-478f-b61f-2e22a170e98c",
- "rel": "reference",
- "text": "MVSP 2.8: Encryption"
- },
- {
- "href": "#da71948e-4dff-4a9d-a645-69ced821fe97",
- "rel": "reference",
- "text": "IM8 Cloud Security (IaaS and PaaS): 1.3/S2a"
- },
- {
- "href": "#9749c983-5562-4a6f-8852-7eecf9b38d2c",
- "rel": "reference",
- "text": "IM8 On-Premise ADS (Non-S): 1.1/S1h"
- }
- ],
- "parts": [
- {
- "id": "dp-2_smt",
- "name": "statement",
- "prose": "Encrypt data at rest."
- },
- {
- "id": "dp-2_gdn",
- "name": "guidance",
- "prose": "Many CSP services encrypt data at rest by default but this should be confirmed and validated depending on service usage."
- }
- ]
- },
- {
- "id": "dp-3",
- "title": "Data in Transit Encryption",
- "props": [
- {
- "name": "risk-statement",
- "value": "Failure to encrypt data in transit increases the risk of unauthorised interception and eavesdropping, potentially leading to data breaches, unauthorised access, and compromise of sensitive information during transmission."
- },
- {
- "name": "published",
- "value": "2023-08-10T23:29:40+0800"
- },
- {
- "name": "last-modified",
- "value": "2024-02-06T01:04:05+0800"
- }
- ],
- "links": [
- {
- "href": "#8723fc45-7378-478f-b61f-2e22a170e98c",
- "rel": "reference",
- "text": "MVSP 2.8: Encryption"
- },
- {
- "href": "#da71948e-4dff-4a9d-a645-69ced821fe97",
- "rel": "reference",
- "text": "IM8 Cloud Security (IaaS and PaaS): 1.3/S2b"
- },
- {
- "href": "#9749c983-5562-4a6f-8852-7eecf9b38d2c",
- "rel": "reference",
- "text": "IM8 On-Premise ADS (Non-S): 3.1/S3"
- }
- ],
- "parts": [
- {
- "id": "dp-3_smt",
- "name": "statement",
- "prose": "Encrypt data in transit."
- },
- {
- "id": "dp-3_gdn",
- "name": "guidance",
- "prose": "While some CSP services transparently encrypt data in transit at the network layer, data at the application layer should be encrypted using protocols such as Transport Layer Security (TLS)."
- }
- ]
- },
- {
- "id": "dp-4",
- "title": "Government on Commercial Cloud (GCC)",
- "props": [
- {
- "name": "risk-statement",
- "value": "Hosting higher-sensitivity systems in Government on Commercial Cloud (GCC) ensures compliance with security classifications, reducing the risk of unauthorised access and maintaining data confidentiality according to government security standards."
- }, - { - "name": "published", - "value": "2023-08-18T12:51:56+0800" - }, - { - "name": "last-modified", - "value": "2024-02-06T00:47:04+0800" - } - ], - "links": [ - { - "href": "#8723fc45-7378-478f-b61f-2e22a170e98c", - "rel": "reference", - "text": "MVSP 1.6: Compliance" - }, - { - "href": "#da71948e-4dff-4a9d-a645-69ced821fe97", - "rel": "reference", - "text": "IM8 Cloud Security (IaaS and PaaS): 1.1/S4" - } - ], - "parts": [ - { - "id": "dp-4_smt", - "name": "statement", - "prose": "Host systems classified as CONFIDENTIAL (CLOUD-ELIGIBLE), RESTRICTED, or OFFICIAL-CLOSED on Commercial Cloud hosting environments in GCC." - }, - { - "id": "dp-4_gdn", - "name": "guidance", - "prose": "GCC allows oversight to be maintained at the Whole-of-Government level and implements several controls by default." - } - ] - }, - { - "id": "dp-5", - "title": "Sanitisation", - "props": [ - { - "name": "risk-statement", - "value": "Violating this control can expose government data to unauthorised users." - }, - { - "name": "published", - "value": "2023-10-27T16:50:47+0800" - }, - { - "name": "last-modified", - "value": "2024-02-06T01:04:05+0800" - } - ], - "links": [ - { - "href": "#f3057503-f399-4735-9d7b-ea9830f3b2ac", - "rel": "reference", - "text": "IM8 On-Premise IS (Non-S): 3.3/S1" - } - ], - "parts": [ - { - "id": "dp-5_smt", - "name": "statement", - "prose": "Sanitise all hardware that stores data at rest. Shred or incinerate data storage meant for retirement." - }, - { - "id": "dp-5_gdn", - "name": "guidance", - "prose": "Use industry standards such as\na) Peter Gutmann Secure Deletion;\nb) Bruce Schneier Algorithm\nc) US Department of Defence's Standards (DoD 5220.22-M)." - } - ] - }, - { - "id": "dp-6", - "title": "Witness Sanitisation and Destruction of Storage Devices", - "props": [ - { - "name": "risk-statement", - "value": "Ensuring storage devices are sanitised or destroyed will eliminate the possibility of unauthorised or unintended data retention." 
- }, - { - "name": "published", - "value": "2024-02-29T16:50:47+0800" - }, - { - "name": "last-modified", - "value": "2024-02-06T01:04:05+0800" - } - ], - "links": [ - { - "href": "#f3057503-f399-4735-9d7b-ea9830f3b2ac", - "rel": "reference", - "text": "IM8 On-Premise IS (Non-S): 3.3/S1" - } - ], - "parts": [ - { - "id": "dp-6_smt", - "name": "statement", - "prose": "Witness the sanitisation and destruction process to ensure data is removed from storage." - }, - { - "id": "dp-6_gdn", - "name": "guidance", - "prose": "Establish a SOP to ensure sanitisation and destruction are witnessed by an agency staff." - } - ] - } - ] - }, - { - "id": "lm", - "title": "Logging and Monitoring", - "parts": [ - { - "name": "overview", - "prose": "Controls to support detection and response to security and operations incidents." - } - ], - "controls": [ - { - "id": "lm-1", - "title": "Separate Log Storage", - "props": [ - { - "name": "risk-statement", - "value": "Storing logs in a repository separate from the audited system or component enhances security by reducing the risk of tampering, unauthorised access, and manipulation of audit trails, ensuring the integrity and reliability of log data for forensic analysis and compliance purposes." 
- }, - { - "name": "published", - "value": "2023-08-16T12:41:27+0800" - }, - { - "name": "last-modified", - "value": "2024-02-06T01:04:05+0800" - } - ], - "links": [ - { - "href": "#8723fc45-7378-478f-b61f-2e22a170e98c", - "rel": "reference", - "text": "MVSP 2.7: Logging" - }, - { - "href": "#0062e6a3-8ac4-44db-92df-8357b437ca0c", - "rel": "reference", - "text": "NIST SP 800-53 AU-9(2): Store on Separate Physical Systems or Components" - }, - { - "href": "#f3057503-f399-4735-9d7b-ea9830f3b2ac", - "rel": "reference", - "text": "IM8 On-Premise IS (Non-S): 7.2/S8" - } - ], - "parts": [ - { - "id": "lm-1_smt", - "name": "statement", - "prose": "Store logs in a repository that is part of a different system or system component than the system or component being audited." - }, - { - "id": "lm-1_gdn", - "name": "guidance", - "prose": "Send logs to the separate storage as soon as possible after the logged event. For cloud audit logs, store them in a separate service or account (such as AWS Organisation Cloudtrail in GCC). Sending logs to the Government Cyber Security Operations Centre (GCSOC) or the central Government Commercial Cloud (GCC) log bucket can also satisfy this control." - } - ] - }, - { - "id": "lm-2", - "title": "Tamper-Resistant Log Storage", - "props": [ - { - "name": "risk-statement", - "value": "Without protection measures, logs are susceptible to unauthorised access, modification, or deletion, leading to the risk of tampering, loss of crucial audit information, and compromised forensic analysis capabilities during security incidents." 
- }, - { - "name": "published", - "value": "2023-08-16T12:41:27+0800" - }, - { - "name": "last-modified", - "value": "2024-02-06T01:04:05+0800" - } - ], - "links": [ - { - "href": "#da71948e-4dff-4a9d-a645-69ced821fe97", - "rel": "reference", - "text": "IM8 Cloud Security (IaaS and PaaS): 1.9/S4" - }, - { - "href": "#da71948e-4dff-4a9d-a645-69ced821fe97", - "rel": "reference", - "text": "IM8 Cloud Security (IaaS and PaaS): 1.9/S5" - }, - { - "href": "#da71948e-4dff-4a9d-a645-69ced821fe97", - "rel": "reference", - "text": "IM8 Cloud Security (IaaS and PaaS): 1.9/S9d" - }, - { - "href": "#f3057503-f399-4735-9d7b-ea9830f3b2ac", - "rel": "reference", - "text": "IM8 On-Premise IS (Non-S): 7.1/S2" - } - ], - "parts": [ - { - "id": "lm-2_smt", - "name": "statement", - "prose": "Protect logs from unauthorised access, modification, and deletion." - }, - { - "id": "lm-2_gdn", - "name": "guidance", - "prose": "Apply access control policies to logs based on the principle of least privilege. As far as possible, only read access should be granted. Logs sent to GCC Central Logs are tamper-resistant." - } - ] - }, - { - "id": "lm-3", - "title": "Network Flow Logging", - "props": [ - { - "name": "risk-statement", - "value": "Failing to log network traffic going to and from network interfaces increases the risk of overlooking suspicious activities, potential security breaches, and the inability to trace and investigate network-related incidents effectively." - }, - { - "name": "published", - "value": "2023-08-16T12:41:27+0800" - }, - { - "name": "last-modified", - "value": "2024-02-06T00:47:04+0800" - } - ], - "links": [ - { - "href": "#da71948e-4dff-4a9d-a645-69ced821fe97", - "rel": "reference", - "text": "IM8 Cloud Security (IaaS and PaaS): 1.5/S6a" - } - ], - "parts": [ - { - "id": "lm-3_smt", - "name": "statement", - "prose": "Log network traffic going to and from network interfaces." 
- }, - { - "id": "lm-3_gdn", - "name": "guidance", - "prose": "Enable VPC Flow Logs for AWS or its equivalents." - } - ] - }, - { - "id": "lm-4", - "title": "Cloud Management Event Logging", - "props": [ - { - "name": "risk-statement", - "value": "Neglecting to log and manage audit events on cloud resources increases the risk of undetected security incidents, compromises visibility into system activities, and hinders effective forensic analysis and compliance monitoring in cloud environments." - }, - { - "name": "published", - "value": "2023-08-16T12:41:27+0800" - }, - { - "name": "last-modified", - "value": "2024-02-06T00:47:04+0800" - } - ], - "links": [ - { - "href": "#8723fc45-7378-478f-b61f-2e22a170e98c", - "rel": "reference", - "text": "MVSP 2.7: Logging" - }, - { - "href": "#da71948e-4dff-4a9d-a645-69ced821fe97", - "rel": "reference", - "text": "IM8 Cloud Security (IaaS and PaaS): 1.9/S7" - } - ], - "parts": [ - { - "id": "lm-4_smt", - "name": "statement", - "prose": "Log management and audit events on cloud resources." - }, - { - "id": "lm-4_gdn", - "name": "guidance", - "prose": "Configure CloudTrail for AWS or its equivalents to log management and audit events such as changes to IAM policies and resources." - } - ] - }, - { - "id": "lm-5", - "title": "Database Logging", - "props": [ - { - "name": "risk-statement", - "value": "Neglecting to log database audit events raises the risk of overlooking unauthorised activities, compromises in data security, and hinders the ability to track and investigate security incidents or compliance violations within the database environment." 
- }, - { - "name": "published", - "value": "2023-08-16T12:41:27+0800" - }, - { - "name": "last-modified", - "value": "2024-02-06T00:47:04+0800" - } - ], - "links": [ - { - "href": "#8723fc45-7378-478f-b61f-2e22a170e98c", - "rel": "reference", - "text": "MVSP 2.7: Logging" - }, - { - "href": "#da71948e-4dff-4a9d-a645-69ced821fe97", - "rel": "reference", - "text": "IM8 Cloud Security (IaaS and PaaS): 1.9/S3" - } - ], - "parts": [ - { - "id": "lm-5_smt", - "name": "statement", - "prose": "Log database audit events." - }, - { - "id": "lm-5_gdn", - "name": "guidance", - "prose": "Enable RDS logging for AWS or its equivalents." - } - ] - }, - { - "id": "lm-6", - "title": "Access Logging", - "props": [ - { - "name": "risk-statement", - "value": "Failure to log access requests sent to web application firewalls, load balancers, proxies, or web servers increases the risk of overlooking potential security threats, unauthorised access attempts, and compromises visibility into the traffic that could lead to security incidents." - }, - { - "name": "published", - "value": "2023-08-16T12:41:27+0800" - }, - { - "name": "last-modified", - "value": "2024-02-06T01:04:05+0800" - } - ], - "links": [ - { - "href": "#8723fc45-7378-478f-b61f-2e22a170e98c", - "rel": "reference", - "text": "MVSP 2.7: Logging" - }, - { - "href": "#da71948e-4dff-4a9d-a645-69ced821fe97", - "rel": "reference", - "text": "IM8 Cloud Security (IaaS and PaaS): 1.6/S4e" - }, - { - "href": "#da71948e-4dff-4a9d-a645-69ced821fe97", - "rel": "reference", - "text": "IM8 Cloud Security (IaaS and PaaS): 1.9/S3" - }, - { - "href": "#f3057503-f399-4735-9d7b-ea9830f3b2ac", - "rel": "reference", - "text": "IM8 On-Premise IS (Non-S): 7.1/S3" - } - ], - "parts": [ - { - "id": "lm-6_smt", - "name": "statement", - "prose": "Log access requests sent to web application firewalls, load balancers, proxies or web servers." 
- }, - { - "id": "lm-6_gdn", - "name": "guidance", - "prose": "Enable AWS WAF logging, Application Load Balancer logging, API Gateways, or their equivalents." - } - ] - }, - { - "id": "lm-7", - "title": "Security Event Logging", - "props": [ - { - "name": "risk-statement", - "value": "Neglecting to log security events on hosts and other cloud resources increases the risk of undetected security incidents, compromises incident response capabilities, and hinders forensic analysis, limiting the ability to identify and mitigate potential threats." - }, - { - "name": "published", - "value": "2023-08-16T12:41:27+0800" - }, - { - "name": "last-modified", - "value": "2024-02-06T00:47:04+0800" - } - ], - "links": [ - { - "href": "#da71948e-4dff-4a9d-a645-69ced821fe97", - "rel": "reference", - "text": "IM8 Cloud Security (IaaS and PaaS): 1.9/S2" - } - ], - "parts": [ - { - "id": "lm-7_smt", - "name": "statement", - "prose": "Log security events on hosts and other cloud resources." - }, - { - "id": "lm-7_gdn", - "name": "guidance", - "prose": "Security events include operating system security events, authentication and audit logs, and endpoint detection and response alerts." - } - ] - }, - { - "id": "lm-8", - "title": "Security Log Retention", - "params": [ - { - "id": "lm-8_prm_1", - "class": "int", - "label": "time period (days)", - "guidelines": [ - { - "prose": "The time period in days of log retention." - } - ] - } - ], - "props": [ - { - "name": "risk-statement", - "value": "Failure to retain security logs increases the risk of losing crucial historical data, hindering investigations, compliance audits, and the ability to identify and respond to security incidents that occurred beyond a limited timeframe." 
- }, - { - "name": "published", - "value": "2023-08-16T12:41:27+0800" - }, - { - "name": "last-modified", - "value": "2024-02-09T22:54:15+0800" - } - ], - "links": [ - { - "href": "#8723fc45-7378-478f-b61f-2e22a170e98c", - "rel": "reference", - "text": "MVSP 2.7: Logging" - }, - { - "href": "#da71948e-4dff-4a9d-a645-69ced821fe97", - "rel": "reference", - "text": "IM8 Cloud Security (IaaS and PaaS): 1.9/S3" - }, - { - "href": "#da71948e-4dff-4a9d-a645-69ced821fe97", - "rel": "reference", - "text": "IM8 Cloud Security (IaaS and PaaS): 1.9/S9" - }, - { - "href": "#da71948e-4dff-4a9d-a645-69ced821fe97", - "rel": "reference", - "text": "IM8 Cloud Security (IaaS and PaaS): 1.9/S13" - }, - { - "href": "#f3057503-f399-4735-9d7b-ea9830f3b2ac", - "rel": "reference", - "text": "IM8 On-Premise IS (Non-S): 7.2/S6" - } - ], - "parts": [ - { - "id": "lm-8_smt", - "name": "statement", - "prose": "Retain security logs for at least {{ insert: param, lm-8_prm_1 }} day(s)." - }, - { - "id": "lm-8_gdn", - "name": "guidance", - "prose": "Security logs include network flow logs, cloud management logs, access logs, database logs and host logs. Retain non-security logs (e.g. application, operations and performance logs) as long as needed for incident resolution and debugging. Consider log lifecycle management automation, such as Amazon S3 Lifecycle configurations." - } - ] - }, - { - "id": "lm-9", - "title": "Security Monitoring and Alerting", - "props": [ - { - "name": "risk-statement", - "value": "Without configuring security monitoring to identify potential security violations or breaches and send automated alerts, there's an increased risk of delayed or unnoticed security incidents, hindering timely response and mitigation efforts to protect the system from further compromise." 
- }, - { - "name": "published", - "value": "2023-08-16T12:41:27+0800" - }, - { - "name": "last-modified", - "value": "2024-02-06T01:04:05+0800" - } - ], - "links": [ - { - "href": "#da71948e-4dff-4a9d-a645-69ced821fe97", - "rel": "reference", - "text": "IM8 Cloud Security (IaaS and PaaS): 1.9/S3" - }, - { - "href": "#da71948e-4dff-4a9d-a645-69ced821fe97", - "rel": "reference", - "text": "IM8 Cloud Security (IaaS and PaaS): 1.9/S7" - }, - { - "href": "#da71948e-4dff-4a9d-a645-69ced821fe97", - "rel": "reference", - "text": "IM8 Cloud Security (IaaS and PaaS): 1.9/S10" - }, - { - "href": "#da71948e-4dff-4a9d-a645-69ced821fe97", - "rel": "reference", - "text": "IM8 Cloud Security (IaaS and PaaS): 1.9/S11" - }, - { - "href": "#da71948e-4dff-4a9d-a645-69ced821fe97", - "rel": "reference", - "text": "IM8 Cloud Security (IaaS and PaaS): 1.9/S13" - }, - { - "href": "#f3057503-f399-4735-9d7b-ea9830f3b2ac", - "rel": "reference", - "text": "IM8 On-Premise IS (Non-S): 7.2/S10" - } - ], - "parts": [ - { - "id": "lm-9_smt", - "name": "statement", - "prose": "Configure security monitoring to identify potential security violations or breaches and send automated alerts." - }, - { - "id": "lm-9_gdn", - "name": "guidance", - "prose": "Enable Amazon GuardDuty, Microsoft Azure Security Center, or their equivalents." - } - ] - }, - { - "id": "lm-10", - "title": "Resource Usage Monitoring and Alerting", - "props": [ - { - "name": "risk-statement", - "value": "Lack of resource usage monitoring with automated alerts increases the risk of overlooking abnormal usage patterns, potential resource abuse, and compromises in system performance, hindering the ability to proactively address issues and prevent service disruptions." 
- }, - { - "name": "published", - "value": "2023-08-16T12:41:27+0800" - }, - { - "name": "last-modified", - "value": "2024-02-06T00:47:04+0800" - } - ], - "links": [ - { - "href": "#da71948e-4dff-4a9d-a645-69ced821fe97", - "rel": "reference", - "text": "IM8 Cloud Security (IaaS and PaaS): 1.9/S8" - } - ], - "parts": [ - { - "id": "lm-10_smt", - "name": "statement", - "prose": "Configure resource usage monitoring to identify abnormal usage and send automated alerts." - }, - { - "id": "lm-10_gdn", - "name": "guidance", - "prose": "Configure Amazon CloudWatch alarms, Azure Monitor alerts, or their equivalents to identify abnormal usage such as spike in usage, access to resources during expected hours, and excessive charges." - } - ] - }, - { - "id": "lm-11", - "title": "Service Level Monitoring and Alerting", - "props": [ - { - "name": "risk-statement", - "value": "Without effective service level monitoring to identify potential application or service degradation and send automated alerts, there is a risk of failing to meet service availability standards, which could result in user dissatisfaction and reduced reliability." - }, - { - "name": "published", - "value": "2024-01-04T15:30:00+0800" - }, - { - "name": "last-modified", - "value": "2024-02-06T01:04:05+0800" - } - ], - "links": [ - { - "href": "#ee9148b4-3f31-48c8-8503-24fb5cd73db8", - "rel": "reference", - "text": "IM8 Cloud ADS: 11.1/G3" - } - ], - "parts": [ - { - "id": "lm-11_smt", - "name": "statement", - "prose": "Monitor, maintain and alert on service level objectives (SLOs) and indicators (SLIs) to ensure consistent service performance, availability and reliability." - }, - { - "id": "lm-11_gdn", - "name": "guidance", - "prose": "Implement a comprehensive monitoring system that tracks key SLIs and evaluates them against defined SLOs. This will help in identifying potential service level breaches early and take proactive measures to maintain service quality. 
Examples include Cloudwatch metrics and alerts, Amazon Route 53 health checks, Azure Monitor Application Insights, or their equivalents." - } - ] - }, - { - "id": "lm-12", - "title": "Central Security Log Management and Monitoring", - "params": [ - { - "id": "lm-12_prm_1", - "class": "str", - "label": "service", - "guidelines": [ - { - "prose": "The central security log management and monitoring service." - } - ] - } - ], - "props": [ - { - "name": "risk-statement", - "value": "Lack of central security log management and monitoring increases the risk of delayed or unnoticed security incidents, hindering effective response, and compromising the overall cybersecurity posture." - }, - { - "name": "published", - "value": "2023-10-10T18:06:24+0800" - }, - { - "name": "last-modified", - "value": "2024-05-29T21:17:04+0800" - } - ], - "links": [ - { - "href": "#da71948e-4dff-4a9d-a645-69ced821fe97", - "rel": "reference", - "text": "IM8 Cloud Security (IaaS and PaaS): 1.9/S3" - }, - { - "href": "#f3057503-f399-4735-9d7b-ea9830f3b2ac", - "rel": "reference", - "text": "IM8 On-Premise IS (Non-S): 7.1/S3" - }, - { - "href": "#0062e6a3-8ac4-44db-92df-8357b437ca0c", - "rel": "reference", - "text": "NIST SP 800-53 AU-6(4): Central Review and Analysis" - }, - { - "href": "#0062e6a3-8ac4-44db-92df-8357b437ca0c", - "rel": "reference", - "text": "NIST SP 800-53 PL-9: Central Management" - } - ], - "parts": [ - { - "id": "lm-12_smt", - "name": "statement", - "prose": "Centralise security log management and monitoring with {{ insert: param, lm-12_prm_1 }}." - }, - { - "id": "lm-12_gdn", - "name": "guidance", - "prose": "Tenants on Government Commercial Cloud (GCC) already have Cloud Service Provider (CSP) tenant security logs stored centrally and available for forwarding to Government Cyber Security Operations Centre (GCSOC). Contact GCSOC for subscription and additional services." 
- } - ] - }, - { - "id": "lm-13", - "title": "Database Activity Monitoring", - "props": [ - { - "name": "risk-statement", - "value": "Neglecting to monitor database activities for anomalous behaviour increases the risk of undetected security threats, unauthorised access, and compromises in data integrity, hindering the ability to identify and respond to potential database-related incidents." - }, - { - "name": "published", - "value": "2023-10-10T18:06:24+0800" - }, - { - "name": "last-modified", - "value": "2023-10-10T18:06:24+0800" - } - ], - "parts": [ - { - "id": "lm-13_smt", - "name": "statement", - "prose": "Monitor database activities for anomalous behaviour." - }, - { - "id": "lm-13_gdn", - "name": "guidance", - "prose": "Config RDS Activity Streams and logs with alerts or Database Activity Monitoring (DAM) tools to detect unusual authentication, reads or writes to a database." - } - ] - }, - { - "id": "lm-14", - "title": "Web Defacement Monitoring", - "props": [ - { - "name": "risk-statement", - "value": "Failure to detect and respond to web defacement promptly will lead to prolonged disruption to services." - }, - { - "name": "published", - "value": "2023-10-27T16:50:47+0800" - }, - { - "name": "last-modified", - "value": "2024-05-29T21:20:05+0800" - } - ], - "links": [ - { - "href": "#da71948e-4dff-4a9d-a645-69ced821fe97", - "rel": "reference", - "text": "IM8 Cloud Security (IaaS and PaaS): 1.9/S13" - }, - { - "href": "#f3057503-f399-4735-9d7b-ea9830f3b2ac", - "rel": "reference", - "text": "IM8 On-Premise IS (Non-S): 7.1/S5" - } - ], - "parts": [ - { - "id": "lm-14_smt", - "name": "statement", - "prose": "Plan for and implement measures to detect and recover from web defacements." - }, - { - "id": "lm-14_gdn", - "name": "guidance", - "prose": "The Government Cyber Security Operations Centre (GCSOC) offers centralised monitoring of web defacements of internet-facing systems." 
- } - ] - }, - { - "id": "lm-15", - "title": "Structured Log Formatting", - "props": [ - { - "name": "risk-statement", - "value": "Inconsistent or unstructured log formatting can lead to difficulties in log analysis and monitoring, potentially resulting in missed critical events or delayed response to system anomalies." - }, - { - "name": "published", - "value": "2023-12-20T01:03:42+0800" - }, - { - "name": "last-modified", - "value": "2024-01-04T00:00:00+0800" - } - ], - "parts": [ - { - "id": "lm-15_smt", - "name": "statement", - "prose": "Publish logs in a consistent, structured format that aligns with industry standards for easy parsing and analysis." - }, - { - "id": "lm-15_gdn", - "name": "guidance", - "prose": "For security logs, implement or transform to OCSF (Open Cybersecurity Schema Framework), ECS (Elastic Common Schema) or similar schemas to standardize log formats for better threat detection and analysis. For operational logs, adopt OpenTelemetry or structured JSON formats to facilitate clear, structured, and efficient log analysis for system performance and diagnostics. Consistent log formatting aids in automated parsing and helps in integrating logs from various sources." - } - ] - }, - { - "id": "lm-16", - "title": "Key Signals Monitoring", - "props": [ - { - "name": "risk-statement", - "value": "Inadequate monitoring of key user-facing signals such as latency, traffic, errors, and saturation can lead to suboptimal service performance, adversely impacting user experience, system efficiency, and increasing the likelihood of system failures. This oversight can significantly detract from service reliability and user satisfaction." - }, - { - "name": "published", - "value": "2024-01-04T15:30:00+0800" - }, - { - "name": "last-modified", - "value": "2024-01-04T15:30:00+0800" - } - ], - "parts": [ - { - "id": "lm-16_smt", - "name": "statement", - "prose": "Monitor key user-facing signals to maintain robust service health and performance." 
- }, - { - "id": "lm-16_gdn", - "name": "guidance", - "prose": "Implement monitoring of key signals such as latency, traffic, errors, and saturation (the 4 Golden Signals). Regularly track and analyse these indicators for proactive issue detection and resolution. Use this data to identify trends and areas for system improvement, ensuring continuous enhancement in service quality and reliability." - } - ] - }, - { - "id": "lm-17", - "title": "Software delivery performance monitoring", - "props": [ - { - "name": "risk-statement", - "value": "Failing to measure and improve the software delivery performance can lead to inefficient development processes, reduced software quality and longer recovery times." - }, - { - "name": "published", - "value": "2024-01-04T15:30:00+0800" - }, - { - "name": "last-modified", - "value": "2024-01-04T15:30:00+0800" - } - ], - "parts": [ - { - "id": "lm-17_smt", - "name": "statement", - "prose": "Measure and analyse software delivery performance to optimise development velocity and operational efficiency." - }, - { - "id": "lm-17_gdn", - "name": "guidance", - "prose": "Implement tools and processes to track Deployment Frequency, Lead Time for Changes, Change Failure Rate, and Time to Restore Service (the DORA 4 Key metrics). Use these metrics as benchmarks to drive continuous improvement in the software development and deployment process, enhancing agility, reliability, and responsiveness to changes." - } - ] - } - ] - }, - { - "id": "ac", - "title": "Access Control", - "parts": [ - { - "name": "overview", - "prose": "Controls to protect against unauthorised access to agency systems." 
- } - ], - "controls": [ - { - "id": "ac-1", - "title": "Principle of Least Privilege", - "props": [ - { - "name": "risk-statement", - "value": "Violating the principle of least privileges increases the risk of unauthorised access, privilege escalation, and potential security breaches due to unnecessary permissions, compromising the overall security posture." - }, - { - "name": "published", - "value": "2023-08-17T14:31:33+0800" - }, - { - "name": "last-modified", - "value": "2024-02-06T00:47:04+0800" - } - ], - "links": [ - { - "href": "#8723fc45-7378-478f-b61f-2e22a170e98c", - "rel": "reference", - "text": "MVSP 4.2: Logical access" - }, - { - "href": "#da71948e-4dff-4a9d-a645-69ced821fe97", - "rel": "reference", - "text": "IM8 Cloud Security (IaaS and PaaS): 1.4/S7" - }, - { - "href": "#da71948e-4dff-4a9d-a645-69ced821fe97", - "rel": "reference", - "text": "IM8 Cloud Security (IaaS and PaaS): 1.5/S4e" - }, - { - "href": "#da71948e-4dff-4a9d-a645-69ced821fe97", - "rel": "reference", - "text": "IM8 Cloud Security (IaaS and PaaS): 1.7/S1b" - } - ], - "parts": [ - { - "id": "ac-1_smt", - "name": "statement", - "prose": "Deny access by default and grant only the minimum permissions required for authorised accounts or processes to perform a specific function." - }, - { - "id": "ac-1_gdn", - "name": "guidance", - "prose": "Consider attribute- or feature-based access control for greater customisability and granularity." - } - ] - }, - { - "id": "ac-2", - "title": "Multi-Factor Authentication (MFA)", - "props": [ - { - "name": "risk-statement", - "value": "Without requiring phishing-resistant Multi-Factor Authentication (MFA) for remote access, there is an increased risk of unauthorised access, credential theft, and potential compromise of sensitive systems, especially for users with elevated privileges." 
- }, - { - "name": "published", - "value": "2023-08-17T14:31:33+0800" - }, - { - "name": "last-modified", - "value": "2024-02-06T01:04:05+0800" - } - ], - "links": [ - { - "href": "#0062e6a3-8ac4-44db-92df-8357b437ca0c", - "rel": "reference", - "text": "NIST SP 800-53 IA-2(1): Multi-factor Authentication to Privileged Accounts" - }, - { - "href": "#8723fc45-7378-478f-b61f-2e22a170e98c", - "rel": "reference", - "text": "MVSP 4.2: Logical access" - }, - { - "href": "#da71948e-4dff-4a9d-a645-69ced821fe97", - "rel": "reference", - "text": "IM8 Cloud Security (IaaS and PaaS): 1.4/S20a" - }, - { - "href": "#9749c983-5562-4a6f-8852-7eecf9b38d2c3", - "rel": "reference", - "text": "IM8 On-Premise ADS (Non-S): 2.4/S2" - } - ], - "parts": [ - { - "id": "ac-2_smt", - "name": "statement", - "prose": "Require MFA for remote developer, maintainer, or administrator access at login." - }, - { - "id": "ac-2_gdn", - "name": "guidance", - "prose": "Ensure that the authentication factors are different and independent of the accessing device. For additional security, consider MFA for privileged actions at the application level (such as step-up MFA challenges via PIM tools)." - } - ] - }, - { - "id": "ac-3", - "title": "Inactive and Expired Accounts", - "params": [ - { - "id": "ac-3_prm_1", - "class": "int", - "label": "time period (days)", - "guidelines": [ - { - "prose": "The time period in days after account expiry." - } - ] - }, - { - "id": "ac-3_prm_2", - "class": "int", - "label": "time period (days)", - "guidelines": [ - { - "prose": "The time period in days of account inactivity." - } - ] - } - ], - "props": [ - { - "name": "risk-statement", - "value": "Failure to disable or remove unused accounts or credentials with elevated access increases the risk of unauthorised access, as dormant accounts may become targets for exploitation, compromising the security of the system." 
- }, - { - "name": "published", - "value": "2023-08-17T14:31:33+0800" - }, - { - "name": "last-modified", - "value": "2024-02-09T23:02:29+0800" - } - ], - "links": [ - { - "href": "#0062e6a3-8ac4-44db-92df-8357b437ca0c", - "rel": "reference", - "text": "NIST SP 800-53 AC-2(3): Disable Accounts" - }, - { - "href": "#8723fc45-7378-478f-b61f-2e22a170e98c", - "rel": "reference", - "text": "MVSP 4.2: Logical access" - }, - { - "href": "#da71948e-4dff-4a9d-a645-69ced821fe97", - "rel": "reference", - "text": "IM8 Cloud Security (IaaS and PaaS): 1.4/S15" - }, - { - "href": "#da71948e-4dff-4a9d-a645-69ced821fe97", - "rel": "reference", - "text": "IM8 Cloud Security (IaaS and PaaS): 1.4/S18b" - }, - { - "href": "#9749c983-5562-4a6f-8852-7eecf9b38d2c", - "rel": "reference", - "text": "IM8 On-Premise ADS (Non-S): 2.3/S2, 2.3/S3" - } - ], - "parts": [ - { - "id": "ac-3_smt", - "name": "statement", - "prose": "Disable or remove accounts with privileged access within {{ insert: param, ac-3_prm_1 }} day(s) from last day of authorised use or have not been used for {{ insert: param, ac-3_prm_2 }} day(s)." - }, - { - "id": "ac-3_gdn", - "name": "guidance", - "prose": "Use automated checks to identify accounts and credentials that should be disabled. For privileged user accounts in applications, consider using automated workflows such as System for Cross-domain Identity Management (SCIM) or identity lifecycle management tools. For cloud service provider accounts, use tools such as AWS Config iam-user-unused-credentials-check to manage Identity and Access Management (IAM) users." - } - ] - }, - { - "id": "ac-4", - "title": "Access Review", - "params": [ - { - "id": "ac-4_prm_1", - "class": "int", - "label": "time period (days)", - "guidelines": [ - { - "prose": "The time period in days of access review frequency." 
- } - ] - }, - { - "id": "ac-4_prm_2", - "class": "int", - "label": "time period (days)", - "guidelines": [ - { - "prose": "The time period in days of access removal deadline." - } - ] - } - ], - "props": [ - { - "name": "risk-statement", - "value": "Without regular access reviews and prompt removal of unauthorised or unintended access rights, there is an increased risk of lingering access, potential misuse of privileges, and compromised security, impacting the confidentiality and integrity of sensitive data." - }, - { - "name": "published", - "value": "2023-08-17T14:31:33+0800" - }, - { - "name": "last-modified", - "value": "2024-02-09T22:54:15+0800" - } - ], - "links": [ - { - "href": "#0062e6a3-8ac4-44db-92df-8357b437ca0c", - "rel": "reference", - "text": "AC-2: Account Management" - }, - { - "href": "#8723fc45-7378-478f-b61f-2e22a170e98c", - "rel": "reference", - "text": "MVSP 4.2: Logical access" - }, - { - "href": "#da71948e-4dff-4a9d-a645-69ced821fe97", - "rel": "reference", - "text": "IM8 Cloud Security (IaaS and PaaS): 1.4/S13" - }, - { - "href": "#9749c983-5562-4a6f-8852-7eecf9b38d2c", - "rel": "reference", - "text": "IM8 On-Premise ADS (Non-S): 2.3/S1, 2.3/S6" - } - ], - "parts": [ - { - "id": "ac-4_smt", - "name": "statement", - "prose": "Perform an access review every {{ insert: param, ac-4_prm_1 }} day(s) and remove unauthorised or unintended privileged access rights within {{ insert: param, ac-4_prm_2 }} day(s)." - }, - { - "id": "ac-4_gdn", - "name": "guidance", - "prose": "For privileged user accounts in applications, implement automated review workflows or reports. For cloud service provider accounts and roles, use tools such as AWS IAM Access Advisor or Azure AD Access Review to facilitate and manage access reviews." 
- }
- ]
- },
- {
- "id": "ac-5",
- "title": "Endpoint Device Hardening",
- "props": [
- {
- "name": "risk-statement",
- "value": "Without requiring hardened endpoint devices for remote access, there's an increased risk of compromised endpoints, potential malware infections, and security breaches, which could lead to unauthorised access and compromise the integrity of systems."
- },
- {
- "name": "published",
- "value": "2023-08-17T14:31:33+0800"
- },
- {
- "name": "last-modified",
- "value": "2024-02-06T01:04:05+0800"
- }
- ],
- "links": [
- {
- "href": "#da71948e-4dff-4a9d-a645-69ced821fe97",
- "rel": "reference",
- "text": "IM8 Cloud Security (IaaS and PaaS): 1.4/S20a"
- },
- {
- "href": "#f3057503-f399-4735-9d7b-ea9830f3b2ac",
- "rel": "reference",
- "text": "IM8 On-Premise IS (Non-S): 1.3/S1, 4.7/S3"
- }
- ],
- "parts": [
- {
- "id": "ac-5_smt",
- "name": "statement",
- "prose": "Require hardened endpoint devices for remote developer, maintainer, or administrator access."
- },
- {
- "id": "ac-5_gdn",
- "name": "guidance",
- "prose": "Use Endpoint Management platfoms to continuously check and enforce device security posture and deny access if the hardening requirements are not met. Hardened devices include Government Standard Image Build (GSIB) and Security Suite for Engineering Endpoint Devices (SEED)."
- }
- ]
- },
- {
- "id": "ac-6",
- "title": "Default Credentials",
- "props": [
- {
- "name": "risk-statement",
- "value": "Failure to change default credentials prior to first use increases the risk of unauthorised access, as default credentials are often well-known and targeted by attackers, compromising the security of the system or device."
- },
- {
- "name": "published",
- "value": "2023-10-02T10:34:05+0800"
- },
- {
- "name": "last-modified",
- "value": "2024-02-06T01:04:05+0800"
- }
- ],
- "links": [
- {
- "href": "#0062e6a3-8ac4-44db-92df-8357b437ca0c",
- "rel": "reference",
- "text": "NIST SP 800-53 IA-5: Authenticator Management"
- },
- {
- "href": "#da71948e-4dff-4a9d-a645-69ced821fe97",
- "rel": "reference",
- "text": "IM8 Cloud Security (IaaS and PaaS): 1.4/S1c"
- },
- {
- "href": "#da71948e-4dff-4a9d-a645-69ced821fe97",
- "rel": "reference",
- "text": "IM8 Cloud Security (IaaS and PaaS): 1.4/S2c"
- },
- {
- "href": "#9749c983-5562-4a6f-8852-7eecf9b38d2c",
- "rel": "reference",
- "text": "IM8 On-Premise ADS (Non-S): 2.2/S1d, 2.3/S5"
- }
- ],
- "parts": [
- {
- "id": "ac-6_smt",
- "name": "statement",
- "prose": "Change default credentials prior to first use."
- },
- {
- "id": "ac-6_gdn",
- "name": "guidance",
- "prose": "Identify any default credentials used in any system components before deploying and change them. Configure end-user systems to prompt for password change on first login after account creation or reset."
- }
- ]
- },
- {
- "id": "ac-7",
- "title": "SingPass/CorpPass for External Users",
- "props": [
- {
- "name": "risk-statement",
- "value": "Leverage on SingPass or CorpPass to reduce duplication of effort and provide consistent end user experience."
- },
- {
- "name": "published",
- "value": "2023-10-27T16:50:47+0800"
- },
- {
- "name": "last-modified",
- "value": "2024-02-06T01:04:05+0800"
- }
- ],
- "links": [
- {
- "href": "#9749c983-5562-4a6f-8852-7eecf9b38d2c",
- "rel": "reference",
- "text": "IM8 On-Premise ADS (Non-S): 2.1/S1"
- }
- ],
- "parts": [
- {
- "id": "ac-7_smt",
- "name": "statement",
- "prose": "Use SingPass or CorpPass MFA for digital services that require high level of identity assurance for external users."
- },
- {
- "id": "ac-7_gdn",
- "name": "guidance",
- "prose": "For high impact or high risk transactions, use SingPass/CorpPass to identify external users (e.g. citizens). Internal users should use Government managed Single Sign-on (SSO) solutions (such as WOG AAD)."
- }
- ]
- },
- {
- "id": "ac-8",
- "title": "Automate account provisioning",
- "props": [
- {
- "name": "risk-statement",
- "value": "Manual account and access provisioning can introduce errors and weaknesses, thus making access control measures ineffective and unreliable."
- },
- {
- "name": "published",
- "value": "2023-10-27T15:51:13+0800"
- },
- {
- "name": "last-modified",
- "value": "2024-02-06T01:04:05+0800"
- }
- ],
- "links": [
- {
- "href": "#da71948e-4dff-4a9d-a645-69ced821fe97",
- "rel": "reference",
- "text": "IM8 Cloud Security (IaaS and PaaS): 1.4/S18a"
- },
- {
- "href": "#9749c983-5562-4a6f-8852-7eecf9b38d2c",
- "rel": "reference",
- "text": "IM8 On-Premise ADS (Non-S): 2.3/S7"
- }
- ],
- "parts": [
- {
- "id": "ac-8_smt",
- "name": "statement",
- "prose": "Implement automation of cloud and application account provisioning and deprovisioning using an account management tool."
- },
- {
- "id": "ac-8_gdn",
- "name": "guidance",
- "prose": "Adopt Single Sign-On (SSO) with just-in-time provisioning or account lifecycle management tools (such as SCIM or CAM) to assist with account management. For systems unable to use SSO, it is recommended to leverage account management lifecycle tools with HR records (such as CAM) to automatically provision and de-provision accounts."
- }
- ]
- },
- {
- "id": "ac-9",
- "title": "Endpoint Device Management",
- "props": [
- {
- "name": "risk-statement",
- "value": "Unmanaged endpoint devices increase the risk of unauthorized access and potential loss of sensitive information due to the compromise of devices."
- },
- {
- "name": "published",
- "value": "2023-11-29T18:00:00+0000"
- },
- {
- "name": "last-modified",
- "value": "2024-01-19T17:00:00+0800"
- }
- ],
- "parts": [
- {
- "id": "ac-9_smt",
- "name": "statement",
- "prose": "Implement and maintain an endpoint device management solution to ensure the security and integrity of endpoint devices used within the organisation."
- },
- {
- "id": "ac-9_gdn",
- "name": "guidance",
- "prose": "Mobile Device Management (MDM) platforms enable management, monitoring, and secure configuration of endpoint devices. This includes enforcing disk encryption, managing configuration, ensuring regular updates, and providing the ability to remotely wipe data in case of device loss or theft."
- }
- ]
- },
- {
- "id": "ac-10",
- "title": "Identity and Device-Based Access Control",
- "props": [
- {
- "name": "risk-statement",
- "value": "Relying on direct connections or traditional VPNs for remote access can lead to vulnerabilities, as they do not always incorporate strong identity and device-based security measures. This increases the risk of unauthorized access and potential data breaches."
- },
- {
- "name": "published",
- "value": "2023-11-29T18:00:00+0000"
- },
- {
- "name": "last-modified",
- "value": "2023-11-29T18:00:00+0000"
- }
- ],
- "parts": [
- {
- "id": "ac-10_smt",
- "name": "statement",
- "prose": "Adopt Identity and Device-Based Access Control for secure and context-aware connectivity to private organisational resources."
- },
- {
- "id": "ac-10_gdn",
- "name": "guidance",
- "prose": "Use solutions such as Secure Service Edge (SSE), Identity Aware Proxies (IAP) or other Zero Trust services (Entra ID Conditional Access, Okta Device Trust, etc) that integrate identity and device management systems to provide granular access control to resources based on user identity and device posture. For example, Security Suite for Engineering Endpoint Devices (SEED)."
- }
- ]
- },
- {
- "id": "ac-11",
- "title": "Single User Endpoints",
- "props": [
- {
- "name": "risk-statement",
- "value": "Allowing multiple users to access a single endpoint device can lead to security risks such as data leakage, difficulty in tracking user activities, and increased vulnerability to insider threats."
- },
- {
- "name": "published",
- "value": "2023-12-07T08:00:00+0000"
- },
- {
- "name": "last-modified",
- "value": "2023-12-07T16:00:00+0000"
- }
- ],
- "parts": [
- {
- "id": "ac-11_smt",
- "name": "statement",
- "prose": "Assign each endpoint device to a single designated primary user and enforce the assignment to ensure accountability and enhance security monitoring."
- },
- {
- "id": "ac-11_gdn",
- "name": "guidance",
- "prose": "Implement measures such as user authentication and endpoint management with device enrollment to enforce the single primary user per endpoint. If secondary accounts for local device support or maintenance activities consider securing with endpoint privilege management tools."
- }
- ]
- },
- {
- "id": "ac-12",
- "title": "Single Sign-On (SSO) for Internal Users",
- "props": [
- {
- "name": "risk-statement",
- "value": "Without Single Sign-On (SSO), there is an increased risk of unauthorized access and compromised user credentials, as users may resort to using weak passwords or reusing credentials across multiple systems, thereby exposing sensitive information to potential security breaches."
- },
- {
- "name": "published",
- "value": "2023-12-07T08:00:00+0000"
- },
- {
- "name": "last-modified",
- "value": "2024-02-06T00:47:04+0800"
- }
- ],
- "links": [
- {
- "href": "#0062e6a3-8ac4-44db-92df-8357b437ca0c",
- "rel": "reference",
- "text": "IA-2(10): Single Sign-on"
- },
- {
- "href": "#da71948e-4dff-4a9d-a645-69ced821fe97",
- "rel": "reference",
- "text": "IM8 Cloud Security (IaaS and PaaS): 1.4/S18c"
- }
- ],
- "parts": [
- {
- "id": "ac-12_smt",
- "name": "statement",
- "prose": "Use Single Sign-On (SSO) for internal users and services."
- },
- {
- "id": "ac-12_gdn",
- "name": "guidance",
- "prose": "Configure multi-factor authentication (MFA) at the Single-Sign On (SSO) identity provider (IdP) and ensure that access to the system is only granted after the IdP authenticates the user. WOG AAD is recommended for public officers and TechPass AAD for developers."
- }
- ]
- }
- ]
- },
- {
- "id": "cs",
- "title": "Container Security",
- "parts": [
- {
- "name": "overview",
- "prose": "Controls to secure container building, distribution, and deployment."
- }
- ],
- "controls": [
- {
- "id": "cs-1",
- "title": "Unique Base Container Image Tags",
- "props": [
- {
- "name": "risk-statement",
- "value": "Using unique base container image tags instead of rolling tags reduces the risk of unintentional updates, inconsistencies, and potential security vulnerabilities in containerised environments, ensuring a more stable and secure deployment process."
- },
- {
- "name": "published",
- "value": "2023-08-23T23:58:33+0800"
- },
- {
- "name": "last-modified",
- "value": "2024-02-06T01:04:05+0800"
- }
- ],
- "links": [
- {
- "href": "#438199c5-6b38-4704-88d6-a902ee08a433",
- "rel": "reference",
- "text": "SLSA Build L1: Provenance exists"
- },
- {
- "href": "#ee9148b4-3f31-48c8-8503-24fb5cd73db8",
- "rel": "reference",
- "text": "IM8 Cloud ADS: 12.1/G3"
- }
- ],
- "parts": [
- {
- "id": "cs-1_smt",
- "name": "statement",
- "prose": "Use unique base container image tags instead of rolling tags."
- },
- {
- "id": "cs-1_gdn",
- "name": "guidance",
- "prose": "Avoid the `latest` tag or other common rolling tags for base images to minimise unintended changes during subsequent builds using the same instruction. A digest SHA can provide a unique identifier for the image if no tag is assigned during build time."
- }
- ]
- },
- {
- "id": "cs-2",
- "title": "Minimal Base Container Images",
- "props": [
- {
- "name": "risk-statement",
- "value": "Building container images with minimal base images reduces the attack surface, potential vulnerabilities, and resource overhead, minimising the risk of security exploits and enhancing the overall security posture of the containerised environment."
- },
- {
- "name": "published",
- "value": "2023-08-23T23:58:33+0800"
- },
- {
- "name": "last-modified",
- "value": "2024-02-06T01:04:05+0800"
- }
- ],
- "links": [
- {
- "href": "#ee9148b4-3f31-48c8-8503-24fb5cd73db8",
- "rel": "reference",
- "text": "IM8 Cloud ADS: 12.1/G1"
- }
- ],
- "parts": [
- {
- "id": "cs-2_smt",
- "name": "statement",
- "prose": "Build container images with minimal base images."
- },
- {
- "id": "cs-2_gdn",
- "name": "guidance",
- "prose": "Use minimal container images such as alpine, scratch, wolfi, and distroless images as the base image to reduce attack surface."
- }
- ]
- },
- {
- "id": "cs-3",
- "title": "Runtime Container Secrets",
- "props": [
- {
- "name": "risk-statement",
- "value": "Providing secrets and sensitive data to the container at runtime instead of image build time reduces the risk of exposing sensitive information in the image and enhances security by ensuring that secrets are managed and updated independently, minimising the risk of unauthorised access or data compromise."
- },
- {
- "name": "published",
- "value": "2023-08-23T23:58:33+0800"
- },
- {
- "name": "last-modified",
- "value": "2024-02-06T01:04:05+0800"
- }
- ],
- "links": [
- {
- "href": "#ee9148b4-3f31-48c8-8503-24fb5cd73db8",
- "rel": "reference",
- "text": "IM8 Cloud ADS: 2.2/S4"
- }
- ],
- "parts": [
- {
- "id": "cs-3_smt",
- "name": "statement",
- "prose": "Provide secrets and sensitive data to the container at runtime instead of image build time."
- },
- {
- "id": "cs-3_gdn",
- "name": "guidance",
- "prose": "Ensure no secrets (e.g., TLS certificate keys, cloud provider credentials, SSH private keys, database passwords) are embedded in the container image by using dedicated features like Docker secrets or `podman-secret-create`."
- }
- ]
- },
- {
- "id": "cs-4",
- "title": "Non-Privileged Container User",
- "props": [
- {
- "name": "risk-statement",
- "value": "Failure to create a non-root user and set it as the default user in container image build instructions increases the risk of security vulnerabilities, as running containers with root privileges may lead to potential exploitation and compromise of the host system."
- },
- {
- "name": "published",
- "value": "2023-08-23T23:58:33+0800"
- },
- {
- "name": "last-modified",
- "value": "2024-02-06T01:04:05+0800"
- }
- ],
- "links": [
- {
- "href": "#ee9148b4-3f31-48c8-8503-24fb5cd73db8",
- "rel": "reference",
- "text": "IM8 Cloud ADS: 12.2/S2"
- }
- ],
- "parts": [
- {
- "id": "cs-4_smt",
- "name": "statement",
- "prose": "Create a non-root user and set it as the default user in the container image build instructions."
- },
- {
- "id": "cs-4_gdn",
- "name": "guidance",
- "prose": "Ensure the non-root user has the minimal set of permissions required to run the container."
- }
- ]
- },
- {
- "id": "cs-5",
- "title": "Dockerfile Linting",
- "props": [
- {
- "name": "risk-statement",
- "value": "Without linting Dockerfiles before building container images, there's an increased risk of syntax errors, misconfigurations, and potential security vulnerabilities, compromising the reliability and security of the resulting containerised applications."
- },
- {
- "name": "published",
- "value": "2023-08-23T23:58:33+0800"
- },
- {
- "name": "last-modified",
- "value": "2024-02-06T01:04:05+0800"
- }
- ],
- "links": [
- {
- "href": "#ee9148b4-3f31-48c8-8503-24fb5cd73db8",
- "rel": "reference",
- "text": "IM8 Cloud ADS: 12.1/G4"
- }
- ],
- "parts": [
- {
- "id": "cs-5_smt",
- "name": "statement",
- "prose": "Lint Dockerfiles before building container images."
- },
- {
- "id": "cs-5_gdn",
- "name": "guidance",
- "prose": "Use linters such as Hadolint to check the Dockerfile (or similar build file) instructions and flag any issues that contravene best practices. Ensure Dockerfile linting stage is run as part of the Continuous Integration (CI) pipelines."
- }
- ]
- },
- {
- "id": "cs-6",
- "title": "Read-Only Container Root Filesystem",
- "props": [
- {
- "name": "risk-statement",
- "value": "Failure to configure the container filesystem as read-only increases the risk of unauthorised modifications, potential tampering, and compromise of containerised applications, as attackers may exploit write access to alter the container's state and integrity."
- },
- {
- "name": "published",
- "value": "2023-08-23T23:58:33+0800"
- },
- {
- "name": "last-modified",
- "value": "2024-01-19T14:00:00+0800"
- }
- ],
- "parts": [
- {
- "id": "cs-6_smt",
- "name": "statement",
- "prose": "Configure the container filesystem to be read-only."
- },
- {
- "id": "cs-6_gdn",
- "name": "guidance",
- "prose": "Use security policies (e.g., `readonlyRootFilesystem` for Kubernetes) to prevent any direct writes to the container's root filesystem during runtime and ensure immutable infrastructure. Do not directly apply patches or alter running containers as the containers are ephemeral and patches will disappear upon redeploy. Apply patches by rebuilding and redeploying container images."
- }
- ]
- },
- {
- "id": "cs-7",
- "title": "Container Image Scanning",
- "params": [
- {
- "id": "cs-7_prm_1",
- "class": "str",
- "label": "location",
- "guidelines": [
- {
- "prose": "The location where container image scanning occurs."
- }
- ],
- "select": {
- "how-many": "one-or-more",
- "choice": [
- "CI/CD pipeline",
- "container registry"
- ]
- }
- }
- ],
- "props": [
- {
- "name": "risk-statement",
- "value": "Failure to scan container images increases the risk of deploying insecure images, potentially exposing the infrastructure to known exploits and compromising the security of the containerised applications during runtime."
- },
- {
- "name": "published",
- "value": "2023-08-23T23:58:33+0800"
- },
- {
- "name": "last-modified",
- "value": "2024-03-31T23:50:41+0800"
- }
- ],
- "links": [
- {
- "href": "#ee9148b4-3f31-48c8-8503-24fb5cd73db8",
- "rel": "reference",
- "text": "IM8 Cloud ADS: 12.3/G2b"
- },
- {
- "href": "#ee9148b4-3f31-48c8-8503-24fb5cd73db8",
- "rel": "reference",
- "text": "IM8 Cloud ADS: 12.3/G2c"
- }
- ],
- "parts": [
- {
- "id": "cs-7_smt",
- "name": "statement",
- "prose": "Scan container images in the {{ insert: param, cs-7_prm_1 }} for known vulnerabilities."
- },
- {
- "id": "cs-7_gdn",
- "name": "guidance",
- "prose": "Container image scanning tools (e.g., Amazon Inspector, Trivy, Grype) scan the contents of a container image for known vulnerabilities. Configure scans to run automatically and continuously, as well as enable scanning of image on push. Block deployment of container images with HIGH CVE being detected during scan (e.g., using Amazon ECR with Security Hub)."
- }
- ]
- },
- {
- "id": "cs-8",
- "title": "Private Container Image Registries",
- "props": [
- {
- "name": "risk-statement",
- "value": "Hosting built container images in private registries enhances security by reducing the exposure of sensitive images, minimising the risk of unauthorised access, and maintaining control over image distribution, ensuring a more secure and controlled container deployment process."
- },
- {
- "name": "published",
- "value": "2023-08-23T23:58:33+0800"
- },
- {
- "name": "last-modified",
- "value": "2024-03-31T23:39:47+0800"
- }
- ],
- "parts": [
- {
- "id": "cs-8_smt",
- "name": "statement",
- "prose": "Host built container images in private container registries."
- },
- {
- "id": "cs-8_gdn",
- "name": "guidance",
- "prose": "Use only private container registries (e.g., Amazon ECR private registry) to host container images built by the organisation as images may contain proprietary code or sensitive information."
- }
- ]
- },
- {
- "id": "cs-9",
- "title": "Container Orchestrator API Access Control",
- "props": [
- {
- "name": "risk-statement",
- "value": "Failure to disable public access to Container Orchestrator API endpoints from the internet increases the risk of unauthorised access, potential exploitation, and security breaches, as exposing these endpoints publicly may lead to unauthorised control and compromise of the container infrastructure."
- },
- {
- "name": "published",
- "value": "2023-08-23T23:58:33+0800"
- },
- {
- "name": "last-modified",
- "value": "2024-03-31T23:39:54+0800"
- }
- ],
- "links": [
- {
- "href": "#da71948e-4dff-4a9d-a645-69ced821fe97",
- "rel": "reference",
- "text": "IM8 Cloud Security (IaaS and PaaS): 1.7/S21b"
- }
- ],
- "parts": [
- {
- "id": "cs-9_smt",
- "name": "statement",
- "prose": "Disable public access to Container Orchestrator API endpoints from the internet."
- },
- {
- "id": "cs-9_gdn",
- "name": "guidance",
- "prose": "Restrict access to the Container Orchestrator API endpoints (such as the Kubernetes API Server) to specific address ranges or use CSP provided features such as disabling Endpoint public access and Private Clusters to disable public access."
- }
- ]
- },
- {
- "id": "cs-10",
- "title": "Container Workload Segmentation",
- "props": [
- {
- "name": "risk-statement",
- "value": "Without separating container workloads into namespaces, there's an increased risk of lateral movement and potential compromise."
- },
- {
- "name": "published",
- "value": "2023-08-23T23:58:33+0800"
- },
- {
- "name": "last-modified",
- "value": "2024-03-31T23:40:00+0800"
- }
- ],
- "parts": [
- {
- "id": "cs-10_smt",
- "name": "statement",
- "prose": "Segregate container workloads to help contain attacks through isolation."
- },
- {
- "id": "cs-10_gdn",
- "name": "guidance",
- "prose": "Create Kubernetes namespaces or similar container segmentation controls to isolate different workloads, services or projects."
- }
- ]
- },
- {
- "id": "cs-11",
- "title": "Container Runtime Security",
- "props": [
- {
- "name": "risk-statement",
- "value": "Failure to detect and remediate changes to running containers using container runtime protection tools increases the risk of unnoticed compromises, potential exploitation, and unauthorised alterations to containerised applications, compromising the security and integrity of the runtime environment."
- },
- {
- "name": "published",
- "value": "2023-08-23T23:58:33+0800"
- },
- {
- "name": "last-modified",
- "value": "2024-03-31T23:40:06+0800"
- }
- ],
- "links": [
- {
- "href": "#ee9148b4-3f31-48c8-8503-24fb5cd73db8",
- "rel": "reference",
- "text": "IM8 Cloud ADS: 12.3/G2b"
- }
- ],
- "parts": [
- {
- "id": "cs-11_smt",
- "name": "statement",
- "prose": "Detect and remediate changes to running containers with container runtime protection tools."
- },
- {
- "id": "cs-11_gdn",
- "name": "guidance",
- "prose": "Runtime protection tools, such as AWS EKS Protection, Microsoft Defender for Containers, or Falco, monitor threats and changes to running containers. Vulnerable container instances should be isolated for investigation and replaced with rebuilt and patched images. To avoid persistence if patches do not exist, the container instance should be replaced frequently with an un-compromised image until a patch released. These tools replace Malware Protection (IS-7) and EDR (IS-8) in container environments."
- }
- ]
- }
- ]
- },
- {
- "id": "pm",
- "title": "Security Programme Management",
- "parts": [
- {
- "name": "overview",
- "prose": "Controls to implement cybersecurity governance, risk, and compliance processes and policies."
- }
- ],
- "controls": [
- {
- "id": "pm-1",
- "title": "Cybersecurity Incident Management Plan",
- "props": [
- {
- "name": "risk-statement",
- "value": "Lack of a cybersecurity incident management plan increases the risk of ineffective response to cybersecurity incidents, hindering the ability to contain, mitigate, and recover from security breaches, potentially leading to extended downtime and data compromise."
- },
- {
- "name": "published",
- "value": "2023-08-18T12:51:56+0800"
- },
- {
- "name": "last-modified",
- "value": "2024-05-15T23:50:24+0800"
- }
- ],
- "links": [
- {
- "href": "#8723fc45-7378-478f-b61f-2e22a170e98c",
- "rel": "reference",
- "text": "MVSP 1.7: Incident handling"
- },
- {
- "href": "#da71948e-4dff-4a9d-a645-69ced821fe97",
- "rel": "reference",
- "text": "IM8 Cloud Security (IaaS and PaaS): 1.1/S3"
- },
- {
- "href": "#424d176f-09ad-41c5-8a44-a064a9f1e37d",
- "rel": "reference",
- "text": "GIROC ICT and Data Incident Reporting Resources"
- }
- ],
- "parts": [
- {
- "id": "pm-1_smt",
- "name": "statement",
- "prose": "Develop, document, and disseminate an agency-level cybersecurity incident management plan to respond to cybersecurity incidents."
- },
- {
- "id": "pm-1_gdn",
- "name": "guidance",
- "prose": "Refer to the Government Incident Reporting and Operations Centre (GIROC) ICT and Data Incident Reporting Resources for an incident management plan and best practices template."
- }
- ]
- },
- {
- "id": "pm-2",
- "title": "Project Cybersecurity Risk Assessment",
- "props": [
- {
- "name": "risk-statement",
- "value": "Without developing and documenting a project-level cybersecurity risk assessment before the initial full release, there's an increased risk of overlooking potential security threats, vulnerabilities, and regulatory compliance issues, compromising the overall security posture of the project."
- },
- {
- "name": "published",
- "value": "2023-08-18T12:51:56+0800"
- },
- {
- "name": "last-modified",
- "value": "2024-05-15T23:54:27+0800"
- }
- ],
- "links": [
- {
- "href": "#8723fc45-7378-478f-b61f-2e22a170e98c",
- "rel": "reference",
- "text": "MVSP 1.3: Self-assessment"
- },
- {
- "href": "#da71948e-4dff-4a9d-a645-69ced821fe97",
- "rel": "reference",
- "text": "IM8 Cloud Security (IaaS and PaaS): 1.1/S1"
- },
- {
- "href": "#d90ebf27-ad15-40c3-84f1-c83c98383d16",
- "rel": "reference",
- "text": "Cybersecurity Toolkit for IT Teams"
- }
- ],
- "parts": [
- {
- "id": "pm-2_smt",
- "name": "statement",
- "prose": "Develop and document a project-level cybersecurity risk assessment prior to initial full release that includes:",
- "parts": [
- {
- "id": "pm-2_smt.1",
- "name": "item",
- "props": [
- {
- "name": "label",
- "value": "1"
- }
- ],
- "prose": "Risk scenario;"
- },
- {
- "id": "pm-2_smt.2",
- "name": "item",
- "props": [
- {
- "name": "label",
- "value": "2"
- }
- ],
- "prose": "Likelihood (from 1-5);"
- },
- {
- "id": "pm-2_smt.3",
- "name": "item",
- "props": [
- {
- "name": "label",
- "value": "3"
- }
- ],
- "prose": "Impact (from 1-5);"
- },
- {
- "id": "pm-2_smt.4",
- "name": "item",
- "props": [
- {
- "name": "label",
- "value": "4"
- }
- ],
- "prose": "Risk Level (Likelihood * Impact; 1-4: Low, 5-9: Medium, 10-14: Medium High, 15-19: High, 20-25: Critical)"
- },
- {
- "id": "pm-2_smt.5",
- "name": "item",
- "props": [
- {
- "name": "label",
- "value": "5"
- }
- ],
- "prose": "Mitigating Measures"
- }
- ]
- },
- {
- "id": "pm-2_gdn",
- "name": "guidance",
- "prose": "Refer to the Cyber Security Agency of Singapore's Cybersecurity Toolkit for IT Teams for an example of a risk assessment template and modify accordingly."
- }
- ]
- },
- {
- "id": "pm-3",
- "title": "System Security Plan (SSP) Development",
- "props": [
- {
- "name": "risk-statement",
- "value": "Failure to develop a comprehensive SSP can result in inadequate documentation and security controls, leading to increased vulnerability to cyber threats and non-compliance with regulatory requirements."
- },
- {
- "name": "published",
- "value": "2023-10-05T09:00:00+0800"
- },
- {
- "name": "last-modified",
- "value": "2023-10-10T16:00:00+0800"
- }
- ],
- "parts": [
- {
- "id": "pm-3_smt",
- "name": "statement",
- "prose": "Develop and maintain a comprehensive System Security Plan (SSP) that accurately reflects the system characteristics and security controls in place for the organisation's systems and environments."
- },
- {
- "id": "pm-3_gdn",
- "name": "guidance",
- "prose": "The SSP should be detailed, covering all aspects of security controls, roles, responsibilities, and operational processes. Regular updates are necessary to reflect changes in the security landscape and system evolution."
- }
- ]
- },
- {
- "id": "pm-4",
- "title": "Approval of Policy Deviations",
- "props": [
- {
- "name": "risk-statement",
- "value": "Unauthorised deviations from the policy can lead to an increased risk of security vulnerabilities and other compliance issues."
- },
- {
- "name": "published",
- "value": "2023-10-12T11:45:00+0800"
- },
- {
- "name": "last-modified",
- "value": "2024-05-12T23:15:32+0800"
- }
- ],
- "parts": [
- {
- "id": "pm-4_smt",
- "name": "statement",
- "prose": "Get approval of deviations from applicable Level 1 profile controls in the default System Security Plans (SSPs) from the agency's ICT and Digitalisation Steering Committee (IDSC) and document these deviations in the customised SSP."
- },
- {
- "id": "pm-4_gdn",
- "name": "guidance",
- "prose": "Agencies should seek approval for deviation from their IDSC or delegated approval authority. 
Controls that are not applicable to the system do not need approval for deviations but the reasons why they are not applicable must be documented in the customised SSP."
- }
- ]
- },
- {
- "id": "pm-5",
- "title": "Central Submission of Approved System Security Plan (SSP)",
- "props": [
- {
- "name": "risk-statement",
- "value": "Inconsistent or decentralised submission of the SSP can lead to decreased visibility of security and compliance adoption across Government."
- },
- {
- "name": "published",
- "value": "2023-10-20T08:30:00+0800"
- },
- {
- "name": "last-modified",
- "value": "2023-10-25T14:00:00+0800"
- }
- ],
- "links": [
- {
- "href": "#ssp-3-reference",
- "rel": "reference",
- "text": "Centralised SSP Management Guidelines"
- }
- ],
- "parts": [
- {
- "id": "pm-5_smt",
- "name": "statement",
- "prose": "Submit approved SSPs centrally to maintain a unified and up-to-date repository of security plans and practices."
- },
- {
- "id": "pm-5_gdn",
- "name": "guidance",
- "prose": "Reference the IM8 Portal for submitting all approved SSPs."
- }
- ]
- },
- {
- "id": "pm-6",
- "title": "System Documentation",
- "props": [
- {
- "name": "risk-statement",
- "value": "Comprehensive documentation of system architecture, components, configurations, and dependencies is essential for effective management, troubleshooting, and security auditing."
- },
- {
- "name": "published",
- "value": "2023-12-20T10:10:10+0800"
- },
- {
- "name": "last-modified",
- "value": "2023-01-10T0:00:00+0800"
- }
- ],
- "parts": [
- {
- "id": "pm-6_smt",
- "name": "statement",
- "prose": "Maintain detailed, up-to-date documentation of all system information and architecture."
- },
- {
- "id": "pm-6_gdn",
- "name": "guidance",
- "prose": "Example system documentation includes architecture and network diagrams, architecture decision records, hardware and software inventories, data flows, and configurations. 
This documentation should be regularly reviewed and updated to reflect changes in the environment. Documentation should be accessible to relevant personnel while ensuring sensitive information is protected. Adopt documentation-as-code practices and machine-readable formats (such as Markdown, JSON, YAML, etc), to facilitate version control, collaboration, and automation in maintaining documentation."
- }
- ]
- },
- {
- "id": "pm-7",
- "title": "Certification",
- "params": [
- {
- "id": "pm-7_prm_1",
- "class": "str",
- "label": "certifications",
- "guidelines": [
- {
- "prose": "The required certifications."
- }
- ]
- }
- ],
- "props": [
- {
- "name": "risk-statement",
- "value": "Third-party certification provides assurance that security controls have been properly implemented in the Software as a Service (SaaS) provider."
- },
- {
- "name": "published",
- "value": "2024-01-14T01:35:16+0800"
- },
- {
- "name": "last-modified",
- "value": "2024-02-09T22:54:15+0800"
- }
- ],
- "parts": [
- {
- "id": "pm-7_smt",
- "name": "statement",
- "prose": "Ensure that the Software as a Service (SaaS) provider is certified with {{ insert: param, pm-7_prm_1 }}."
- },
- {
- "id": "pm-7_gdn",
- "name": "guidance",
- "prose": "Ensure that the certification is up-to-date. Avoid certifications that are only attestations without a pass/fail element."
- }
- ]
- },
- {
- "id": "pm-8",
- "title": "Software as a Service (SaaS) Service Level Agreement",
- "props": [
- {
- "name": "risk-statement",
- "value": "Without a service level agreement the availability of the Software as a Service (SaaS) system may be poorly maintained by the provider."
- },
- {
- "name": "published",
- "value": "2024-01-14T02:04:59+0800"
- },
- {
- "name": "last-modified",
- "value": "2024-01-14T02:06:19+0800"
- }
- ],
- "parts": [
- {
- "id": "pm-8_smt",
- "name": "statement",
- "prose": "Obtain a service level agreement with the Software as a Service (SaaS) provider that covers uptime, response times, downtime notifications, support avenues, and support content."
- },
- {
- "id": "pm-8_gdn",
- "name": "guidance",
- "prose": "Ensure that the service level agreement is regularly checked for compliance."
- }
- ]
- }
- ]
- },
- {
- "id": "is",
- "title": "Infrastructure Security",
- "parts": [
- {
- "name": "overview",
- "prose": "Controls to secure infrastructure that host applications, services, and data."
- }
- ],
- "controls": [
- {
- "id": "is-1",
- "title": "Management Agents",
- "props": [
- {
- "name": "risk-statement",
- "value": "Without installing management agents on hosts, there is an increased risk of manual misconfigurations, difficulty in maintaining consistent configurations, and potential security vulnerabilities due to reduced visibility and ability to manage hosts effectively."
- },
- {
- "name": "published",
- "value": "2023-09-01T16:44:29+0800"
- },
- {
- "name": "last-modified",
- "value": "2024-02-06T00:47:04+0800"
- }
- ],
- "links": [
- {
- "href": "#da71948e-4dff-4a9d-a645-69ced821fe97",
- "rel": "reference",
- "text": "IM8 Cloud Security (IaaS and PaaS): 1.1/G1"
- },
- {
- "href": "#da71948e-4dff-4a9d-a645-69ced821fe97",
- "rel": "reference",
- "text": "IM8 Cloud Security (IaaS and PaaS): 1.4/S21"
- }
- ],
- "parts": [
- {
- "id": "is-1_smt",
- "name": "statement",
- "prose": "Install CSP management agents on hosts to remotely and securely manage their configurations."
- },
- {
- "id": "is-1_gdn",
- "name": "guidance",
- "prose": "Most CSP compute instances preinstall management agents (e.g., AWS Systems Manager Agent, Azure Windows VM Agent) by default. 
If the image does not come with the preinstalled agent, install manually." - } - ] - }, - { - "id": "is-2", - "title": "Automated Patch Management", - "props": [ - { - "name": "risk-statement", - "value": "Failure to automate patching of operating systems and applications increases the risk of delayed or missed security updates, leaving systems vulnerable to known exploits and potential security breaches, compromising the overall security of the environment." - }, - { - "name": "published", - "value": "2023-09-01T16:44:29+0800" - }, - { - "name": "last-modified", - "value": "2024-02-06T00:47:04+0800" - } - ], - "links": [ - { - "href": "#da71948e-4dff-4a9d-a645-69ced821fe97", - "rel": "reference", - "text": "IM8 Cloud Security (IaaS and PaaS): 1.7/S12" - }, - { - "href": "#da71948e-4dff-4a9d-a645-69ced821fe97", - "rel": "reference", - "text": "IM8 Cloud Security (IaaS and PaaS): 1.8/S4" - } - ], - "parts": [ - { - "id": "is-2_smt", - "name": "statement", - "prose": "Automate patching of operating systems and applications." - }, - { - "id": "is-2_gdn", - "name": "guidance", - "prose": "Apply patch baselines via the CSP node management service, unless the patch management process is automated as part of the build and deploy phase. For on-premise systems, use tools like Azure Update Manager to schedule and automatically deploy patches to Windows and Linux OS." - } - ] - }, - { - "id": "is-3", - "title": "Restricted Administrator Privileges", - "props": [ - { - "name": "risk-statement", - "value": "Without restricting administrator privileges, there is an increased risk of unauthorised access, privilege escalation, and potential security breaches, compromising the integrity and security of the system." 
- }, - { - "name": "published", - "value": "2023-09-01T16:44:29+0800" - }, - { - "name": "last-modified", - "value": "2024-02-06T01:04:05+0800" - } - ], - "links": [ - { - "href": "#da71948e-4dff-4a9d-a645-69ced821fe97", - "rel": "reference", - "text": "IM8 Cloud Security (IaaS and PaaS): 1.6/S1d" - }, - { - "href": "#da71948e-4dff-4a9d-a645-69ced821fe97", - "rel": "reference", - "text": "IM8 Cloud Security (IaaS and PaaS): 1.6/S1e" - }, - { - "href": "#f3057503-f399-4735-9d7b-ea9830f3b2ac", - "rel": "reference", - "text": "IM8 On-Premise IS (Non-S): 1.2/S2a" - } - ], - "parts": [ - { - "id": "is-3_smt", - "name": "statement", - "prose": "Restrict administrator privileges by disabling remote login for the root/administrator user and restricting sudo/administrators group access for other users." - }, - { - "id": "is-3_gdn", - "name": "guidance", - "prose": "Further reduce the attack surface by running common services such as the web server or database without root/administrator/system privileges." - } - ] - }, - { - "id": "is-4", - "title": "Least Functionality", - "props": [ - { - "name": "risk-statement", - "value": "Failure to disable or remove unnecessary functions, system ports, protocols, software, and services on the host increases the attack surface, potential vulnerabilities, and the risk of exploitation, compromising the overall security and performance of the system." 
- }, - { - "name": "published", - "value": "2023-09-01T16:44:29+0800" - }, - { - "name": "last-modified", - "value": "2024-02-06T01:04:05+0800" - } - ], - "links": [ - { - "href": "#0062e6a3-8ac4-44db-92df-8357b437ca0c", - "rel": "reference", - "text": "NIST SP 800-53 CM-7: Least Functionality" - }, - { - "href": "#da71948e-4dff-4a9d-a645-69ced821fe97", - "rel": "reference", - "text": "IM8 Cloud Security (IaaS and PaaS): 1.4/S7" - }, - { - "href": "#da71948e-4dff-4a9d-a645-69ced821fe97", - "rel": "reference", - "text": "IM8 Cloud Security (IaaS and PaaS): 1.5/S4e" - }, - { - "href": "#da71948e-4dff-4a9d-a645-69ced821fe97", - "rel": "reference", - "text": "IM8 Cloud Security (IaaS and PaaS): 1.7/S1b" - }, - { - "href": "#f3057503-f399-4735-9d7b-ea9830f3b2ac", - "rel": "reference", - "text": "IM8 On-Premise IS (Non-S): 1.2/S2c" - } - ], - "parts": [ - { - "id": "is-4_smt", - "name": "statement", - "prose": "Disable or remove unnecessary functions, system ports, protocols, software, and services on the host." - }, - { - "id": "is-4_gdn", - "name": "guidance", - "prose": "Follow the principle of least functionality to configure the host to carry out only its intended purpose. CSP node management services can provide an inventory of software and services (e.g., AWS Systems Manager Inventory). Vulnerability assessment scanners (e.g., AWS Inspector) can also identify software vulnerabilities and network exposure." - } - ] - }, - { - "id": "is-5", - "title": "Host System Hardening", - "props": [ - { - "name": "risk-statement", - "value": "Without hardening the operating system configuration according to industry standards, there's an increased risk of security vulnerabilities, unauthorised access, and potential exploitation, compromising the overall security posture and resilience of the operating system." 
- }, - { - "name": "published", - "value": "2023-09-01T16:44:29+0800" - }, - { - "name": "last-modified", - "value": "2024-02-06T01:04:05+0800" - } - ], - "links": [ - { - "href": "#da71948e-4dff-4a9d-a645-69ced821fe97", - "rel": "reference", - "text": "IM8 Cloud Security (IaaS and PaaS): 1.6/G2" - }, - { - "href": "#da71948e-4dff-4a9d-a645-69ced821fe97", - "rel": "reference", - "text": "IM8 Cloud Security (IaaS and PaaS): 1.6/S2" - }, - { - "href": "#f3057503-f399-4735-9d7b-ea9830f3b2ac", - "rel": "reference", - "text": "IM8 On-Premise IS (Non-S): 1.2/S1" - } - ], - "parts": [ - { - "id": "is-5_smt", - "name": "statement", - "prose": "Harden the host configuration with reference to industry standards." - }, - { - "id": "is-5_gdn", - "name": "guidance", - "prose": "Select the appropriate benchmark for the host such as from the [NIST National Checklist Program](#521952dd-5c57-4277-a069-4dae6bc0c28d) or [CIS Benchmarks](#09ba067b-8923-4f22-bb31-b8619edcaa07). Automate the configuration process or use hardened images instead of manually configuring." - } - ] - }, - { - "id": "is-6", - "title": "Remote Administration", - "props": [ - { - "name": "risk-statement", - "value": "Using remote administration tools enhances security by providing controlled and audited access, reducing the risk of unauthorised activities, and improving overall management of privileged identities." - }, - { - "name": "published", - "value": "2023-09-01T16:44:29+0800" - }, - { - "name": "last-modified", - "value": "2024-02-06T00:47:04+0800" - } - ], - "links": [ - { - "href": "#229a38da-bdc1-4a59-b1cb-8904cb59d0a5", - "rel": "reference", - "text": "AWS SSB WKLD.06: Use Systems Manager instead of SSH or RDP" - }, - { - "href": "#da71948e-4dff-4a9d-a645-69ced821fe97", - "rel": "reference", - "text": "IM8 Cloud Security (IaaS and PaaS): 1.4/S21" - } - ], - "parts": [ - { - "id": "is-6_smt", - "name": "statement", - "prose": "Use remote administration tools instead of direct SSH or RDP." 
- }, - { - "id": "is-6_gdn", - "name": "guidance", - "prose": "In production environments, use remote administration (e.g., AWS Systems Manager Session Manager, AWS Systems Manager Fleet Manager, GCC Privileged Identity Management) only for break glass scenarios where remote monitoring and automation is not available. Document and remediate gaps in monitoring and automation to minimise the need for remote administration. If SSH is still required and remote administration tools are not available, only use it within a private non-production environment such as an encrypted tunnel and authenticate with short-lived certificates." - } - ] - }, - { - "id": "is-7", - "title": "Malware Protection", - "props": [ - { - "name": "risk-statement", - "value": "Without malware protection, there's an increased risk of undetected malicious activities, potential data breaches, and compromise of host systems, highlighting the importance of proactive measures to ensure the security and integrity of the environment." - }, - { - "name": "published", - "value": "2023-09-20T11:06:17+0800" - }, - { - "name": "last-modified", - "value": "2024-02-06T00:47:04+0800" - } - ], - "links": [ - { - "href": "#da71948e-4dff-4a9d-a645-69ced821fe97", - "rel": "reference", - "text": "IM8 Cloud Security (IaaS and PaaS): 1.6/S1a" - } - ], - "parts": [ - { - "id": "is-7_smt", - "name": "statement", - "prose": "Detect and quarantine malware on hosts with anti-malware tools." - }, - { - "id": "is-7_gdn", - "name": "guidance", - "prose": "Configure anti-malware tools for all compute hosts (e.g. AWS Guardduty Malware Protection, Azure Antimalware, Trend Micro CloudOne). These tools should be kept up-to-date with the latest malware signatures. Regular scans should be scheduled to detect and quarantine potential threats." 
- } - ] - }, - { - "id": "is-8", - "title": "Endpoint Detection and Response (EDR)", - "props": [ - { - "name": "risk-statement", - "value": "Failure to monitor security threats on hosts with an Endpoint Detection and Response (EDR) tool increases the risk of undetected advanced threats, compromises in host security, and delayed response to potential security incidents, highlighting the need for continuous monitoring and proactive threat detection." - }, - { - "name": "published", - "value": "2023-09-20T11:06:17+0800" - }, - { - "name": "last-modified", - "value": "2024-02-06T00:47:04+0800" - } - ], - "links": [ - { - "href": "#da71948e-4dff-4a9d-a645-69ced821fe97", - "rel": "reference", - "text": "IM8 Cloud Security (IaaS and PaaS): 1.6/G1a" - } - ], - "parts": [ - { - "id": "is-8_smt", - "name": "statement", - "prose": "Monitor security threats on hosts with an EDR tool." - }, - { - "id": "is-8_gdn", - "name": "guidance", - "prose": "Implement EDR tools for all compute hosts. Security incident response should be planned and documented for the tool. EDR tools with built-in malware protection should be favoured to reduce additional agents." - } - ] - }, - { - "id": "is-9", - "title": "End-of-Support (EOS) Assets", - "params": [ - { - "id": "is-9_prm_1", - "class": "str", - "label": "type", - "guidelines": [ - { - "prose": "The type of asset." - } - ] - } - ], - "props": [ - { - "name": "risk-statement", - "value": "EOS assets can introduce security vulnerabilities as the assets are no longer provided with security fixes." 
- }, - { - "name": "published", - "value": "2023-10-27T15:48:25+0800" - }, - { - "name": "last-modified", - "value": "2024-05-15T23:39:47+0800" - } - ], - "links": [ - { - "href": "#da71948e-4dff-4a9d-a645-69ced821fe97", - "rel": "reference", - "text": "IM8 Cloud Security (IaaS and PaaS): 1.1/S6" - }, - { - "href": "#9749c983-5562-4a6f-8852-7eecf9b38d2c", - "rel": "reference", - "text": "IM8 On-Premise ADS (Non-S): 5.1/S8" - } - ], - "parts": [ - { - "id": "is-9_smt", - "name": "statement", - "prose": "Ensure deployed {{ insert: param, is-9_prm_1 }} assets have not reached end-of-support (EOS). Use of EOS assets will require risk acceptance by approved authority." - }, - { - "id": "is-9_gdn", - "name": "guidance", - "prose": "Identify, track and replace EOS assets in a timely manner. Regularly review assets to identify upcoming EOS timeframe and replace them ahead of EOS date." - } - ] - }, - { - "id": "is-10", - "title": "Synchronise time clocks", - "props": [ - { - "name": "risk-statement", - "value": "The lack of synchronised clocks introduces significant risks, including increased security vulnerabilities, data integrity issues, and challenges in troubleshooting." - }, - { - "name": "published", - "value": "2024-02-27T15:48:25+0800" - }, - { - "name": "last-modified", - "value": "2024-02-06T01:04:05+0800" - } - ], - "links": [ - { - "href": "#f3057503-f399-4735-9d7b-ea9830f3b2ac", - "rel": "reference", - "text": "IM8 On-Premise IS (Non-S): 1.2/S5" - } - ], - "parts": [ - { - "id": "is-10_smt", - "name": "statement", - "prose": "Synchronise internal clocks to a common reference time source." - }, - { - "id": "is-10_gdn", - "name": "guidance", - "prose": "Use common time source such as Network Time Protocol (NTP). In the cloud, it is recommended to use the default time sources provided by the CSPs." 
- } - ] - }, - { - "id": "is-11", - "title": "Central Domain Name Registration", - "props": [ - { - "name": "risk-statement", - "value": "Improper management of domain names increase the risk of phishing attacks or domain takeovers." - }, - { - "name": "published", - "value": "2024-03-18T01:21:38+0800" - }, - { - "name": "last-modified", - "value": "2024-05-21T00:56:33+0800" - } - ], - "links": [ - { - "href": "#3402c67f-c59f-440a-b82d-81cf4d92de90", - "rel": "reference", - "text": "IM8 Cloud ADO: 2.1/S1, 2.1/S2" - }, - { - "href": "#c83c5d3f-cb13-492b-9028-ab7dc717e396", - "rel": "reference", - "text": "MCI ICT Circular Minute No 5/2014: Internet Domain Names Registration, Management and Protection" - } - ], - "parts": [ - { - "id": "is-11_smt", - "name": "statement", - "prose": "Register .gov.sg and .edu.sg domain names with GovTech as the sole registrar." - }, - { - "id": "is-11_gdn", - "name": "guidance", - "prose": "Use the Whole of Government Domain Name Server (DNS) portal on the IT Service Management (ITSM) portal to register domain names." - } - ] - }, - { - "id": "is-12", - "title": "DNS Security Extensions (DNSSEC)", - "props": [ - { - "name": "risk-statement", - "value": "Insecure domain name resolution can lead to man-in-the-middle attacks caused by DNS spoofing or DNS cache poisoning." 
- }, - { - "name": "published", - "value": "2024-03-18T01:17:33+0800" - }, - { - "name": "last-modified", - "value": "2024-03-18T01:17:33+0800" - } - ], - "links": [ - { - "href": "#f3057503-f399-4735-9d7b-ea9830f3b2ac", - "rel": "reference", - "text": "IM8 On-Premise IS (Non-S): 4.4/S5" - }, - { - "href": "#f3057503-f399-4735-9d7b-ea9830f3b2ac", - "rel": "reference", - "text": "IM8 Cloud IS (Non-S): 4.4/S5" - }, - { - "href": "#0062e6a3-8ac4-44db-92df-8357b437ca0c", - "rel": "reference", - "text": "NIST SP 800-53 SC-20: Secure Name/Address Resolution Service (Authoritative Source)" - } - ], - "parts": [ - { - "id": "is-12_smt", - "name": "statement", - "prose": "Implement DNS Security Extensions (DNSSEC) for public DNS records and servers." - }, - { - "id": "is-12_gdn", - "name": "guidance", - "prose": "DNS services such as WOG DNS, Amazon Route 53 and Cloudflare support DNSSEC configuration." - } - ] - }, - { - "id": "is-13", - "title": "Defensive Domain Name Registration", - "props": [ - { - "name": "risk-statement", - "value": "Malicious use of domain names similar to actual Government domain names increases the risk of phishing and spoofing." - }, - { - "name": "published", - "value": "2024-05-21T01:14:44+0800" - }, - { - "name": "last-modified", - "value": "2024-05-21T01:14:44+0800" - } - ], - "links": [ - { - "href": "#f76c8617-eb15-4b80-8911-4abca5ba2d84", - "rel": "reference", - "text": "MCI ICT Circular Minute No 6/2021: Mandatory Defensive Registration of Internet Domain Names" - } - ], - "parts": [ - { - "id": "is-13_smt", - "name": "statement", - "prose": "Register second (.sg) and third (.com.sg, .org.sg, .net.sg, .edu.sg) level domain name variants of the system's primary domain name." - }, - { - "id": "is-13_gdn", - "name": "guidance", - "prose": "Consider defensive registration of domain names with typographical variants of the system's primary domain name. 
The Whole of Government Domain Name Server (DNS) portal on the IT Service Management (ITSM) portal automatically includes the second and third level domain names." - } - ] - }, - { - "id": "is-14", - "title": "Singapore SMS Sender ID Registry Registration", - "props": [ - { - "name": "risk-statement", - "value": "Lack of Sender ID registration allows malicious entities to spoof legitimate Government SMSes." - }, - { - "name": "published", - "value": "2024-05-21T02:15:22+0800" - }, - { - "name": "last-modified", - "value": "2024-05-21T02:15:22+0800" - } - ], - "links": [ - { - "href": "#17e0e48b-e687-4dbf-afb0-56adfc0bbc3e", - "rel": "reference", - "text": "PMO(SNDGO) Circular Minute No 4/2022: Mandatory Registration with the Singapore SMS Sender ID Registry" - }, - { - "href": "#824c06dc-a7bb-4d1a-8ea7-7ce2095ff55c", - "rel": "reference", - "text": "PMO(SNDGO) Circular Minute No 1/2024: Implementation of Measures to Establish Trusted Channels for Government Calls and Messages (Building Trusted Networks)" - }, - { - "href": "#31761a08-1ca2-48f2-90f5-13fc96128f45", - "rel": "reference", - "text": "PMO (SNDGO) Circular Minute No 2/2024: Amendments to PMO (SNDGO) Circular Minute No 1/2024: Implementation of Measures to Establish Trusted Channels for Government Calls and Messages (Building Trusted Networks)" - } - ], - "parts": [ - { - "id": "is-14_smt", - "name": "statement", - "prose": "Register and use whitelisted SMS Sender IDs with the Singapore SMS Sender ID Registry for sending SMSes." - }, - { - "id": "is-14_gdn", - "name": "guidance", - "prose": "Agencies must use the \"gov.sg\" Sender ID via the Postman tool to send SMSes to members of public unless exempted. Whitelist Sender IDs used to send SMSes and blacklist Sender IDs which are variants of the whitelisted Sender IDs, agency names, or names of services." 
- } - ] - } - ] - }, - { - "id": "sd", - "title": "Secure Development", - "parts": [ - { - "name": "overview", - "prose": "Controls to secure the development pipeline and perform source code quality assurance." - } - ], - "controls": [ - { - "id": "sd-1", - "title": "Push Protection for Secrets", - "props": [ - { - "name": "risk-statement", - "value": "Failure to configure the code repository to prevent secrets from being pushed introduces the risk of inadvertent exposure, unauthorised access, and potential misuse of sensitive information, compromising the security of the codebase and associated systems." - }, - { - "name": "published", - "value": "2023-09-04T21:33:34+0800" - }, - { - "name": "last-modified", - "value": "2024-02-06T01:04:05+0800" - } - ], - "links": [ - { - "href": "#ee9148b4-3f31-48c8-8503-24fb5cd73db8", - "rel": "reference", - "text": "IM8 Cloud ADS: 6.4/G1" - } - ], - "parts": [ - { - "id": "sd-1_smt", - "name": "statement", - "prose": "Configure the code repository to prevent secrets from being pushed to the repository." - }, - { - "id": "sd-1_gdn", - "name": "guidance", - "prose": "Use GitLab's push rules or GitHub's push protection to reject secrets on push." - } - ] - }, - { - "id": "sd-2", - "title": "Default Branch Push Permissions", - "props": [ - { - "name": "risk-statement", - "value": "Without configuring the code repository to prevent pushes, including force pushes, to the default branch, there's an increased risk of unintentional or malicious changes, potential loss of code history, and compromised version control, impacting the integrity and reliability of the software development process." - }, - { - "name": "published", - "value": "2023-09-04T21:33:34+0800" - }, - { - "name": "last-modified", - "value": "2023-09-07T09:39:34+0800" - } - ], - "parts": [ - { - "id": "sd-2_smt", - "name": "statement", - "prose": "Configure the code repository to prevent pushes (including force pushes) to the default branch." 
- }, - { - "id": "sd-2_gdn", - "name": "guidance", - "prose": "Use GitLab's protected branch and merge request settings or GitHub's branch protection settings to enforce this." - } - ] - }, - { - "id": "sd-3", - "title": "Continuous Integration (CI) Tests", - "props": [ - { - "name": "risk-statement", - "value": "Failing to require passing Continuous Integration (CI) tests before merging into the default branch increases the risk of introducing faulty code, potential regressions, and compromise of code quality." - }, - { - "name": "published", - "value": "2023-09-04T21:33:34+0800" - }, - { - "name": "last-modified", - "value": "2023-09-04T21:33:34+0800" - } - ], - "parts": [ - { - "id": "sd-3_smt", - "name": "statement", - "prose": "Require Continuous Integration (CI) tests to pass before merging into the default branch." - }, - { - "id": "sd-3_gdn", - "name": "guidance", - "prose": "Use GitLab's protected branch and merge request settings or GitHub's branch protection settings to enforce this." - } - ] - }, - { - "id": "sd-4", - "title": "Static Analysis", - "params": [ - { - "id": "sd-4_prm_1", - "class": "str", - "label": "location", - "guidelines": [ - { - "prose": "The location where static analysis occurs." - } - ], - "select": { - "how-many": "one-or-more", - "choice": [ - "CI/CD pipeline", - "static analysis platform" - ] - } - } - ], - "props": [ - { - "name": "risk-statement", - "value": "Without setting up static analysis in the CI/CD pipeline for each merge request and addressing true positive vulnerability findings, there is an increased risk of deploying insecure code to the production branch, potentially leading to security breaches and compromise of the overall system." 
- }, - { - "name": "published", - "value": "2023-09-04T21:33:34+0800" - }, - { - "name": "last-modified", - "value": "2024-02-06T01:04:05+0800" - } - ], - "links": [ - { - "href": "#ee9148b4-3f31-48c8-8503-24fb5cd73db8", - "rel": "reference", - "text": "IM8 Cloud ADS: 6.4/S2" - }, - { - "href": "#9749c983-5562-4a6f-8852-7eecf9b38d2c", - "rel": "reference", - "text": "IM8 On-Premise ADS (Non-S): 4.1/S1" - } - ], - "parts": [ - { - "id": "sd-4_smt", - "name": "statement", - "prose": "Set up a static analysis job in the {{ insert: param, sd-4_prm_1 }}, and remediate or risk accept true positive vulnerability findings before deploying to production." - }, - { - "id": "sd-4_gdn", - "name": "guidance", - "prose": "Static analysis tools (such as SAST or IaC security scanners) check source code for common vulnerabilities and misconfigurations. By running static analysis tools earlier in the DevSecOps cycle, vulnerabilities can be detected and prevented from being deployed to production." - } - ] - }, - { - "id": "sd-5", - "title": "Dependency Scanning", - "params": [ - { - "id": "sd-5_prm_1", - "class": "int", - "label": "time period (days)", - "guidelines": [ - { - "prose": "The time period in days of dependency scanning frequency." - } - ] - }, - { - "id": "sd-5_prm_2", - "class": "str", - "label": "location", - "guidelines": [ - { - "prose": "The location where dependency scanning occurs." - } - ], - "select": { - "how-many": "one-or-more", - "choice": [ - "CI/CD pipeline", - "code repository", - "dependency scanning platform" - ] - } - } - ], - "props": [ - { - "name": "risk-statement", - "value": "Failing to schedule regular dependency scanning to identify vulnerable software libraries and address findings in a timely manner increases the risk of deploying applications with known vulnerabilities, potentially exposing the system to security exploits and compromise." 
- }, - { - "name": "published", - "value": "2023-09-04T21:33:34+0800" - }, - { - "name": "last-modified", - "value": "2024-03-31T23:51:28+0800" - } - ], - "links": [ - { - "href": "#8723fc45-7378-478f-b61f-2e22a170e98c", - "rel": "reference", - "text": "MVSP 2.6: Dependency Patching" - }, - { - "href": "#da71948e-4dff-4a9d-a645-69ced821fe97", - "rel": "reference", - "text": "IM8 Cloud Security (IaaS and PaaS): 1.7/S8i" - }, - { - "href": "#ee9148b4-3f31-48c8-8503-24fb5cd73db8", - "rel": "reference", - "text": "IM8 Cloud ADS: 8.1/S2" - }, - { - "href": "#ee9148b4-3f31-48c8-8503-24fb5cd73db8", - "rel": "reference", - "text": "IM8 Cloud ADS: 6.1/S1c" - }, - { - "href": "#9749c983-5562-4a6f-8852-7eecf9b38d2c", - "rel": "reference", - "text": "IM8 On-Premise ADS (Non-S): 1.1/S1i" - } - ], - "parts": [ - { - "id": "sd-5_smt", - "name": "statement", - "prose": "Schedule a scan at least every {{ insert: param, sd-5_prm_1 }} day(s) in the {{ insert: param, sd-5_prm_2 }} to identify the use of vulnerable software libraries." - }, - { - "id": "sd-5_gdn", - "name": "guidance", - "prose": "Dependency scanning checks the source code for dependencies with known vulnerabilities. By running scans regularly using bots or software composition analysis (SCA) tools, vulnerabilities arising from outdated dependencies can be quickly detected and patched. Software composition analysis can be performed using tools such as Gitlab, Nexus IQ, or their equivalent, with output in a common SBOM format such as SPDX or CycloneDX." - } - ] - }, - { - "id": "sd-6", - "title": "Secret Detection", - "params": [ - { - "id": "sd-6_prm_1", - "class": "int", - "label": "time period (days)", - "guidelines": [ - { - "prose": "Number of days within which to remediate a secret detection true positive." - } - ] - }, - { - "id": "sd-6_prm_2", - "class": "str", - "label": "location", - "guidelines": [ - { - "prose": "The location where secret detection occurs." 
- } - ], - "select": { - "how-many": "one-or-more", - "choice": [ - "CI/CD pipeline", - "code repository", - "secret detection platform" - ] - } - } - ], - "props": [ - { - "name": "risk-statement", - "value": "Without setting up secret detection and addressing true positive findings promptly, there's an increased risk of exposing sensitive information, potential unauthorised access, and compromised security." - }, - { - "name": "published", - "value": "2023-09-04T21:33:34+0800" - }, - { - "name": "last-modified", - "value": "2024-02-09T22:54:15+0800" - } - ], - "links": [ - { - "href": "#da71948e-4dff-4a9d-a645-69ced821fe97", - "rel": "reference", - "text": "IM8 Cloud Security (IaaS and PaaS): 1.7/S8f" - }, - { - "href": "#ee9148b4-3f31-48c8-8503-24fb5cd73db8", - "rel": "reference", - "text": "IM8 Cloud ADS: 1.1/S1f" - }, - { - "href": "#ee9148b4-3f31-48c8-8503-24fb5cd73db8", - "rel": "reference", - "text": "IM8 Cloud ADS: 6.4/G1b" - }, - { - "href": "#9749c983-5562-4a6f-8852-7eecf9b38d2c", - "rel": "reference", - "text": "IM8 On-Premise ADS (Non-S): 6.4/G1" - } - ], - "parts": [ - { - "id": "sd-6_smt", - "name": "statement", - "prose": "Set up secret detection in the {{ insert: param, sd-6_prm_1 }} and remediate true positives within {{ insert: param, sd-6_prm_2 }} day(s)." - }, - { - "id": "sd-6_gdn", - "name": "guidance", - "prose": "Ensure that the exposed secret is revoked and purged from the Git history." - } - ] - }, - { - "id": "sd-7", - "title": "CI Environment Variable Secrets Management", - "props": [ - { - "name": "risk-statement", - "value": "Failing to protect environment variable secrets in CI jobs by limiting them to protected pipelines and masking them in job logs increases the risk of unauthorized access and exposure of sensitive information." 
- }, - { - "name": "published", - "value": "2023-09-04T21:33:34+0800" - }, - { - "name": "last-modified", - "value": "2023-09-04T21:33:34+0800" - } - ], - "parts": [ - { - "id": "sd-7_smt", - "name": "statement", - "prose": "Protect environment variable secrets used in CI jobs by limiting them to protected pipelines and masking them in job logs." - }, - { - "id": "sd-7_gdn", - "name": "guidance", - "prose": "Use GitLab's CI/CD variable security settings or GitHub's encrypted secrets with the add-mask workflow command." - } - ] - }, - { - "id": "sd-8", - "title": "Deployment Environment Segregation", - "props": [ - { - "name": "risk-statement", - "value": "Failure to segregate production and non-production environments increases the risk of unauthorized access, data leaks, and denial of service attacks, as compromises in non-production environments may lead to cascading impacts on production systems." - }, - { - "name": "published", - "value": "2023-09-04T21:33:34+0800" - }, - { - "name": "last-modified", - "value": "2024-02-06T00:47:04+0800" - } - ], - "links": [ - { - "href": "#8723fc45-7378-478f-b61f-2e22a170e98c", - "rel": "reference", - "text": "MVSP 4.2: Logical access" - }, - { - "href": "#da71948e-4dff-4a9d-a645-69ced821fe97", - "rel": "reference", - "text": "IM8 Cloud Security (IaaS and PaaS): 1.4/S9" - } - ], - "parts": [ - { - "id": "sd-8_smt", - "name": "statement", - "prose": "Segregate production and non-production environments including applications, services, data, secrets, roles, and networks." - }, - { - "id": "sd-8_gdn", - "name": "guidance", - "prose": "Achieve segregation using separate Government on Commercial Cloud (GCC) accounts for environments such as production, development, test, and staging. Account segregation enhances security by limiting exposure, simplifies resource and cost management, maintains configuration integrity, facilitates compliance and auditing and streamlines operational tasks. 
Deploy and operate environments as similarly as possible to enhance debugging and time-to-market." - } - ] - } - ] - }, - { - "id": "dc", - "title": "Datacentre", - "parts": [ - { - "name": "overview", - "prose": "" - } - ], - "controls": [ - { - "id": "dc-1", - "title": "Separate hosting", - "props": [ - { - "name": "risk-statement", - "value": "Violating this control can subject government data and systems to access risks leading to compromised systems and data." - }, - { - "name": "published", - "value": "2023-10-27T16:50:47+0800" - }, - { - "name": "last-modified", - "value": "2024-02-06T01:04:05+0800" - } - ], - "links": [ - { - "href": "#f3057503-f399-4735-9d7b-ea9830f3b2ac", - "rel": "reference", - "text": "IM8 On-Premise IS (Non-S): 1.1/S1c" - } - ], - "parts": [ - { - "id": "dc-1_smt", - "name": "statement", - "prose": "Physically separate Government resources from non-Government resources." - }, - { - "id": "dc-1_gdn", - "name": "guidance", - "prose": "For on-premise environments, ensure government resources are physically stored and secured separately from non-government resources." - } - ] - }, - { - "id": "dc-2", - "title": "Physical Access Controls", - "props": [ - { - "name": "risk-statement", - "value": "Violating this control can subject government data and systems to access risks leading to compromised systems and data." - }, - { - "name": "published", - "value": "2023-10-27T16:50:47+0800" - }, - { - "name": "last-modified", - "value": "2024-02-06T01:04:05+0800" - } - ], - "links": [ - { - "href": "#f3057503-f399-4735-9d7b-ea9830f3b2ac", - "rel": "reference", - "text": "IM8 On-Premise IS (Non-S): 1.1/S1i" - } - ], - "parts": [ - { - "id": "dc-2_smt", - "name": "statement", - "prose": "Implement physical access controls to prohibit unauthorised access to the hosting environment or network rooms." 
- }, - { - "id": "dc-2_gdn", - "name": "guidance", - "prose": "Measures to consider include:\n\na) personnel security clearance and checks\n\nb) Continuous monitoring\n\nc) Immediate security response\n\nd) Strong authentication card access system to regulate and log access of employees, visitors and contractors to the facility;\n\ne) Guards deployed to guard the facility 24/7;\n\nf) Restrict items (such as unauthorised computing devices) to be brought into the facility;\n\ng) Intrusion Detection System installed to detect unauthorised access;\n\nh) CCTV installed to monitor the facility." - } - ] - } - ] - } - ], - "back-matter": { - "resources": [ - ] - } + "id" : "sd-4_prm_1", + "label" : "location", + "class" : "str" + } ], + "title" : "Static Analysis", + "links" : [ { + "href" : "#ee9148b4-3f31-48c8-8503-24fb5cd73db8", + "rel" : "reference", + "text" : "IM8 Cloud ADS: 6.4/S2" + }, { + "href" : "#9749c983-5562-4a6f-8852-7eecf9b38d2c", + "rel" : "reference", + "text" : "IM8 On-Premise ADS (Non-S): 4.1/S1" + } ], + "id" : "sd-4", + "parts" : [ { + "name" : "statement", + "id" : "sd-4_smt", + "prose" : "Set up a static analysis job in the {{ insert: param, sd-4_prm_1 }}, and remediate or risk accept true positive vulnerability findings before deploying to production." + }, { + "name" : "guidance", + "id" : "sd-4_gdn", + "prose" : "Static analysis tools (such as SAST or IaC security scanners) check source code for common vulnerabilities and misconfigurations. By running static analysis tools earlier in the DevSecOps cycle, vulnerabilities can be detected and prevented from being deployed to production." 
+ } ], + "props" : [ { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "risk-statement", + "value" : "Without setting up static analysis in the CI/CD pipeline for each merge request and addressing true positive vulnerability findings, there is an increased risk of deploying insecure code to the production branch, potentially leading to security breaches and compromise of the overall system." + }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "published", + "value" : "2023-09-04T21:33:34+0800" + }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "last-modified", + "value" : "2024-02-06T01:04:05+0800" + } ] + }, { + "params" : [ { + "guidelines" : [ { + "prose" : "The time period in days of dependency scanning frequency." + } ], + "id" : "sd-5_prm_1", + "label" : "time period (days)", + "class" : "int" + }, { + "guidelines" : [ { + "prose" : "The location where dependency scanning occurs." + } ], + "select" : { + "how-many" : "one-or-more", + "choice" : [ "CI/CD pipeline", "code repository", "dependency scanning platform" ] + }, + "id" : "sd-5_prm_2", + "label" : "location", + "class" : "str" + } ], + "title" : "Dependency Scanning", + "links" : [ { + "href" : "#8723fc45-7378-478f-b61f-2e22a170e98c", + "rel" : "reference", + "text" : "MVSP 2.6: Dependency Patching" + }, { + "href" : "#da71948e-4dff-4a9d-a645-69ced821fe97", + "rel" : "reference", + "text" : "IM8 Cloud Security (IaaS and PaaS): 1.7/S8i" + }, { + "href" : "#ee9148b4-3f31-48c8-8503-24fb5cd73db8", + "rel" : "reference", + "text" : "IM8 Cloud ADS: 8.1/S2" + }, { + "href" : "#ee9148b4-3f31-48c8-8503-24fb5cd73db8", + "rel" : "reference", + "text" : "IM8 Cloud ADS: 6.1/S1c" + }, { + "href" : "#9749c983-5562-4a6f-8852-7eecf9b38d2c", + "rel" : "reference", + "text" : "IM8 On-Premise ADS (Non-S): 1.1/S1i" + } ], + "id" : "sd-5", + "parts" : [ { + "name" : "statement", + "id" : "sd-5_smt", + "prose" : "Schedule a scan at least every {{ insert: param, sd-5_prm_1 }} day(s) in the {{ insert: param, 
sd-5_prm_2 }} to identify the use of vulnerable software libraries." + }, { + "name" : "guidance", + "id" : "sd-5_gdn", + "prose" : "Dependency scanning checks the source code for dependencies with known vulnerabilities. By running scans regularly using bots or software composition analysis (SCA) tools, vulnerabilities arising from outdated dependencies can be quickly detected and patched. Software composition analysis can be performed using tools such as Gitlab, Nexus IQ, or their equivalent, with output in a common SBOM format such as SPDX or CycloneDX." + } ], + "props" : [ { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "risk-statement", + "value" : "Failing to schedule regular dependency scanning to identify vulnerable software libraries and address findings in a timely manner increases the risk of deploying applications with known vulnerabilities, potentially exposing the system to security exploits and compromise." + }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "published", + "value" : "2023-09-04T21:33:34+0800" + }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "last-modified", + "value" : "2024-03-31T23:51:28+0800" + } ] + }, { + "params" : [ { + "guidelines" : [ { + "prose" : "Number of days within which to remediate a secret detection true positive." + } ], + "id" : "sd-6_prm_1", + "label" : "time period (days)", + "class" : "int" + }, { + "guidelines" : [ { + "prose" : "The location where secret detection occurs." 
+ } ], + "select" : { + "how-many" : "one-or-more", + "choice" : [ "CI/CD pipeline", "code repository", "secret detection platform" ] + }, + "id" : "sd-6_prm_2", + "label" : "location", + "class" : "str" + } ], + "title" : "Secret Detection", + "links" : [ { + "href" : "#da71948e-4dff-4a9d-a645-69ced821fe97", + "rel" : "reference", + "text" : "IM8 Cloud Security (IaaS and PaaS): 1.7/S8f" + }, { + "href" : "#ee9148b4-3f31-48c8-8503-24fb5cd73db8", + "rel" : "reference", + "text" : "IM8 Cloud ADS: 1.1/S1f" + }, { + "href" : "#ee9148b4-3f31-48c8-8503-24fb5cd73db8", + "rel" : "reference", + "text" : "IM8 Cloud ADS: 6.4/G1b" + }, { + "href" : "#9749c983-5562-4a6f-8852-7eecf9b38d2c", + "rel" : "reference", + "text" : "IM8 On-Premise ADS (Non-S): 6.4/G1" + } ], + "id" : "sd-6", + "parts" : [ { + "name" : "statement", + "id" : "sd-6_smt", + "prose" : "Set up secret detection in the {{ insert: param, sd-6_prm_1 }} and remediate true positives within {{ insert: param, sd-6_prm_2 }} day(s)." + }, { + "name" : "guidance", + "id" : "sd-6_gdn", + "prose" : "Ensure that the exposed secret is revoked and purged from the Git history." + } ], + "props" : [ { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "risk-statement", + "value" : "Without setting up secret detection and addressing true positive findings promptly, there's an increased risk of exposing sensitive information, potential unauthorised access, and compromised security." + }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "published", + "value" : "2023-09-04T21:33:34+0800" + }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "last-modified", + "value" : "2024-02-09T22:54:15+0800" + } ] + }, { + "title" : "CI Environment Variable Secrets Management", + "id" : "sd-7", + "parts" : [ { + "name" : "statement", + "id" : "sd-7_smt", + "prose" : "Protect environment variable secrets used in CI jobs by limiting them to protected pipelines and masking them in job logs." 
+ }, { + "name" : "guidance", + "id" : "sd-7_gdn", + "prose" : "Use GitLab's CI/CD variable security settings or GitHub's encrypted secrets with the add-mask workflow command." + } ], + "props" : [ { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "risk-statement", + "value" : "Failing to protect environment variable secrets in CI jobs by limiting them to protected pipelines and masking them in job logs increases the risk of unauthorized access and exposure of sensitive information." + }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "published", + "value" : "2023-09-04T21:33:34+0800" + }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "last-modified", + "value" : "2023-09-04T21:33:34+0800" + } ] + }, { + "title" : "Deployment Environment Segregation", + "links" : [ { + "href" : "#8723fc45-7378-478f-b61f-2e22a170e98c", + "rel" : "reference", + "text" : "MVSP 4.2: Logical access" + }, { + "href" : "#da71948e-4dff-4a9d-a645-69ced821fe97", + "rel" : "reference", + "text" : "IM8 Cloud Security (IaaS and PaaS): 1.4/S9" + } ], + "id" : "sd-8", + "parts" : [ { + "name" : "statement", + "id" : "sd-8_smt", + "prose" : "Segregate production and non-production environments including applications, services, data, secrets, roles, and networks." + }, { + "name" : "guidance", + "id" : "sd-8_gdn", + "prose" : "Achieve segregation using separate Government on Commercial Cloud (GCC) accounts for environments such as production, development, test, and staging. Account segregation enhances security by limiting exposure, simplifies resource and cost management, maintains configuration integrity, facilitates compliance and auditing and streamlines operational tasks. Deploy and operate environments as similarly as possible to enhance debugging and time-to-market." 
+ } ], + "props" : [ { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "risk-statement", + "value" : "Failure to segregate production and non-production environments increases the risk of unauthorized access, data leaks, and denial of service attacks, as compromises in non-production environments may lead to cascading impacts on production systems." + }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "published", + "value" : "2023-09-04T21:33:34+0800" + }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "last-modified", + "value" : "2024-02-06T00:47:04+0800" + } ] + } ] + }, { + "title" : "Datacentre", + "id" : "dc", + "parts" : [ { + "name" : "overview" + } ], + "controls" : [ { + "title" : "Separate hosting", + "links" : [ { + "href" : "#f3057503-f399-4735-9d7b-ea9830f3b2ac", + "rel" : "reference", + "text" : "IM8 On-Premise IS (Non-S): 1.1/S1c" + } ], + "id" : "dc-1", + "parts" : [ { + "name" : "statement", + "id" : "dc-1_smt", + "prose" : "Physically separate Government resources from non-Government resources." + }, { + "name" : "guidance", + "id" : "dc-1_gdn", + "prose" : "For on-premise environments, ensure government resources are physically stored and secured separately from non-government resources." + } ], + "props" : [ { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "risk-statement", + "value" : "Violating this control can subject government data and systems to access risks leading to compromised systems and data." 
+ }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "published", + "value" : "2023-10-27T16:50:47+0800" + }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "last-modified", + "value" : "2024-02-06T01:04:05+0800" + } ] + }, { + "title" : "Physical Access Controls", + "links" : [ { + "href" : "#f3057503-f399-4735-9d7b-ea9830f3b2ac", + "rel" : "reference", + "text" : "IM8 On-Premise IS (Non-S): 1.1/S1i" + } ], + "id" : "dc-2", + "parts" : [ { + "name" : "statement", + "id" : "dc-2_smt", + "prose" : "Implement physical access controls to prohibit unauthorised access to the hosting environment or network rooms." + }, { + "name" : "guidance", + "id" : "dc-2_gdn", + "prose" : "Measures to consider include:\n\na) personnel security clearance and checks\n\nb) Continuous monitoring\n\nc) Immediate security response\n\nd) Strong authentication card access system to regulate and log access of employees, visitors and contractors to the facility;\n\ne) Guards deployed to guard the facility 24/7;\n\nf) Restrict items (such as unauthorised computing devices) to be brought into the facility;\n\ng) Intrusion Detection System installed to detect unauthorised access;\n\nh) CCTV installed to monitor the facility." + } ], + "props" : [ { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "risk-statement", + "value" : "Violating this control can subject government data and systems to access risks leading to compromised systems and data." 
+ }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "published", + "value" : "2023-10-27T16:50:47+0800" + }, { + "ns" : "http://tech.gov.sg/ns/oscal", + "name" : "last-modified", + "value" : "2024-02-06T01:04:05+0800" + } ] + } ] + } ], + "uuid" : "dfad1a6f-1aae-43e6-8fc6-10f1771d6dbc", + "metadata" : { + "version" : "2024.05.30-2", + "parties" : [ { + "type" : "organization", + "uuid" : "e738ab7c-ed26-4fe6-a1e7-f485265d50cc", + "name" : "Workstream 1A (Content), IM8-reform Executive Committee" + } ], + "props" : [ { + "name" : "keywords", + "value" : "IM8, GovTech, Singapore, cloud, instruction manual, application security" + } ], + "oscal-version" : "1.1.2", + "last-modified" : "2024-05-29T10:17:03.320504+08:00", + "responsible-parties" : [ { + "party-uuids" : [ "e738ab7c-ed26-4fe6-a1e7-f485265d50cc" ], + "role-id" : "creator" + }, { + "party-uuids" : [ "e738ab7c-ed26-4fe6-a1e7-f485265d50cc" ], + "role-id" : "contact" + } ], + "title" : "Instruction Manual 8 Reform", + "roles" : [ { + "id" : "creator", + "title" : "Creator" + }, { + "id" : "contact", + "title" : "Contact" + } ] } - } \ No newline at end of file + } +} \ No newline at end of file diff --git a/catalogs/im8-reform.xml b/catalogs/im8-reform.xml new file mode 100644 index 0000000..15c513e --- /dev/null +++ b/catalogs/im8-reform.xml @@ -0,0 +1,33 @@ +Instruction Manual 8 Reform2024-05-29T10:17:03.320504+08:002024.05.30-21.1.2CreatorContactWorkstream 1A (Content), IM8-reform Executive Committeee738ab7c-ed26-4fe6-a1e7-f485265d50cce738ab7c-ed26-4fe6-a1e7-f485265d50ccApplication Security

Controls to prevent application vulnerabilities caused by insecure coding.

Input ValidationMVSP 2.5: Security librariesIM8 Cloud Security (IaaS and PaaS): 1.7/S1cIM8 Cloud Security (IaaS and PaaS): 1.7/S8bIM8 On-Premise ADS (Non-S): 1.1/S1b

Validate all application inputs to ensure that they match the expected type, structure, or format.

Strictly validating inputs against a comprehensive schema prevents injection attacks caused by inserting special characters or content that would cause the application to perform incorrect operations.

Parameterised InterfacesMVSP 2.5: Security librariesIM8 Cloud Security (IaaS and PaaS): 1.7/S8cIM8 On-Premise ADS (Non-S): 1.1/S1c

Use parameterised interfaces for database queries or system commands.

Parameterised interfaces such Object-Relational Mapping (ORM) libraries ensure that parameters used in database queries or system commands are properly sanitised and prevent injection attacks.

Output SanitisationMVSP 2.5: Security librariesIM8 Cloud Security (IaaS and PaaS): 1.7/S8eIM8 On-Premise ADS (Non-S): 1.1/S1e,k,l

Sanitise all application outputs that will be used to render a HTML document.

Any application outputs that are returned to the requester and used to render a HTML document can lead to cross-site scripting (XSS) attacks if they contain special characters that change the rendering of the HTML document by the browser.

Authentication Mechanism Rate-LimitingMVSP 2.4: Password policyIM8 Cloud ADS: 2.2/S1j, 2.2/S5bIM8 On-Premise ADS (Non-S): 2.2/S5

Apply rate-limiting on all authentication mechanisms to deter brute-force attacks.

Consider rate-limiting to a maximum of 3 consecutive failed authentication attempts within 15 minutes. Time delays between log-on attempts reduce the risk of successful brute-forcing attacks. Bot mitigation tools such as CAPTCHA can further reduce this risk.

Password Requirements

The minimum length of a password.

The password policy.

MVSP 2.4: Password policyNIST SP 800-53 IA-5(1): Password-based AuthenticationIM8 Cloud Security (IaaS and PaaS): 1.4/S1aIM8 Cloud Security (IaaS and PaaS): 1.4/S2aIM8 On-Premise ADS (Non-S): 2.2/S1

Where SSO or passwordless is not supported, verify that user-defined passwords are at least characters in length and .

Latest NIST SP 800-63B guidelines found that password length is a primary factor in determining the strength of a password while composition and complexity rules provide marginal security benefits.

Password Salting and HashingMVSP 2.4: Password policyIM8 Cloud Security (IaaS and PaaS): 1.4/S3IM8 On-Premise ADS (Non-S): 2.2/S3

Store passwords as salted hashes using a password hashing scheme that is resistant to offline attacks such as those described in NIST SP 800-63b. The salt should be:

Generated using a cryptographically secure pseudo-random number generator in accordance with industry standards;

At least 32 bits long; and

Randomly generated for each account.

Refer to NIST SP 800-90Ar1 for suitable pseudo-random number generators. Refer to NIST SP 800-63b Memorized Secret Verifiers section for suitable hashing schemes, including Argon2, scrypt, and PBKDF2. For application source code, use a cryptographically secure pseudo-random number generator function instead of an insecure one, such as crypto.randomBytes instead of Math.random in Node.js and java.security.SecureRandom.nextBytes instead of java.util.Random in Java.

Access Control Check EnforcementMVSP 3.3: Vulnerability preventionIM8 Cloud Security (IaaS and PaaS): 1.7/S8a

Perform access control checks on all authenticated requests.

Utilise authorisation filters or middleware to force all authenticated requests to undergo access control checks.

Application Secrets ManagementIM8 Cloud Security (IaaS and PaaS): 1.7/S11IM8 On-Premise ADS (Non-S): 1.1/S1f, 2.2/S4, 3.1/S1 and 3.1/S4

Encrypt and store application secrets in a secret management solution with appropriate access controls and do not hard-code secrets in source code.

Secret management solutions include cloud solutions like AWS Secrets Manager and Azure Key Vault as well as cloud-agnostic solutions like HashiCorp Vault and CyberArk Conjur.

Content Security Policy (CSP)MVSP 2.3: Security HeadersIM8 Cloud Security (IaaS and PaaS): 1.7/G7

Set minimally permissive CSP response headers to mitigate cross-site scripting attacks.

Utilise the relevant fetch directives such as default-src, script-src, style-src, connect-src, img-src, media-src and object-src to prevent loading of scripts from malicious sources. Refer to the OWASP Secure Headers Project Best Practices for recommended header values.

HTTP Strict Transport Security (HSTS)IM8 Cloud Security (IaaS and PaaS): 1.7/G4

Set HTTP Strict Transport Security (HSTS) response headers with a maximum age value of at least 1 year (31536000 seconds) to mitigate protocol downgrade attacks.

Refer to the OWASP Secure Headers Project Best Practices for recommended header values.

Session Management

The maximum time period in hours of a user's session.

NIST SP 800-53 AC-12: Session TerminationNIST SP 800-53 IA-11: Re-authenticationIM8 Cloud ADS: 2.5/S2NIST SP 800-63B 4.2.3: ReauthenticationIM8 On-Premise ADS (Non-S): 2.5/S2

Require users to re-authenticate after their session exceeds hour(s) or terminate the session.

NIST SP 800-63B recommends re-authentication once per 30 days for Authenticator Assurance Level 1, 12 hours or 30 minutes inactivity for Authenticator Assurance Level 2, and 12 hours or 15 minutes inactivity for Authenticator Assurance Level 3. In addition to time period, system can consider re-authentication when roles, authenticators or credentials change or when the execution of privileged functions occurs.

Malware Scanning of Uploaded FilesNIST SP 800-53 SI-3: Malicious Code Protection

Scan file uploads for malware before further processing by the system or users.

Consider uploading the files to temporary storage for malware scanning on ephemeral compute like serverless functions before moving safe files to another storage for further processing or unsafe files to quarantine storage.

Software Supply Chain

Controls to prevent tampering and improve the integrity of the software supply chain.

Code RepositoryIM8 Cloud ADS: 7.1/S1IM8 On-Premise ADS (Non-S): 6.1/S1

Manage the codebase in a central code repository with version control.

Use common platforms such as SHIP-HATS 2.0 GitLab or equivalents.

Commit Signing

Configure the code repository to reject unsigned commits.

Use GitLab's push rules, GitHub's branch protection rules or similar code repository controls to reject unsigned commits on push.

Peer ReviewIM8 Cloud Security (IaaS and PaaS): 1.1/S2IM8 Cloud ADS: 8.1/G1IM8 On-Premise ADS (Non-S): 8.1/G1

Require peer review and approval by a designated reviewer before merging into the default branch.

Use GitLab's protected branch and merge request settings, GitHub's branch protection settings or similar code repository controls to enforce this.

Dependency Manifest Version PinningSLSA Build L1: Provenance existsIM8 Cloud ADS: 8.1/G4IM8 On-Premise ADS (Non-S): 8.1/G4

Pin direct and transitive dependency versions in the application's dependency manifest.

Dependency manifests such as package-lock.json for npm and Pipfile.lock for pipenv allow you to pin dependency versions.

Automated Build and DeployMVSP 3.5: Build processSLSA Build L1: Provenance existsIM8 Cloud Security (IaaS and PaaS): 1.7/S22IM8 Cloud ADS: 6.1/G4

Provision and operate systems in a consistent manner using automation.

Deploy and maintain Infrastructure and Applications with automated and repeatable tools such as CI/CD Pipelines, Infrastructure as Code (IaC) and other scripts. Automated build and deploy pipelines allow for signing and validation of build artefacts. Do not make manual changes directly into production systems.

Dependency Installation during DeploymentSLSA Build L1: Provenance exists

When installing dependencies during deployment, only install pinned versions in the manifest.

Use package manager commands such as npm ci for npm and pipenv sync for pipenv that ensure only versions specified in the manifest are installed rather than the latest version.

Software Artefact SigningSLSA Build L2: Hosted build platformIM8 Cloud ADS: 1.7/G9IM8 Cloud ADS: 8.1/G1

Sign software artefacts such as code and container images using a trusted source during build.

Use tools or services like Cosign or AWS Signer to sign and verify code.

Software Artefact Signature VerificationSLSA Build L2: Hosted build platformIM8 Cloud ADS: 1.7/G9IM8 Cloud Security (IaaS and PaaS): 1.7/S20IM8 Cloud ADS: 8.1/G12

Verify the signatures of code and artefacts before deployment or runtime.

Implement a signature verification step such as a pipeline stage or Kubernetes Admission Controller.

Internal Code Collaboration and SharingSingapore Government Developer Portal - Innersource

Share source code within Government to enhance code quality, accelerate innovation, and improve problem-solving efficiency.

Adopt Innersource practices for internal collaboration, utilizing platforms like SHIP-HATS GitLab to manage and share code repositories in Government. Source code should be evaluated for suitability for innersourcing, such as the use of confidential algorithms or embedded sensitive data. The Innersource guidelines published in Developers Portal provide a useful framework for code sharing.

Security Testing

Controls to validate the security of a system via internal and external testing.

Vulnerability Assessment

The type of vulnerability assessment scanning.

IM8 Cloud Security (IaaS and PaaS): 1.8/S1

Run regular vulnerability assessment scans for eligible hosts.

Select agent-based or network-based scans as necessary. Implement authenticated scans where possible for greater coverage. Use scanners such as Amazon Inspector or Microsoft Defender for Cloud for continuous scanning of cloud systems. For on-premises systems or systems that require periodic scans, subscribe to Vulnerability Management System (VMS).

Cloud Security Posture ManagementIM8 Cloud Security (IaaS and PaaS): 1.1/S6

Set up cloud security posture management that performs continuous configuration scans on cloud assets.

Use cloud security posture management tools such as CloudSCAPE, AWS Security Hub, and Datadog Cloud Security Posture Management.

Vulnerability Disclosure ProgrammeMVSP 1.1: Vulnerability reportsIM8 On-Premise ADS (Non-S): 5.1/S4

Display a way to responsibly disclose vulnerabilities via the Government Vulnerability Disclosure Programme.

Add a link to https://go.gov.sg/report-vulnerability on all pages, such as in the footer.

Penetration Testing

The time period in days of penetration testing frequency.

MVSP 1.4: External testingIM8 Cloud Security (IaaS and PaaS): 1.8/S1IM8 On-Premise ADS (Non-S): 4.1/S1

Conduct and document a penetration test by internal teams or independent external parties every day(s).

A white-box penetration test should be performed to effectively test the application.

Vulnerability Management

The time period in days to remediate or risk accept critical vulnerability findings.

The time period in days to remediate or risk accept high vulnerability findings.

The time period in days to remediate or risk accept medium vulnerability findings.

The time period in days to remediate or risk accept low vulnerability findings.

MVSP 3.4: Time to fix vulnerabilitiesIM8 Cloud Security (IaaS and PaaS): 1.8/S3IM8 Cloud Security (IaaS and PaaS): 1.8/S4IM8 On-Premise ADS (Non-S): 5.1/S3

Triage and then remediate or risk accept all true positive vulnerability findings discovered through security testing within the following timeframe based on severity:

Critical: day(s)

High: day(s)

Medium: day(s)

Low: day(s)

Seek approval from the appropriate approving authority for risk acceptance.

Network Security

Controls to secure the network boundaries of a system.

Public and Private Subnet SegmentationIM8 Cloud Security (IaaS and PaaS): 1.5/S1IM8 Cloud Security (IaaS and PaaS): 1.5/S2IM8 Cloud Security (IaaS and PaaS): 1.7/S14IM8 On-Premise IS (Non-S): 4.2/S1aIM8 On-Premise AAS (Non-S): 1.1/S1, 2.1/S1IM8 Cloud Security (IaaS and PaaS): 1.5/S6b

Place private resources (e.g., databases) in private subnets and public resources (e.g., reverse proxies, web servers) in public subnets within a virtual network.

This control does not apply to serverless resources (API Gateways), static sites or assets fronted by CDNs (e.g., CloudFlare, CloudFront) which are located outside of the virtual network. Private subnets do not allow direct connections from the internet while public subnets do. However, resources in private segments can connect to the internet via NAT Gateways in public subnets in the same virtual network.

Access Restrictions on CSP Resources Outside Virtual NetworkIM8 Cloud Security (IaaS and PaaS): 1.5/S2IM8 Cloud Security (IaaS and PaaS): 1.5/S5IM8 Cloud Security (IaaS and PaaS): 1.7/S23

Restrict access to CSP resources outside of a virtual network (e.g., Lambda, DynamoDb, API Gateways, S3, CloudFront) using access controls or application layer authorisation.

Apply access restrictions appropriate to the resource type. Access through interface VPC endpoints is only required if the client is hosted in a private subnet. For example:

+
    +
  • +

    Restrict access to DynamoDB with IAM policies.

    +
  • +
  • +

    Restrict access to API Gateway with Lambda Authorizers or authorisation middlewares at the application layer. If the API Gateway is exposed to private subnets, create a private API.

    +
  • +
  • +

    Restrict access to S3 Buckets with IAM policies and block public access from the internet.

    +
  • +
Deny by Default - Allow by ExceptionNIST SP 800-53 SC-7(5): Deny by Default - Allow by ExceptionIM8 Cloud Security (IaaS and PaaS): 1.5/S3IM8 Cloud Security (IaaS and PaaS): 1.5/S5IM8 Cloud Security (IaaS and PaaS): 1.6/S1hIM8 Cloud Security (IaaS and PaaS): 1.7/S23bIM8 On-Premise IS (Non-S): 4.2/S1bIM8 On-Premise AAS (Non-S): 2.2/S1

Deny network communications traffic by default and allow network communications traffic by exception at managed interfaces.

Configure network access control lists and security groups to deny all traffic by default. Only allow traffic to and from specific hosts and ports by exception. For egress traffic to the internet, consider whitelisting domains at the application layer or DNS resolver rather than just hosts or ports at the transport layer.

Inter-Private Network ConnectivityIM8 Cloud Security (IaaS and PaaS): 1.5/S7IM8 Cloud Security (IaaS and PaaS): 1.5/S4

Route network traffic between private networks without going through the internet.

Use CSP Private endpoint services (e.g., AWS PrivateLink with VPC endpoints) when you want to allow one or more consumer VPCs unidirectional access to a specific service or set of instances in the service provider VPC. Otherwise, use VPC peering and Transit Gateway when you want to enable layer-3 IP connectivity between VPCs. Refer to the Multi-VPC AWS Network Infrastructure Whitepaper for further guidance.

Network and Application Layer FilteringIM8 Cloud Security (IaaS and PaaS): 1.5/S5IM8 On-Premise ADS (Non-S): 1.1/S4

Filter direct traffic from the internet to protect against network and application layer attacks.

Deploy the following as required:

+
    +
  • +

    Web Application Firewall

    +
  • +
  • +

    Distributed Denial of Service Protection (e.g., AWS Shield)

    +
  • +
  • +

    Content Delivery Network (e.g., CloudFront)

    +
  • +
Valid and Trusted SSL/TLS CertificatesIM8 Cloud Security (IaaS and PaaS): 1.5/S8

Ensure that deployed SSL/TLS certificates are:

signed by a trusted root Certificate Authority;

match the domain name of the service they are issued for;

not expired; and

not revoked.

Configure a certificate manager that auto-renews certificates and sends alerts before expiry (e.g., AWS Certificate Manager). Otherwise, automate these functions separately.

Secure Inter-Service Communication

Ensure communications between services are secure by making them authenticated, authorised and encrypted.

Design and build inter-service communications (e.g., databases, microservices) to be authenticated, authorised and encrypted (e.g., via API gateways, proxies, private endpoint services, message queues, or service meshes). It is recommended to log communication (such as access logs, transaction logs or payloads) between services for detection, monitoring and investigation of incidents.

Secure Government Enterprise Network (GEN) connectivity

Route network traffic between on-premises systems and GCC systems through a secure intermediary.

Design and build secure communications to or from on-premises systems (e.g. Government Enterprise Network (GEN)) through a Gateway rather than direct connectivity (e.g. via API gateways, Application proxies or private endpoint services).

Intrusion Prevention System (IPS)/Intrusion Detection System (IDS)IM8 On-Premise IS (Non-S): 4.2/S3d

Set up and configure an Intrusion Prevention System (IPS)/Intrusion Detection System (IDS) in the network.

Configure network or host IPS/IDS to detect malicious traffic to/from public or untrusted networks.

Private Network ConnectivityIM8 On-Premise IS (Non-S): 5.4

Implement strong access controls, encryption, and logging for remote developer, maintainer, or administrator access to private network resources.

Use strong authentication and MFA (except for mobile GFE). Layered security mechanisms and controls include:

+

Inspect traffic from gateway to private network;

+

Terminate all remote access connections in a dedicated network segment within the network and restrict access to only systems and services allowed by the Agencies; Implement strong encryption for remote access into school staff network; Only authorised Government Furnished Equipment (GFE) shall be used for remote access connection to SSN; Make sure that remote access connections are not perpetual or to re-authenticate remote users to the VPN gateway on a periodic basis (such as every four hours); Set the maximum number of consecutive failed authentication attempts before account lockout for remote access into SSN; and Make sure that split tunnelling is not implemented.

Alerts on Firewall Configuration ChangesIM8 On-Premise IS (Non-S): 4.3/S2

Generate alerts to inform appointed administrators on changes to firewall rules, including the enabling or disabling of rules.

Implement real time alerts to inform administrators of creation, deletion, modification, enabling and disabling of firewall rules. Also alert administrators when unusual or sudden spike/drop in utilisation of firewall's system resources.

Backup and Recovery

Controls to support backup and disaster recovery.

BackupMVSP 4.4: Backup and Disaster recoveryIM8 Cloud Security (IaaS and PaaS): 1.2/S2IM8 On-Premise IS (Non-S): 1.5/S1

Regularly backup all important data and systems, and store backups in a secure and separate location.

Use default CSP-managed backup services (e.g., AWS Backup, Azure Backup, GCP Backup and DR Service). Consider alternative backup services only when default CSP services cannot be used. Store backups and snapshots separately to primary data storage with data encrypted-at-rest.

Recovery TestingMVSP 4.4: Backup and Disaster recoveryIM8 Cloud Security (IaaS and PaaS): 1.2/S1dIM8 On-Premise IS (Non-S): 1.5/S1d

Conduct regular testing of recovery processes to ensure their effectiveness.

Ensure each test verifies the system's ability to fully restore all data and services.

Backup Retention

The time period in days of backup retention.

MVSP 4.4: Backup and Disaster recoveryIM8 Cloud Security (IaaS and PaaS): 1.2/S1bIM8 On-Premise IS (Non-S): 1.5/S2c

Prevent backups from being modified or deleted for day(s) or as stipulated in the agency's data retention policies.

Use S3 Object Lock or immutable storage for Azure Blob Storage to enforce time-based retention policies.

Data Protection

Controls to protect the data of a system.

Data ResidencyMVSP 1.6: ComplianceIM8 Cloud Security (IaaS and PaaS): 1.3/S3IM8 On-Premise IS (Non-S): 1.1/S1a

Enforce data residency of primary data in Singapore.

Use the Singapore region of cloud service providers for compute and storage of primary data, such as ap-southeast-1 for AWS.

Data at Rest EncryptionMVSP 2.8: EncryptionIM8 Cloud Security (IaaS and PaaS): 1.3/S2aIM8 On-Premise ADS (Non-S): 1.1/S1h

Encrypt data at rest.

Many CSP services encrypt data at rest by default but this should be confirmed and validated depending on service usage.

Data in Transit EncryptionMVSP 2.8: EncryptionIM8 Cloud Security (IaaS and PaaS): 1.3/S2bIM8 On-Premise ADS (Non-S): 3.1/S3

Encrypt data in transit.

While some CSP services transparently encrypt data in transit at the network layer, data at the application layer should be encrypted using protocols such as Transport Layer Security (TLS).

Government on Commercial Cloud (GCC)MVSP 1.6: ComplianceIM8 Cloud Security (IaaS and PaaS): 1.1/S4

Host systems classified as CONFIDENTIAL (CLOUD-ELIGIBLE), RESTRICTED, or OFFICIAL-CLOSED on Commercial Cloud hosting environments in GCC.

GCC allows oversight to be maintained at the Whole-of-Government level and implements several controls by default.

SanitisationIM8 On-Premise IS (Non-S): 3.3/S1

Sanitise all hardware that stores data at rest. Shred or incinerate data storage meant for retirement.

Use industry standards such as a) Peter Gutmann Secure Deletion; b) Bruce Schneier Algorithm c) US Department of Defence's Standards (DoD 5220.22-M).

Witness Sanitisation and Destruction of Storage DevicesIM8 On-Premise IS (Non-S): 3.3/S1

Witness the sanitisation and destruction process to ensure data is removed from storage.

Establish a SOP to ensure sanitisation and destruction are witnessed by an agency staff.

Logging and Monitoring

Controls to support detection and response to security and operations incidents.

Separate Log StorageMVSP 2.7: LoggingNIST SP 800-53 AU-9(2): Store on Separate Physical Systems or ComponentsIM8 On-Premise IS (Non-S): 7.2/S8

Store logs in a repository that is part of a different system or system component than the system or component being audited.

Send logs to the separate storage as soon as possible after the logged event. For cloud audit logs, store them in a separate service or account (such as AWS Organisation Cloudtrail in GCC). Sending logs to the Government Cyber Security Operations Centre (GCSOC) or the central Government Commercial Cloud (GCC) log bucket can also satisfy this control.

Tamper-Resistant Log StorageIM8 Cloud Security (IaaS and PaaS): 1.9/S4IM8 Cloud Security (IaaS and PaaS): 1.9/S5IM8 Cloud Security (IaaS and PaaS): 1.9/S9dIM8 On-Premise IS (Non-S): 7.1/S2

Protect logs from unauthorised access, modification, and deletion.

Apply access control policies to logs based on the principle of least privilege. As far as possible, only read access should be granted. Logs sent to GCC Central Logs are tamper-resistant.

Network Flow LoggingIM8 Cloud Security (IaaS and PaaS): 1.5/S6a

Log network traffic going to and from network interfaces.

Enable VPC Flow Logs for AWS or its equivalents.

Cloud Management Event LoggingMVSP 2.7: LoggingIM8 Cloud Security (IaaS and PaaS): 1.9/S7

Log management and audit events on cloud resources.

Configure CloudTrail for AWS or its equivalents to log management and audit events such as changes to IAM policies and resources.

Database LoggingMVSP 2.7: LoggingIM8 Cloud Security (IaaS and PaaS): 1.9/S3

Log database audit events.

Enable RDS logging for AWS or its equivalents.

Access LoggingMVSP 2.7: LoggingIM8 Cloud Security (IaaS and PaaS): 1.6/S4eIM8 Cloud Security (IaaS and PaaS): 1.9/S3IM8 On-Premise IS (Non-S): 7.1/S3

Log access requests sent to web application firewalls, load balancers, proxies or web servers.

Enable AWS WAF logging, Application Load Balancer logging, API Gateways, or their equivalents.

Security Event LoggingIM8 Cloud Security (IaaS and PaaS): 1.9/S2

Log security events on hosts and other cloud resources.

Security events include operating system security events, authentication and audit logs, and endpoint detection and response alerts.

Security Log Retention

The time period in days of log retention.

MVSP 2.7: LoggingIM8 Cloud Security (IaaS and PaaS): 1.9/S3IM8 Cloud Security (IaaS and PaaS): 1.9/S9IM8 Cloud Security (IaaS and PaaS): 1.9/S13IM8 On-Premise IS (Non-S): 7.2/S6

Retain security logs for at least day(s).

Security logs include network flow logs, cloud management logs, access logs, database logs and host logs. Retain non-security logs (e.g. application, operations and performance logs) as long as needed for incident resolution and debugging. Consider log lifecycle management automation, such as Amazon S3 Lifecycle configurations.

Security Monitoring and AlertingIM8 Cloud Security (IaaS and PaaS): 1.9/S3IM8 Cloud Security (IaaS and PaaS): 1.9/S7IM8 Cloud Security (IaaS and PaaS): 1.9/S10IM8 Cloud Security (IaaS and PaaS): 1.9/S11IM8 Cloud Security (IaaS and PaaS): 1.9/S13IM8 On-Premise IS (Non-S): 7.2/S10

Configure security monitoring to identify potential security violations or breaches and send automated alerts.

Enable Amazon GuardDuty, Microsoft Azure Security Center, or their equivalents.

Resource Usage Monitoring and AlertingIM8 Cloud Security (IaaS and PaaS): 1.9/S8

Configure resource usage monitoring to identify abnormal usage and send automated alerts.

Configure Amazon CloudWatch alarms, Azure Monitor alerts, or their equivalents to identify abnormal usage such as spike in usage, access to resources during expected hours, and excessive charges.

Service Level Monitoring and AlertingIM8 Cloud ADS: 11.1/G3

Monitor, maintain and alert on service level objectives (SLOs) and indicators (SLIs) to ensure consistent service performance, availability and reliability.

Implement a comprehensive monitoring system that tracks key SLIs and evaluates them against defined SLOs. This will help in identifying potential service level breaches early and take proactive measures to maintain service quality. Examples include Cloudwatch metrics and alerts, Amazon Route 53 health checks, Azure Monitor Application Insights, or their equivalents.

Central Security Log Management and Monitoring

The central security log management and monitoring service.

IM8 Cloud Security (IaaS and PaaS): 1.9/S3IM8 On-Premise IS (Non-S): 7.1/S3NIST SP 800-53 AU-6(4): Central Review and AnalysisNIST SP 800-53 PL-9: Central Management

Centralise security log management and monitoring with .

Tenants on Government Commercial Cloud (GCC) already have Cloud Service Provider (CSP) tenant security logs stored centrally and available for forwarding to Government Cyber Security Operations Centre (GCSOC). Contact GCSOC for subscription and additional services.

Database Activity Monitoring

Monitor database activities for anomalous behaviour.

Config RDS Activity Streams and logs with alerts or Database Activity Monitoring (DAM) tools to detect unusual authentication, reads or writes to a database.

Web Defacement MonitoringIM8 Cloud Security (IaaS and PaaS): 1.9/S13IM8 On-Premise IS (Non-S): 7.1/S5

Plan for and implement measures to detect and recover from web defacements.

The Government Cyber Security Operations Centre (GCSOC) offers centralised monitoring of web defacements of internet-facing systems.

Structured Log Formatting

Publish logs in a consistent, structured format that aligns with industry standards for easy parsing and analysis.

For security logs, implement or transform to OCSF (Open Cybersecurity Schema Framework), ECS (Elastic Common Schema) or similar schemas to standardize log formats for better threat detection and analysis. For operational logs, adopt OpenTelemetry or structured JSON formats to facilitate clear, structured, and efficient log analysis for system performance and diagnostics. Consistent log formatting aids in automated parsing and helps in integrating logs from various sources.

Key Signals Monitoring

Monitor key user-facing signals to maintain robust service health and performance.

Implement monitoring of key signals such as latency, traffic, errors, and saturation (the 4 Golden Signals). Regularly track and analyse these indicators for proactive issue detection and resolution. Use this data to identify trends and areas for system improvement, ensuring continuous enhancement in service quality and reliability.

Software delivery performance monitoring

Measure and analyse software delivery performance to optimise development velocity and operational efficiency.

Implement tools and processes to track Deployment Frequency, Lead Time for Changes, Change Failure Rate, and Time to Restore Service (the DORA 4 Key metrics). Use these metrics as benchmarks to drive continuous improvement in the software development and deployment process, enhancing agility, reliability, and responsiveness to changes.

Access Control

Controls to protect against unauthorised access to agency systems.

Principle of Least PrivilegeMVSP 4.2: Logical accessIM8 Cloud Security (IaaS and PaaS): 1.4/S7IM8 Cloud Security (IaaS and PaaS): 1.5/S4eIM8 Cloud Security (IaaS and PaaS): 1.7/S1b

Deny access by default and grant only the minimum permissions required for authorised accounts or processes to perform a specific function.

Consider attribute- or feature-based access control for greater customisability and granularity.

Multi-Factor Authentication (MFA)NIST SP 800-53 IA-2(1): Multi-factor Authentication to Privileged AccountsMVSP 4.2: Logical accessIM8 Cloud Security (IaaS and PaaS): 1.4/S20aIM8 On-Premise ADS (Non-S): 2.4/S2

Require MFA for remote developer, maintainer, or administrator access at login.

Ensure that the authentication factors are different and independent of the accessing device. For additional security, consider MFA for privileged actions at the application level (such as step-up MFA challenges via PIM tools).

Inactive and Expired Accounts

The time period in days after account expiry.

The time period in days of account inactivity.

NIST SP 800-53 AC-2(3): Disable AccountsMVSP 4.2: Logical accessIM8 Cloud Security (IaaS and PaaS): 1.4/S15IM8 Cloud Security (IaaS and PaaS): 1.4/S18bIM8 On-Premise ADS (Non-S): 2.3/S2, 2.3/S3

Disable or remove accounts with privileged access within day(s) from last day of authorised use or have not been used for day(s).

Use automated checks to identify accounts and credentials that should be disabled. For privileged user accounts in applications, consider using automated workflows such as System for Cross-domain Identity Management (SCIM) or identity lifecycle management tools. For cloud service provider accounts, use tools such as AWS Config iam-user-unused-credentials-check to manage Identity and Access Management (IAM) users.

Access Review

The time period in days of access review frequency.

The time period in days of access removal deadline.

AC-2: Account ManagementMVSP 4.2: Logical accessIM8 Cloud Security (IaaS and PaaS): 1.4/S13IM8 On-Premise ADS (Non-S): 2.3/S1, 2.3/S6

Perform an access review every day(s) and remove unauthorised or unintended privileged access rights within day(s).

For privileged user accounts in applications, implement automated review workflows or reports. For cloud service provider accounts and roles, use tools such as AWS IAM Access Advisor or Azure AD Access Review to facilitate and manage access reviews.

Endpoint Device HardeningIM8 Cloud Security (IaaS and PaaS): 1.4/S20aIM8 On-Premise IS (Non-S): 1.3/S1, 4.7/S3

Require hardened endpoint devices for remote developer, maintainer, or administrator access.

Use Endpoint Management platfoms to continuously check and enforce device security posture and deny access if the hardening requirements are not met. Hardened devices include Government Standard Image Build (GSIB) and Security Suite for Engineering Endpoint Devices (SEED).

Default CredentialsNIST SP 800-53 IA-5: Authenticator ManagementIM8 Cloud Security (IaaS and PaaS): 1.4/S1cIM8 Cloud Security (IaaS and PaaS): 1.4/S2cIM8 On-Premise ADS (Non-S): 2.2/S1d, 2.3/S5

Change default credentials prior to first use.

Identify any default credentials used in any system components before deploying and change them. Configure end-user systems to prompt for password change on first login after account creation or reset.

SingPass/CorpPass for External UsersIM8 On-Premise ADS (Non-S): 2.1/S1

Use SingPass or CorpPass MFA for digital services that require high level of identity assurance for external users.

For high impact or high risk transactions, use SingPass/CorpPass to identify external users (e.g. citizens). Internal users should use Government managed Single Sign-on (SSO) solutions (such as WOG AAD).

Automate account provisioningIM8 Cloud Security (IaaS and PaaS): 1.4/S18aIM8 On-Premise ADS (Non-S): 2.3/S7

Implement automation of cloud and application account provisioning and deprovisioning using an account management tool.

Adopt Single Sign-On (SSO) with just-in-time provisioning or account lifecycle management tools (such as SCIM or CAM) to assist with account management. For systems unable to use SSO, it is recommended to leverage account management lifecycle tools with HR records (such as CAM) to automatically provision and de-provision accounts.

Endpoint Device Management

Implement and maintain an endpoint device management solution to ensure the security and integrity of endpoint devices used within the organisation.

Mobile Device Management (MDM) platforms enable management, monitoring, and secure configuration of endpoint devices. This includes enforcing disk encryption, managing configuration, ensuring regular updates, and providing the ability to remotely wipe data in case of device loss or theft.

Identity and Device-Based Access Control

Adopt Identity and Device-Based Access Control for secure and context-aware connectivity to private organisational resources.

Use solutions such as Secure Service Edge (SSE), Identity Aware Proxies (IAP) or other Zero Trust services (Entra ID Conditional Access, Okta Device Trust, etc) that integrate identity and device management systems to provide granular access control to resources based on user identity and device posture. For example, Security Suite for Engineering Endpoint Devices (SEED).

Single User Endpoints

Assign each endpoint device to a single designated primary user and enforce the assignment to ensure accountability and enhance security monitoring.

Implement measures such as user authentication and endpoint management with device enrollment to enforce the single primary user per endpoint. If secondary accounts for local device support or maintenance activities consider securing with endpoint privilege management tools.

Single Sign-On (SSO) for Internal UsersIA-2(10): Single Sign-onIM8 Cloud Security (IaaS and PaaS): 1.4/S18c

Use Single Sign-On (SSO) for internal users and services.

Configure multi-factor authentication (MFA) at the Single-Sign On (SSO) identity provider (IdP) and ensure that access to the system is only granted after the IdP authenticates the user. WOG AAD is recommended for public officers and TechPass AAD for developers.

Container Security

Controls to secure container building, distribution, and deployment.

Unique Base Container Image TagsSLSA Build L1: Provenance existsIM8 Cloud ADS: 12.1/G3

Use unique base container image tags instead of rolling tags.

Avoid the latest tag or other common rolling tags for base images to minimise unintended changes during subsequent builds using the same instruction. A digest SHA can provide a unique identifier for the image if no tag is assigned during build time.

Minimal Base Container ImagesIM8 Cloud ADS: 12.1/G1

Build container images with minimal base images.

Use minimal container images such as alpine, scratch, wolfi, and distroless images as the base image to reduce attack surface.

Runtime Container SecretsIM8 Cloud ADS: 2.2/S4

Provide secrets and sensitive data to the container at runtime instead of image build time.

Ensure no secrets (e.g., TLS certificate keys, cloud provider credentials, SSH private keys, database passwords) are embedded in the container image by using dedicated features like Docker secrets or podman-secret-create.

Non-Privileged Container UserIM8 Cloud ADS: 12.2/S2

Create a non-root user and set it as the default user in the container image build instructions.

Ensure the non-root user has the minimal set of permissions required to run the container.

Dockerfile LintingIM8 Cloud ADS: 12.1/G4

Lint Dockerfiles before building container images.

Use linters such as Hadolint to check the Dockerfile (or similar build file) instructions and flag any issues that contravene best practices. Ensure Dockerfile linting stage is run as part of the Continuous Integration (CI) pipelines.

Read-Only Container Root Filesystem

Configure the container filesystem to be read-only.

Use security policies (e.g., readonlyRootFilesystem for Kubernetes) to prevent any direct writes to the container's root filesystem during runtime and ensure immutable infrastructure. Do not directly apply patches or alter running containers as the containers are ephemeral and patches will disappear upon redeploy. Apply patches by rebuilding and redeploying container images.

Container Image Scanning

The location where container image scanning occurs.

IM8 Cloud ADS: 12.3/G2bIM8 Cloud ADS: 12.3/G2c

Scan container images in the for known vulnerabilities.

Container image scanning tools (e.g., Amazon Inspector, Trivy, Grype) scan the contents of a container image for known vulnerabilities. Configure scans to run automatically and continuously, as well as enable scanning of image on push. Block deployment of container images with HIGH CVE being detected during scan (e.g., using Amazon ECR with Security Hub).

Private Container Image Registries

Host built container images in private container registries.

Use only private container registries (e.g., Amazon ECR private registry) to host container images built by the organisation as images may contain proprietary code or sensitive information.

Container Orchestrator API Access ControlIM8 Cloud Security (IaaS and PaaS): 1.7/S21b

Disable public access to Container Orchestrator API endpoints from the internet.

Restrict access to the Container Orchestrator API endpoints (such as the Kubernetes API Server) to specific address ranges or use CSP provided features such as disabling Endpoint public access and Private Clusters to disable public access.

Container Workload Segmentation

Segregate container workloads to help contain attacks through isolation.

Create Kubernetes namespaces or similar container segmentation controls to isolate different workloads, services or projects.

Container Runtime SecurityIM8 Cloud ADS: 12.3/G2b

Detect and remediate changes to running containers with container runtime protection tools.

Runtime protection tools, such as AWS EKS Protection, Microsoft Defender for Containers, or Falco, monitor threats and changes to running containers. Vulnerable container instances should be isolated for investigation and replaced with rebuilt and patched images. To avoid persistence if patches do not exist, the container instance should be replaced frequently with an un-compromised image until a patch released. These tools replace Malware Protection (IS-7) and EDR (IS-8) in container environments.

Security Programme Management

Controls to implement cybersecurity governance, risk, and compliance processes and policies.

Cybersecurity Incident Management PlanMVSP 1.7: Incident handlingIM8 Cloud Security (IaaS and PaaS): 1.1/S3GIROC ICT and Data Incident Reporting Resources

Develop, document, and disseminate an agency-level cybersecurity incident management plan to respond to cybersecurity incidents.

Refer to the Government Incident Reporting and Operations Centre (GIROC) ICT and Data Incident Reporting Resources for an incident management plan and best practices template.

Project Cybersecurity Risk AssessmentMVSP 1.3: Self-assessmentIM8 Cloud Security (IaaS and PaaS): 1.1/S1Cybersecurity Toolkit for IT Teams

Develop and document a project-level cybersecurity risk assessment prior to initial full release that includes:

Risk scenario;

Likelihood (from 1-5);

Impact (from 1-5);

Risk Level (Likelihood * Impact; 1-4: Low, 5-9: Medium, 10-14: Medium High, 15-19: High, 20-25: Critical)

Mitigating Measures

Refer to the Cyber Security Agency of Singapore's Cybersecurity Toolkit for IT Teams for an example of a risk assessment template and modify accordingly.

System Security Plan (SSP) Development

Develop and maintain a comprehensive System Security Plan (SSP) that accurately reflects the system characteristics and security controls in place for the organisation's systems and environments.

The SSP should be detailed, covering all aspects of security controls, roles, responsibilities, and operational processes. Regular updates are necessary to reflect changes in the security landscape and system evolution.

Approval of Policy Deviations

Get approval of deviations from applicable Level 1 profile controls in the default System Security Plans (SSPs) from the agency's ICT and Digitalisation Steering Committee (IDSC) and document these deviations in the customised SSP.

Agencies should seek approval for deviation from their IDSC or delegated approval authority. Controls that are not applicable to the system do not need approval for deviations but the reasons why they are not applicable must be documented in the customised SSP.

Central Submission of Approved System Security Plan (SSP)Centralised SSP Management Guidelines

Submit approved SSPs centrally to maintain a unified and up-to-date repository of security plans and practices.

Reference the IM8 Portal for submitting all approved SSPs.

System Documentation

Maintain detailed, up-to-date documentation of all system information and architecture.

Example system documentation includes architecture and network diagrams, architecture decision records, hardware and software inventories, data flows, and configurations. This documentation should be regularly reviewed and updated to reflect changes in the environment. Documentation should be accessible to relevant personnel while ensuring sensitive information is protected. Adopt documentation-as-code practices and machine-readable formats (such as Markdown, JSON, YAML, etc), to facilitate version control, collaboration, and automation in maintaining documentation.

Certification

The required certifications.

Ensure that the Software as a Service (SaaS) provider is certified with .

Ensure that the certification is up-to-date. Avoid certifications that are only attestations without a pass/fail element.

Software as a Service (SaaS) Service Level Agreement

Obtain a service level agreement with the Software as a Service (SaaS) provider that covers uptime, response times, downtime notifications, support avenues, and support content.

Ensure that the service level agreement is regularly checked for compliance.

Infrastructure Security

Controls to secure infrastructure that host applications, services, and data.

Management AgentsIM8 Cloud Security (IaaS and PaaS): 1.1/G1IM8 Cloud Security (IaaS and PaaS): 1.4/S21

Install CSP management agents on hosts to remotely and securely manage their configurations.

Most CSP compute instances preinstall management agents (e.g., AWS Systems Manager Agent, Azure Windows VM Agent) by default. If the image does not come with the preinstalled agent, install manually.

Automated Patch ManagementIM8 Cloud Security (IaaS and PaaS): 1.7/S12IM8 Cloud Security (IaaS and PaaS): 1.8/S4

Automate patching of operating systems and applications.

Apply patch baselines via the CSP node management service, unless the patch management process is automated as part of the build and deploy phase. For on-premise systems, use tools like Azure Update Manager to schedule and automatically deploy patches to Windows and Linux OS.

Restricted Administrator PrivilegesIM8 Cloud Security (IaaS and PaaS): 1.6/S1dIM8 Cloud Security (IaaS and PaaS): 1.6/S1eIM8 On-Premise IS (Non-S): 1.2/S2a

Restrict administrator privileges by disabling remote login for the root/administrator user and restricting sudo/administrators group access for other users.

Further reduce the attack surface by running common services such as the web server or database without root/administrator/system privileges.

Least FunctionalityNIST SP 800-53 CM-7: Least FunctionalityIM8 Cloud Security (IaaS and PaaS): 1.4/S7IM8 Cloud Security (IaaS and PaaS): 1.5/S4eIM8 Cloud Security (IaaS and PaaS): 1.7/S1bIM8 On-Premise IS (Non-S): 1.2/S2c

Disable or remove unnecessary functions, system ports, protocols, software, and services on the host.

Follow the principle of least functionality to configure the host to carry out only its intended purpose. CSP node management services can provide an inventory of software and services (e.g., AWS Systems Manager Inventory). Vulnerability assessment scanners (e.g., AWS Inspector) can also identify software vulnerabilities and network exposure.

Host System HardeningIM8 Cloud Security (IaaS and PaaS): 1.6/G2IM8 Cloud Security (IaaS and PaaS): 1.6/S2IM8 On-Premise IS (Non-S): 1.2/S1

Harden the host configuration with reference to industry standards.

Select the appropriate benchmark for the host such as from the NIST National Checklist Program or CIS Benchmarks. Automate the configuration process or use hardened images instead of manually configuring.

Remote AdministrationAWS SSB WKLD.06: Use Systems Manager instead of SSH or RDPIM8 Cloud Security (IaaS and PaaS): 1.4/S21

Use remote administration tools instead of direct SSH or RDP.

In production environments, use remote administration (e.g., AWS Systems Manager Session Manager, AWS Systems Manager Fleet Manager, GCC Privileged Identity Management) only for break glass scenarios where remote monitoring and automation is not available. Document and remediate gaps in monitoring and automation to minimise the need for remote administration. If SSH is still required and remote administration tools are not available, only use it within a private non-production environment such as an encrypted tunnel and authenticate with short-lived certificates.

Malware ProtectionIM8 Cloud Security (IaaS and PaaS): 1.6/S1a

Detect and quarantine malware on hosts with anti-malware tools.

Configure anti-malware tools for all compute hosts (e.g. AWS Guardduty Malware Protection, Azure Antimalware, Trend Micro CloudOne). These tools should be kept up-to-date with the latest malware signatures. Regular scans should be scheduled to detect and quarantine potential threats.

Endpoint Detection and Response (EDR)IM8 Cloud Security (IaaS and PaaS): 1.6/G1a

Monitor security threats on hosts with an EDR tool.

Implement EDR tools for all compute hosts. Security incident response should be planned and documented for the tool. EDR tools with built-in malware protection should be favoured to reduce additional agents.

End-of-Support (EOS) Assets

The type of asset.

IM8 Cloud Security (IaaS and PaaS): 1.1/S6IM8 On-Premise ADS (Non-S): 5.1/S8

Ensure deployed assets have not reached end-of-support (EOS). Use of EOS assets will require risk acceptance by approved authority.

Identify, track and replace EOS assets in a timely manner. Regularly review assets to identify upcoming EOS timeframe and replace them ahead of EOS date.

Synchronise time clocksIM8 On-Premise IS (Non-S): 1.2/S5

Synchronise internal clocks to a common reference time source.

Use common time source such as Network Time Protocol (NTP). In the cloud, it is recommended to use the default time sources provided by the CSPs.

Central Domain Name RegistrationIM8 Cloud ADO: 2.1/S1, 2.1/S2MCI ICT Circular Minute No 5/2014: Internet Domain Names Registration, Management and Protection

Register .gov.sg and .edu.sg domain names with GovTech as the sole registrar.

Use the Whole of Government Domain Name Server (DNS) portal on the IT Service Management (ITSM) portal to register domain names.

DNS Security Extensions (DNSSEC)IM8 On-Premise IS (Non-S): 4.4/S5IM8 Cloud IS (Non-S): 4.4/S5NIST SP 800-53 SC-20: Secure Name/Address Resolution Service (Authoritative Source)

Implement DNS Security Extensions (DNSSEC) for public DNS records and servers.

DNS services such as WOG DNS, Amazon Route 53 and Cloudflare support DNSSEC configuration.

Defensive Domain Name RegistrationMCI ICT Circular Minute No 6/2021: Mandatory Defensive Registration of Internet Domain Names

Register second (.sg) and third (.com.sg, .org.sg, .net.sg, .edu.sg) level domain name variants of the system's primary domain name.

Consider defensive registration of domain names with typographical variants of the system's primary domain name. The Whole of Government Domain Name Server (DNS) portal on the IT Service Management (ITSM) portal automatically includes the second and third level domain names.

Singapore SMS Sender ID Registry RegistrationPMO(SNDGO) Circular Minute No 4/2022: Mandatory Registration with the Singapore SMS Sender ID RegistryPMO(SNDGO) Circular Minute No 1/2024: Implementation of Measures to Establish Trusted Channels for Government Calls and Messages (Building Trusted Networks)PMO (SNDGO) Circular Minute No 2/2024: Amendments to PMO (SNDGO) Circular Minute No 1/2024: Implementation of Measures to Establish Trusted Channels for Government Calls and Messages (Building Trusted Networks)

Register and use whitelisted SMS Sender IDs with the Singapore SMS Sender ID Registry for sending SMSes.

Agencies must use the gov.sg Sender ID via the Postman tool to send SMSes to members of public unless exempted. Whitelist Sender IDs used to send SMSes and blacklist Sender IDs which are variants of the whitelisted Sender IDs, agency names, or names of services.

Secure Development

Controls to secure the development pipeline and perform source code quality assurance.

Push Protection for SecretsIM8 Cloud ADS: 6.4/G1

Configure the code repository to prevent secrets from being pushed to the repository.

Use GitLab's push rules or GitHub's push protection to reject secrets on push.

Default Branch Push Permissions

Configure the code repository to prevent pushes (including force pushes) to the default branch.

Use GitLab's protected branch and merge request settings or GitHub's branch protection settings to enforce this.

Continuous Integration (CI) Tests

Require Continuous Integration (CI) tests to pass before merging into the default branch.

Use GitLab's protected branch and merge request settings or GitHub's branch protection settings to enforce this.

Static Analysis

The location where static analysis occurs.

IM8 Cloud ADS: 6.4/S2IM8 On-Premise ADS (Non-S): 4.1/S1

Set up a static analysis job in the , and remediate or risk accept true positive vulnerability findings before deploying to production.

Static analysis tools (such as SAST or IaC security scanners) check source code for common vulnerabilities and misconfigurations. By running static analysis tools earlier in the DevSecOps cycle, vulnerabilities can be detected and prevented from being deployed to production.

Dependency Scanning

The time period in days of dependency scanning frequency.

The location where dependency scanning occurs.

MVSP 2.6: Dependency PatchingIM8 Cloud Security (IaaS and PaaS): 1.7/S8iIM8 Cloud ADS: 8.1/S2IM8 Cloud ADS: 6.1/S1cIM8 On-Premise ADS (Non-S): 1.1/S1i

Schedule a scan at least every day(s) in the to identify the use of vulnerable software libraries.

Dependency scanning checks the source code for dependencies with known vulnerabilities. By running scans regularly using bots or software composition analysis (SCA) tools, vulnerabilities arising from outdated dependencies can be quickly detected and patched. Software composition analysis can be performed using tools such as Gitlab, Nexus IQ, or their equivalent, with output in a common SBOM format such as SPDX or CycloneDX.

Secret Detection

Number of days within which to remediate a secret detection true positive.

The location where secret detection occurs.

IM8 Cloud Security (IaaS and PaaS): 1.7/S8fIM8 Cloud ADS: 1.1/S1fIM8 Cloud ADS: 6.4/G1bIM8 On-Premise ADS (Non-S): 6.4/G1

Set up secret detection in the and remediate true positives within day(s).

Ensure that the exposed secret is revoked and purged from the Git history.

CI Environment Variable Secrets Management

Protect environment variable secrets used in CI jobs by limiting them to protected pipelines and masking them in job logs.

Use GitLab's CI/CD variable security settings or GitHub's encrypted secrets with the add-mask workflow command.

Deployment Environment SegregationMVSP 4.2: Logical accessIM8 Cloud Security (IaaS and PaaS): 1.4/S9

Segregate production and non-production environments including applications, services, data, secrets, roles, and networks.

Achieve segregation using separate Government on Commercial Cloud (GCC) accounts for environments such as production, development, test, and staging. Account segregation enhances security by limiting exposure, simplifies resource and cost management, maintains configuration integrity, facilitates compliance and auditing and streamlines operational tasks. Deploy and operate environments as similarly as possible to enhance debugging and time-to-market.

DatacentreSeparate hostingIM8 On-Premise IS (Non-S): 1.1/S1c

Physically separate Government resources from non-Government resources.

For on-premise environments, ensure government resources are physically stored and secured separately from non-government resources.

Physical Access ControlsIM8 On-Premise IS (Non-S): 1.1/S1i

Implement physical access controls to prohibit unauthorised access to the hosting environment or network rooms.

Measures to consider include:

+

a) personnel security clearance and checks

+

b) Continuous monitoring

+

c) Immediate security response

+

d) Strong authentication card access system to regulate and log access of employees, visitors and contractors to the facility;

+

e) Guards deployed to guard the facility 24/7;

+

f) Restrict items (such as unauthorised computing devices) to be brought into the facility;

+

g) Intrusion Detection System installed to detect unauthorised access;

+

h) CCTV installed to monitor the facility.

AWS Startup Security BaselineCentralised SSP Management GuidelinesCybersecurity Toolkit for IT TeamsGIROC ICT and Data Incident Reporting ResourcesIM8 Cloud ADOIM8 Cloud ADSIM8 Cloud Security (IaaS and PaaS)IM8 On-Premise AAS (Non-S)IM8 On-Premise ADS (Non-S)IM8 On-Premise IS (Non-S)MCI ICT Circular Minute No 5/2014MCI ICT Circular Minute No 6/2021Minimum Viable Secure Product (MVSP)NIST SP 800-53NIST SP 800-63BPMO (SNDGO) Circular Minute No 2/2024PMO(SNDGO) Circular Minute No 1/2024PMO(SNDGO) Circular Minute No 4/2022Singapore Government Developer Portal - InnersourceSupply-chain Levels for Software Artifacts (SLSA)
\ No newline at end of file
From 1388e2a2e598d9e7fe19eda3134e54bbacd7d5fe Mon Sep 17 00:00:00 2001
From: Brian Ruf
Date: Tue, 4 Feb 2025 13:41:21 -0500
Subject: [PATCH 2/2] added YAML format
---
 catalogs/im8-reform.yaml | 3540 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 3540 insertions(+)
 create mode 100644 catalogs/im8-reform.yaml
diff --git a/catalogs/im8-reform.yaml b/catalogs/im8-reform.yaml
new file mode 100644
index 0000000..fd3cf95
--- /dev/null
+++ b/catalogs/im8-reform.yaml
@@ -0,0 +1,3540 @@ +--- +catalog: + uuid: dfad1a6f-1aae-43e6-8fc6-10f1771d6dbc + metadata: + props: + - name: keywords + value: "IM8, GovTech, Singapore, cloud, instruction manual, application security" + oscal-version: 1.1.2 + last-modified: 2024-05-29T10:17:03.320504+08:00 + responsible-parties: + - role-id: creator + party-uuids: + - e738ab7c-ed26-4fe6-a1e7-f485265d50cc + - role-id: contact + party-uuids: + - e738ab7c-ed26-4fe6-a1e7-f485265d50cc + title: Instruction Manual 8 Reform + roles: + - title: Creator + id: creator + - title: Contact + id: contact + version: 2024.05.30-2 + parties: + - uuid: e738ab7c-ed26-4fe6-a1e7-f485265d50cc + name: "Workstream 1A (Content), IM8-reform Executive Committee" + type: organization + back-matter: + resources: + - title: AWS Startup Security Baseline + rlinks: + - href: https://docs.aws.amazon.com/pdfs/prescriptive-guidance/latest/aws-startup-security-baseline/aws-startup-security-baseline.pdf + uuid: 229a38da-bdc1-4a59-b1cb-8904cb59d0a5 + - title: Centralised SSP Management Guidelines + rlinks: + - href: https://www.developer.tech.gov.sg/guidelines/standards-and-best-practices/instruction-manual-for-ict-ss-management.html + uuid: 80bf8bd1-004c-42d9-a810-e3f1fae563bf + - title: Cybersecurity Toolkit for IT Teams + rlinks: + - href: https://isomer-user-content.by.gov.sg/36/91d33a31-d51d-419b-8458-25f901183f19/CSA_Cybersecurity-Toolkit-IT-Team.pdf + uuid: d90ebf27-ad15-40c3-84f1-c83c98383d16 + - title: GIROC ICT and Data Incident Reporting Resources + rlinks: + - href: https://www.thedigitalacademy.tech.gov.sg/category-giroc + uuid: 424d176f-09ad-41c5-8a44-a064a9f1e37d + - title: IM8 Cloud ADO + rlinks: + - href: https://www.developer.tech.gov.sg/guidelines/standards-and-best-practices/instruction-manual-for-ict-ss-management.html + uuid: 3402c67f-c59f-440a-b82d-81cf4d92de90 + - title: IM8 Cloud ADS + rlinks: + - href: 
https://www.developer.tech.gov.sg/guidelines/standards-and-best-practices/instruction-manual-for-ict-ss-management.html + uuid: ee9148b4-3f31-48c8-8503-24fb5cd73db8 + - title: IM8 Cloud Security (IaaS and PaaS) + rlinks: + - href: https://www.developer.tech.gov.sg/guidelines/standards-and-best-practices/instruction-manual-for-ict-ss-management.html + uuid: da71948e-4dff-4a9d-a645-69ced821fe97 + - title: IM8 On-Premise AAS (Non-S) + rlinks: + - href: https://www.developer.tech.gov.sg/guidelines/standards-and-best-practices/instruction-manual-for-ict-ss-management.html + uuid: 52e1d19c-bf27-4de8-b66a-c2523c9a0d69 + - title: IM8 On-Premise ADS (Non-S) + rlinks: + - href: https://www.developer.tech.gov.sg/guidelines/standards-and-best-practices/instruction-manual-for-ict-ss-management.html + uuid: 9749c983-5562-4a6f-8852-7eecf9b38d2c + - title: IM8 On-Premise IS (Non-S) + rlinks: + - href: https://www.developer.tech.gov.sg/guidelines/standards-and-best-practices/instruction-manual-for-ict-ss-management.html + uuid: f3057503-f399-4735-9d7b-ea9830f3b2ac + - title: MCI ICT Circular Minute No 5/2014 + rlinks: + - href: https://intranet.mof.gov.sg/portal/IM/Circulars/ICT/Circular-Minutes/2014 + uuid: c83c5d3f-cb13-492b-9028-ab7dc717e396 + - title: MCI ICT Circular Minute No 6/2021 + rlinks: + - href: https://intranet.mof.gov.sg/portal/IM/Circulars/ICT/Circular-Minutes/2021 + uuid: f76c8617-eb15-4b80-8911-4abca5ba2d84 + - title: Minimum Viable Secure Product (MVSP) + rlinks: + - href: https://www.mvsp.dev/ + uuid: 8723fc45-7378-478f-b61f-2e22a170e98c + - title: NIST SP 800-53 + rlinks: + - href: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf + uuid: 0062e6a3-8ac4-44db-92df-8357b437ca0c + - title: NIST SP 800-63B + rlinks: + - href: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63b.pdf + uuid: e59c5a7c-8b1f-49ca-8de0-6ee0882180ce + - title: PMO (SNDGO) Circular Minute No 2/2024 + rlinks: + - href: 
https://intranet.mof.gov.sg/portal/IM/Circulars/ICT/Circular-Minutes/2024 + uuid: 31761a08-1ca2-48f2-90f5-13fc96128f45 + - title: PMO(SNDGO) Circular Minute No 1/2024 + rlinks: + - href: https://intranet.mof.gov.sg/portal/IM/Circulars/ICT/Circular-Minutes/2024 + uuid: 824c06dc-a7bb-4d1a-8ea7-7ce2095ff55c + - title: PMO(SNDGO) Circular Minute No 4/2022 + rlinks: + - href: https://intranet.mof.gov.sg/portal/IM/Circulars/ICT/Circular-Minutes/2022 + uuid: 17e0e48b-e687-4dbf-afb0-56adfc0bbc3e + - title: Singapore Government Developer Portal - Innersource + rlinks: + - href: https://www.developer.tech.gov.sg/guidelines/standards-and-best-practices/innersource.html + uuid: 59a45aeb-ab47-406c-875f-0ebbc4ec00e1 + - title: Supply-chain Levels for Software Artifacts (SLSA) + rlinks: + - href: https://slsa.dev/ + uuid: 438199c5-6b38-4704-88d6-a902ee08a433 + groups: + - parts: + - prose: Controls to prevent application vulnerabilities caused by insecure coding. + name: overview + controls: + - parts: + - prose: "Validate all application inputs to ensure that they match the expected type, structure, or format." + name: statement + id: as-1_smt + - prose: Strictly validating inputs against a comprehensive schema prevents injection attacks caused by inserting special characters or content that would cause the application to perform incorrect operations. + name: guidance + id: as-1_gdn + props: + - ns: http://tech.gov.sg/ns/oscal + name: risk-statement + value: "Without input validation, there's a heightened risk of injection attacks, data manipulation, or system crashes due to unexpected input, potentially leading to unauthorised access or disruption of services." 
+ - ns: http://tech.gov.sg/ns/oscal + name: published + value: 2023-08-01T01:03:42+0800 + - ns: http://tech.gov.sg/ns/oscal + name: last-modified + value: 2024-02-06T01:04:05+0800 + title: Input Validation + links: + - href: "#8723fc45-7378-478f-b61f-2e22a170e98c" + rel: reference + text: "MVSP 2.5: Security libraries" + - href: "#da71948e-4dff-4a9d-a645-69ced821fe97" + rel: reference + text: "IM8 Cloud Security (IaaS and PaaS): 1.7/S1c" + - href: "#da71948e-4dff-4a9d-a645-69ced821fe97" + rel: reference + text: "IM8 Cloud Security (IaaS and PaaS): 1.7/S8b" + - href: "#9749c983-5562-4a6f-8852-7eecf9b38d2c" + rel: reference + text: "IM8 On-Premise ADS (Non-S): 1.1/S1b" + id: as-1 + - parts: + - prose: Use parameterised interfaces for database queries or system commands. + name: statement + id: as-2_smt + - prose: Parameterised interfaces such Object-Relational Mapping (ORM) libraries ensure that parameters used in database queries or system commands are properly sanitised and prevent injection attacks. + name: guidance + id: as-2_gdn + props: + - ns: http://tech.gov.sg/ns/oscal + name: risk-statement + value: "Failure to use parameterised interfaces increases the vulnerability to SQL injection or command injection attacks, posing a significant risk of unauthorised access, data manipulation, or even potential system compromise." 
+ - ns: http://tech.gov.sg/ns/oscal + name: published + value: 2023-08-01T01:03:42+0800 + - ns: http://tech.gov.sg/ns/oscal + name: last-modified + value: 2024-02-06T01:04:05+0800 + title: Parameterised Interfaces + links: + - href: "#8723fc45-7378-478f-b61f-2e22a170e98c" + rel: reference + text: "MVSP 2.5: Security libraries" + - href: "#da71948e-4dff-4a9d-a645-69ced821fe97" + rel: reference + text: "IM8 Cloud Security (IaaS and PaaS): 1.7/S8c" + - href: "#9749c983-5562-4a6f-8852-7eecf9b38d2c" + rel: reference + text: "IM8 On-Premise ADS (Non-S): 1.1/S1c" + id: as-2 + - parts: + - prose: Sanitise all application outputs that will be used to render a HTML document. + name: statement + id: as-3_smt + - prose: Any application outputs that are returned to the requester and used to render a HTML document can lead to cross-site scripting (XSS) attacks if they contain special characters that change the rendering of the HTML document by the browser. + name: guidance + id: as-3_gdn + props: + - ns: http://tech.gov.sg/ns/oscal + name: risk-statement + value: "Lack of sanitisation for application outputs used in rendering HTML documents exposes the system to the risk of cross-site scripting (XSS) attacks, allowing malicious code execution in users' browsers." + - ns: http://tech.gov.sg/ns/oscal + name: published + value: 2023-08-01T01:03:42+0800 + - ns: http://tech.gov.sg/ns/oscal + name: last-modified + value: 2024-02-06T01:04:05+0800 + title: Output Sanitisation + links: + - href: "#8723fc45-7378-478f-b61f-2e22a170e98c" + rel: reference + text: "MVSP 2.5: Security libraries" + - href: "#da71948e-4dff-4a9d-a645-69ced821fe97" + rel: reference + text: "IM8 Cloud Security (IaaS and PaaS): 1.7/S8e" + - href: "#9749c983-5562-4a6f-8852-7eecf9b38d2c" + rel: reference + text: "IM8 On-Premise ADS (Non-S): 1.1/S1e,k,l" + id: as-3 + - parts: + - prose: Apply rate-limiting on all authentication mechanisms to deter brute-force attacks. 
+ name: statement + id: as-4_smt + - prose: Consider rate-limiting to a maximum of 3 consecutive failed authentication attempts within 15 minutes. Time delays between log-on attempts reduce the risk of successful brute-forcing attacks. Bot mitigation tools such as CAPTCHA can further reduce this risk. + name: guidance + id: as-4_gdn + props: + - ns: http://tech.gov.sg/ns/oscal + name: risk-statement + value: "Without rate-limiting, there's an increased risk of unauthorised access as attackers may exploit weak credentials through repeated login attempts." + - ns: http://tech.gov.sg/ns/oscal + name: published + value: 2023-08-01T01:03:42+0800 + - ns: http://tech.gov.sg/ns/oscal + name: last-modified + value: 2024-02-06T01:04:05+0800 + title: Authentication Mechanism Rate-Limiting + links: + - href: "#8723fc45-7378-478f-b61f-2e22a170e98c" + rel: reference + text: "MVSP 2.4: Password policy" + - href: "#ee9148b4-3f31-48c8-8503-24fb5cd73db8" + rel: reference + text: "IM8 Cloud ADS: 2.2/S1j, 2.2/S5b" + - href: "#9749c983-5562-4a6f-8852-7eecf9b38d2c" + rel: reference + text: "IM8 On-Premise ADS (Non-S): 2.2/S5" + id: as-4 + - parts: + - prose: "Where SSO or passwordless is not supported, verify that user-defined passwords are at least {{ insert: param, as-5_prm_1 }} characters in length and {{ insert: param, as-5_prm_2 }}." + name: statement + id: as-5_smt + - prose: "Latest NIST [SP 800-63B](#e59c5a7c-8b1f-49ca-8de0-6ee0882180ce) guidelines found that password length is a primary factor in determining the strength of a password while composition and complexity rules provide marginal security benefits." + name: guidance + id: as-5_gdn + props: + - ns: http://tech.gov.sg/ns/oscal + name: risk-statement + value: "Short or commonly used passwords increase the vulnerability to unauthorised access, potentially leading to compromised accounts and unauthorised activities on the system." 
+ - ns: http://tech.gov.sg/ns/oscal + name: published + value: 2023-08-01T01:03:42+0800 + - ns: http://tech.gov.sg/ns/oscal + name: last-modified + value: 2024-02-09T22:54:15+0800 + params: + - id: as-5_prm_1 + label: number of characters + class: int + guidelines: + - prose: The minimum length of a password. + - id: as-5_prm_2 + label: policy + class: str + guidelines: + - prose: The password policy. + title: Password Requirements + links: + - href: "#8723fc45-7378-478f-b61f-2e22a170e98c" + rel: reference + text: "MVSP 2.4: Password policy" + - href: "#0062e6a3-8ac4-44db-92df-8357b437ca0c" + rel: reference + text: "NIST SP 800-53 IA-5(1): Password-based Authentication" + - href: "#da71948e-4dff-4a9d-a645-69ced821fe97" + rel: reference + text: "IM8 Cloud Security (IaaS and PaaS): 1.4/S1a" + - href: "#da71948e-4dff-4a9d-a645-69ced821fe97" + rel: reference + text: "IM8 Cloud Security (IaaS and PaaS): 1.4/S2a" + - href: "#9749c983-5562-4a6f-8852-7eecf9b38d2c" + rel: reference + text: "IM8 On-Premise ADS (Non-S): 2.2/S1" + id: as-5 + - parts: + - parts: + - prose: Generated using a cryptographically secure pseudo-random number generator in accordance with industry standards; + name: item + id: as-6_smt.1 + props: + - name: label + value: "1" + - prose: At least 32 bits long; and + name: item + id: as-6_smt.2 + props: + - name: label + value: "2" + - prose: Randomly generated for each account. + name: item + id: as-6_smt.3 + props: + - name: label + value: "3" + prose: "Store passwords as salted hashes using a password hashing scheme that is resistant to offline attacks such as those described in NIST [SP 800-63b](#e59c5a7c-8b1f-49ca-8de0-6ee0882180ce). The salt should be:" + name: statement + id: as-6_smt + - prose: "Refer to NIST [SP 800-90Ar1](#64357b22-9868-4453-9b9e-36c2665d12b3) for suitable pseudo-random number generators. 
Refer to NIST [SP 800-63b](#e59c5a7c-8b1f-49ca-8de0-6ee0882180ce) Memorized Secret Verifiers section for suitable hashing schemes, including Argon2, scrypt, and PBKDF2. For application source code, use a cryptographically secure pseudo-random number generator function instead of an insecure one, such as crypto.randomBytes instead of Math.random in Node.js and java.security.SecureRandom.nextBytes instead of java.util.Random in Java." + name: guidance + id: as-6_gdn + props: + - ns: http://tech.gov.sg/ns/oscal + name: risk-statement + value: "Without salting and hashing, in case of a data breach, exposed passwords can be easily extracted, leading to potential compromise of user accounts and sensitive information." + - ns: http://tech.gov.sg/ns/oscal + name: published + value: 2023-08-01T01:03:42+0800 + - ns: http://tech.gov.sg/ns/oscal + name: last-modified + value: 2024-02-06T01:04:05+0800 + title: Password Salting and Hashing + links: + - href: "#8723fc45-7378-478f-b61f-2e22a170e98c" + rel: reference + text: "MVSP 2.4: Password policy" + - href: "#da71948e-4dff-4a9d-a645-69ced821fe97" + rel: reference + text: "IM8 Cloud Security (IaaS and PaaS): 1.4/S3" + - href: "#9749c983-5562-4a6f-8852-7eecf9b38d2c" + rel: reference + text: "IM8 On-Premise ADS (Non-S): 2.2/S3" + id: as-6 + - parts: + - prose: Perform access control checks on all authenticated requests. + name: statement + id: as-7_smt + - prose: Utilise authorisation filters or middleware to force all authenticated requests to undergo access control checks. + name: guidance + id: as-7_gdn + props: + - ns: http://tech.gov.sg/ns/oscal + name: risk-statement + value: "Failure to perform access control checks on authenticated requests increases the risk of unauthorised access to sensitive data or functionalities, potentially leading to data breaches and misuse of system resources." 
+ - ns: http://tech.gov.sg/ns/oscal + name: published + value: 2023-08-01T01:03:42+0800 + - ns: http://tech.gov.sg/ns/oscal + name: last-modified + value: 2024-02-06T00:47:04+0800 + title: Access Control Check Enforcement + links: + - href: "#8723fc45-7378-478f-b61f-2e22a170e98c" + rel: reference + text: "MVSP 3.3: Vulnerability prevention" + - href: "#da71948e-4dff-4a9d-a645-69ced821fe97" + rel: reference + text: "IM8 Cloud Security (IaaS and PaaS): 1.7/S8a" + id: as-7 + - parts: + - prose: Encrypt and store application secrets in a secret management solution with appropriate access controls and do not hard-code secrets in source code. + name: statement + id: as-8_smt + - prose: Secret management solutions include cloud solutions like AWS Secrets Manager and Azure Key Vault as well as cloud-agnostic solutions like HashiCorp Vault and CyberArk Conjur. + name: guidance + id: as-8_gdn + props: + - ns: http://tech.gov.sg/ns/oscal + name: risk-statement + value: Exposure of sensitive information and unauthorised access to system credentials may occur if application secrets are stored without encryption or if hard-coded in source code. + - ns: http://tech.gov.sg/ns/oscal + name: published + value: 2023-08-01T01:03:42+0800 + - ns: http://tech.gov.sg/ns/oscal + name: last-modified + value: 2024-02-06T01:04:05+0800 + title: Application Secrets Management + links: + - href: "#da71948e-4dff-4a9d-a645-69ced821fe97" + rel: reference + text: "IM8 Cloud Security (IaaS and PaaS): 1.7/S11" + - href: "#9749c983-5562-4a6f-8852-7eecf9b38d2c" + rel: reference + text: "IM8 On-Premise ADS (Non-S): 1.1/S1f, 2.2/S4, 3.1/S1 and 3.1/S4" + id: as-8 + - parts: + - prose: Set minimally permissive CSP response headers to mitigate cross-site scripting attacks. 
+ name: statement + id: as-9_smt + - prose: "Utilise the relevant fetch directives such as `default-src`, `script-src`, `style-src`, `connect-src`, `img-src`, `media-src` and `object-src` to prevent loading of scripts from malicious sources. Refer to the [OWASP Secure Headers Project](#3101b27c-d39c-49fc-b227-e77df8c5e358) Best Practices for recommended header values." + name: guidance + id: as-9_gdn + props: + - ns: http://tech.gov.sg/ns/oscal + name: risk-statement + value: "Without minimally permissive Content Security Policy (CSP) headers, the risk of cross-site scripting attacks, leading to unauthorised script execution and potential data theft, is increased." + - ns: http://tech.gov.sg/ns/oscal + name: published + value: 2023-08-01T01:03:42+0800 + - ns: http://tech.gov.sg/ns/oscal + name: last-modified + value: 2024-02-06T00:47:04+0800 + title: Content Security Policy (CSP) + links: + - href: "#8723fc45-7378-478f-b61f-2e22a170e98c" + rel: reference + text: "MVSP 2.3: Security Headers" + - href: "#da71948e-4dff-4a9d-a645-69ced821fe97" + rel: reference + text: "IM8 Cloud Security (IaaS and PaaS): 1.7/G7" + id: as-9 + - parts: + - prose: Set HTTP Strict Transport Security (HSTS) response headers with a maximum age value of at least 1 year (31536000 seconds) to mitigate protocol downgrade attacks. + name: statement + id: as-10_smt + - prose: "Refer to the [OWASP Secure Headers Project](#3101b27c-d39c-49fc-b227-e77df8c5e358) Best Practices for recommended header values." + name: guidance + id: as-10_gdn + props: + - ns: http://tech.gov.sg/ns/oscal + name: risk-statement + value: "Failure to implement HTTP Strict Transport Security (HSTS) with a sufficient maximum age may expose the system to protocol downgrade attacks, compromising the security of communication channels." 
+ - ns: http://tech.gov.sg/ns/oscal + name: published + value: 2023-10-24T13:54:12+0800 + - ns: http://tech.gov.sg/ns/oscal + name: last-modified + value: 2024-02-06T00:47:04+0800 + title: HTTP Strict Transport Security (HSTS) + links: + - href: "#da71948e-4dff-4a9d-a645-69ced821fe97" + rel: reference + text: "IM8 Cloud Security (IaaS and PaaS): 1.7/G4" + id: as-10 + - parts: + - prose: "Require users to re-authenticate after their session exceeds {{ insert: param, as-11_prm_1 }} hour(s) or terminate the session." + name: statement + id: as-11_smt + - prose: "NIST SP 800-63B recommends re-authentication once per 30 days for Authenticator Assurance Level 1, 12 hours or 30 minutes inactivity for Authenticator Assurance Level 2, and 12 hours or 15 minutes inactivity for Authenticator Assurance Level 3. In addition to time period, system can consider re-authentication when roles, authenticators or credentials change or when the execution of privileged functions occurs." + name: guidance + id: as-11_gdn + props: + - ns: http://tech.gov.sg/ns/oscal + name: risk-statement + value: Not verifying a user regularly and at suitable checkpoints could allow someone who has access to the user's account to carry out unauthorised actions. + - ns: http://tech.gov.sg/ns/oscal + name: published + value: 2024-01-02T16:00:00+0000 + - ns: http://tech.gov.sg/ns/oscal + name: last-modified + value: 2024-02-09T22:54:15+0800 + params: + - id: as-11_prm_1 + label: time period (hours) + class: int + guidelines: + - prose: The maximum time period in hours of a user's session. 
+ title: Session Management + links: + - href: "#0062e6a3-8ac4-44db-92df-8357b437ca0c" + rel: reference + text: "NIST SP 800-53 AC-12: Session Termination" + - href: "#0062e6a3-8ac4-44db-92df-8357b437ca0c" + rel: reference + text: "NIST SP 800-53 IA-11: Re-authentication" + - href: "#ee9148b4-3f31-48c8-8503-24fb5cd73db8" + rel: reference + text: "IM8 Cloud ADS: 2.5/S2" + - href: "#e59c5a7c-8b1f-49ca-8de0-6ee0882180ce" + rel: reference + text: "NIST SP 800-63B 4.2.3: Reauthentication" + - href: "#9749c983-5562-4a6f-8852-7eecf9b38d2c" + rel: reference + text: "IM8 On-Premise ADS (Non-S): 2.5/S2" + id: as-11 + - parts: + - prose: Scan file uploads for malware before further processing by the system or users. + name: statement + id: as-12_smt + - prose: Consider uploading the files to temporary storage for malware scanning on ephemeral compute like serverless functions before moving safe files to another storage for further processing or unsafe files to quarantine storage. + name: guidance + id: as-12_gdn + props: + - ns: http://tech.gov.sg/ns/oscal + name: risk-statement + value: "Without scanning uploaded files for malware, there's an increased risk of exploits or infection for consumers of the files." + - ns: http://tech.gov.sg/ns/oscal + name: published + value: 2024-04-16T16:00:00+0000 + - ns: http://tech.gov.sg/ns/oscal + name: last-modified + value: 2024-04-16T16:00:00+0000 + title: Malware Scanning of Uploaded Files + links: + - href: "#0062e6a3-8ac4-44db-92df-8357b437ca0c" + rel: reference + text: "NIST SP 800-53 SI-3: Malicious Code Protection" + id: as-12 + title: Application Security + id: as + - parts: + - prose: Controls to prevent tampering and improve the integrity of the software supply chain. + name: overview + controls: + - parts: + - prose: Manage the codebase in a central code repository with version control. + name: statement + id: sc-1_smt + - prose: Use common platforms such as SHIP-HATS 2.0 GitLab or equivalents. 
+ name: guidance + id: sc-1_gdn + props: + - ns: http://tech.gov.sg/ns/oscal + name: risk-statement + value: "Absence of centralised code repository and version control increases the risk of code inconsistencies, loss of code history, and difficulties in collaboration, potentially leading to errors and security vulnerabilities." + - ns: http://tech.gov.sg/ns/oscal + name: published + value: 2023-08-01T01:03:42+0800 + - ns: http://tech.gov.sg/ns/oscal + name: last-modified + value: 2024-02-06T01:04:05+0800 + title: Code Repository + links: + - href: "#ee9148b4-3f31-48c8-8503-24fb5cd73db8" + rel: reference + text: "IM8 Cloud ADS: 7.1/S1" + - href: "#9749c983-5562-4a6f-8852-7eecf9b38d2c" + rel: reference + text: "IM8 On-Premise ADS (Non-S): 6.1/S1" + id: sc-1 + - parts: + - prose: Configure the code repository to reject unsigned commits. + name: statement + id: sc-2_smt + - prose: "Use GitLab's push rules, GitHub's branch protection rules or similar code repository controls to reject unsigned commits on push." + name: guidance + id: sc-2_gdn + props: + - ns: http://tech.gov.sg/ns/oscal + name: risk-statement + value: "Allowing unsigned commits in the code repository introduces the risk of unauthorised or malicious code changes, compromising the integrity and security of the software development process." + - ns: http://tech.gov.sg/ns/oscal + name: published + value: 2023-08-01T01:03:42+0800 + - ns: http://tech.gov.sg/ns/oscal + name: last-modified + value: 2023-09-04T21:33:34+0800 + title: Commit Signing + id: sc-2 + - parts: + - prose: Require peer review and approval by a designated reviewer before merging into the default branch. + name: statement + id: sc-3_smt + - prose: "Use GitLab's protected branch and merge request settings, GitHub's branch protection settings or similar code repository controls to enforce this." 
+ name: guidance + id: sc-3_gdn + props: + - ns: http://tech.gov.sg/ns/oscal + name: risk-statement + value: "Without peer review and approval before merging, there is an increased risk of introducing undetected coding errors, security vulnerabilities, and maintaining codebase consistency may become challenging." + - ns: http://tech.gov.sg/ns/oscal + name: published + value: 2023-08-02T11:48:56+0800 + - ns: http://tech.gov.sg/ns/oscal + name: last-modified + value: 2024-02-06T01:04:05+0800 + title: Peer Review + links: + - href: "#da71948e-4dff-4a9d-a645-69ced821fe97" + rel: reference + text: "IM8 Cloud Security (IaaS and PaaS): 1.1/S2" + - href: "#ee9148b4-3f31-48c8-8503-24fb5cd73db8" + rel: reference + text: "IM8 Cloud ADS: 8.1/G1" + - href: "#9749c983-5562-4a6f-8852-7eecf9b38d2c" + rel: reference + text: "IM8 On-Premise ADS (Non-S): 8.1/G1" + id: sc-3 + - parts: + - prose: Pin direct and transitive dependency versions in the application's dependency manifest. + name: statement + id: sc-4_smt + - prose: Dependency manifests such as package-lock.json for npm and Pipfile.lock for pipenv allow you to pin dependency versions. + name: guidance + id: sc-4_gdn + props: + - ns: http://tech.gov.sg/ns/oscal + name: risk-statement + value: "Failure to pin direct and transitive dependency versions in the application's manifest may lead to version drift, introducing compatibility issues, security vulnerabilities, and unpredictability in the software environment." 
+ - ns: http://tech.gov.sg/ns/oscal + name: published + value: 2023-08-02T11:48:56+0800 + - ns: http://tech.gov.sg/ns/oscal + name: last-modified + value: 2024-02-06T01:04:05+0800 + title: Dependency Manifest Version Pinning + links: + - href: "#438199c5-6b38-4704-88d6-a902ee08a433" + rel: reference + text: "SLSA Build L1: Provenance exists" + - href: "#ee9148b4-3f31-48c8-8503-24fb5cd73db8" + rel: reference + text: "IM8 Cloud ADS: 8.1/G4" + - href: "#9749c983-5562-4a6f-8852-7eecf9b38d2c" + rel: reference + text: "IM8 On-Premise ADS (Non-S): 8.1/G4" + id: sc-4 + - parts: + - prose: Provision and operate systems in a consistent manner using automation. + name: statement + id: sc-5_smt + - prose: "Deploy and maintain Infrastructure and Applications with automated and repeatable tools such as CI/CD Pipelines, Infrastructure as Code (IaC) and other scripts. Automated build and deploy pipelines allow for signing and validation of build artefacts. Do not make manual changes directly into production systems." + name: guidance + id: sc-5_gdn + props: + - ns: http://tech.gov.sg/ns/oscal + name: risk-statement + value: "Inconsistent system provisioning and operation, without automation, may lead to configuration drift, increased likelihood of errors, and heightened vulnerability to security breaches due to manual misconfigurations." 
+ - ns: http://tech.gov.sg/ns/oscal + name: published + value: 2023-08-02T11:48:56+0800 + - ns: http://tech.gov.sg/ns/oscal + name: last-modified + value: 2024-02-16T01:34:37+0800 + title: Automated Build and Deploy + links: + - href: "#8723fc45-7378-478f-b61f-2e22a170e98c" + rel: reference + text: "MVSP 3.5: Build process" + - href: "#438199c5-6b38-4704-88d6-a902ee08a433" + rel: reference + text: "SLSA Build L1: Provenance exists" + - href: "#da71948e-4dff-4a9d-a645-69ced821fe97" + rel: reference + text: "IM8 Cloud Security (IaaS and PaaS): 1.7/S22" + - href: "#ee9148b4-3f31-48c8-8503-24fb5cd73db8" + rel: reference + text: "IM8 Cloud ADS: 6.1/G4" + id: sc-5 + - parts: + - prose: "When installing dependencies during deployment, only install pinned versions in the manifest." + name: statement + id: sc-6_smt + - prose: Use package manager commands such as npm ci for npm and pipenv sync for pipenv that ensure only versions specified in the manifest are installed rather than the latest version. + name: guidance + id: sc-6_gdn + props: + - ns: http://tech.gov.sg/ns/oscal + name: risk-statement + value: "Failure to install only pinned versions of dependencies during deployment increases the risk of introducing unforeseen changes, compatibility issues, and potential security vulnerabilities into the deployed environment." + - ns: http://tech.gov.sg/ns/oscal + name: published + value: 2023-08-02T11:48:56+0800 + - ns: http://tech.gov.sg/ns/oscal + name: last-modified + value: 2024-03-31T23:54:33+0800 + title: Dependency Installation during Deployment + links: + - href: "#438199c5-6b38-4704-88d6-a902ee08a433" + rel: reference + text: "SLSA Build L1: Provenance exists" + id: sc-6 + - parts: + - prose: Sign software artefacts such as code and container images using a trusted source during build. + name: statement + id: sc-7_smt + - prose: Use tools or services like Cosign or AWS Signer to sign and verify code. 
+ name: guidance + id: sc-7_gdn + props: + - ns: http://tech.gov.sg/ns/oscal + name: risk-statement + value: "Unsigned code and container images pose a risk of tampering, impersonation, and the injection of malicious code during the build process, compromising the integrity and security of the deployed software." + - ns: http://tech.gov.sg/ns/oscal + name: published + value: 2023-08-02T11:48:56+0800 + - ns: http://tech.gov.sg/ns/oscal + name: last-modified + value: 2024-03-31T23:54:39+0800 + title: Software Artefact Signing + links: + - href: "#438199c5-6b38-4704-88d6-a902ee08a433" + rel: reference + text: "SLSA Build L2: Hosted build platform" + - href: "#ee9148b4-3f31-48c8-8503-24fb5cd73db8" + rel: reference + text: "IM8 Cloud ADS: 1.7/G9" + - href: "#ee9148b4-3f31-48c8-8503-24fb5cd73db8" + rel: reference + text: "IM8 Cloud ADS: 8.1/G1" + id: sc-7 + - parts: + - prose: Verify the signatures of code and artefacts before deployment or runtime. + name: statement + id: sc-8_smt + - prose: Implement a signature verification step such as a pipeline stage or Kubernetes Admission Controller. + name: guidance + id: sc-8_gdn + props: + - ns: http://tech.gov.sg/ns/oscal + name: risk-statement + value: "Without verifying the signatures of code and artefacts before deployment or runtime, there's an increased risk of deploying tampered or malicious software, compromising the integrity and security of the system." 
+ - ns: http://tech.gov.sg/ns/oscal + name: published + value: 2023-08-02T11:48:56+0800 + - ns: http://tech.gov.sg/ns/oscal + name: last-modified + value: 2024-03-31T23:54:45+0800 + title: Software Artefact Signature Verification + links: + - href: "#438199c5-6b38-4704-88d6-a902ee08a433" + rel: reference + text: "SLSA Build L2: Hosted build platform" + - href: "#da71948e-4dff-4a9d-a645-69ced821fe97" + rel: reference + text: "IM8 Cloud ADS: 1.7/G9" + - href: "#da71948e-4dff-4a9d-a645-69ced821fe97" + rel: reference + text: "IM8 Cloud Security (IaaS and PaaS): 1.7/S20" + - href: "#ee9148b4-3f31-48c8-8503-24fb5cd73db8" + rel: reference + text: "IM8 Cloud ADS: 8.1/G12" + id: sc-8 + - parts: + - prose: "Share source code within Government to enhance code quality, accelerate innovation, and improve problem-solving efficiency." + name: statement + id: sc-9_smt + - prose: "Adopt Innersource practices for internal collaboration, utilizing platforms like SHIP-HATS GitLab to manage and share code repositories in Government. Source code should be evaluated for suitability for innersourcing, such as the use of confidential algorithms or embedded sensitive data. The Innersource guidelines published in Developers Portal provide a useful framework for code sharing." + name: guidance + id: sc-9_gdn + props: + - ns: http://tech.gov.sg/ns/oscal + name: risk-statement + value: "Restricting code repositories to closed source can result in duplicated efforts, hinder collaborative learning, and lead to missed bugs or vulnerabilities." 
+ - ns: http://tech.gov.sg/ns/oscal + name: published + value: 2024-01-25T00:00:00+0800 + - ns: http://tech.gov.sg/ns/oscal + name: last-modified + value: 2024-03-31T23:54:54+0800 + title: Internal Code Collaboration and Sharing + links: + - href: "#59a45aeb-ab47-406c-875f-0ebbc4ec00e1" + rel: reference + text: Singapore Government Developer Portal - Innersource + id: sc-9 + title: Software Supply Chain + id: sc + - parts: + - prose: Controls to validate the security of a system via internal and external testing. + name: overview + controls: + - parts: + - prose: "Run regular {{ insert: param, st-1_prm_1 }} vulnerability assessment scans for eligible hosts." + name: statement + id: st-1_smt + - prose: "Select agent-based or network-based scans as necessary. Implement authenticated scans where possible for greater coverage. Use scanners such as Amazon Inspector or Microsoft Defender for Cloud for continuous scanning of cloud systems. For on-premises systems or systems that require periodic scans, subscribe to Vulnerability Management System (VMS)." + name: guidance + id: st-1_gdn + props: + - ns: http://tech.gov.sg/ns/oscal + name: risk-statement + value: "Without regular vulnerability assessment scans, hosts remain exposed to undetected security vulnerabilities or misconfigurations, increasing the risk of exploitation and unauthorised access to critical systems." + - ns: http://tech.gov.sg/ns/oscal + name: published + value: 2023-08-02T10:22:32+0800 + - ns: http://tech.gov.sg/ns/oscal + name: last-modified + value: 2024-05-10T01:26:00+0800 + params: + - id: st-1_prm_1 + label: type + class: str + guidelines: + - prose: The type of vulnerability assessment scanning. + title: Vulnerability Assessment + links: + - href: "#da71948e-4dff-4a9d-a645-69ced821fe97" + rel: reference + text: "IM8 Cloud Security (IaaS and PaaS): 1.8/S1" + id: st-1 + - parts: + - prose: Set up cloud security posture management that performs continuous configuration scans on cloud assets. 
+ name: statement + id: st-2_smt + - prose: "Use cloud security posture management tools such as CloudSCAPE, AWS Security Hub, and Datadog Cloud Security Posture Management." + name: guidance + id: st-2_gdn + props: + - ns: http://tech.gov.sg/ns/oscal + name: risk-statement + value: "Lack of continuous configuration scans through cloud security posture management increases the risk of misconfigurations in cloud assets, leading to security vulnerabilities, data breaches, and unauthorised access." + - ns: http://tech.gov.sg/ns/oscal + name: published + value: 2023-08-02T10:22:32+0800 + - ns: http://tech.gov.sg/ns/oscal + name: last-modified + value: 2024-02-06T00:47:04+0800 + title: Cloud Security Posture Management + links: + - href: "#da71948e-4dff-4a9d-a645-69ced821fe97" + rel: reference + text: "IM8 Cloud Security (IaaS and PaaS): 1.1/S6" + id: st-2 + - parts: + - prose: Display a way to responsibly disclose vulnerabilities via the Government Vulnerability Disclosure Programme. + name: statement + id: st-3_smt + - prose: "Add a link to https://go.gov.sg/report-vulnerability on all pages, such as in the footer." + name: guidance + id: st-3_gdn + props: + - ns: http://tech.gov.sg/ns/oscal + name: risk-statement + value: Publicly disclosing vulnerabilities without following a responsible disclosure process increases the risk of malicious exploitation; responsible disclosure via the Government Vulnerability Disclosure Programme ensures a coordinated and secure approach to addressing vulnerabilities. 
+ - ns: http://tech.gov.sg/ns/oscal + name: published + value: 2023-08-02T10:22:32+0800 + - ns: http://tech.gov.sg/ns/oscal + name: last-modified + value: 2024-02-06T01:04:05+0800 + title: Vulnerability Disclosure Programme + links: + - href: "#8723fc45-7378-478f-b61f-2e22a170e98c" + rel: reference + text: "MVSP 1.1: Vulnerability reports" + - href: "#9749c983-5562-4a6f-8852-7eecf9b38d2c" + rel: reference + text: "IM8 On-Premise ADS (Non-S): 5.1/S4" + id: st-3 + - parts: + - prose: "Conduct and document a penetration test by internal teams or independent external parties every {{ insert: param, st-4_prm_1 }} day(s)." + name: statement + id: st-4_smt + - prose: A white-box penetration test should be performed to effectively test the application. + name: guidance + id: st-4_gdn + props: + - ns: http://tech.gov.sg/ns/oscal + name: risk-statement + value: "Without conducting and documenting penetration tests, there's an increased risk of undetected security weaknesses, leaving the application susceptible to exploitation, data breaches, and unauthorised access." + - ns: http://tech.gov.sg/ns/oscal + name: published + value: 2023-08-02T10:22:32+0800 + - ns: http://tech.gov.sg/ns/oscal + name: last-modified + value: 2024-02-09T22:54:15+0800 + params: + - id: st-4_prm_1 + label: time period (days) + class: int + guidelines: + - prose: The time period in days of penetration testing frequency. 
+ title: Penetration Testing + links: + - href: "#8723fc45-7378-478f-b61f-2e22a170e98c" + rel: reference + text: "MVSP 1.4: External testing" + - href: "#da71948e-4dff-4a9d-a645-69ced821fe97" + rel: reference + text: "IM8 Cloud Security (IaaS and PaaS): 1.8/S1" + - href: "#9749c983-5562-4a6f-8852-7eecf9b38d2c" + rel: reference + text: "IM8 On-Premise ADS (Non-S): 4.1/S1" + id: st-4 + - parts: + - parts: + - prose: "Critical: {{ insert: param, st-5_prm_1 }} day(s)" + name: item + id: st-5_smt.1 + props: + - name: label + value: "1" + - prose: "High: {{ insert: param, st-5_prm_2 }} day(s)" + name: item + id: st-5_smt.2 + props: + - name: label + value: "2" + - prose: "Medium: {{ insert: param, st-5_prm_3 }} day(s)" + name: item + id: st-5_smt.3 + props: + - name: label + value: "3" + - prose: "Low: {{ insert: param, st-5_prm_4 }} day(s)" + name: item + id: st-5_smt.4 + props: + - name: label + value: "4" + prose: "Triage and then remediate or risk accept all true positive vulnerability findings discovered through security testing within the following timeframe based on severity:" + name: statement + id: st-5_smt + - prose: Seek approval from the appropriate approving authority for risk acceptance. + name: guidance + id: st-5_gdn + props: + - ns: http://tech.gov.sg/ns/oscal + name: risk-statement + value: "Failure to promptly remediate vulnerabilities increases the risk of potential exploits, security breaches, and prolonged exposure to known vulnerabilities in the system." + - ns: http://tech.gov.sg/ns/oscal + name: published + value: 2023-08-02T10:22:32+0800 + - ns: http://tech.gov.sg/ns/oscal + name: last-modified + value: 2024-02-09T22:54:15+0800 + params: + - id: st-5_prm_1 + label: time period (days) + class: int + guidelines: + - prose: The time period in days to remediate or risk accept critical vulnerability findings. 
+ - id: st-5_prm_2 + label: time period (days) + class: int + guidelines: + - prose: The time period in days to remediate or risk accept high vulnerability findings. + - id: st-5_prm_3 + label: time period (days) + class: int + guidelines: + - prose: The time period in days to remediate or risk accept medium vulnerability findings. + - id: st-5_prm_4 + label: time period (days) + class: int + guidelines: + - prose: The time period in days to remediate or risk accept low vulnerability findings. + title: Vulnerability Management + links: + - href: "#8723fc45-7378-478f-b61f-2e22a170e98c" + rel: reference + text: "MVSP 3.4: Time to fix vulnerabilities" + - href: "#da71948e-4dff-4a9d-a645-69ced821fe97" + rel: reference + text: "IM8 Cloud Security (IaaS and PaaS): 1.8/S3" + - href: "#da71948e-4dff-4a9d-a645-69ced821fe97" + rel: reference + text: "IM8 Cloud Security (IaaS and PaaS): 1.8/S4" + - href: "#9749c983-5562-4a6f-8852-7eecf9b38d2c" + rel: reference + text: "IM8 On-Premise ADS (Non-S): 5.1/S3" + id: st-5 + title: Security Testing + id: st + - parts: + - prose: Controls to secure the network boundaries of a system. + name: overview + controls: + - parts: + - prose: "Place private resources (e.g., databases) in private subnets and public resources (e.g., reverse proxies, web servers) in public subnets within a virtual network." + name: statement + id: ns-1_smt + - prose: "This control does not apply to serverless resources (API Gateways), static sites or assets fronted by CDNs (e.g., CloudFlare, CloudFront) which are located outside of the virtual network. Private subnets do not allow direct connections from the internet while public subnets do. However, resources in private segments can connect to the internet via NAT Gateways in public subnets in the same virtual network." 
+ name: guidance + id: ns-1_gdn + props: + - ns: http://tech.gov.sg/ns/oscal + name: risk-statement + value: "Failure to segregate private and public resources within distinct subnets in a virtual network increases the risk of unauthorised access to sensitive data, as private resources may be exposed to the public internet, compromising the overall security of the infrastructure." + - ns: http://tech.gov.sg/ns/oscal + name: published + value: 2023-08-02T14:26:27+0800 + - ns: http://tech.gov.sg/ns/oscal + name: last-modified + value: 2024-02-06T01:04:05+0800 + title: Public and Private Subnet Segmentation + links: + - href: "#da71948e-4dff-4a9d-a645-69ced821fe97" + rel: reference + text: "IM8 Cloud Security (IaaS and PaaS): 1.5/S1" + - href: "#da71948e-4dff-4a9d-a645-69ced821fe97" + rel: reference + text: "IM8 Cloud Security (IaaS and PaaS): 1.5/S2" + - href: "#da71948e-4dff-4a9d-a645-69ced821fe97" + rel: reference + text: "IM8 Cloud Security (IaaS and PaaS): 1.7/S14" + - href: "#f3057503-f399-4735-9d7b-ea9830f3b2ac" + rel: reference + text: "IM8 On-Premise IS (Non-S): 4.2/S1a" + - href: "#52e1d19c-bf27-4de8-b66a-c2523c9a0d69" + rel: reference + text: "IM8 On-Premise AAS (Non-S): 1.1/S1, 2.1/S1" + - href: "#da71948e-4dff-4a9d-a645-69ced821fe97" + rel: reference + text: "IM8 Cloud Security (IaaS and PaaS): 1.5/S6b" + id: ns-1 + - parts: + - prose: "Restrict access to CSP resources outside of a virtual network (e.g., Lambda, DynamoDb, API Gateways, S3, CloudFront) using access controls or application layer authorisation." + name: statement + id: ns-2_smt + - prose: |- + Apply access restrictions appropriate to the resource type. Access through interface VPC endpoints is only required if the client is hosted in a private subnet. For example: + + - Restrict access to DynamoDB with IAM policies. + + - Restrict access to API Gateway with Lambda Authorizers or authorisation middlewares at the application layer. 
If the API Gateway is exposed to private subnets, create a [private API](#38e183ce-b5ab-420a-b910-94c444e878f3). + + - Restrict access to S3 Buckets with IAM policies and block public access from the internet. + name: guidance + id: ns-2_gdn + props: + - ns: http://tech.gov.sg/ns/oscal + name: risk-statement + value: "Lack of access restrictions raises the risk of unauthorised access, data exposure, and potential misuse of critical services, compromising the overall security posture." + - ns: http://tech.gov.sg/ns/oscal + name: published + value: 2023-08-02T14:26:27+0800 + - ns: http://tech.gov.sg/ns/oscal + name: last-modified + value: 2024-02-06T00:47:04+0800 + title: Access Restrictions on CSP Resources Outside Virtual Network + links: + - href: "#da71948e-4dff-4a9d-a645-69ced821fe97" + rel: reference + text: "IM8 Cloud Security (IaaS and PaaS): 1.5/S2" + - href: "#da71948e-4dff-4a9d-a645-69ced821fe97" + rel: reference + text: "IM8 Cloud Security (IaaS and PaaS): 1.5/S5" + - href: "#da71948e-4dff-4a9d-a645-69ced821fe97" + rel: reference + text: "IM8 Cloud Security (IaaS and PaaS): 1.7/S23" + id: ns-2 + - parts: + - prose: Deny network communications traffic by default and allow network communications traffic by exception at managed interfaces. + name: statement + id: ns-3_smt + - prose: "Configure network access control lists and security groups to deny all traffic by default. Only allow traffic to and from specific hosts and ports by exception. For egress traffic to the internet, consider whitelisting domains at the application layer or DNS resolver rather than just hosts or ports at the transport layer." + name: guidance + id: ns-3_gdn + props: + - ns: http://tech.gov.sg/ns/oscal + name: risk-statement + value: "Without network access controls, there's an increased risk of unauthorised or malicious network access, leading to potential security breaches and compromise of system integrity." 
+ - ns: http://tech.gov.sg/ns/oscal + name: published + value: 2023-08-11T22:26:01+0800 + - ns: http://tech.gov.sg/ns/oscal + name: last-modified + value: 2024-02-09T22:54:15+0800 + title: Deny by Default - Allow by Exception + links: + - href: "#0062e6a3-8ac4-44db-92df-8357b437ca0c" + rel: reference + text: "NIST SP 800-53 SC-7(5): Deny by Default - Allow by Exception" + - href: "#da71948e-4dff-4a9d-a645-69ced821fe97" + rel: reference + text: "IM8 Cloud Security (IaaS and PaaS): 1.5/S3" + - href: "#da71948e-4dff-4a9d-a645-69ced821fe97" + rel: reference + text: "IM8 Cloud Security (IaaS and PaaS): 1.5/S5" + - href: "#da71948e-4dff-4a9d-a645-69ced821fe97" + rel: reference + text: "IM8 Cloud Security (IaaS and PaaS): 1.6/S1h" + - href: "#da71948e-4dff-4a9d-a645-69ced821fe97" + rel: reference + text: "IM8 Cloud Security (IaaS and PaaS): 1.7/S23b" + - href: "#f3057503-f399-4735-9d7b-ea9830f3b2ac" + rel: reference + text: "IM8 On-Premise IS (Non-S): 4.2/S1b" + - href: "#52e1d19c-bf27-4de8-b66a-c2523c9a0d69" + rel: reference + text: "IM8 On-Premise AAS (Non-S): 2.2/S1" + id: ns-3 + - parts: + - prose: Route network traffic between private networks without going through the internet. + name: statement + id: ns-4_smt + - prose: "Use CSP Private endpoint services (e.g., AWS PrivateLink with VPC endpoints) when you want to allow one or more consumer VPCs unidirectional access to a specific service or set of instances in the service provider VPC. Otherwise, use VPC peering and Transit Gateway when you want to enable layer-3 IP connectivity between VPCs. Refer to the [Multi-VPC AWS Network Infrastructure Whitepaper](#9022563f-00b5-48d1-99a6-187503e7f869) for further guidance." + name: guidance + id: ns-4_gdn + props: + - ns: http://tech.gov.sg/ns/oscal + name: risk-statement + value: "When routing through the internet, there's an increased risk of man-in-the-middle and spoofing attacks. 
Allowing bidirectional access between networks without fine-grained access controls increases the risk of unauthorized access, potential data exfiltration, and compromise of network security compared to unidirectional access to specific resources." + - ns: http://tech.gov.sg/ns/oscal + name: published + value: 2023-08-11T22:26:01+0800 + - ns: http://tech.gov.sg/ns/oscal + name: last-modified + value: 2024-02-06T00:47:04+0800 + title: Inter-Private Network Connectivity + links: + - href: "#da71948e-4dff-4a9d-a645-69ced821fe97" + rel: reference + text: "IM8 Cloud Security (IaaS and PaaS): 1.5/S7" + - href: "#da71948e-4dff-4a9d-a645-69ced821fe97" + rel: reference + text: "IM8 Cloud Security (IaaS and PaaS): 1.5/S4" + id: ns-4 + - parts: + - prose: Filter direct traffic from the internet to protect against network and application layer attacks. + name: statement + id: ns-5_smt + - prose: |- + Deploy the following as required: + + - Web Application Firewall + + - Distributed Denial of Service Protection (e.g., AWS Shield) + + - Content Delivery Network (e.g., CloudFront) + name: guidance + id: ns-5_gdn + props: + - ns: http://tech.gov.sg/ns/oscal + name: risk-statement + value: "Lack of filtering for direct traffic from the internet exposes the system to the risk of network and application layer attacks, increasing the likelihood of unauthorised access, denial-of-service incidents, and compromise of sensitive data." 
+ - ns: http://tech.gov.sg/ns/oscal + name: published + value: 2023-08-11T22:26:01+0800 + - ns: http://tech.gov.sg/ns/oscal + name: last-modified + value: 2024-02-06T01:04:05+0800 + title: Network and Application Layer Filtering + links: + - href: "#da71948e-4dff-4a9d-a645-69ced821fe97" + rel: reference + text: "IM8 Cloud Security (IaaS and PaaS): 1.5/S5" + - href: "#9749c983-5562-4a6f-8852-7eecf9b38d2c" + rel: reference + text: "IM8 On-Premise ADS (Non-S): 1.1/S4" + id: ns-5 + - parts: + - parts: + - prose: signed by a trusted root Certificate Authority; + name: item + id: ns-6_smt.1 + props: + - name: label + value: "1" + - prose: match the domain name of the service they are issued for; + name: item + id: ns-6_smt.2 + props: + - name: label + value: "2" + - prose: not expired; and + name: item + id: ns-6_smt.3 + props: + - name: label + value: "3" + - prose: not revoked. + name: item + id: ns-6_smt.4 + props: + - name: label + value: "4" + prose: "Ensure that deployed SSL/TLS certificates are:" + name: statement + id: ns-6_smt + - prose: "Configure a certificate manager that auto-renews certificates and sends alerts before expiry (e.g., AWS Certificate Manager). Otherwise, automate these functions separately." + name: guidance + id: ns-6_gdn + props: + - ns: http://tech.gov.sg/ns/oscal + name: risk-statement + value: "Using invalid SSL/TLS certificates introduces the risk of compromised encryption, man-in-the-middle attacks, and potential unauthorised access to sensitive information." 
+ - ns: http://tech.gov.sg/ns/oscal + name: published + value: 2023-08-11T22:26:01+0800 + - ns: http://tech.gov.sg/ns/oscal + name: last-modified + value: 2024-02-09T23:02:51+0800 + title: Valid and Trusted SSL/TLS Certificates + links: + - href: "#da71948e-4dff-4a9d-a645-69ced821fe97" + rel: reference + text: "IM8 Cloud Security (IaaS and PaaS): 1.5/S8" + id: ns-6 + - parts: + - prose: "Ensure communications between services are secure by making them authenticated, authorised and encrypted." + name: statement + id: ns-7_smt + - prose: "Design and build inter-service communications (e.g., databases, microservices) to be authenticated, authorised and encrypted (e.g., via API gateways, proxies, private endpoint services, message queues, or service meshes). It is recommended to log communication (such as access logs, transaction logs or payloads) between services for detection, monitoring and investigation of incidents." + name: guidance + id: ns-7_gdn + props: + - ns: http://tech.gov.sg/ns/oscal + name: risk-statement + value: "Failure to ensure secure communications between services increases the risk of unauthorised access, data breaches, and potential manipulation of sensitive information during transit." + - ns: http://tech.gov.sg/ns/oscal + name: published + value: 2023-08-11T22:26:01+0800 + - ns: http://tech.gov.sg/ns/oscal + name: last-modified + value: 2024-01-19T17:00:00+0800 + title: Secure Inter-Service Communication + id: ns-7 + - parts: + - prose: Route network traffic between on-premises systems and GCC systems through a secure intermediary. + name: statement + id: ns-8_smt + - prose: "Design and build secure communications to or from on-premises systems (e.g. Government Enterprise Network (GEN)) through a Gateway rather than direct connectivity (e.g. via API gateways, Application proxies or private endpoint services)." 
+ name: guidance + id: ns-8_gdn + props: + - ns: http://tech.gov.sg/ns/oscal + name: risk-statement + value: Routing network traffic through a secure intermediary mitigates the risk of unauthorised access and cross-network compromise in the case of bridging or direct connectivity. + - ns: http://tech.gov.sg/ns/oscal + name: published + value: 2023-08-23T23:58:33+0800 + - ns: http://tech.gov.sg/ns/oscal + name: last-modified + value: 2023-09-18T16:12:40+0800 + title: Secure Government Enterprise Network (GEN) connectivity + id: ns-8 + - parts: + - prose: Set up and configure an Intrusion Prevention System (IPS)/Intrusion Detection System (IDS) in the network. + name: statement + id: ns-9_smt + - prose: Configure network or host IPS/IDS to detect malicious traffic to/from public or untrusted networks. + name: guidance + id: ns-9_gdn + props: + - ns: http://tech.gov.sg/ns/oscal + name: risk-statement + value: "Absence of network or host IPS or IDS in the network increases the likelihood of undetected intrusions, putting sensitive data and system integrity at risk." + - ns: http://tech.gov.sg/ns/oscal + name: published + value: 2023-10-27T16:02:27+0800 + - ns: http://tech.gov.sg/ns/oscal + name: last-modified + value: 2024-02-06T01:04:05+0800 + title: Intrusion Prevention System (IPS)/Intrusion Detection System (IDS) + links: + - href: "#f3057503-f399-4735-9d7b-ea9830f3b2ac" + rel: reference + text: "IM8 On-Premise IS (Non-S): 4.2/S3d" + id: ns-9 + - parts: + - prose: "Implement strong access controls, encryption, and logging for remote developer, maintainer, or administrator access to private network resources." + name: statement + id: ns-10_smt + - prose: |- + Use strong authentication and MFA (except for mobile GFE). 
Layered security mechanisms and controls include: + + Inspect traffic from gateway to private network; + + Terminate all remote access connections in a dedicated network segment within the network and restrict access to only systems and services allowed by the Agencies; Implement strong encryption for remote access into school staff network; Only authorised Government Furnished Equipment (GFE) shall be used for remote access connection to SSN; Make sure that remote access connections are not perpetual or to re-authenticate remote users to the VPN gateway on a periodic basis (such as every four hours); Set the maximum number of consecutive failed authentication attempts before account lockout for remote access into SSN; and Make sure that split tunnelling is not implemented. + name: guidance + id: ns-10_gdn + props: + - ns: http://tech.gov.sg/ns/oscal + name: risk-statement + value: "Weak private network security may expose our network to malicious activities, jeopardizing the confidentiality, integrity, and availability of critical resources." + - ns: http://tech.gov.sg/ns/oscal + name: published + value: 2023-10-27T16:06:38+0800 + - ns: http://tech.gov.sg/ns/oscal + name: last-modified + value: 2024-02-09T22:54:15+0800 + title: Private Network Connectivity + links: + - href: "#f3057503-f399-4735-9d7b-ea9830f3b2ac" + rel: reference + text: "IM8 On-Premise IS (Non-S): 5.4" + id: ns-10 + - parts: + - prose: "Generate alerts to inform appointed administrators on changes to firewall rules, including the enabling or disabling of rules." + name: statement + id: ns-11_smt + - prose: "Implement real time alerts to inform administrators of creation, deletion, modification, enabling and disabling of firewall rules. Also alert administrators when unusual or sudden spike/drop in utilisation of firewall's system resources." 
+ name: guidance + id: ns-11_gdn + props: + - ns: http://tech.gov.sg/ns/oscal + name: risk-statement + value: Any unintended changes to firewall rules can significantly lower the perimeter defence of a network. + - ns: http://tech.gov.sg/ns/oscal + name: published + value: 2024-02-29T16:06:38+0800 + - ns: http://tech.gov.sg/ns/oscal + name: last-modified + value: 2024-02-06T01:04:05+0800 + title: Alerts on Firewall Configuration Changes + links: + - href: "#f3057503-f399-4735-9d7b-ea9830f3b2ac" + rel: reference + text: "IM8 On-Premise IS (Non-S): 4.3/S2" + id: ns-11 + title: Network Security + id: ns + - parts: + - prose: Controls to support backup and disaster recovery. + name: overview + controls: + - parts: + - prose: "Regularly backup all important data and systems, and store backups in a secure and separate location." + name: statement + id: br-1_smt + - prose: "Use default CSP-managed backup services (e.g., AWS Backup, Azure Backup, GCP Backup and DR Service). Consider alternative backup services only when default CSP services cannot be used. Store backups and snapshots separately to primary data storage with data encrypted-at-rest." + name: guidance + id: br-1_gdn + props: + - ns: http://tech.gov.sg/ns/oscal + name: risk-statement + value: "Without regular backups stored in a secure and separate location, there is an increased risk of data loss, system failures, and extended downtime in the event of accidental deletion, hardware failures, or malicious attacks." 
+ - ns: http://tech.gov.sg/ns/oscal + name: published + value: 2023-08-10T18:00:44+0800 + - ns: http://tech.gov.sg/ns/oscal + name: last-modified + value: 2024-02-06T01:04:05+0800 + title: Backup + links: + - href: "#8723fc45-7378-478f-b61f-2e22a170e98c" + rel: reference + text: "MVSP 4.4: Backup and Disaster recovery" + - href: "#da71948e-4dff-4a9d-a645-69ced821fe97" + rel: reference + text: "IM8 Cloud Security (IaaS and PaaS): 1.2/S2" + - href: "#f3057503-f399-4735-9d7b-ea9830f3b2ac" + rel: reference + text: "IM8 On-Premise IS (Non-S): 1.5/S1" + id: br-1 + - parts: + - prose: Conduct regular testing of recovery processes to ensure their effectiveness. + name: statement + id: br-2_smt + - prose: Ensure each test verifies the system's ability to fully restore all data and services. + name: guidance + id: br-2_gdn + props: + - ns: http://tech.gov.sg/ns/oscal + name: risk-statement + value: "Failure to regularly test recovery processes may result in ineffective response during actual incidents, increasing the risk of prolonged downtime, data loss, and compromised business continuity in the event of a disaster or system failure." + - ns: http://tech.gov.sg/ns/oscal + name: published + value: 2023-08-10T18:00:44+0800 + - ns: http://tech.gov.sg/ns/oscal + name: last-modified + value: 2024-02-06T01:04:05+0800 + title: Recovery Testing + links: + - href: "#8723fc45-7378-478f-b61f-2e22a170e98c" + rel: reference + text: "MVSP 4.4: Backup and Disaster recovery" + - href: "#da71948e-4dff-4a9d-a645-69ced821fe97" + rel: reference + text: "IM8 Cloud Security (IaaS and PaaS): 1.2/S1d" + - href: "#f3057503-f399-4735-9d7b-ea9830f3b2ac" + rel: reference + text: "IM8 On-Premise IS (Non-S): 1.5/S1d" + id: br-2 + - parts: + - prose: "Prevent backups from being modified or deleted for {{ insert: param, br-3_prm_1 }} day(s) or as stipulated in the agency's data retention policies." 
+ name: statement + id: br-3_smt + - prose: Use S3 Object Lock or immutable storage for Azure Blob Storage to enforce time-based retention policies. + name: guidance + id: br-3_gdn + props: + - ns: http://tech.gov.sg/ns/oscal + name: risk-statement + value: "Lack of prevention measures against the modification or deletion of backups for the specified duration increases the risk of data loss, unauthorised alterations, and potential inability to recover from incidents, compromising the integrity and availability of critical information." + - ns: http://tech.gov.sg/ns/oscal + name: published + value: 2023-08-28T17:32:36+0800 + - ns: http://tech.gov.sg/ns/oscal + name: last-modified + value: 2024-02-09T22:54:15+0800 + params: + - id: br-3_prm_1 + label: time period (days) + class: int + guidelines: + - prose: The time period in days of backup retention. + title: Backup Retention + links: + - href: "#8723fc45-7378-478f-b61f-2e22a170e98c" + rel: reference + text: "MVSP 4.4: Backup and Disaster recovery" + - href: "#da71948e-4dff-4a9d-a645-69ced821fe97" + rel: reference + text: "IM8 Cloud Security (IaaS and PaaS): 1.2/S1b" + - href: "#f3057503-f399-4735-9d7b-ea9830f3b2ac" + rel: reference + text: "IM8 On-Premise IS (Non-S): 1.5/S2c" + id: br-3 + title: Backup and Recovery + id: br + - parts: + - prose: Controls to protect the data of a system. + name: overview + controls: + - parts: + - prose: Enforce data residency of primary data in Singapore. + name: statement + id: dp-1_smt + - prose: "Use the Singapore region of cloud service providers for compute and storage of primary data, such as ap-southeast-1 for AWS." 
+ name: guidance + id: dp-1_gdn + props: + - ns: http://tech.gov.sg/ns/oscal + name: risk-statement + value: "Failure to enforce data residency of primary data in Singapore may lead to legal and regulatory compliance issues, privacy concerns, and potential unauthorised access or storage of sensitive data outside the jurisdiction, increasing the risk of legal consequences and data breaches." + - ns: http://tech.gov.sg/ns/oscal + name: published + value: 2023-08-10T23:29:40+0800 + - ns: http://tech.gov.sg/ns/oscal + name: last-modified + value: 2024-02-06T01:04:05+0800 + title: Data Residency + links: + - href: "#8723fc45-7378-478f-b61f-2e22a170e98c" + rel: reference + text: "MVSP 1.6: Compliance" + - href: "#da71948e-4dff-4a9d-a645-69ced821fe97" + rel: reference + text: "IM8 Cloud Security (IaaS and PaaS): 1.3/S3" + - href: "#f3057503-f399-4735-9d7b-ea9830f3b2ac" + rel: reference + text: "IM8 On-Premise IS (Non-S): 1.1/S1a" + id: dp-1 + - parts: + - prose: Encrypt data at rest. + name: statement + id: dp-2_smt + - prose: Many CSP services encrypt data at rest by default but this should be confirmed and validated depending on service usage. + name: guidance + id: dp-2_gdn + props: + - ns: http://tech.gov.sg/ns/oscal + name: risk-statement + value: "Without encrypting data at rest, there's an increased risk of unauthorised access and data exposure in the event of physical theft, unauthorised access to storage media, or compromised security controls, compromising the confidentiality of stored information." 
+ - ns: http://tech.gov.sg/ns/oscal + name: published + value: 2023-08-10T23:29:40+0800 + - ns: http://tech.gov.sg/ns/oscal + name: last-modified + value: 2024-02-06T01:04:05+0800 + title: Data at Rest Encryption + links: + - href: "#8723fc45-7378-478f-b61f-2e22a170e98c" + rel: reference + text: "MVSP 2.8: Encryption" + - href: "#da71948e-4dff-4a9d-a645-69ced821fe97" + rel: reference + text: "IM8 Cloud Security (IaaS and PaaS): 1.3/S2a" + - href: "#9749c983-5562-4a6f-8852-7eecf9b38d2c" + rel: reference + text: "IM8 On-Premise ADS (Non-S): 1.1/S1h" + id: dp-2 + - parts: + - prose: Encrypt data in transit. + name: statement + id: dp-3_smt + - prose: "While some CSP services transparently encrypt data in transit at the network layer, data at the application layer should be encrypted using protocols such as Transport Layer Security (TLS)." + name: guidance + id: dp-3_gdn + props: + - ns: http://tech.gov.sg/ns/oscal + name: risk-statement + value: "Failure to encrypt data in transit increases the risk of unauthorised interception and eavesdropping, potentially leading to data breaches, unauthorised access, and compromise of sensitive information during transmission." + - ns: http://tech.gov.sg/ns/oscal + name: published + value: 2023-08-10T23:29:40+0800 + - ns: http://tech.gov.sg/ns/oscal + name: last-modified + value: 2024-02-06T01:04:05+0800 + title: Data in Transit Encryption + links: + - href: "#8723fc45-7378-478f-b61f-2e22a170e98c" + rel: reference + text: "MVSP 2.8: Encryption" + - href: "#da71948e-4dff-4a9d-a645-69ced821fe97" + rel: reference + text: "IM8 Cloud Security (IaaS and PaaS): 1.3/S2b" + - href: "#9749c983-5562-4a6f-8852-7eecf9b38d2c" + rel: reference + text: "IM8 On-Premise ADS (Non-S): 3.1/S3" + id: dp-3 + - parts: + - prose: "Host systems classified as CONFIDENTIAL (CLOUD-ELIGIBLE), RESTRICTED, or OFFICIAL-CLOSED on Commercial Cloud hosting environments in GCC." 
+ name: statement + id: dp-4_smt + - prose: GCC allows oversight to be maintained at the Whole-of-Government level and implements several controls by default. + name: guidance + id: dp-4_gdn + props: + - ns: http://tech.gov.sg/ns/oscal + name: risk-statement + value: "Hosting higher-sensitivity systems in Government on Commercial Cloud (GCC) ensures compliance with security classifications, reducing the risk of unauthorised access and maintaining data confidentiality according to government security standards." + - ns: http://tech.gov.sg/ns/oscal + name: published + value: 2023-08-18T12:51:56+0800 + - ns: http://tech.gov.sg/ns/oscal + name: last-modified + value: 2024-02-06T00:47:04+0800 + title: Government on Commercial Cloud (GCC) + links: + - href: "#8723fc45-7378-478f-b61f-2e22a170e98c" + rel: reference + text: "MVSP 1.6: Compliance" + - href: "#da71948e-4dff-4a9d-a645-69ced821fe97" + rel: reference + text: "IM8 Cloud Security (IaaS and PaaS): 1.1/S4" + id: dp-4 + - parts: + - prose: Sanitise all hardware that stores data at rest. Shred or incinerate data storage meant for retirement. + name: statement + id: dp-5_smt + - prose: Use industry standards such as a) Peter Gutmann Secure Deletion; b) Bruce Schneier Algorithm c) US Department of Defence's Standards (DoD 5220.22-M). + name: guidance + id: dp-5_gdn + props: + - ns: http://tech.gov.sg/ns/oscal + name: risk-statement + value: Violating this control can expose government data to unauthorised users. + - ns: http://tech.gov.sg/ns/oscal + name: published + value: 2023-10-27T16:50:47+0800 + - ns: http://tech.gov.sg/ns/oscal + name: last-modified + value: 2024-02-06T01:04:05+0800 + title: Sanitisation + links: + - href: "#f3057503-f399-4735-9d7b-ea9830f3b2ac" + rel: reference + text: "IM8 On-Premise IS (Non-S): 3.3/S1" + id: dp-5 + - parts: + - prose: Witness the sanitisation and destruction process to ensure data is removed from storage. 
+ name: statement + id: dp-6_smt + - prose: Establish a SOP to ensure sanitisation and destruction are witnessed by an agency staff. + name: guidance + id: dp-6_gdn + props: + - ns: http://tech.gov.sg/ns/oscal + name: risk-statement + value: Ensuring storage devices are sanitised or destroyed will eliminate the possibility of unauthorised or unintended data retention. + - ns: http://tech.gov.sg/ns/oscal + name: published + value: 2024-02-29T16:50:47+0800 + - ns: http://tech.gov.sg/ns/oscal + name: last-modified + value: 2024-02-06T01:04:05+0800 + title: Witness Sanitisation and Destruction of Storage Devices + links: + - href: "#f3057503-f399-4735-9d7b-ea9830f3b2ac" + rel: reference + text: "IM8 On-Premise IS (Non-S): 3.3/S1" + id: dp-6 + title: Data Protection + id: dp + - parts: + - prose: Controls to support detection and response to security and operations incidents. + name: overview + controls: + - parts: + - prose: Store logs in a repository that is part of a different system or system component than the system or component being audited. + name: statement + id: lm-1_smt + - prose: "Send logs to the separate storage as soon as possible after the logged event. For cloud audit logs, store them in a separate service or account (such as AWS Organisation Cloudtrail in GCC). Sending logs to the Government Cyber Security Operations Centre (GCSOC) or the central Government Commercial Cloud (GCC) log bucket can also satisfy this control." + name: guidance + id: lm-1_gdn + props: + - ns: http://tech.gov.sg/ns/oscal + name: risk-statement + value: "Storing logs in a repository separate from the audited system or component enhances security by reducing the risk of tampering, unauthorised access, and manipulation of audit trails, ensuring the integrity and reliability of log data for forensic analysis and compliance purposes." 
+ - ns: http://tech.gov.sg/ns/oscal + name: published + value: 2023-08-16T12:41:27+0800 + - ns: http://tech.gov.sg/ns/oscal + name: last-modified + value: 2024-02-06T01:04:05+0800 + title: Separate Log Storage + links: + - href: "#8723fc45-7378-478f-b61f-2e22a170e98c" + rel: reference + text: "MVSP 2.7: Logging" + - href: "#0062e6a3-8ac4-44db-92df-8357b437ca0c" + rel: reference + text: "NIST SP 800-53 AU-9(2): Store on Separate Physical Systems or Components" + - href: "#f3057503-f399-4735-9d7b-ea9830f3b2ac" + rel: reference + text: "IM8 On-Premise IS (Non-S): 7.2/S8" + id: lm-1 + - parts: + - prose: "Protect logs from unauthorised access, modification, and deletion." + name: statement + id: lm-2_smt + - prose: "Apply access control policies to logs based on the principle of least privilege. As far as possible, only read access should be granted. Logs sent to GCC Central Logs are tamper-resistant." + name: guidance + id: lm-2_gdn + props: + - ns: http://tech.gov.sg/ns/oscal + name: risk-statement + value: "Without protection measures, logs are susceptible to unauthorised access, modification, or deletion, leading to the risk of tampering, loss of crucial audit information, and compromised forensic analysis capabilities during security incidents." 
+ - ns: http://tech.gov.sg/ns/oscal + name: published + value: 2023-08-16T12:41:27+0800 + - ns: http://tech.gov.sg/ns/oscal + name: last-modified + value: 2024-02-06T01:04:05+0800 + title: Tamper-Resistant Log Storage + links: + - href: "#da71948e-4dff-4a9d-a645-69ced821fe97" + rel: reference + text: "IM8 Cloud Security (IaaS and PaaS): 1.9/S4" + - href: "#da71948e-4dff-4a9d-a645-69ced821fe97" + rel: reference + text: "IM8 Cloud Security (IaaS and PaaS): 1.9/S5" + - href: "#da71948e-4dff-4a9d-a645-69ced821fe97" + rel: reference + text: "IM8 Cloud Security (IaaS and PaaS): 1.9/S9d" + - href: "#f3057503-f399-4735-9d7b-ea9830f3b2ac" + rel: reference + text: "IM8 On-Premise IS (Non-S): 7.1/S2" + id: lm-2 + - parts: + - prose: Log network traffic going to and from network interfaces. + name: statement + id: lm-3_smt + - prose: Enable VPC Flow Logs for AWS or its equivalents. + name: guidance + id: lm-3_gdn + props: + - ns: http://tech.gov.sg/ns/oscal + name: risk-statement + value: "Failing to log network traffic going to and from network interfaces increases the risk of overlooking suspicious activities, potential security breaches, and the inability to trace and investigate network-related incidents effectively." + - ns: http://tech.gov.sg/ns/oscal + name: published + value: 2023-08-16T12:41:27+0800 + - ns: http://tech.gov.sg/ns/oscal + name: last-modified + value: 2024-02-06T00:47:04+0800 + title: Network Flow Logging + links: + - href: "#da71948e-4dff-4a9d-a645-69ced821fe97" + rel: reference + text: "IM8 Cloud Security (IaaS and PaaS): 1.5/S6a" + id: lm-3 + - parts: + - prose: Log management and audit events on cloud resources. + name: statement + id: lm-4_smt + - prose: Configure CloudTrail for AWS or its equivalents to log management and audit events such as changes to IAM policies and resources. 
+ name: guidance + id: lm-4_gdn + props: + - ns: http://tech.gov.sg/ns/oscal + name: risk-statement + value: "Neglecting to log and manage audit events on cloud resources increases the risk of undetected security incidents, compromises visibility into system activities, and hinders effective forensic analysis and compliance monitoring in cloud environments." + - ns: http://tech.gov.sg/ns/oscal + name: published + value: 2023-08-16T12:41:27+0800 + - ns: http://tech.gov.sg/ns/oscal + name: last-modified + value: 2024-02-06T00:47:04+0800 + title: Cloud Management Event Logging + links: + - href: "#8723fc45-7378-478f-b61f-2e22a170e98c" + rel: reference + text: "MVSP 2.7: Logging" + - href: "#da71948e-4dff-4a9d-a645-69ced821fe97" + rel: reference + text: "IM8 Cloud Security (IaaS and PaaS): 1.9/S7" + id: lm-4 + - parts: + - prose: Log database audit events. + name: statement + id: lm-5_smt + - prose: Enable RDS logging for AWS or its equivalents. + name: guidance + id: lm-5_gdn + props: + - ns: http://tech.gov.sg/ns/oscal + name: risk-statement + value: "Neglecting to log database audit events raises the risk of overlooking unauthorised activities, compromises in data security, and hinders the ability to track and investigate security incidents or compliance violations within the database environment." + - ns: http://tech.gov.sg/ns/oscal + name: published + value: 2023-08-16T12:41:27+0800 + - ns: http://tech.gov.sg/ns/oscal + name: last-modified + value: 2024-02-06T00:47:04+0800 + title: Database Logging + links: + - href: "#8723fc45-7378-478f-b61f-2e22a170e98c" + rel: reference + text: "MVSP 2.7: Logging" + - href: "#da71948e-4dff-4a9d-a645-69ced821fe97" + rel: reference + text: "IM8 Cloud Security (IaaS and PaaS): 1.9/S3" + id: lm-5 + - parts: + - prose: "Log access requests sent to web application firewalls, load balancers, proxies or web servers." 
+ name: statement + id: lm-6_smt + - prose: "Enable AWS WAF logging, Application Load Balancer logging, API Gateways, or their equivalents." + name: guidance + id: lm-6_gdn + props: + - ns: http://tech.gov.sg/ns/oscal + name: risk-statement + value: "Failure to log access requests sent to web application firewalls, load balancers, proxies, or web servers increases the risk of overlooking potential security threats, unauthorised access attempts, and compromises visibility into the traffic that could lead to security incidents." + - ns: http://tech.gov.sg/ns/oscal + name: published + value: 2023-08-16T12:41:27+0800 + - ns: http://tech.gov.sg/ns/oscal + name: last-modified + value: 2024-02-06T01:04:05+0800 + title: Access Logging + links: + - href: "#8723fc45-7378-478f-b61f-2e22a170e98c" + rel: reference + text: "MVSP 2.7: Logging" + - href: "#da71948e-4dff-4a9d-a645-69ced821fe97" + rel: reference + text: "IM8 Cloud Security (IaaS and PaaS): 1.6/S4e" + - href: "#da71948e-4dff-4a9d-a645-69ced821fe97" + rel: reference + text: "IM8 Cloud Security (IaaS and PaaS): 1.9/S3" + - href: "#f3057503-f399-4735-9d7b-ea9830f3b2ac" + rel: reference + text: "IM8 On-Premise IS (Non-S): 7.1/S3" + id: lm-6 + - parts: + - prose: Log security events on hosts and other cloud resources. + name: statement + id: lm-7_smt + - prose: "Security events include operating system security events, authentication and audit logs, and endpoint detection and response alerts." + name: guidance + id: lm-7_gdn + props: + - ns: http://tech.gov.sg/ns/oscal + name: risk-statement + value: "Neglecting to log security events on hosts and other cloud resources increases the risk of undetected security incidents, compromises incident response capabilities, and hinders forensic analysis, limiting the ability to identify and mitigate potential threats." 
+ - ns: http://tech.gov.sg/ns/oscal + name: published + value: 2023-08-16T12:41:27+0800 + - ns: http://tech.gov.sg/ns/oscal + name: last-modified + value: 2024-02-06T00:47:04+0800 + title: Security Event Logging + links: + - href: "#da71948e-4dff-4a9d-a645-69ced821fe97" + rel: reference + text: "IM8 Cloud Security (IaaS and PaaS): 1.9/S2" + id: lm-7 + - parts: + - prose: "Retain security logs for at least {{ insert: param, lm-8_prm_1 }} day(s)." + name: statement + id: lm-8_smt + - prose: "Security logs include network flow logs, cloud management logs, access logs, database logs and host logs. Retain non-security logs (e.g. application, operations and performance logs) as long as needed for incident resolution and debugging. Consider log lifecycle management automation, such as Amazon S3 Lifecycle configurations." + name: guidance + id: lm-8_gdn + props: + - ns: http://tech.gov.sg/ns/oscal + name: risk-statement + value: "Failure to retain security logs increases the risk of losing crucial historical data, hindering investigations, compliance audits, and the ability to identify and respond to security incidents that occurred beyond a limited timeframe." + - ns: http://tech.gov.sg/ns/oscal + name: published + value: 2023-08-16T12:41:27+0800 + - ns: http://tech.gov.sg/ns/oscal + name: last-modified + value: 2024-02-09T22:54:15+0800 + params: + - id: lm-8_prm_1 + label: time period (days) + class: int + guidelines: + - prose: The time period in days of log retention. 
+ title: Security Log Retention + links: + - href: "#8723fc45-7378-478f-b61f-2e22a170e98c" + rel: reference + text: "MVSP 2.7: Logging" + - href: "#da71948e-4dff-4a9d-a645-69ced821fe97" + rel: reference + text: "IM8 Cloud Security (IaaS and PaaS): 1.9/S3" + - href: "#da71948e-4dff-4a9d-a645-69ced821fe97" + rel: reference + text: "IM8 Cloud Security (IaaS and PaaS): 1.9/S9" + - href: "#da71948e-4dff-4a9d-a645-69ced821fe97" + rel: reference + text: "IM8 Cloud Security (IaaS and PaaS): 1.9/S13" + - href: "#f3057503-f399-4735-9d7b-ea9830f3b2ac" + rel: reference + text: "IM8 On-Premise IS (Non-S): 7.2/S6" + id: lm-8 + - parts: + - prose: Configure security monitoring to identify potential security violations or breaches and send automated alerts. + name: statement + id: lm-9_smt + - prose: "Enable Amazon GuardDuty, Microsoft Azure Security Center, or their equivalents." + name: guidance + id: lm-9_gdn + props: + - ns: http://tech.gov.sg/ns/oscal + name: risk-statement + value: "Without configuring security monitoring to identify potential security violations or breaches and send automated alerts, there's an increased risk of delayed or unnoticed security incidents, hindering timely response and mitigation efforts to protect the system from further compromise." 
+ - ns: http://tech.gov.sg/ns/oscal + name: published + value: 2023-08-16T12:41:27+0800 + - ns: http://tech.gov.sg/ns/oscal + name: last-modified + value: 2024-02-06T01:04:05+0800 + title: Security Monitoring and Alerting + links: + - href: "#da71948e-4dff-4a9d-a645-69ced821fe97" + rel: reference + text: "IM8 Cloud Security (IaaS and PaaS): 1.9/S3" + - href: "#da71948e-4dff-4a9d-a645-69ced821fe97" + rel: reference + text: "IM8 Cloud Security (IaaS and PaaS): 1.9/S7" + - href: "#da71948e-4dff-4a9d-a645-69ced821fe97" + rel: reference + text: "IM8 Cloud Security (IaaS and PaaS): 1.9/S10" + - href: "#da71948e-4dff-4a9d-a645-69ced821fe97" + rel: reference + text: "IM8 Cloud Security (IaaS and PaaS): 1.9/S11" + - href: "#da71948e-4dff-4a9d-a645-69ced821fe97" + rel: reference + text: "IM8 Cloud Security (IaaS and PaaS): 1.9/S13" + - href: "#f3057503-f399-4735-9d7b-ea9830f3b2ac" + rel: reference + text: "IM8 On-Premise IS (Non-S): 7.2/S10" + id: lm-9 + - parts: + - prose: Configure resource usage monitoring to identify abnormal usage and send automated alerts. + name: statement + id: lm-10_smt + - prose: "Configure Amazon CloudWatch alarms, Azure Monitor alerts, or their equivalents to identify abnormal usage such as spike in usage, access to resources during expected hours, and excessive charges." + name: guidance + id: lm-10_gdn + props: + - ns: http://tech.gov.sg/ns/oscal + name: risk-statement + value: "Lack of resource usage monitoring with automated alerts increases the risk of overlooking abnormal usage patterns, potential resource abuse, and compromises in system performance, hindering the ability to proactively address issues and prevent service disruptions." 
+ - ns: http://tech.gov.sg/ns/oscal + name: published + value: 2023-08-16T12:41:27+0800 + - ns: http://tech.gov.sg/ns/oscal + name: last-modified + value: 2024-02-06T00:47:04+0800 + title: Resource Usage Monitoring and Alerting + links: + - href: "#da71948e-4dff-4a9d-a645-69ced821fe97" + rel: reference + text: "IM8 Cloud Security (IaaS and PaaS): 1.9/S8" + id: lm-10 + - parts: + - prose: "Monitor, maintain and alert on service level objectives (SLOs) and indicators (SLIs) to ensure consistent service performance, availability and reliability." + name: statement + id: lm-11_smt + - prose: "Implement a comprehensive monitoring system that tracks key SLIs and evaluates them against defined SLOs. This will help in identifying potential service level breaches early and take proactive measures to maintain service quality. Examples include Cloudwatch metrics and alerts, Amazon Route 53 health checks, Azure Monitor Application Insights, or their equivalents." + name: guidance + id: lm-11_gdn + props: + - ns: http://tech.gov.sg/ns/oscal + name: risk-statement + value: "Without effective service level monitoring to identify potential application or service degradation and send automated alerts, there is a risk of failing to meet service availability standards, which could result in user dissatisfaction and reduced reliability." + - ns: http://tech.gov.sg/ns/oscal + name: published + value: 2024-01-04T15:30:00+0800 + - ns: http://tech.gov.sg/ns/oscal + name: last-modified + value: 2024-02-06T01:04:05+0800 + title: Service Level Monitoring and Alerting + links: + - href: "#ee9148b4-3f31-48c8-8503-24fb5cd73db8" + rel: reference + text: "IM8 Cloud ADS: 11.1/G3" + id: lm-11 + - parts: + - prose: "Centralise security log management and monitoring with {{ insert: param, lm-12_prm_1 }}." 
+ name: statement + id: lm-12_smt + - prose: Tenants on Government Commercial Cloud (GCC) already have Cloud Service Provider (CSP) tenant security logs stored centrally and available for forwarding to Government Cyber Security Operations Centre (GCSOC). Contact GCSOC for subscription and additional services. + name: guidance + id: lm-12_gdn + props: + - ns: http://tech.gov.sg/ns/oscal + name: risk-statement + value: "Lack of central security log management and monitoring increases the risk of delayed or unnoticed security incidents, hindering effective response, and compromising the overall cybersecurity posture." + - ns: http://tech.gov.sg/ns/oscal + name: published + value: 2023-10-10T18:06:24+0800 + - ns: http://tech.gov.sg/ns/oscal + name: last-modified + value: 2024-05-29T21:17:04+0800 + params: + - id: lm-12_prm_1 + label: service + class: str + guidelines: + - prose: The central security log management and monitoring service. + title: Central Security Log Management and Monitoring + links: + - href: "#da71948e-4dff-4a9d-a645-69ced821fe97" + rel: reference + text: "IM8 Cloud Security (IaaS and PaaS): 1.9/S3" + - href: "#f3057503-f399-4735-9d7b-ea9830f3b2ac" + rel: reference + text: "IM8 On-Premise IS (Non-S): 7.1/S3" + - href: "#0062e6a3-8ac4-44db-92df-8357b437ca0c" + rel: reference + text: "NIST SP 800-53 AU-6(4): Central Review and Analysis" + - href: "#0062e6a3-8ac4-44db-92df-8357b437ca0c" + rel: reference + text: "NIST SP 800-53 PL-9: Central Management" + id: lm-12 + - parts: + - prose: Monitor database activities for anomalous behaviour. + name: statement + id: lm-13_smt + - prose: "Config RDS Activity Streams and logs with alerts or Database Activity Monitoring (DAM) tools to detect unusual authentication, reads or writes to a database." 
+ name: guidance + id: lm-13_gdn + props: + - ns: http://tech.gov.sg/ns/oscal + name: risk-statement + value: "Neglecting to monitor database activities for anomalous behaviour increases the risk of undetected security threats, unauthorised access, and compromises in data integrity, hindering the ability to identify and respond to potential database-related incidents." + - ns: http://tech.gov.sg/ns/oscal + name: published + value: 2023-10-10T18:06:24+0800 + - ns: http://tech.gov.sg/ns/oscal + name: last-modified + value: 2023-10-10T18:06:24+0800 + title: Database Activity Monitoring + id: lm-13 + - parts: + - prose: Plan for and implement measures to detect and recover from web defacements. + name: statement + id: lm-14_smt + - prose: The Government Cyber Security Operations Centre (GCSOC) offers centralised monitoring of web defacements of internet-facing systems. + name: guidance + id: lm-14_gdn + props: + - ns: http://tech.gov.sg/ns/oscal + name: risk-statement + value: Failure to detect and respond to web defacement promptly will lead to prolonged disruption to services. + - ns: http://tech.gov.sg/ns/oscal + name: published + value: 2023-10-27T16:50:47+0800 + - ns: http://tech.gov.sg/ns/oscal + name: last-modified + value: 2024-05-29T21:20:05+0800 + title: Web Defacement Monitoring + links: + - href: "#da71948e-4dff-4a9d-a645-69ced821fe97" + rel: reference + text: "IM8 Cloud Security (IaaS and PaaS): 1.9/S13" + - href: "#f3057503-f399-4735-9d7b-ea9830f3b2ac" + rel: reference + text: "IM8 On-Premise IS (Non-S): 7.1/S5" + id: lm-14 + - parts: + - prose: "Publish logs in a consistent, structured format that aligns with industry standards for easy parsing and analysis." + name: statement + id: lm-15_smt + - prose: "For security logs, implement or transform to OCSF (Open Cybersecurity Schema Framework), ECS (Elastic Common Schema) or similar schemas to standardize log formats for better threat detection and analysis. 
For operational logs, adopt OpenTelemetry or structured JSON formats to facilitate clear, structured, and efficient log analysis for system performance and diagnostics. Consistent log formatting aids in automated parsing and helps in integrating logs from various sources." + name: guidance + id: lm-15_gdn + props: + - ns: http://tech.gov.sg/ns/oscal + name: risk-statement + value: "Inconsistent or unstructured log formatting can lead to difficulties in log analysis and monitoring, potentially resulting in missed critical events or delayed response to system anomalies." + - ns: http://tech.gov.sg/ns/oscal + name: published + value: 2023-12-20T01:03:42+0800 + - ns: http://tech.gov.sg/ns/oscal + name: last-modified + value: 2024-01-04T00:00:00+0800 + title: Structured Log Formatting + id: lm-15 + - parts: + - prose: Monitor key user-facing signals to maintain robust service health and performance. + name: statement + id: lm-16_smt + - prose: "Implement monitoring of key signals such as latency, traffic, errors, and saturation (the 4 Golden Signals). Regularly track and analyse these indicators for proactive issue detection and resolution. Use this data to identify trends and areas for system improvement, ensuring continuous enhancement in service quality and reliability." + name: guidance + id: lm-16_gdn + props: + - ns: http://tech.gov.sg/ns/oscal + name: risk-statement + value: "Inadequate monitoring of key user-facing signals such as latency, traffic, errors, and saturation can lead to suboptimal service performance, adversely impacting user experience, system efficiency, and increasing the likelihood of system failures. This oversight can significantly detract from service reliability and user satisfaction." 
+ - ns: http://tech.gov.sg/ns/oscal + name: published + value: 2024-01-04T15:30:00+0800 + - ns: http://tech.gov.sg/ns/oscal + name: last-modified + value: 2024-01-04T15:30:00+0800 + title: Key Signals Monitoring + id: lm-16 + - parts: + - prose: Measure and analyse software delivery performance to optimise development velocity and operational efficiency. + name: statement + id: lm-17_smt + - prose: "Implement tools and processes to track Deployment Frequency, Lead Time for Changes, Change Failure Rate, and Time to Restore Service (the DORA 4 Key metrics). Use these metrics as benchmarks to drive continuous improvement in the software development and deployment process, enhancing agility, reliability, and responsiveness to changes." + name: guidance + id: lm-17_gdn + props: + - ns: http://tech.gov.sg/ns/oscal + name: risk-statement + value: "Failing to measure and improve the software delivery performance can lead to inefficient development processes, reduced software quality and longer recovery times." + - ns: http://tech.gov.sg/ns/oscal + name: published + value: 2024-01-04T15:30:00+0800 + - ns: http://tech.gov.sg/ns/oscal + name: last-modified + value: 2024-01-04T15:30:00+0800 + title: Software delivery performance monitoring + id: lm-17 + title: Logging and Monitoring + id: lm + - parts: + - prose: Controls to protect against unauthorised access to agency systems. + name: overview + controls: + - parts: + - prose: Deny access by default and grant only the minimum permissions required for authorised accounts or processes to perform a specific function. + name: statement + id: ac-1_smt + - prose: Consider attribute- or feature-based access control for greater customisability and granularity. 
+ name: guidance + id: ac-1_gdn + props: + - ns: http://tech.gov.sg/ns/oscal + name: risk-statement + value: "Violating the principle of least privileges increases the risk of unauthorised access, privilege escalation, and potential security breaches due to unnecessary permissions, compromising the overall security posture." + - ns: http://tech.gov.sg/ns/oscal + name: published + value: 2023-08-17T14:31:33+0800 + - ns: http://tech.gov.sg/ns/oscal + name: last-modified + value: 2024-02-06T00:47:04+0800 + title: Principle of Least Privilege + links: + - href: "#8723fc45-7378-478f-b61f-2e22a170e98c" + rel: reference + text: "MVSP 4.2: Logical access" + - href: "#da71948e-4dff-4a9d-a645-69ced821fe97" + rel: reference + text: "IM8 Cloud Security (IaaS and PaaS): 1.4/S7" + - href: "#da71948e-4dff-4a9d-a645-69ced821fe97" + rel: reference + text: "IM8 Cloud Security (IaaS and PaaS): 1.5/S4e" + - href: "#da71948e-4dff-4a9d-a645-69ced821fe97" + rel: reference + text: "IM8 Cloud Security (IaaS and PaaS): 1.7/S1b" + id: ac-1 + - parts: + - prose: "Require MFA for remote developer, maintainer, or administrator access at login." + name: statement + id: ac-2_smt + - prose: "Ensure that the authentication factors are different and independent of the accessing device. For additional security, consider MFA for privileged actions at the application level (such as step-up MFA challenges via PIM tools)." + name: guidance + id: ac-2_gdn + props: + - ns: http://tech.gov.sg/ns/oscal + name: risk-statement + value: "Without requiring phishing-resistant Multi-Factor Authentication (MFA) for remote access, there is an increased risk of unauthorised access, credential theft, and potential compromise of sensitive systems, especially for users with elevated privileges." 
+ - ns: http://tech.gov.sg/ns/oscal + name: published + value: 2023-08-17T14:31:33+0800 + - ns: http://tech.gov.sg/ns/oscal + name: last-modified + value: 2024-02-06T01:04:05+0800 + title: Multi-Factor Authentication (MFA) + links: + - href: "#0062e6a3-8ac4-44db-92df-8357b437ca0c" + rel: reference + text: "NIST SP 800-53 IA-2(1): Multi-factor Authentication to Privileged Accounts" + - href: "#8723fc45-7378-478f-b61f-2e22a170e98c" + rel: reference + text: "MVSP 4.2: Logical access" + - href: "#da71948e-4dff-4a9d-a645-69ced821fe97" + rel: reference + text: "IM8 Cloud Security (IaaS and PaaS): 1.4/S20a" + - href: "#9749c983-5562-4a6f-8852-7eecf9b38d2c" + rel: reference + text: "IM8 On-Premise ADS (Non-S): 2.4/S2" + id: ac-2 + - parts: + - prose: "Disable or remove accounts with privileged access within {{ insert: param, ac-3_prm_1 }} day(s) from last day of authorised use or have not been used for {{ insert: param, ac-3_prm_2 }} day(s)." + name: statement + id: ac-3_smt + - prose: "Use automated checks to identify accounts and credentials that should be disabled. For privileged user accounts in applications, consider using automated workflows such as System for Cross-domain Identity Management (SCIM) or identity lifecycle management tools. For cloud service provider accounts, use tools such as AWS Config iam-user-unused-credentials-check to manage Identity and Access Management (IAM) users." + name: guidance + id: ac-3_gdn + props: + - ns: http://tech.gov.sg/ns/oscal + name: risk-statement + value: "Failure to disable or remove unused accounts or credentials with elevated access increases the risk of unauthorised access, as dormant accounts may become targets for exploitation, compromising the security of the system." 
+ - ns: http://tech.gov.sg/ns/oscal + name: published + value: 2023-08-17T14:31:33+0800 + - ns: http://tech.gov.sg/ns/oscal + name: last-modified + value: 2024-02-09T23:02:29+0800 + params: + - id: ac-3_prm_1 + label: time period (days) + class: int + guidelines: + - prose: The time period in days after account expiry. + - id: ac-3_prm_2 + label: time period (days) + class: int + guidelines: + - prose: The time period in days of account inactivity. + title: Inactive and Expired Accounts + links: + - href: "#0062e6a3-8ac4-44db-92df-8357b437ca0c" + rel: reference + text: "NIST SP 800-53 AC-2(3): Disable Accounts" + - href: "#8723fc45-7378-478f-b61f-2e22a170e98c" + rel: reference + text: "MVSP 4.2: Logical access" + - href: "#da71948e-4dff-4a9d-a645-69ced821fe97" + rel: reference + text: "IM8 Cloud Security (IaaS and PaaS): 1.4/S15" + - href: "#da71948e-4dff-4a9d-a645-69ced821fe97" + rel: reference + text: "IM8 Cloud Security (IaaS and PaaS): 1.4/S18b" + - href: "#9749c983-5562-4a6f-8852-7eecf9b38d2c" + rel: reference + text: "IM8 On-Premise ADS (Non-S): 2.3/S2, 2.3/S3" + id: ac-3 + - parts: + - prose: "Perform an access review every {{ insert: param, ac-4_prm_1 }} day(s) and remove unauthorised or unintended privileged access rights within {{ insert: param, ac-4_prm_2 }} day(s)." + name: statement + id: ac-4_smt + - prose: "For privileged user accounts in applications, implement automated review workflows or reports. For cloud service provider accounts and roles, use tools such as AWS IAM Access Advisor or Azure AD Access Review to facilitate and manage access reviews." + name: guidance + id: ac-4_gdn + props: + - ns: http://tech.gov.sg/ns/oscal + name: risk-statement + value: "Without regular access reviews and prompt removal of unauthorised or unintended access rights, there is an increased risk of lingering access, potential misuse of privileges, and compromised security, impacting the confidentiality and integrity of sensitive data." 
+ - ns: http://tech.gov.sg/ns/oscal + name: published + value: 2023-08-17T14:31:33+0800 + - ns: http://tech.gov.sg/ns/oscal + name: last-modified + value: 2024-02-09T22:54:15+0800 + params: + - id: ac-4_prm_1 + label: time period (days) + class: int + guidelines: + - prose: The time period in days of access review frequency. + - id: ac-4_prm_2 + label: time period (days) + class: int + guidelines: + - prose: The time period in days of access removal deadline. + title: Access Review + links: + - href: "#0062e6a3-8ac4-44db-92df-8357b437ca0c" + rel: reference + text: "AC-2: Account Management" + - href: "#8723fc45-7378-478f-b61f-2e22a170e98c" + rel: reference + text: "MVSP 4.2: Logical access" + - href: "#da71948e-4dff-4a9d-a645-69ced821fe97" + rel: reference + text: "IM8 Cloud Security (IaaS and PaaS): 1.4/S13" + - href: "#9749c983-5562-4a6f-8852-7eecf9b38d2c" + rel: reference + text: "IM8 On-Premise ADS (Non-S): 2.3/S1, 2.3/S6" + id: ac-4 + - parts: + - prose: "Require hardened endpoint devices for remote developer, maintainer, or administrator access." + name: statement + id: ac-5_smt + - prose: Use Endpoint Management platfoms to continuously check and enforce device security posture and deny access if the hardening requirements are not met. Hardened devices include Government Standard Image Build (GSIB) and Security Suite for Engineering Endpoint Devices (SEED). + name: guidance + id: ac-5_gdn + props: + - ns: http://tech.gov.sg/ns/oscal + name: risk-statement + value: "Without requiring hardened endpoint devices for remote access, there's an increased risk of compromised endpoints, potential malware infections, and security breaches, which could lead to unauthorised access and compromise the integrity of systems." 
+ - ns: http://tech.gov.sg/ns/oscal + name: published + value: 2023-08-17T14:31:33+0800 + - ns: http://tech.gov.sg/ns/oscal + name: last-modified + value: 2024-02-06T01:04:05+0800 + title: Endpoint Device Hardening + links: + - href: "#da71948e-4dff-4a9d-a645-69ced821fe97" + rel: reference + text: "IM8 Cloud Security (IaaS and PaaS): 1.4/S20a" + - href: "#f3057503-f399-4735-9d7b-ea9830f3b2ac" + rel: reference + text: "IM8 On-Premise IS (Non-S): 1.3/S1, 4.7/S3" + id: ac-5 + - parts: + - prose: Change default credentials prior to first use. + name: statement + id: ac-6_smt + - prose: Identify any default credentials used in any system components before deploying and change them. Configure end-user systems to prompt for password change on first login after account creation or reset. + name: guidance + id: ac-6_gdn + props: + - ns: http://tech.gov.sg/ns/oscal + name: risk-statement + value: "Failure to change default credentials prior to first use increases the risk of unauthorised access, as default credentials are often well-known and targeted by attackers, compromising the security of the system or device." + - ns: http://tech.gov.sg/ns/oscal + name: published + value: 2023-10-02T10:34:05+0800 + - ns: http://tech.gov.sg/ns/oscal + name: last-modified + value: 2024-02-06T01:04:05+0800 + title: Default Credentials + links: + - href: "#0062e6a3-8ac4-44db-92df-8357b437ca0c" + rel: reference + text: "NIST SP 800-53 IA-5: Authenticator Management" + - href: "#da71948e-4dff-4a9d-a645-69ced821fe97" + rel: reference + text: "IM8 Cloud Security (IaaS and PaaS): 1.4/S1c" + - href: "#da71948e-4dff-4a9d-a645-69ced821fe97" + rel: reference + text: "IM8 Cloud Security (IaaS and PaaS): 1.4/S2c" + - href: "#9749c983-5562-4a6f-8852-7eecf9b38d2c" + rel: reference + text: "IM8 On-Premise ADS (Non-S): 2.2/S1d, 2.3/S5" + id: ac-6 + - parts: + - prose: Use SingPass or CorpPass MFA for digital services that require high level of identity assurance for external users. 
+ name: statement + id: ac-7_smt + - prose: "For high impact or high risk transactions, use SingPass/CorpPass to identify external users (e.g. citizens). Internal users should use Government managed Single Sign-on (SSO) solutions (such as WOG AAD)." + name: guidance + id: ac-7_gdn + props: + - ns: http://tech.gov.sg/ns/oscal + name: risk-statement + value: Leverage on SingPass or CorpPass to reduce duplication of effort and provide consistent end user experience. + - ns: http://tech.gov.sg/ns/oscal + name: published + value: 2023-10-27T16:50:47+0800 + - ns: http://tech.gov.sg/ns/oscal + name: last-modified + value: 2024-02-06T01:04:05+0800 + title: SingPass/CorpPass for External Users + links: + - href: "#9749c983-5562-4a6f-8852-7eecf9b38d2c" + rel: reference + text: "IM8 On-Premise ADS (Non-S): 2.1/S1" + id: ac-7 + - parts: + - prose: Implement automation of cloud and application account provisioning and deprovisioning using an account management tool. + name: statement + id: ac-8_smt + - prose: "Adopt Single Sign-On (SSO) with just-in-time provisioning or account lifecycle management tools (such as SCIM or CAM) to assist with account management. For systems unable to use SSO, it is recommended to leverage account management lifecycle tools with HR records (such as CAM) to automatically provision and de-provision accounts." + name: guidance + id: ac-8_gdn + props: + - ns: http://tech.gov.sg/ns/oscal + name: risk-statement + value: "Manual account and access provisioning can introduce errors and weaknesses, thus making access control measures ineffective and unreliable." 
+ - ns: http://tech.gov.sg/ns/oscal + name: published + value: 2023-10-27T15:51:13+0800 + - ns: http://tech.gov.sg/ns/oscal + name: last-modified + value: 2024-02-06T01:04:05+0800 + title: Automate account provisioning + links: + - href: "#da71948e-4dff-4a9d-a645-69ced821fe97" + rel: reference + text: "IM8 Cloud Security (IaaS and PaaS): 1.4/S18a" + - href: "#9749c983-5562-4a6f-8852-7eecf9b38d2c" + rel: reference + text: "IM8 On-Premise ADS (Non-S): 2.3/S7" + id: ac-8 + - parts: + - prose: Implement and maintain an endpoint device management solution to ensure the security and integrity of endpoint devices used within the organisation. + name: statement + id: ac-9_smt + - prose: "Mobile Device Management (MDM) platforms enable management, monitoring, and secure configuration of endpoint devices. This includes enforcing disk encryption, managing configuration, ensuring regular updates, and providing the ability to remotely wipe data in case of device loss or theft." + name: guidance + id: ac-9_gdn + props: + - ns: http://tech.gov.sg/ns/oscal + name: risk-statement + value: Unmanaged endpoint devices increase the risk of unauthorized access and potential loss of sensitive information due to the compromise of devices. + - ns: http://tech.gov.sg/ns/oscal + name: published + value: 2023-11-29T18:00:00+0000 + - ns: http://tech.gov.sg/ns/oscal + name: last-modified + value: 2024-01-19T17:00:00+0800 + title: Endpoint Device Management + id: ac-9 + - parts: + - prose: Adopt Identity and Device-Based Access Control for secure and context-aware connectivity to private organisational resources. + name: statement + id: ac-10_smt + - prose: "Use solutions such as Secure Service Edge (SSE), Identity Aware Proxies (IAP) or other Zero Trust services (Entra ID Conditional Access, Okta Device Trust, etc) that integrate identity and device management systems to provide granular access control to resources based on user identity and device posture. 
For example, Security Suite for Engineering Endpoint Devices (SEED)." + name: guidance + id: ac-10_gdn + props: + - ns: http://tech.gov.sg/ns/oscal + name: risk-statement + value: "Relying on direct connections or traditional VPNs for remote access can lead to vulnerabilities, as they do not always incorporate strong identity and device-based security measures. This increases the risk of unauthorized access and potential data breaches." + - ns: http://tech.gov.sg/ns/oscal + name: published + value: 2023-11-29T18:00:00+0000 + - ns: http://tech.gov.sg/ns/oscal + name: last-modified + value: 2023-11-29T18:00:00+0000 + title: Identity and Device-Based Access Control + id: ac-10 + - parts: + - prose: Assign each endpoint device to a single designated primary user and enforce the assignment to ensure accountability and enhance security monitoring. + name: statement + id: ac-11_smt + - prose: Implement measures such as user authentication and endpoint management with device enrollment to enforce the single primary user per endpoint. If secondary accounts for local device support or maintenance activities consider securing with endpoint privilege management tools. + name: guidance + id: ac-11_gdn + props: + - ns: http://tech.gov.sg/ns/oscal + name: risk-statement + value: "Allowing multiple users to access a single endpoint device can lead to security risks such as data leakage, difficulty in tracking user activities, and increased vulnerability to insider threats." + - ns: http://tech.gov.sg/ns/oscal + name: published + value: 2023-12-07T08:00:00+0000 + - ns: http://tech.gov.sg/ns/oscal + name: last-modified + value: 2023-12-07T16:00:00+0000 + title: Single User Endpoints + id: ac-11 + - parts: + - prose: Use Single Sign-On (SSO) for internal users and services. 
+ name: statement + id: ac-12_smt + - prose: Configure multi-factor authentication (MFA) at the Single-Sign On (SSO) identity provider (IdP) and ensure that access to the system is only granted after the IdP authenticates the user. WOG AAD is recommended for public officers and TechPass AAD for developers. + name: guidance + id: ac-12_gdn + props: + - ns: http://tech.gov.sg/ns/oscal + name: risk-statement + value: "Without Single Sign-On (SSO), there is an increased risk of unauthorized access and compromised user credentials, as users may resort to using weak passwords or reusing credentials across multiple systems, thereby exposing sensitive information to potential security breaches." + - ns: http://tech.gov.sg/ns/oscal + name: published + value: 2023-12-07T08:00:00+0000 + - ns: http://tech.gov.sg/ns/oscal + name: last-modified + value: 2024-02-06T00:47:04+0800 + title: Single Sign-On (SSO) for Internal Users + links: + - href: "#0062e6a3-8ac4-44db-92df-8357b437ca0c" + rel: reference + text: "IA-2(10): Single Sign-on" + - href: "#da71948e-4dff-4a9d-a645-69ced821fe97" + rel: reference + text: "IM8 Cloud Security (IaaS and PaaS): 1.4/S18c" + id: ac-12 + title: Access Control + id: ac + - parts: + - prose: "Controls to secure container building, distribution, and deployment." + name: overview + controls: + - parts: + - prose: Use unique base container image tags instead of rolling tags. + name: statement + id: cs-1_smt + - prose: Avoid the `latest` tag or other common rolling tags for base images to minimise unintended changes during subsequent builds using the same instruction. A digest SHA can provide a unique identifier for the image if no tag is assigned during build time. 
+ name: guidance + id: cs-1_gdn + props: + - ns: http://tech.gov.sg/ns/oscal + name: risk-statement + value: "Using unique base container image tags instead of rolling tags reduces the risk of unintentional updates, inconsistencies, and potential security vulnerabilities in containerised environments, ensuring a more stable and secure deployment process." + - ns: http://tech.gov.sg/ns/oscal + name: published + value: 2023-08-23T23:58:33+0800 + - ns: http://tech.gov.sg/ns/oscal + name: last-modified + value: 2024-02-06T01:04:05+0800 + title: Unique Base Container Image Tags + links: + - href: "#438199c5-6b38-4704-88d6-a902ee08a433" + rel: reference + text: "SLSA Build L1: Provenance exists" + - href: "#ee9148b4-3f31-48c8-8503-24fb5cd73db8" + rel: reference + text: "IM8 Cloud ADS: 12.1/G3" + id: cs-1 + - parts: + - prose: Build container images with minimal base images. + name: statement + id: cs-2_smt + - prose: "Use minimal container images such as alpine, scratch, wolfi, and distroless images as the base image to reduce attack surface." + name: guidance + id: cs-2_gdn + props: + - ns: http://tech.gov.sg/ns/oscal + name: risk-statement + value: "Building container images with minimal base images reduces the attack surface, potential vulnerabilities, and resource overhead, minimising the risk of security exploits and enhancing the overall security posture of the containerised environment." + - ns: http://tech.gov.sg/ns/oscal + name: published + value: 2023-08-23T23:58:33+0800 + - ns: http://tech.gov.sg/ns/oscal + name: last-modified + value: 2024-02-06T01:04:05+0800 + title: Minimal Base Container Images + links: + - href: "#ee9148b4-3f31-48c8-8503-24fb5cd73db8" + rel: reference + text: "IM8 Cloud ADS: 12.1/G1" + id: cs-2 + - parts: + - prose: Provide secrets and sensitive data to the container at runtime instead of image build time. 
+ name: statement + id: cs-3_smt + - prose: "Ensure no secrets (e.g., TLS certificate keys, cloud provider credentials, SSH private keys, database passwords) are embedded in the container image by using dedicated features like Docker secrets or `podman-secret-create`." + name: guidance + id: cs-3_gdn + props: + - ns: http://tech.gov.sg/ns/oscal + name: risk-statement + value: "Providing secrets and sensitive data to the container at runtime instead of image build time reduces the risk of exposing sensitive information in the image and enhances security by ensuring that secrets are managed and updated independently, minimising the risk of unauthorised access or data compromise." + - ns: http://tech.gov.sg/ns/oscal + name: published + value: 2023-08-23T23:58:33+0800 + - ns: http://tech.gov.sg/ns/oscal + name: last-modified + value: 2024-02-06T01:04:05+0800 + title: Runtime Container Secrets + links: + - href: "#ee9148b4-3f31-48c8-8503-24fb5cd73db8" + rel: reference + text: "IM8 Cloud ADS: 2.2/S4" + id: cs-3 + - parts: + - prose: Create a non-root user and set it as the default user in the container image build instructions. + name: statement + id: cs-4_smt + - prose: Ensure the non-root user has the minimal set of permissions required to run the container. + name: guidance + id: cs-4_gdn + props: + - ns: http://tech.gov.sg/ns/oscal + name: risk-statement + value: "Failure to create a non-root user and set it as the default user in container image build instructions increases the risk of security vulnerabilities, as running containers with root privileges may lead to potential exploitation and compromise of the host system." 
+ - ns: http://tech.gov.sg/ns/oscal + name: published + value: 2023-08-23T23:58:33+0800 + - ns: http://tech.gov.sg/ns/oscal + name: last-modified + value: 2024-02-06T01:04:05+0800 + title: Non-Privileged Container User + links: + - href: "#ee9148b4-3f31-48c8-8503-24fb5cd73db8" + rel: reference + text: "IM8 Cloud ADS: 12.2/S2" + id: cs-4 + - parts: + - prose: Lint Dockerfiles before building container images. + name: statement + id: cs-5_smt + - prose: Use linters such as Hadolint to check the Dockerfile (or similar build file) instructions and flag any issues that contravene best practices. Ensure Dockerfile linting stage is run as part of the Continuous Integration (CI) pipelines. + name: guidance + id: cs-5_gdn + props: + - ns: http://tech.gov.sg/ns/oscal + name: risk-statement + value: "Without linting Dockerfiles before building container images, there's an increased risk of syntax errors, misconfigurations, and potential security vulnerabilities, compromising the reliability and security of the resulting containerised applications." + - ns: http://tech.gov.sg/ns/oscal + name: published + value: 2023-08-23T23:58:33+0800 + - ns: http://tech.gov.sg/ns/oscal + name: last-modified + value: 2024-02-06T01:04:05+0800 + title: Dockerfile Linting + links: + - href: "#ee9148b4-3f31-48c8-8503-24fb5cd73db8" + rel: reference + text: "IM8 Cloud ADS: 12.1/G4" + id: cs-5 + - parts: + - prose: Configure the container filesystem to be read-only. + name: statement + id: cs-6_smt + - prose: "Use security policies (e.g., `readonlyRootFilesystem` for Kubernetes) to prevent any direct writes to the container's root filesystem during runtime and ensure immutable infrastructure. Do not directly apply patches or alter running containers as the containers are ephemeral and patches will disappear upon redeploy. Apply patches by rebuilding and redeploying container images." 
+ name: guidance + id: cs-6_gdn + props: + - ns: http://tech.gov.sg/ns/oscal + name: risk-statement + value: "Failure to configure the container filesystem as read-only increases the risk of unauthorised modifications, potential tampering, and compromise of containerised applications, as attackers may exploit write access to alter the container's state and integrity." + - ns: http://tech.gov.sg/ns/oscal + name: published + value: 2023-08-23T23:58:33+0800 + - ns: http://tech.gov.sg/ns/oscal + name: last-modified + value: 2024-01-19T14:00:00+0800 + title: Read-Only Container Root Filesystem + id: cs-6 + - parts: + - prose: "Scan container images in the {{ insert: param, cs-7_prm_1 }} for known vulnerabilities." + name: statement + id: cs-7_smt + - prose: "Container image scanning tools (e.g., Amazon Inspector, Trivy, Grype) scan the contents of a container image for known vulnerabilities. Configure scans to run automatically and continuously, as well as enable scanning of image on push. Block deployment of container images with HIGH CVE being detected during scan (e.g., using Amazon ECR with Security Hub)." + name: guidance + id: cs-7_gdn + props: + - ns: http://tech.gov.sg/ns/oscal + name: risk-statement + value: "Failure to scan container images increases the risk of deploying insecure images, potentially exposing the infrastructure to known exploits and compromising the security of the containerised applications during runtime." + - ns: http://tech.gov.sg/ns/oscal + name: published + value: 2023-08-23T23:58:33+0800 + - ns: http://tech.gov.sg/ns/oscal + name: last-modified + value: 2024-03-31T23:50:41+0800 + params: + - id: cs-7_prm_1 + label: location + class: str + guidelines: + - prose: The location where container image scanning occurs. 
+ select: + how-many: one-or-more + choice: + - CI/CD pipeline + - container registry + title: Container Image Scanning + links: + - href: "#ee9148b4-3f31-48c8-8503-24fb5cd73db8" + rel: reference + text: "IM8 Cloud ADS: 12.3/G2b" + - href: "#ee9148b4-3f31-48c8-8503-24fb5cd73db8" + rel: reference + text: "IM8 Cloud ADS: 12.3/G2c" + id: cs-7 + - parts: + - prose: Host built container images in private container registries. + name: statement + id: cs-8_smt + - prose: "Use only private container registries (e.g., Amazon ECR private registry) to host container images built by the organisation as images may contain proprietary code or sensitive information." + name: guidance + id: cs-8_gdn + props: + - ns: http://tech.gov.sg/ns/oscal + name: risk-statement + value: "Hosting built container images in private registries enhances security by reducing the exposure of sensitive images, minimising the risk of unauthorised access, and maintaining control over image distribution, ensuring a more secure and controlled container deployment process." + - ns: http://tech.gov.sg/ns/oscal + name: published + value: 2023-08-23T23:58:33+0800 + - ns: http://tech.gov.sg/ns/oscal + name: last-modified + value: 2024-03-31T23:39:47+0800 + title: Private Container Image Registries + id: cs-8 + - parts: + - prose: Disable public access to Container Orchestrator API endpoints from the internet. + name: statement + id: cs-9_smt + - prose: Restrict access to the Container Orchestrator API endpoints (such as the Kubernetes API Server) to specific address ranges or use CSP provided features such as disabling Endpoint public access and Private Clusters to disable public access. 
+ name: guidance + id: cs-9_gdn + props: + - ns: http://tech.gov.sg/ns/oscal + name: risk-statement + value: "Failure to disable public access to Container Orchestrator API endpoints from the internet increases the risk of unauthorised access, potential exploitation, and security breaches, as exposing these endpoints publicly may lead to unauthorised control and compromise of the container infrastructure." + - ns: http://tech.gov.sg/ns/oscal + name: published + value: 2023-08-23T23:58:33+0800 + - ns: http://tech.gov.sg/ns/oscal + name: last-modified + value: 2024-03-31T23:39:54+0800 + title: Container Orchestrator API Access Control + links: + - href: "#da71948e-4dff-4a9d-a645-69ced821fe97" + rel: reference + text: "IM8 Cloud Security (IaaS and PaaS): 1.7/S21b" + id: cs-9 + - parts: + - prose: Segregate container workloads to help contain attacks through isolation. + name: statement + id: cs-10_smt + - prose: "Create Kubernetes namespaces or similar container segmentation controls to isolate different workloads, services or projects." + name: guidance + id: cs-10_gdn + props: + - ns: http://tech.gov.sg/ns/oscal + name: risk-statement + value: "Without separating container workloads into namespaces, there's an increased risk of lateral movement and potential compromise." + - ns: http://tech.gov.sg/ns/oscal + name: published + value: 2023-08-23T23:58:33+0800 + - ns: http://tech.gov.sg/ns/oscal + name: last-modified + value: 2024-03-31T23:40:00+0800 + title: Container Workload Segmentation + id: cs-10 + - parts: + - prose: Detect and remediate changes to running containers with container runtime protection tools. + name: statement + id: cs-11_smt + - prose: "Runtime protection tools, such as AWS EKS Protection, Microsoft Defender for Containers, or Falco, monitor threats and changes to running containers. Vulnerable container instances should be isolated for investigation and replaced with rebuilt and patched images. 
To avoid persistence if patches do not exist, the container instance should be replaced frequently with an un-compromised image until a patch released. These tools replace Malware Protection (IS-7) and EDR (IS-8) in container environments." + name: guidance + id: cs-11_gdn + props: + - ns: http://tech.gov.sg/ns/oscal + name: risk-statement + value: "Failure to detect and remediate changes to running containers using container runtime protection tools increases the risk of unnoticed compromises, potential exploitation, and unauthorised alterations to containerised applications, compromising the security and integrity of the runtime environment." + - ns: http://tech.gov.sg/ns/oscal + name: published + value: 2023-08-23T23:58:33+0800 + - ns: http://tech.gov.sg/ns/oscal + name: last-modified + value: 2024-03-31T23:40:06+0800 + title: Container Runtime Security + links: + - href: "#ee9148b4-3f31-48c8-8503-24fb5cd73db8" + rel: reference + text: "IM8 Cloud ADS: 12.3/G2b" + id: cs-11 + title: Container Security + id: cs + - parts: + - prose: "Controls to implement cybersecurity governance, risk, and compliance processes and policies." + name: overview + controls: + - parts: + - prose: "Develop, document, and disseminate an agency-level cybersecurity incident management plan to respond to cybersecurity incidents." + name: statement + id: pm-1_smt + - prose: Refer to the Government Incident Reporting and Operations Centre (GIROC) ICT and Data Incident Reporting Resources for an incident management plan and best practices template. + name: guidance + id: pm-1_gdn + props: + - ns: http://tech.gov.sg/ns/oscal + name: risk-statement + value: "Lack of a cybersecurity incident management plan increases the risk of ineffective response to cybersecurity incidents, hindering the ability to contain, mitigate, and recover from security breaches, potentially leading to extended downtime and data compromise." 
+ - ns: http://tech.gov.sg/ns/oscal + name: published + value: 2023-08-18T12:51:56+0800 + - ns: http://tech.gov.sg/ns/oscal + name: last-modified + value: 2024-05-15T23:50:24+0800 + title: Cybersecurity Incident Management Plan + links: + - href: "#8723fc45-7378-478f-b61f-2e22a170e98c" + rel: reference + text: "MVSP 1.7: Incident handling" + - href: "#da71948e-4dff-4a9d-a645-69ced821fe97" + rel: reference + text: "IM8 Cloud Security (IaaS and PaaS): 1.1/S3" + - href: "#424d176f-09ad-41c5-8a44-a064a9f1e37d" + rel: reference + text: GIROC ICT and Data Incident Reporting Resources + id: pm-1 + - parts: + - parts: + - prose: Risk scenario; + name: item + id: pm-2_smt.1 + props: + - name: label + value: "1" + - prose: Likelihood (from 1-5); + name: item + id: pm-2_smt.2 + props: + - name: label + value: "2" + - prose: Impact (from 1-5); + name: item + id: pm-2_smt.3 + props: + - name: label + value: "3" + - prose: "Risk Level (Likelihood \\* Impact; 1-4: Low, 5-9: Medium, 10-14: Medium High, 15-19: High, 20-25: Critical)" + name: item + id: pm-2_smt.4 + props: + - name: label + value: "4" + - prose: Mitigating Measures + name: item + id: pm-2_smt.5 + props: + - name: label + value: "5" + prose: "Develop and document a project-level cybersecurity risk assessment prior to initial full release that includes:" + name: statement + id: pm-2_smt + - prose: Refer to the Cyber Security Agency of Singapore's Cybersecurity Toolkit for IT Teams for an example of a risk assessment template and modify accordingly. + name: guidance + id: pm-2_gdn + props: + - ns: http://tech.gov.sg/ns/oscal + name: risk-statement + value: "Without developing and documenting a project-level cybersecurity risk assessment before the initial full release, there's an increased risk of overlooking potential security threats, vulnerabilities, and regulatory compliance issues, compromising the overall security posture of the project." 
+ - ns: http://tech.gov.sg/ns/oscal + name: published + value: 2023-08-18T12:51:56+0800 + - ns: http://tech.gov.sg/ns/oscal + name: last-modified + value: 2024-05-15T23:54:27+0800 + title: Project Cybersecurity Risk Assessment + links: + - href: "#8723fc45-7378-478f-b61f-2e22a170e98c" + rel: reference + text: "MVSP 1.3: Self-assessment" + - href: "#da71948e-4dff-4a9d-a645-69ced821fe97" + rel: reference + text: "IM8 Cloud Security (IaaS and PaaS): 1.1/S1" + - href: "#d90ebf27-ad15-40c3-84f1-c83c98383d16" + rel: reference + text: Cybersecurity Toolkit for IT Teams + id: pm-2 + - parts: + - prose: Develop and maintain a comprehensive System Security Plan (SSP) that accurately reflects the system characteristics and security controls in place for the organisation's systems and environments. + name: statement + id: pm-3_smt + - prose: "The SSP should be detailed, covering all aspects of security controls, roles, responsibilities, and operational processes. Regular updates are necessary to reflect changes in the security landscape and system evolution." + name: guidance + id: pm-3_gdn + props: + - ns: http://tech.gov.sg/ns/oscal + name: risk-statement + value: "Failure to develop a comprehensive SSP can result in inadequate documentation and security controls, leading to increased vulnerability to cyber threats and non-compliance with regulatory requirements." + - ns: http://tech.gov.sg/ns/oscal + name: published + value: 2023-10-05T09:00:00+0800 + - ns: http://tech.gov.sg/ns/oscal + name: last-modified + value: 2023-10-10T16:00:00+0800 + title: System Security Plan (SSP) Development + id: pm-3 + - parts: + - prose: Get approval of deviations from applicable Level 1 profile controls in the default System Security Plans (SSPs) from the agency's ICT and Digitalisation Steering Committee (IDSC) and document these deviations in the customised SSP. 
+ name: statement + id: pm-4_smt + - prose: Agencies should seek approval for deviation from their IDSC or delegated approval authority. Controls that are not applicable to the system do not need approval for deviations but the reasons why they are not applicable must be documented in the customised SSP. + name: guidance + id: pm-4_gdn + props: + - ns: http://tech.gov.sg/ns/oscal + name: risk-statement + value: Unauthorised deviations from the policy can lead to an increased risk of security vulnerabilities and other compliance issues. + - ns: http://tech.gov.sg/ns/oscal + name: published + value: 2023-10-12T11:45:00+0800 + - ns: http://tech.gov.sg/ns/oscal + name: last-modified + value: 2024-05-12T23:15:32+0800 + title: Approval of Policy Deviations + id: pm-4 + - parts: + - prose: Submit approved SSPs centrally to maintain a unified and up-to-date repository of security plans and practices. + name: statement + id: pm-5_smt + - prose: Reference the IM8 Portal for submitting all approved SSPs. + name: guidance + id: pm-5_gdn + props: + - ns: http://tech.gov.sg/ns/oscal + name: risk-statement + value: Inconsistent or decentralised submission of the SSP can lead to decreased visibility of security and compliance adoption across Government. + - ns: http://tech.gov.sg/ns/oscal + name: published + value: 2023-10-20T08:30:00+0800 + - ns: http://tech.gov.sg/ns/oscal + name: last-modified + value: 2023-10-25T14:00:00+0800 + title: Central Submission of Approved System Security Plan (SSP) + links: + - href: "#80bf8bd1-004c-42d9-a810-e3f1fae563bf" + rel: reference + text: Centralised SSP Management Guidelines + id: pm-5 + - parts: + - prose: "Maintain detailed, up-to-date documentation of all system information and architecture." + name: statement + id: pm-6_smt + - prose: "Example system documentation includes architecture and network diagrams, architecture decision records, hardware and software inventories, data flows, and configurations. 
This documentation should be regularly reviewed and updated to reflect changes in the environment. Documentation should be accessible to relevant personnel while ensuring sensitive information is protected. Adopt documentation-as-code practices and machine-readable formats (such as Markdown, JSON, YAML, etc), to facilitate version control, collaboration, and automation in maintaining documentation." + name: guidance + id: pm-6_gdn + props: + - ns: http://tech.gov.sg/ns/oscal + name: risk-statement + value: "Comprehensive documentation of system architecture, components, configurations, and dependencies is essential for effective management, troubleshooting, and security auditing." + - ns: http://tech.gov.sg/ns/oscal + name: published + value: 2023-12-20T10:10:10+0800 + - ns: http://tech.gov.sg/ns/oscal + name: last-modified + value: 2023-01-10T0:00:00+0800 + title: System Documentation + id: pm-6 + - parts: + - prose: "Ensure that the Software as a Service (SaaS) provider is certified with {{ insert: param, pm-7_prm_1 }}." + name: statement + id: pm-7_smt + - prose: Ensure that the certification is up-to-date. Avoid certifications that are only attestations without a pass/fail element. + name: guidance + id: pm-7_gdn + props: + - ns: http://tech.gov.sg/ns/oscal + name: risk-statement + value: Third-party certification provides assurance that security controls have been properly implemented in the Software as a Service (SaaS) provider. + - ns: http://tech.gov.sg/ns/oscal + name: published + value: 2024-01-14T01:35:16+0800 + - ns: http://tech.gov.sg/ns/oscal + name: last-modified + value: 2024-02-09T22:54:15+0800 + params: + - id: pm-7_prm_1 + label: certifications + class: str + guidelines: + - prose: The required certifications. + title: Certification + id: pm-7 + - parts: + - prose: "Obtain a service level agreement with the Software as a Service (SaaS) provider that covers uptime, response times, downtime notifications, support avenues, and support content." 
+ name: statement + id: pm-8_smt + - prose: Ensure that the service level agreement is regularly checked for compliance. + name: guidance + id: pm-8_gdn + props: + - ns: http://tech.gov.sg/ns/oscal + name: risk-statement + value: Without a service level agreement the availability of the Software as a Service (SaaS) system may be poorly maintained by the provider. + - ns: http://tech.gov.sg/ns/oscal + name: published + value: 2024-01-14T02:04:59+0800 + - ns: http://tech.gov.sg/ns/oscal + name: last-modified + value: 2024-01-14T02:06:19+0800 + title: Software as a Service (SaaS) Service Level Agreement + id: pm-8 + title: Security Programme Management + id: pm + - parts: + - prose: "Controls to secure infrastructure that host applications, services, and data." + name: overview + controls: + - parts: + - prose: Install CSP management agents on hosts to remotely and securely manage their configurations. + name: statement + id: is-1_smt + - prose: "Most CSP compute instances preinstall management agents (e.g., AWS Systems Manager Agent, Azure Windows VM Agent) by default. If the image does not come with the preinstalled agent, install manually." + name: guidance + id: is-1_gdn + props: + - ns: http://tech.gov.sg/ns/oscal + name: risk-statement + value: "Without installing management agents on hosts, there is an increased risk of manual misconfigurations, difficulty in maintaining consistent configurations, and potential security vulnerabilities due to reduced visibility and ability to manage hosts effectively." 
+ - ns: http://tech.gov.sg/ns/oscal + name: published + value: 2023-09-01T16:44:29+0800 + - ns: http://tech.gov.sg/ns/oscal + name: last-modified + value: 2024-02-06T00:47:04+0800 + title: Management Agents + links: + - href: "#da71948e-4dff-4a9d-a645-69ced821fe97" + rel: reference + text: "IM8 Cloud Security (IaaS and PaaS): 1.1/G1" + - href: "#da71948e-4dff-4a9d-a645-69ced821fe97" + rel: reference + text: "IM8 Cloud Security (IaaS and PaaS): 1.4/S21" + id: is-1 + - parts: + - prose: Automate patching of operating systems and applications. + name: statement + id: is-2_smt + - prose: "Apply patch baselines via the CSP node management service, unless the patch management process is automated as part of the build and deploy phase. For on-premise systems, use tools like Azure Update Manager to schedule and automatically deploy patches to Windows and Linux OS." + name: guidance + id: is-2_gdn + props: + - ns: http://tech.gov.sg/ns/oscal + name: risk-statement + value: "Failure to automate patching of operating systems and applications increases the risk of delayed or missed security updates, leaving systems vulnerable to known exploits and potential security breaches, compromising the overall security of the environment." + - ns: http://tech.gov.sg/ns/oscal + name: published + value: 2023-09-01T16:44:29+0800 + - ns: http://tech.gov.sg/ns/oscal + name: last-modified + value: 2024-02-06T00:47:04+0800 + title: Automated Patch Management + links: + - href: "#da71948e-4dff-4a9d-a645-69ced821fe97" + rel: reference + text: "IM8 Cloud Security (IaaS and PaaS): 1.7/S12" + - href: "#da71948e-4dff-4a9d-a645-69ced821fe97" + rel: reference + text: "IM8 Cloud Security (IaaS and PaaS): 1.8/S4" + id: is-2 + - parts: + - prose: Restrict administrator privileges by disabling remote login for the root/administrator user and restricting sudo/administrators group access for other users. 
+ name: statement + id: is-3_smt + - prose: Further reduce the attack surface by running common services such as the web server or database without root/administrator/system privileges. + name: guidance + id: is-3_gdn + props: + - ns: http://tech.gov.sg/ns/oscal + name: risk-statement + value: "Without restricting administrator privileges, there is an increased risk of unauthorised access, privilege escalation, and potential security breaches, compromising the integrity and security of the system." + - ns: http://tech.gov.sg/ns/oscal + name: published + value: 2023-09-01T16:44:29+0800 + - ns: http://tech.gov.sg/ns/oscal + name: last-modified + value: 2024-02-06T01:04:05+0800 + title: Restricted Administrator Privileges + links: + - href: "#da71948e-4dff-4a9d-a645-69ced821fe97" + rel: reference + text: "IM8 Cloud Security (IaaS and PaaS): 1.6/S1d" + - href: "#da71948e-4dff-4a9d-a645-69ced821fe97" + rel: reference + text: "IM8 Cloud Security (IaaS and PaaS): 1.6/S1e" + - href: "#f3057503-f399-4735-9d7b-ea9830f3b2ac" + rel: reference + text: "IM8 On-Premise IS (Non-S): 1.2/S2a" + id: is-3 + - parts: + - prose: "Disable or remove unnecessary functions, system ports, protocols, software, and services on the host." + name: statement + id: is-4_smt + - prose: "Follow the principle of least functionality to configure the host to carry out only its intended purpose. CSP node management services can provide an inventory of software and services (e.g., AWS Systems Manager Inventory). Vulnerability assessment scanners (e.g., AWS Inspector) can also identify software vulnerabilities and network exposure." + name: guidance + id: is-4_gdn + props: + - ns: http://tech.gov.sg/ns/oscal + name: risk-statement + value: "Failure to disable or remove unnecessary functions, system ports, protocols, software, and services on the host increases the attack surface, potential vulnerabilities, and the risk of exploitation, compromising the overall security and performance of the system." 
+ - ns: http://tech.gov.sg/ns/oscal + name: published + value: 2023-09-01T16:44:29+0800 + - ns: http://tech.gov.sg/ns/oscal + name: last-modified + value: 2024-02-06T01:04:05+0800 + title: Least Functionality + links: + - href: "#0062e6a3-8ac4-44db-92df-8357b437ca0c" + rel: reference + text: "NIST SP 800-53 CM-7: Least Functionality" + - href: "#da71948e-4dff-4a9d-a645-69ced821fe97" + rel: reference + text: "IM8 Cloud Security (IaaS and PaaS): 1.4/S7" + - href: "#da71948e-4dff-4a9d-a645-69ced821fe97" + rel: reference + text: "IM8 Cloud Security (IaaS and PaaS): 1.5/S4e" + - href: "#da71948e-4dff-4a9d-a645-69ced821fe97" + rel: reference + text: "IM8 Cloud Security (IaaS and PaaS): 1.7/S1b" + - href: "#f3057503-f399-4735-9d7b-ea9830f3b2ac" + rel: reference + text: "IM8 On-Premise IS (Non-S): 1.2/S2c" + id: is-4 + - parts: + - prose: Harden the host configuration with reference to industry standards. + name: statement + id: is-5_smt + - prose: "Select the appropriate benchmark for the host such as from the [NIST National Checklist Program](#521952dd-5c57-4277-a069-4dae6bc0c28d) or [CIS Benchmarks](#09ba067b-8923-4f22-bb31-b8619edcaa07). Automate the configuration process or use hardened images instead of manually configuring." + name: guidance + id: is-5_gdn + props: + - ns: http://tech.gov.sg/ns/oscal + name: risk-statement + value: "Without hardening the operating system configuration according to industry standards, there's an increased risk of security vulnerabilities, unauthorised access, and potential exploitation, compromising the overall security posture and resilience of the operating system." 
+ - ns: http://tech.gov.sg/ns/oscal
+ name: published
+ value: 2023-09-01T16:44:29+0800
+ - ns: http://tech.gov.sg/ns/oscal
+ name: last-modified
+ value: 2024-02-06T01:04:05+0800
+ title: Host System Hardening
+ links:
+ - href: "#da71948e-4dff-4a9d-a645-69ced821fe97"
+ rel: reference
+ text: "IM8 Cloud Security (IaaS and PaaS): 1.6/G2"
+ - href: "#da71948e-4dff-4a9d-a645-69ced821fe97"
+ rel: reference
+ text: "IM8 Cloud Security (IaaS and PaaS): 1.6/S2"
+ - href: "#f3057503-f399-4735-9d7b-ea9830f3b2ac"
+ rel: reference
+ text: "IM8 On-Premise IS (Non-S): 1.2/S1"
+ id: is-5
+ - parts:
+ - prose: Use remote administration tools instead of direct SSH or RDP.
+ name: statement
+ id: is-6_smt
+ - prose: "In production environments, use remote administration (e.g., AWS Systems Manager Session Manager, AWS Systems Manager Fleet Manager, GCC Privileged Identity Management) only for break glass scenarios where remote monitoring and automation is not available. Document and remediate gaps in monitoring and automation to minimise the need for remote administration. If SSH is still required and remote administration tools are not available, only use it within a private non-production environment such as an encrypted tunnel and authenticate with short-lived certificates."
+ name: guidance
+ id: is-6_gdn
+ props:
+ - ns: http://tech.gov.sg/ns/oscal
+ name: risk-statement
+ value: "Using remote administration tools enhances security by providing controlled and audited access, reducing the risk of unauthorised activities, and improving overall management of privileged identities."
+ - ns: http://tech.gov.sg/ns/oscal
+ name: published
+ value: 2023-09-01T16:44:29+0800
+ - ns: http://tech.gov.sg/ns/oscal
+ name: last-modified
+ value: 2024-02-06T00:47:04+0800
+ title: Remote Administration
+ links:
+ - href: "#229a38da-bdc1-4a59-b1cb-8904cb59d0a5"
+ rel: reference
+ text: "AWS SSB WKLD.06: Use Systems Manager instead of SSH or RDP"
+ - href: "#da71948e-4dff-4a9d-a645-69ced821fe97"
+ rel: reference
+ text: "IM8 Cloud Security (IaaS and PaaS): 1.4/S21"
+ id: is-6
+ - parts:
+ - prose: Detect and quarantine malware on hosts with anti-malware tools.
+ name: statement
+ id: is-7_smt
+ - prose: "Configure anti-malware tools for all compute hosts (e.g. AWS Guardduty Malware Protection, Azure Antimalware, Trend Micro CloudOne). These tools should be kept up-to-date with the latest malware signatures. Regular scans should be scheduled to detect and quarantine potential threats."
+ name: guidance
+ id: is-7_gdn
+ props:
+ - ns: http://tech.gov.sg/ns/oscal
+ name: risk-statement
+ value: "Without malware protection, there's an increased risk of undetected malicious activities, potential data breaches, and compromise of host systems, highlighting the importance of proactive measures to ensure the security and integrity of the environment."
+ - ns: http://tech.gov.sg/ns/oscal
+ name: published
+ value: 2023-09-20T11:06:17+0800
+ - ns: http://tech.gov.sg/ns/oscal
+ name: last-modified
+ value: 2024-02-06T00:47:04+0800
+ title: Malware Protection
+ links:
+ - href: "#da71948e-4dff-4a9d-a645-69ced821fe97"
+ rel: reference
+ text: "IM8 Cloud Security (IaaS and PaaS): 1.6/S1a"
+ id: is-7
+ - parts:
+ - prose: Monitor security threats on hosts with an EDR tool.
+ name: statement
+ id: is-8_smt
+ - prose: Implement EDR tools for all compute hosts. Security incident response should be planned and documented for the tool. EDR tools with built-in malware protection should be favoured to reduce additional agents.
+ name: guidance
+ id: is-8_gdn
+ props:
+ - ns: http://tech.gov.sg/ns/oscal
+ name: risk-statement
+ value: "Failure to monitor security threats on hosts with an Endpoint Detection and Response (EDR) tool increases the risk of undetected advanced threats, compromises in host security, and delayed response to potential security incidents, highlighting the need for continuous monitoring and proactive threat detection."
+ - ns: http://tech.gov.sg/ns/oscal
+ name: published
+ value: 2023-09-20T11:06:17+0800
+ - ns: http://tech.gov.sg/ns/oscal
+ name: last-modified
+ value: 2024-02-06T00:47:04+0800
+ title: Endpoint Detection and Response (EDR)
+ links:
+ - href: "#da71948e-4dff-4a9d-a645-69ced821fe97"
+ rel: reference
+ text: "IM8 Cloud Security (IaaS and PaaS): 1.6/G1a"
+ id: is-8
+ - parts:
+ - prose: "Ensure deployed {{ insert: param, is-9_prm_1 }} assets have not reached end-of-support (EOS). Use of EOS assets will require risk acceptance by approved authority."
+ name: statement
+ id: is-9_smt
+ - prose: "Identify, track and replace EOS assets in a timely manner. Regularly review assets to identify upcoming EOS timeframe and replace them ahead of EOS date."
+ name: guidance
+ id: is-9_gdn
+ props:
+ - ns: http://tech.gov.sg/ns/oscal
+ name: risk-statement
+ value: EOS assets can introduce security vulnerabilities as the assets are no longer provided with security fixes.
+ - ns: http://tech.gov.sg/ns/oscal
+ name: published
+ value: 2023-10-27T15:48:25+0800
+ - ns: http://tech.gov.sg/ns/oscal
+ name: last-modified
+ value: 2024-05-15T23:39:47+0800
+ params:
+ - id: is-9_prm_1
+ label: type
+ class: str
+ guidelines:
+ - prose: The type of asset.
+ title: End-of-Support (EOS) Assets
+ links:
+ - href: "#da71948e-4dff-4a9d-a645-69ced821fe97"
+ rel: reference
+ text: "IM8 Cloud Security (IaaS and PaaS): 1.1/S6"
+ - href: "#9749c983-5562-4a6f-8852-7eecf9b38d2c"
+ rel: reference
+ text: "IM8 On-Premise ADS (Non-S): 5.1/S8"
+ id: is-9
+ - parts:
+ - prose: Synchronise internal clocks to a common reference time source.
+ name: statement
+ id: is-10_smt
+ - prose: "Use common time source such as Network Time Protocol (NTP). In the cloud, it is recommended to use the default time sources provided by the CSPs."
+ name: guidance
+ id: is-10_gdn
+ props:
+ - ns: http://tech.gov.sg/ns/oscal
+ name: risk-statement
+ value: "The lack of synchronised clocks introduces significant risks, including increased security vulnerabilities, data integrity issues, and challenges in troubleshooting."
+ - ns: http://tech.gov.sg/ns/oscal
+ name: published
+ value: 2024-02-27T15:48:25+0800
+ - ns: http://tech.gov.sg/ns/oscal
+ name: last-modified
+ value: 2024-02-06T01:04:05+0800
+ title: Synchronise time clocks
+ links:
+ - href: "#f3057503-f399-4735-9d7b-ea9830f3b2ac"
+ rel: reference
+ text: "IM8 On-Premise IS (Non-S): 1.2/S5"
+ id: is-10
+ - parts:
+ - prose: Register .gov.sg and .edu.sg domain names with GovTech as the sole registrar.
+ name: statement
+ id: is-11_smt
+ - prose: Use the Whole of Government Domain Name Server (DNS) portal on the IT Service Management (ITSM) portal to register domain names.
+ name: guidance
+ id: is-11_gdn
+ props:
+ - ns: http://tech.gov.sg/ns/oscal
+ name: risk-statement
+ value: Improper management of domain names increase the risk of phishing attacks or domain takeovers.
+ - ns: http://tech.gov.sg/ns/oscal
+ name: published
+ value: 2024-03-18T01:21:38+0800
+ - ns: http://tech.gov.sg/ns/oscal
+ name: last-modified
+ value: 2024-05-21T00:56:33+0800
+ title: Central Domain Name Registration
+ links:
+ - href: "#3402c67f-c59f-440a-b82d-81cf4d92de90"
+ rel: reference
+ text: "IM8 Cloud ADO: 2.1/S1, 2.1/S2"
+ - href: "#c83c5d3f-cb13-492b-9028-ab7dc717e396"
+ rel: reference
+ text: "MCI ICT Circular Minute No 5/2014: Internet Domain Names Registration, Management and Protection"
+ id: is-11
+ - parts:
+ - prose: Implement DNS Security Extensions (DNSSEC) for public DNS records and servers.
+ name: statement
+ id: is-12_smt
+ - prose: "DNS services such as WOG DNS, Amazon Route 53 and Cloudflare support DNSSEC configuration."
+ name: guidance
+ id: is-12_gdn
+ props:
+ - ns: http://tech.gov.sg/ns/oscal
+ name: risk-statement
+ value: Insecure domain name resolution can lead to man-in-the-middle attacks caused by DNS spoofing or DNS cache poisoning.
+ - ns: http://tech.gov.sg/ns/oscal
+ name: published
+ value: 2024-03-18T01:17:33+0800
+ - ns: http://tech.gov.sg/ns/oscal
+ name: last-modified
+ value: 2024-03-18T01:17:33+0800
+ title: DNS Security Extensions (DNSSEC)
+ links:
+ - href: "#f3057503-f399-4735-9d7b-ea9830f3b2ac"
+ rel: reference
+ text: "IM8 On-Premise IS (Non-S): 4.4/S5"
+ - href: "#f3057503-f399-4735-9d7b-ea9830f3b2ac"
+ rel: reference
+ text: "IM8 Cloud IS (Non-S): 4.4/S5"
+ - href: "#0062e6a3-8ac4-44db-92df-8357b437ca0c"
+ rel: reference
+ text: "NIST SP 800-53 SC-20: Secure Name/Address Resolution Service (Authoritative Source)"
+ id: is-12
+ - parts:
+ - prose: "Register second (.sg) and third (.com.sg, .org.sg, .net.sg, .edu.sg) level domain name variants of the system's primary domain name."
+ name: statement
+ id: is-13_smt
+ - prose: Consider defensive registration of domain names with typographical variants of the system's primary domain name.
The Whole of Government Domain Name Server (DNS) portal on the IT Service Management (ITSM) portal automatically includes the second and third level domain names.
+ name: guidance
+ id: is-13_gdn
+ props:
+ - ns: http://tech.gov.sg/ns/oscal
+ name: risk-statement
+ value: Malicious use of domain names similar to actual Government domain names increases the risk of phishing and spoofing.
+ - ns: http://tech.gov.sg/ns/oscal
+ name: published
+ value: 2024-05-21T01:14:44+0800
+ - ns: http://tech.gov.sg/ns/oscal
+ name: last-modified
+ value: 2024-05-21T01:14:44+0800
+ title: Defensive Domain Name Registration
+ links:
+ - href: "#f76c8617-eb15-4b80-8911-4abca5ba2d84"
+ rel: reference
+ text: "MCI ICT Circular Minute No 6/2021: Mandatory Defensive Registration of Internet Domain Names"
+ id: is-13
+ - parts:
+ - prose: Register and use whitelisted SMS Sender IDs with the Singapore SMS Sender ID Registry for sending SMSes.
+ name: statement
+ id: is-14_smt
+ - prose: "Agencies must use the \"gov.sg\" Sender ID via the Postman tool to send SMSes to members of public unless exempted. Whitelist Sender IDs used to send SMSes and blacklist Sender IDs which are variants of the whitelisted Sender IDs, agency names, or names of services."
+ name: guidance
+ id: is-14_gdn
+ props:
+ - ns: http://tech.gov.sg/ns/oscal
+ name: risk-statement
+ value: Lack of Sender ID registration allows malicious entities to spoof legitimate Government SMSes.
+ - ns: http://tech.gov.sg/ns/oscal
+ name: published
+ value: 2024-05-21T02:15:22+0800
+ - ns: http://tech.gov.sg/ns/oscal
+ name: last-modified
+ value: 2024-05-21T02:15:22+0800
+ title: Singapore SMS Sender ID Registry Registration
+ links:
+ - href: "#17e0e48b-e687-4dbf-afb0-56adfc0bbc3e"
+ rel: reference
+ text: "PMO(SNDGO) Circular Minute No 4/2022: Mandatory Registration with the Singapore SMS Sender ID Registry"
+ - href: "#824c06dc-a7bb-4d1a-8ea7-7ce2095ff55c"
+ rel: reference
+ text: "PMO(SNDGO) Circular Minute No 1/2024: Implementation of Measures to Establish Trusted Channels for Government Calls and Messages (Building Trusted Networks)"
+ - href: "#31761a08-1ca2-48f2-90f5-13fc96128f45"
+ rel: reference
+ text: "PMO (SNDGO) Circular Minute No 2/2024: Amendments to PMO (SNDGO) Circular Minute No 1/2024: Implementation of Measures to Establish Trusted Channels for Government Calls and Messages (Building Trusted Networks)"
+ id: is-14
+ title: Infrastructure Security
+ id: is
+ - parts:
+ - prose: Controls to secure the development pipeline and perform source code quality assurance.
+ name: overview
+ controls:
+ - parts:
+ - prose: Configure the code repository to prevent secrets from being pushed to the repository.
+ name: statement
+ id: sd-1_smt
+ - prose: Use GitLab's push rules or GitHub's push protection to reject secrets on push.
+ name: guidance
+ id: sd-1_gdn
+ props:
+ - ns: http://tech.gov.sg/ns/oscal
+ name: risk-statement
+ value: "Failure to configure the code repository to prevent secrets from being pushed introduces the risk of inadvertent exposure, unauthorised access, and potential misuse of sensitive information, compromising the security of the codebase and associated systems."
+ - ns: http://tech.gov.sg/ns/oscal
+ name: published
+ value: 2023-09-04T21:33:34+0800
+ - ns: http://tech.gov.sg/ns/oscal
+ name: last-modified
+ value: 2024-02-06T01:04:05+0800
+ title: Push Protection for Secrets
+ links:
+ - href: "#ee9148b4-3f31-48c8-8503-24fb5cd73db8"
+ rel: reference
+ text: "IM8 Cloud ADS: 6.4/G1"
+ id: sd-1
+ - parts:
+ - prose: Configure the code repository to prevent pushes (including force pushes) to the default branch.
+ name: statement
+ id: sd-2_smt
+ - prose: Use GitLab's protected branch and merge request settings or GitHub's branch protection settings to enforce this.
+ name: guidance
+ id: sd-2_gdn
+ props:
+ - ns: http://tech.gov.sg/ns/oscal
+ name: risk-statement
+ value: "Without configuring the code repository to prevent pushes, including force pushes, to the default branch, there's an increased risk of unintentional or malicious changes, potential loss of code history, and compromised version control, impacting the integrity and reliability of the software development process."
+ - ns: http://tech.gov.sg/ns/oscal
+ name: published
+ value: 2023-09-04T21:33:34+0800
+ - ns: http://tech.gov.sg/ns/oscal
+ name: last-modified
+ value: 2023-09-07T09:39:34+0800
+ title: Default Branch Push Permissions
+ id: sd-2
+ - parts:
+ - prose: Require Continuous Integration (CI) tests to pass before merging into the default branch.
+ name: statement
+ id: sd-3_smt
+ - prose: Use GitLab's protected branch and merge request settings or GitHub's branch protection settings to enforce this.
+ name: guidance
+ id: sd-3_gdn
+ props:
+ - ns: http://tech.gov.sg/ns/oscal
+ name: risk-statement
+ value: "Failing to require passing Continuous Integration (CI) tests before merging into the default branch increases the risk of introducing faulty code, potential regressions, and compromise of code quality."
+ - ns: http://tech.gov.sg/ns/oscal
+ name: published
+ value: 2023-09-04T21:33:34+0800
+ - ns: http://tech.gov.sg/ns/oscal
+ name: last-modified
+ value: 2023-09-04T21:33:34+0800
+ title: Continuous Integration (CI) Tests
+ id: sd-3
+ - parts:
+ - prose: "Set up a static analysis job in the {{ insert: param, sd-4_prm_1 }}, and remediate or risk accept true positive vulnerability findings before deploying to production."
+ name: statement
+ id: sd-4_smt
+ - prose: "Static analysis tools (such as SAST or IaC security scanners) check source code for common vulnerabilities and misconfigurations. By running static analysis tools earlier in the DevSecOps cycle, vulnerabilities can be detected and prevented from being deployed to production."
+ name: guidance
+ id: sd-4_gdn
+ props:
+ - ns: http://tech.gov.sg/ns/oscal
+ name: risk-statement
+ value: "Without setting up static analysis in the CI/CD pipeline for each merge request and addressing true positive vulnerability findings, there is an increased risk of deploying insecure code to the production branch, potentially leading to security breaches and compromise of the overall system."
+ - ns: http://tech.gov.sg/ns/oscal
+ name: published
+ value: 2023-09-04T21:33:34+0800
+ - ns: http://tech.gov.sg/ns/oscal
+ name: last-modified
+ value: 2024-02-06T01:04:05+0800
+ params:
+ - id: sd-4_prm_1
+ label: location
+ class: str
+ guidelines:
+ - prose: The location where static analysis occurs.
+ select:
+ how-many: one-or-more
+ choice:
+ - CI/CD pipeline
+ - static analysis platform
+ title: Static Analysis
+ links:
+ - href: "#ee9148b4-3f31-48c8-8503-24fb5cd73db8"
+ rel: reference
+ text: "IM8 Cloud ADS: 6.4/S2"
+ - href: "#9749c983-5562-4a6f-8852-7eecf9b38d2c"
+ rel: reference
+ text: "IM8 On-Premise ADS (Non-S): 4.1/S1"
+ id: sd-4
+ - parts:
+ - prose: "Schedule a scan at least every {{ insert: param, sd-5_prm_1 }} day(s) in the {{ insert: param, sd-5_prm_2 }} to identify the use of vulnerable software libraries."
+ name: statement
+ id: sd-5_smt
+ - prose: "Dependency scanning checks the source code for dependencies with known vulnerabilities. By running scans regularly using bots or software composition analysis (SCA) tools, vulnerabilities arising from outdated dependencies can be quickly detected and patched. Software composition analysis can be performed using tools such as Gitlab, Nexus IQ, or their equivalent, with output in a common SBOM format such as SPDX or CycloneDX."
+ name: guidance
+ id: sd-5_gdn
+ props:
+ - ns: http://tech.gov.sg/ns/oscal
+ name: risk-statement
+ value: "Failing to schedule regular dependency scanning to identify vulnerable software libraries and address findings in a timely manner increases the risk of deploying applications with known vulnerabilities, potentially exposing the system to security exploits and compromise."
+ - ns: http://tech.gov.sg/ns/oscal
+ name: published
+ value: 2023-09-04T21:33:34+0800
+ - ns: http://tech.gov.sg/ns/oscal
+ name: last-modified
+ value: 2024-03-31T23:51:28+0800
+ params:
+ - id: sd-5_prm_1
+ label: time period (days)
+ class: int
+ guidelines:
+ - prose: The time period in days of dependency scanning frequency.
+ - id: sd-5_prm_2
+ label: location
+ class: str
+ guidelines:
+ - prose: The location where dependency scanning occurs.
+ select:
+ how-many: one-or-more
+ choice:
+ - CI/CD pipeline
+ - code repository
+ - dependency scanning platform
+ title: Dependency Scanning
+ links:
+ - href: "#8723fc45-7378-478f-b61f-2e22a170e98c"
+ rel: reference
+ text: "MVSP 2.6: Dependency Patching"
+ - href: "#da71948e-4dff-4a9d-a645-69ced821fe97"
+ rel: reference
+ text: "IM8 Cloud Security (IaaS and PaaS): 1.7/S8i"
+ - href: "#ee9148b4-3f31-48c8-8503-24fb5cd73db8"
+ rel: reference
+ text: "IM8 Cloud ADS: 8.1/S2"
+ - href: "#ee9148b4-3f31-48c8-8503-24fb5cd73db8"
+ rel: reference
+ text: "IM8 Cloud ADS: 6.1/S1c"
+ - href: "#9749c983-5562-4a6f-8852-7eecf9b38d2c"
+ rel: reference
+ text: "IM8 On-Premise ADS (Non-S): 1.1/S1i"
+ id: sd-5
+ - parts:
+ - prose: "Set up secret detection in the {{ insert: param, sd-6_prm_1 }} and remediate true positives within {{ insert: param, sd-6_prm_2 }} day(s)."
+ name: statement
+ id: sd-6_smt
+ - prose: Ensure that the exposed secret is revoked and purged from the Git history.
+ name: guidance
+ id: sd-6_gdn
+ props:
+ - ns: http://tech.gov.sg/ns/oscal
+ name: risk-statement
+ value: "Without setting up secret detection and addressing true positive findings promptly, there's an increased risk of exposing sensitive information, potential unauthorised access, and compromised security."
+ - ns: http://tech.gov.sg/ns/oscal
+ name: published
+ value: 2023-09-04T21:33:34+0800
+ - ns: http://tech.gov.sg/ns/oscal
+ name: last-modified
+ value: 2024-02-09T22:54:15+0800
+ params:
+ - id: sd-6_prm_1
+ label: time period (days)
+ class: int
+ guidelines:
+ - prose: Number of days within which to remediate a secret detection true positive.
+ - id: sd-6_prm_2
+ label: location
+ class: str
+ guidelines:
+ - prose: The location where secret detection occurs.
+ select:
+ how-many: one-or-more
+ choice:
+ - CI/CD pipeline
+ - code repository
+ - secret detection platform
+ title: Secret Detection
+ links:
+ - href: "#da71948e-4dff-4a9d-a645-69ced821fe97"
+ rel: reference
+ text: "IM8 Cloud Security (IaaS and PaaS): 1.7/S8f"
+ - href: "#ee9148b4-3f31-48c8-8503-24fb5cd73db8"
+ rel: reference
+ text: "IM8 Cloud ADS: 1.1/S1f"
+ - href: "#ee9148b4-3f31-48c8-8503-24fb5cd73db8"
+ rel: reference
+ text: "IM8 Cloud ADS: 6.4/G1b"
+ - href: "#9749c983-5562-4a6f-8852-7eecf9b38d2c"
+ rel: reference
+ text: "IM8 On-Premise ADS (Non-S): 6.4/G1"
+ id: sd-6
+ - parts:
+ - prose: Protect environment variable secrets used in CI jobs by limiting them to protected pipelines and masking them in job logs.
+ name: statement
+ id: sd-7_smt
+ - prose: Use GitLab's CI/CD variable security settings or GitHub's encrypted secrets with the add-mask workflow command.
+ name: guidance
+ id: sd-7_gdn
+ props:
+ - ns: http://tech.gov.sg/ns/oscal
+ name: risk-statement
+ value: Failing to protect environment variable secrets in CI jobs by limiting them to protected pipelines and masking them in job logs increases the risk of unauthorized access and exposure of sensitive information.
+ - ns: http://tech.gov.sg/ns/oscal
+ name: published
+ value: 2023-09-04T21:33:34+0800
+ - ns: http://tech.gov.sg/ns/oscal
+ name: last-modified
+ value: 2023-09-04T21:33:34+0800
+ title: CI Environment Variable Secrets Management
+ id: sd-7
+ - parts:
+ - prose: "Segregate production and non-production environments including applications, services, data, secrets, roles, and networks."
+ name: statement
+ id: sd-8_smt
+ - prose: "Achieve segregation using separate Government on Commercial Cloud (GCC) accounts for environments such as production, development, test, and staging.
Account segregation enhances security by limiting exposure, simplifies resource and cost management, maintains configuration integrity, facilitates compliance and auditing and streamlines operational tasks. Deploy and operate environments as similarly as possible to enhance debugging and time-to-market."
+ name: guidance
+ id: sd-8_gdn
+ props:
+ - ns: http://tech.gov.sg/ns/oscal
+ name: risk-statement
+ value: "Failure to segregate production and non-production environments increases the risk of unauthorized access, data leaks, and denial of service attacks, as compromises in non-production environments may lead to cascading impacts on production systems."
+ - ns: http://tech.gov.sg/ns/oscal
+ name: published
+ value: 2023-09-04T21:33:34+0800
+ - ns: http://tech.gov.sg/ns/oscal
+ name: last-modified
+ value: 2024-02-06T00:47:04+0800
+ title: Deployment Environment Segregation
+ links:
+ - href: "#8723fc45-7378-478f-b61f-2e22a170e98c"
+ rel: reference
+ text: "MVSP 4.2: Logical access"
+ - href: "#da71948e-4dff-4a9d-a645-69ced821fe97"
+ rel: reference
+ text: "IM8 Cloud Security (IaaS and PaaS): 1.4/S9"
+ id: sd-8
+ title: Secure Development
+ id: sd
+ - parts:
+ - name: overview
+ controls:
+ - parts:
+ - prose: Physically separate Government resources from non-Government resources.
+ name: statement
+ id: dc-1_smt
+ - prose: "For on-premise environments, ensure government resources are physically stored and secured separately from non-government resources."
+ name: guidance
+ id: dc-1_gdn
+ props:
+ - ns: http://tech.gov.sg/ns/oscal
+ name: risk-statement
+ value: Violating this control can subject government data and systems to access risks leading to compromised systems and data.
+ - ns: http://tech.gov.sg/ns/oscal
+ name: published
+ value: 2023-10-27T16:50:47+0800
+ - ns: http://tech.gov.sg/ns/oscal
+ name: last-modified
+ value: 2024-02-06T01:04:05+0800
+ title: Separate hosting
+ links:
+ - href: "#f3057503-f399-4735-9d7b-ea9830f3b2ac"
+ rel: reference
+ text: "IM8 On-Premise IS (Non-S): 1.1/S1c"
+ id: dc-1
+ - parts:
+ - prose: Implement physical access controls to prohibit unauthorised access to the hosting environment or network rooms.
+ name: statement
+ id: dc-2_smt
+ - prose: |-
+ Measures to consider include:
+
+ a) personnel security clearance and checks
+
+ b) Continuous monitoring
+
+ c) Immediate security response
+
+ d) Strong authentication card access system to regulate and log access of employees, visitors and contractors to the facility;
+
+ e) Guards deployed to guard the facility 24/7;
+
+ f) Restrict items (such as unauthorised computing devices) to be brought into the facility;
+
+ g) Intrusion Detection System installed to detect unauthorised access;
+
+ h) CCTV installed to monitor the facility.
+ name: guidance
+ id: dc-2_gdn
+ props:
+ - ns: http://tech.gov.sg/ns/oscal
+ name: risk-statement
+ value: Violating this control can subject government data and systems to access risks leading to compromised systems and data.
+ - ns: http://tech.gov.sg/ns/oscal
+ name: published
+ value: 2023-10-27T16:50:47+0800
+ - ns: http://tech.gov.sg/ns/oscal
+ name: last-modified
+ value: 2024-02-06T01:04:05+0800
+ title: Physical Access Controls
+ links:
+ - href: "#f3057503-f399-4735-9d7b-ea9830f3b2ac"
+ rel: reference
+ text: "IM8 On-Premise IS (Non-S): 1.1/S1i"
+ id: dc-2
+ title: Datacentre
+ id: dc