sector specific, v2019, Published
Singapore Cyber Hygiene Notice (MAS)
MAS Cyber Hygiene
The MAS Cyber Hygiene Notice sets out legally binding requirements for financial institutions in Singapore to implement fundamental cybersecurity measures. It covers secure configuration, patch management, MFA, network perimeter defense, malware protection, employee awareness, and data loss prevention.
Issuing Body: Monetary Authority of Singapore (MAS)
Version: 2019
Published: 2019-08-06
Controls: 8
Mapped Laws: 4
| Control ID | Title | Description | Domain | Maturity |
|---|---|---|---|---|
| MAS-CH-4.1 | Secure Configuration | A financial institution shall establish and implement a process to harden the configuration of its systems. Unnecessary services, ports and protocols shall be disabled or removed. Default passwords shall be changed. | — | managed |
| MAS-CH-4.2 | Patch Management | A financial institution shall establish and implement a process to identify and remediate security vulnerabilities in its systems. Security patches shall be applied in a timely manner. A risk-based approach shall be used to prioritise patching. | — | managed |
| MAS-CH-4.3 | Multi-Factor Authentication | A financial institution shall implement multi-factor authentication for all administrative accounts and accounts with access to customer information. MFA shall also be implemented for remote access to the financial institution's network. | — | managed |
| MAS-CH-4.4 | Anti-Malware | A financial institution shall deploy anti-malware software on all systems. The anti-malware software shall be kept up-to-date and shall be configured to perform regular scans. | — | managed |
| MAS-CH-4.5 | Network Perimeter Defence | A financial institution shall establish and implement controls to protect its network perimeter. Firewalls and intrusion detection/prevention systems shall be deployed. Network traffic shall be monitored. | — | managed |
| MAS-CH-4.6 | Privileged Access Management | A financial institution shall establish and implement controls to manage privileged access. Privileged accounts shall be used only when necessary. Activities performed using privileged accounts shall be logged. | — | managed |
| MAS-CH-4.7 | Employee Security Awareness Training | A financial institution shall conduct security awareness training for all employees on a regular basis. Training shall cover phishing, social engineering, and other common attack vectors. | — | managed |
| MAS-CH-4.8 | Data Loss Prevention | A financial institution shall implement controls to prevent unauthorised disclosure of customer information. Data loss prevention tools shall be deployed to monitor and control the transfer of sensitive data. | — | managed |