Security requirements for financial services firms are among the strictest in any industry. In Singapore, data center security requirements include compliance with ISAE 3402 (the international equivalent of SSAE 16) as well as the Monetary Authority of Singapore (MAS) requirement that all financial institutions complete a Threat and Vulnerability Risk Assessment (TVRA). Both standards include thorough data center security auditing requirements.
SSAE 16, for example, examines the safety controls of “service organizations,” including hosted data centers. The purpose of the TVRA is to identify security threats to and operational weaknesses in a data center. The governments of both the United States and Singapore oversee these security certifications, with the aim of ensuring that operations teams at financial services companies are able to deal with unforeseen events.
SSAE 16 / ISAE 3402: If a data center performs services that have a direct or indirect effect on the financial statements or internal control systems of its clients, clients may ask that data center to provide an SSAE 16 SOC 1 Type II Report – demonstrating that the data center’s controls are designed and operated effectively.
Monetary Authority of Singapore (MAS): The MAS expects financial institutions to perform a Threat and Vulnerability Risk Assessment (TVRA) on their data centers in Singapore – and overseas, if the overseas data center supports the financial institution’s Singapore operations.
As Chris Schellman, founder of Brightline CPAs (a firm that provides SSAE 16 / SOC examination services) explains, “Data centers and managed service providers that host systems relevant to their customers’ financial reporting are responsible for certain controls over those systems, such as physical and environmental security. In the real world, customers are demanding ongoing SSAE 16 examinations from their data center providers.”
Singapore data center security compliance at IO Singapore
The IO data center in Singapore has achieved SSAE 16 SOC 1 Type II compliance and has completed a TVRA. Our anchor tenant in Singapore, investment bank Goldman Sachs, has achieved compliance with MAS guidelines.
That’s significant. Alan Bulley, associate partner at Citihub Consulting (a global IT advisory firm), says MAS is “probably the world’s strictest regulatory requirement when it comes to availability of financial IT systems.”
According to a report by Citihub, “The Monetary Authority of Singapore (MAS) was one of the first regulators to take a stance on regulating the data center assets of financial institutions. Any financial institution that is regulated by MAS must ensure that they have a current Threat, Vulnerability and Risk Assessment (TVRA) that demonstrates that its data center assets in Singapore and all other associated locations meet MAS guidelines. The TVRA requirements are both broad and deep in their specification.”
The same Citihub report explains that “MAS regulation is a significant challenge for financial services firms with their own facilities.” Yet “only a handful of commercial colocation vendors in Singapore [like IO] have a TVRA which is acceptable to the financial services end users … few colocation providers comply with the MAS requirements.”
How the TVRA works
The purpose of a Threat and Vulnerability Risk Assessment (TVRA) is to identify security threats to and operational weaknesses in a data center in order to determine the level and type of protection that should be established to safeguard the facility. The financial institution achieving TVRA compliance has to be able to manage and control risks in a manner that will maintain its financial and operational viability and stability.
The assessment of threats and vulnerabilities relating to a data center varies, depending on a number of factors, including:
- How critical the data center is to the business
- Geographic location
- Type of tenants (if the data center is multi-tenant)
- Potential impact from natural disasters
- Political and economic climate of the country where it resides
To achieve MAS TVRA compliance, a financial institution is required to assess the risk of various scenarios including theft, explosives, arson, unauthorized entry, external attacks, and insider sabotage. Risk assessment takes into account the inside of the data center, its perimeter, and surrounding environment.
How SSAE 16 works
The U.S.-based SSAE 16 (Statement on Standards for Attestation Engagements No. 16) and its international equivalent ISAE 3402 are audit standards established by the American Institute of Certified Public Accountants and by the International Auditing and Assurance Standards Board of the International Federation of Accountants, respectively. The standards are geared towards service organizations, that is, companies that perform outsourced work on behalf of their clients.
SSAE 16 audits are independent verifications that security controls are in place and are operating effectively. At the conclusion of an SSAE 16 SOC 1 Type II audit, the auditor renders an opinion on whether the service organization’s controls:
- Are described fairly
- Are designed effectively
- Are placed in operation as of a specified date
- Are operating effectively over a specified period of time
What drives security and resiliency at IO Singapore
The fact that the IO Singapore data center has completed an SSAE 16 SOC 1 Type II report, as well as a TVRA, and that our Singapore anchor tenant has achieved compliance with MAS guidelines, further validates the data center’s security, resiliency, and operational excellence.
What drives Singapore data center security and resiliency at IO Singapore? First, there are physical security measures protecting the data center building, including:
- Fenced defensible perimeter
- Traffic bollards/car traps
- Guard controlled gated entry
- 24x7xForever on-site guard staff
- Digital video surveillance
- Customer defined access lists
- Visitor tracking
- Biometric screening
- Private access control systems allowed
Additional physical security comes in the form of data center modules – hardened “steel vaults.” The modules are tested, certified, standardized data center infrastructure built using repeatable manufacturing processes. The modules can be hardened and tested even to the highest levels of national security requirements.
The other key aspect of data center security at IO is logical: data center infrastructure management (DCIM) software establishes a baseline and a framework for information exchange across the operational technology and information technology stacks, which enables organizations to proactively detect and mitigate threats to their IT enterprise.
Other key features of the IO data center in Singapore that drive security and resiliency include:
- IO controls entire Seagate building (over 1 million square-feet)
- The local power utility has its data center inside this building (priority building)
- Data center contains four (4) compartmentalized, physically distinct “pods”
- Bordered by central water canal and key fiber landings
- Proximate to main distribution substation with (4) 22kV feeders
- One of largest make-up water tanks in Singapore (300,000 liters)
IO serves companies around the world, with colocation data centers in the U.S. (Arizona, Ohio, and New Jersey), plus a Singapore data center in Asia, and a London data center in Europe coming online this spring. Tying it all together is DCIM software, which enables clients to monitor and manage their data center environments from any device, anywhere in the world. Learn more about Singapore colocation.