NCSA Tackles Cloud Security with New Measures


The National Cyber Security Agency (NCSA) has recognized the growing reliance on cloud services by both government agencies and private sectors, along with the increasing number of cyberattacks targeting users. In response, the agency has drafted the Notification on Cloud System Cyber Security Standard ("Notification"), aiming to establish a robust standard of security measures for cloud systems.

Applicable Entities and Scope: The draft Notification is applicable to government agencies, supervising or regulating organizations, and organizations of critical information infrastructure (as defined under the Cybersecurity Act B.E. 2562 (2019)) that utilize cloud services and have official contracts with Cloud Service Providers (CSPs). These entities are collectively referred to as Cloud Service Customers (CSCs).

Risk Assessment and Categorization: According to the draft Notification, the risks associated with cloud system usage can originate from either the CSC or the CSP. Although the draft Notification applies directly only to CSCs, CSPs are to be bound, through their service agreements with CSCs, to comply with the requirements of the draft Notification as well. CSCs and CSPs are mandated to assess the level of risk in accordance with the security objectives prescribed by a separate NCSA notification. The risk levels are categorized as low, moderate, and high, each with different minimum requirements for security standards, CSC and CSP assessments, and certifications.


Minimum Requirements: The minimum requirements for cloud security depend on the assessed risk level and the related security objectives. These requirements may encompass various aspects, including:

  1. Cloud security governance, encompassing information security policies, organization of information security, supplier relationships, and compliance with rules and regulations.
  2. Cloud infrastructure security and operations, covering human resources security, asset management, access control, cryptography, physical and environmental security, operations security, communication security, system acquisition, development and maintenance, supplier relationships, and information security incident management.

Assessment and Certification: Depending on the risk level and the related security objectives, CSCs or CSPs may be required to conduct compliance assessments as follows:

  1. Self-assessment, conducted in accordance with NCSA’s prescribed requirements.
  2. Assessment by a regulator or regulatory agency (attestation).
  3. Assessment by an advanced certified body.

The frequency of assessments and certifications will also depend on the assessed risk level.

The draft Notification provides further detail, and CSPs and CSCs subject to its provisions are required to carefully assess their associated risks and obligations.

Conclusion: The NCSA’s draft Notification aims to establish a comprehensive framework for ensuring the security of cloud systems used by government agencies, regulatory bodies, and critical infrastructure organizations. By introducing risk-based minimum requirements, assessments, and certifications, the agency seeks to address the growing cybersecurity threats and enhance the overall resilience of cloud services within the country.

Author: Panisa Suwanmatajarn, Managing Partner.
