Singapore announces new Cloud Outage Incident Response Guidelines

by

28 February 2016
COIR

As part of its drive to strengthen transparency, trust and resilience of cloud service providers (CSPs) in a Smart Nation, the Infocomm Development Authority of Singapore (IDA) has announced a set of Cloud Outage Incident Response (COIR) Guidelines to assist in Business Continuity Management (BCM) and Disaster Recovery (DR) Plans.

This was announced at the Singapore Computer Society’s Business Continuity Management Conference on February 26 by IDA Assistant Chief Executive Khoong Hock Yun.

“In our journey towards being a Smart Nation, this Cloud Outage Incident Response Guidelines complement our efforts to drive ICT standards, strengthen resiliency and encourage clarity for businesses as cloud users. This effort, in collaboration with industry, shows IDA’s continuing commitment to encourage the industry to have robust Business Continuity Management and Disaster Recovery plans as well as Service Level clarity, to foster a more competitive business environment that enhances our digital economy,” he said in his opening address.

According to IDA, the guidelines enable CSPs to address the challenge of preparing for and mitigating the threat of cloud outages, whether for business-critical uptime or data sensitivity. CSPs which have completed COIR Guidelines can clearly state the scope and scale of resilience measures they have in place in the event of cloud outages, IDA said.

Worked on since September 2013, the COIR Guidelines draw on the combined work and feedback of enterprises and public agencies to form a cohesive blueprint to enhance CSP resilience capabilities. The COIR Working Group comprises representatives from IDA, Defence Science & Technology Agency, Asia Cloud Computing Association, IT Management Association, Singapore Computer Society and Singapore IT Federation. Focus Groups comprising representatives from cloud users, CSPs and sectorial regulators were also formed to solicit their views and feedback.

According to IDA, there are four tiers of responses CSPs can prepare for based on projected impact of outages, ranging from most to least severe:

  • Tier A - Systemic/Life-Threatening Impact (e.g. airplane traffic controls industry) – cloud services hosting functions which directly affect human safety or stability of economy, market or an entire industry at large. Immediate restoration is essential.
  • Tier B - Business Critical Impact (e.g. payment gateways, e-commerce portals) – cloud services hosting functions that are critical to an organisation’s operations. Businesses may be severely impacted should restoration not occur within hours. Restoration should occur within four hours.
  • Tier C - Operational Impact (e.g. corporate emails) – cloud services hosting functions that are essential to an organisation’s operations. Outage of these would result in significant impact to efficiency and effectiveness. Restoration within eight hours to a day is expected.
  • Tier D - Minimal Impact (e.g. general information websites) – cloud services hosting functions that are considered least important to an organisation’s operations and where longer duration of outages are tolerable. Restoration should generally occur within two working days.

By utilising these guidelines, IDA said CSPs can clearly outline the scope and scale of resilience measures they offer as part of their cloud services. Such measures can include clarity on mobilisation of emergency resources, prioritisation levels for recovery and restoration of affected cloud services.

Paul Lee, President of Singapore Computer Society Business Continuity Group, said, “The Cloud Outage Incident Response Guidelines are a welcome addition to the business continuity and disaster recovery body of knowledge for our industry. It brings clarity and assurance to enterprises and strengthens Singapore’s resilience as part of a Smart Nation.”

IDA and the COIR Working Group will now be working with the IT Standards Committee to turn the guidelines into a Singapore Standard.