ºÚÁÏÊÓƵ

Computer Misuse Act (CMA): Primary legislation in Singapore that criminalizes unauthorized access and modification of computer material, requiring explicit authorization for penetration testing activities

Personal Data Protection Act (PDPA): Legislation governing the collection, use, disclosure, and care of personal data, which must be considered when handling data during VAPT activities

Cybersecurity Act 2018: Framework for the protection of Critical Information Infrastructure (CII) in Singapore, establishing requirements for cybersecurity assessments and incident reporting

Criminal Law (Temporary Provisions) Act: Relevant for certain aspects of cybersecurity investigations and handling of potential criminal activities discovered during testing

MAS Technology Risk Management Guidelines: Regulatory guidelines specifically for financial institutions, providing requirements for technology risk management including penetration testing

MAS Notice 644: Specific notice on Technology Risk Management requirements for banks, including requirements for security testing and assessments

Singapore's Cybersecurity Code of Practice: Provides practical guidance on cybersecurity measures and best practices for organizations in Singapore

PDPC's Advisory Guidelines: Detailed guidance on compliance with PDPA requirements in various contexts, including security testing

ISO/IEC 27001: International standard for information security management systems, providing framework for security testing and assessments

NIST Cybersecurity Framework: Internationally recognized framework providing standards, guidelines, and best practices for managing cybersecurity risk

OWASP Testing Guide: Industry-standard guide for web application security testing, providing methodologies and best practices

PCI DSS: Payment Card Industry Data Security Standard requirements for organizations handling payment card data, including specific testing requirements

Authorization Requirements: Legal requirement for documented scope and explicit authorization from system owners before conducting VAPT activities

Data Protection Requirements: Legal obligations regarding handling of personal data during testing, including breach notification and data disposal requirements

Testing Boundaries Documentation: Legal requirement to clearly define and document scope limitations, prohibited activities, and emergency procedures

Reporting Obligations: Legal requirements for incident reporting, documentation, and retention of testing evidence

Professional Liability Considerations: Legal requirements regarding insurance, limitation of liability, and indemnification clauses for VAPT activities