Organizations that operate Singapore’s critical infrastructure face an ever‑evolving cyber threat landscape. To protect essential services, Singapore’s Cyber Security Agency (CSA) developed the Cybersecurity Code of Practice (CCoP) for Critical Information Infrastructure. The second edition of the CCoP – sometimes called “CCoP 2.0” – came into effect on 4 July 2022 and provides a 12‑month grace period for operators to achieve compliance. The framework establishes minimum cybersecurity requirements for each of Singapore’s 11 CII sectors, including energy, healthcare, finance and transportation. These baseline controls are designed to enhance defensive capabilities and ensure the resilience of both IT and operational technology (OT) systems. In short, the CCoP sets the bar for security practices, while acknowledging that Critical Information Infrastructure Owners (CIIOs) may need to implement measures beyond the code to address evolving threats.
This guest post explores the key requirements of CCoP 2.0 and demonstrates how Mamori.io — an all‑in‑one privileged access management (PAM), zero‑trust network access (ZTNA) and database security platform — can streamline compliance and be your go-to CCoP Compliance Solution. By unifying multiple security controls in a single platform, Mamori addresses complex CCoP mandates and reduces the burden of managing disparate tools.
Understanding the Cybersecurity Code of Practice (CCoP)
The CCoP is a regulatory framework issued under Singapore’s Cybersecurity Act. It defines baseline cybersecurity practices for systems designated as critical information infrastructure (CII) and is designed to strengthen defences against sophisticated tactics, techniques and procedures (TTPs) used by threat actors. CCI operators must demonstrate compliance during periodic audits; the second edition supersedes prior versions and requires all audits conducted after the grace period to use CCoP 2.0.
At its core, the CCoP emphasises governance, protection, detection and response. Operators are expected to establish governance frameworks, implement controls that protect people, processes and technology, detect anomalous behaviour and respond effectively to incidents. With increased connectivity between IT and OT networks, the code also stresses the need to segregate operational technology, maintain fail‑safe mechanisms and ensure cyber‑resilience.
The Challenge for CII Operators
Complying with CCoP 2.0 can be daunting. The code covers everything from access control and account management to network segmentation, privileged access, logging, monitoring and OT architecture. Each domain requires dedicated technology, processes and expertise. Many organizations grapple with the complexity of integrating separate point solutions, maintaining audit trails and demonstrating continuous compliance. Moreover, the CSA notes that CIIOs may seek waivers only if compensating controls are deemed adequate, underscoring the importance of a holistic security posture.
How Mamori Addresses Access Control and Account Management (CCoP 5.1 & 5.2)
At the heart of CCoP is the requirement to implement role‑based access control. Mamori’s platform provides exactly this: Role‑Based authorization and authentication for users accessing critical systems. Access policies are defined based on roles rather than individual accounts, ensuring that users only receive the minimum privileges required for their duties. For account management, Mamori manages role‑based access to Remote Desktop (RDP), SSH (Linux) and databases, recording every session. Capturing detailed session logs helps organizations demonstrate compliance during audits and trace user actions for forensic analysis.
Strengthening Privileged Access and Domain Control (CCoP 5.3 & 5.4)
Privileged accounts are a primary target for attackers; the CCoP therefore mandates strong privileged access management. Mamori enforces multi‑factor authentication (MFA) and role‑based administrative access, preventing administrators from self‑approving access to sensitive resources. For domain controller access control, the platform offers multi‑factored access to specific network IP‑port combinations. These controls ensure that privileged users are authenticated and authorised before interacting with critical systems, reducing the risk of account compromise or misuse.
Micro‑Segmentation and Network Security (CCoP 5.5 & 5.6)
CCoP 2.0 calls for network segmentation to prevent attackers from moving laterally within a network. While firewalls segment core subnets, Mamori manages role‑based micro‑segmentation across subnets. The platform controls TCP traffic down to the IP‑port level, verifying a user’s right to access a specific service, performing MFA, logging the activity and monitoring for abnormal behaviour. This granular control not only satisfies CCoP mandates but also reduces the attack surface by allowing only authorised communications between systems.
Secure Remote Connections and Database Security (CCoP 5.7 & 5.13)
The increasing need for remote work and third‑party maintenance makes secure remote connections essential. Mamori provides secure, multi‑factored, encrypted remote access for RDP, SSH and database connections. Administrators access critical systems through the Mamori gateway rather than directly, which reduces exposure and simplifies auditing.
Database security is another pillar of CCoP. Mamori uses Database Activity Monitoring (DAM) through proxies to track every SQL statement executed. This capability delivers comprehensive visibility into how data is accessed and manipulated, enabling organizations to detect suspicious queries and maintain an immutable audit trail for compliance reporting.
Logging and Real‑Time Monitoring (CCoP 6.1 & 6.2)
Continuous logging and monitoring are core requirements for detecting anomalies. Mamori logs all activities — including RDP, SSH, database and HTTP connections — and aggregates them into a security data mart with dashboarding capabilities. Machine‑driven analytics detect unusual patterns such as network scanning or atypical database access, enabling real‑time alerts and rapid incident response. These capabilities align with the CCoP’s emphasis on detection and response.
OT Architecture and Air‑Gapped Security (CCoP 10.2)
Operators of critical infrastructure often manage operational technology that cannot be exposed to the Internet. CCoP 2.0 recognises this and prescribes specific OT architecture and security measures. Mamori’s solution is designed to work in air‑gapped environments, where data flows are restricted and credentials are protected. Users never enter database IDs or passwords directly; instead, the platform brokers access on their behalf. This reduces the risk of credential leakage and supports compliance in highly sensitive environments.
Additional Benefits Beyond Compliance
While the primary goal is to meet regulatory requirements, Mamori offers additional advantages that help CIIs strengthen their overall security posture. By consolidating multiple tools into a unified platform, organizations can replace complex, disparate solutions. Mamori also delivers full visibility across servers, networks and databases, enabling security teams to monitor all access activities in one place. Detailed logs and audit trails simplify audit readiness and accelerate regulatory reporting.
The platform’s design suits high‑security environments across sectors such as critical infrastructure, healthcare, government and energy, providing confidence that the solution can operate reliably where operational continuity is paramount. Mamori’s 2FA‑everywhere philosophy reflects a belief that passwords are inherently insecure; every access is verified with a second factor.
Fast and Frictionless Implementation
One of the challenges with compliance software is deployment complexity. Mamori removes this barrier with a three‑step onboarding process:
- Deploy a Mamori server – Download the free ZTNA solution, install it on a server (on‑premises or in the cloud) and configure MFA and alert settings. No agents or network changes are required.
- Integrate with existing directories or create new identities – Existing directory structures and permissions can be rolled over with minimal effort.
- Define access controls – Set up roles and specify which systems and data each role can access.
By simplifying deployment, Mamori helps CIIOs start their compliance journey quickly and reduces the time needed to demonstrate conformance with CCoP controls.
Getting Started
The CCoP clearly articulates that critical information infrastructure owners must comply with the code and implement the required cybersecurity controls. Mamori offers a unified platform that addresses access control, privileged access management, database monitoring, logging and anomaly detection. The solution also supports OT environments, including air‑gapped architectures, and provides secure access without exposing system credentials.
For small businesses or organisations just embarking on their compliance journey, Mamori even provides a free cybersecurity and CCoP compliance solution. Whether you’re operating a power grid or a hospital network, adopting a platform that consolidates multiple controls makes it easier to meet regulatory expectations and defend against evolving threats.
Conclusion
The Cybersecurity Code of Practice sets the foundation for protecting Singapore’s critical infrastructure, but compliance does not have to be complicated. By leveraging Mamori’s all‑in‑one data security platform, operators can unify their access control, PAM, network segmentation, database security, logging and monitoring requirements under a single roof. This approach not only meets the letter of the CCoP but also strengthens overall resilience and reduces operational complexity. As cyber threats become more sophisticated, tools that enable role‑based security, micro‑segmentation, two‑factor authentication and real‑time analytics will become indispensable.
With the compliance grace period for CCoP 2.0 now well underway, there has never been a better time to evaluate unified solutions. Mamori.io stands out as a platform that simplifies the journey toward compliance while enhancing security across your entire infrastructure. Start your CCoP compliance journey today and build a stronger defence for the critical services Singapore relies on.
