


Date: 27.11.2023
Report of the COI into the Cyber Attack on SingHealth 10 Jan 2019

COI Report – Part IV
Page 137 of 425

position) would have reported the matter to SingHealth GCIO Benedict on 13 June 2018.
412. Turning to Ernest, who was overseas at the time, the Committee finds that he should have nominated a covering officer. As Vivek observed:

SIRM is a critical role and must be staffed at all times. Also, there must be a proper handover-takeover process in place to ensure the responsibilities are transferred back to the primary SIRM once he or she is back from leave. Not having a functioning SIRM for an extended period could significantly hamper the investigation as CERT team may struggle to take decisions and seek the necessary support from other external parties including the SIRT team members.

413. The issues identified by Vivek were clearly borne out in this case, where Benjamin was effectively left alone to carry out his own investigations and coordinate the incident response, to the best of his abilities and resources. The fact that Ernest remained contactable while overseas did little to help the situation. Although Ernest was aware of the TigerConnect messages and able to read them, he did not do so. He simply opened the application to dismiss the notifications. If Ernest had paid some attention to the messages, he may have realised something was afoot, and could have delegated his duties to a specific officer while he was away.
414. The Committee further notes that this being a security incident, under the IR-SOP, the SIRT (Security Incident Response Team) should have been activated. The SIRT comprises not only security staff from the CERT (Computer Emergency Response Team), but also the infrastructure services lead and the application services lead. Had the SIRT been activated, there could, at a minimum, have been better coordination, resourcing, and leadership in the incident response. Senior management who were aware of the reporting framework and the need to escalate the matter may have done so, and CSA could have been informed at a much earlier stage.


