COI Report – Part IV Page 142 of 425

23.5 Assessment of IHiS’ incident response from 14 to 25 June 2018

428. The Committee notes the initiative shown by Benjamin and the CERT team to carry out forensic investigations. However, the pace of their investigations could have been improved with better resources. For instance, it took five days to locate and collect Workstation C, as the CERT did not possess the tools necessary to remotely collect forensic evidence. The CERT was also hampered by the fact that they only had one laptop, Benjamin’s personal computer, which was capable of processing the forensic images.

429. The CERT team, being new and relatively inexperienced, would also have benefitted from firm and effective leadership from the SIRM and Cluster ISO, both in terms of the conduct of investigations and on the issue of whether to escalate the matter to the GCIO. However, no such leadership was forthcoming from Ernest and Wee.

430. Turning to Ernest, two aspects of his evidence stand out in particular:

a) First, Ernest stated that he gets about “200” emails in a day. This presumably includes emails on security issues and, based on Ernest’s evidence, also includes emails about issues such as end-users not getting their account IDs and passwords, and complaints or feedback about his staff or the outsourced IT administration team. Ernest has explained that he would give equal priority to his emails and not prioritise them based on urgency, except when it came to complaints.

b) Second, Ernest’s definition of a security incident, which requires confirmation of both malicious intent and a successful malicious act.

431. In the Committee’s view, it is unacceptable for someone in the position of a SIRM to hold such views. Even as a matter of common sense, the difficulties are obvious: user complaints are prioritised over security matters, and a security