COI Report – Part IV
Page 171 of 425

to Roy’s accounts, that IHiS’ “entire infra has been compromised…Followed by Citrix, and successful login and queries to our scm…”
542. In reply, Ernest stated “as mentioned, we need to isolate, contain and defend first...our tightening by infra is not strong enough. even if we report now bring down the experts, they'll say our tightening is not well done...once we escalate to mgt, there will be no day no night. everyone I meant everyone in IHiS will be working nonstop on this case...” Ernest has given an explanation for his reply:

“When I referred to management in this message, I was referring to GCIO Benedict. At the time I sent this message on 6 July 2018, it had occurred to me that I should report the incident to management. Nevertheless, I did not report the matter. I did not report because my focus was on isolating, containing and defending. I was so busy with this that I did not escalate to management about the security incident. In fact, I thought to myself, If I report the matter, what do I get? If I report the matter, I will simply get more people chasing me for more updates. If they are chasing me for more updates, I need to be able to get more information to provide to them. The moment I report the security incident, the clock will start ticking as per the timelines indicated at p 11 of the IR-SOP… I avoided reporting the matter as soon as it occurred to me to report it, because the clock will start ticking. Having to provide these updates on these timelines puts a lot of pressure on my team - CSA, CSG, MOH, IHiS and SingHealth senior management, GCIO and CISO
will all want more information, and all of this pressure will be on my team…”[32]

[32] In context of Ernest’s oral evidence, the term “CISO” was intended to refer to Cluster ISO Wee Jia Huo.