COI Report – Part IV Page 178 of 425 relaying the information that he had heard to Bruce, including the understanding at that point that the queries returned zero results. 564. Bruce told Benedict to inform Kim Chuan, and to setup a conference call the next day, 10 July 2018, at pm with Kim Chuan and the team from the Infrastructure Services Division. Bruce explained that the conference call was fixed at pm because he had other meetings scheduled on the morning of 10 July 2018. 565. After the call with Bruce, Benedict called Kim Chuan and relayed the same information, and informed him of the conference call to beheld at pm on 10 July 2018. It was also understood that a decision would betaken at the 10 July 2018 conference call on whether there was a need to inform CSA and MOH. Bruce also called Kim Chuan, asking the latter to look into the matter urgently, and consider if it was a security event. 566. At the time, Kim Chuan considered whether the incident was a deliberate adverse event, which could amount to an IT security incident under the SIRF, and which would ultimately have to be reported to the CSA. He also considered whether the incident would be considered a Category 1, 2, or 3 incident. At the time, he only had the information provided to him by Benedict. Pertinently, he did not know then that user accounts and the local administrator accounts for the Citrix servers had been compromised. He did however obtain confirmation that there were no ongoing audits or red teaming exercises. Nonetheless, in view of the conference call with Bruce arranged for the next day, he did not report the matter to the CSA on the night of 9 July 2018. 567. On the part of Bruce, he did not consider what the categorisation of the incident should be, because he thought that the incident may not be a security event. He had in mind that there have been previous incidents of unauthorised access, and these incidents did not turnout to be security incidents. 568. At around pm on 9 July 2018, Benedict also called Prof. Kenneth Deputy Group CEO (Organisational Transformation and Informatics) of
|