COI Report – Part VII Page 238 of 425

689. To properly implement defence-in-depth, active steps must be taken to identify and secure vulnerabilities that are out there, particularly in legacy systems, to protect against future exploitation. Defence-in-depth also involves people, technology and operations:
a) People. Trained security personnel should be responsible for securing the network and systems;
b) Technology. A variety of technological measures should be used for layers of protection; and
c) Operations. Preventative activities (e.g. penetration testing, software patching, access controls, etc.) and reactive activities (e.g. monitoring, detection, blocking, isolation, etc.) required to maintain security should be put in place. Several measures for this purpose will be set out below.
690. In the context of cybersecurity, one cannot protect against vulnerabilities that one is unaware of. IHiS should study and adopt the measures discussed in this report, and consciously layer them to adequately protect its systems. The following measures place particular emphasis on the review of systems, assets and networks.
36.2.1 Reviewing legacy systems

691. CE, CSA explained that legacy systems (such as the SCM) are not unique to the public healthcare sector, and that many system owners across the board (e.g. public transport, banking and finance, and the Government) have re-examined their legacy systems through a new lens of potential vulnerabilities which did not exist at the point when the systems were put in place.
49 Network and System Security at p.