Table of contents exchange of letters with the minister executive summary



Report of the COI into the Cyber Attack on SingHealth 10 Jan 2019

COI Report – Part VII
Page 281 of 425

816. This is in fact a requirement imposed on CII owners in respect of CII, under the CCoP. The CCoP also requires CII owners to, if requested by the Commissioner for Cybersecurity (the “Commissioner”), submit a copy of the report of any completed vulnerability assessments or penetration tests to the Commissioner within 30 working days of receiving the request.
817. In respect of mission-critical systems and internet-facing systems (assuming these are not also CII), such requirements for vulnerability assessments to be conducted are also important, and were in fact part of IHiS’ policy under the HITSPS.
39.1.2 The scope of the vulnerability assessment should extend to all assets and systems connected to the CII, mission-critical and/or internet-facing system in question
818. In relation to the SCM system, which is both a CII and mission-critical system in the healthcare sector, vulnerability assessments were not conducted on the Citrix servers, which are critical assets connected to the SCM database. Leong Seng testified that the Citrix servers were not considered part of the mission-critical SCM infrastructure and were not treated as “the same level” as the SCM infrastructure, although he acknowledged that all servers should be considered critical assets to be protected. On the other hand, Benedict considered that systems connected to internet-facing systems, although not directly internet-facing themselves (such as the Citrix servers), should be treated as internet-facing systems for the purposes of the vulnerability assessment and penetration testing requirements under the HITSPS.
819. We recommend that:
a) First, the scope of vulnerability assessments to be conducted should extend to key assets and systems connected to the CII, mission-critical and/or internet-facing system in question. As seen in the Cyber Attack, the attacker exploited access to the SGH Citrix servers as a key part of its attack route to the SCM database. It is


