Report of the COI into the Cyber Attack on SingHealth 10 Jan 2019
COI Report – Part VII Page 282 of 425

thus important for key assets and systems connected to CII, mission-critical and/or internet-facing systems to also be subject to vulnerability assessment. Such a measure would also cohere with the CCoP’s requirement for CII owners to ensure that the scope of each vulnerability assessment includes (a) a host security assessment, (b) a network security assessment, and (c) an architecture security review.

(b) Second, there must be clarity within the organisation on what IT infrastructure would be considered connected to or part of CII, mission-critical and/or internet-facing systems, and therefore subject to vulnerability assessments. This could be achieved by way of drawing up an inventory of assets comprised in and connected to each system, such inventory to be regularly reviewed and communicated to the persons within the organisation responsible for conducting and overseeing the results of the vulnerability assessments.

39.1.3 Vulnerability assessments should also be conducted regularly on other critical assets which may not be part of or connected to CII, mission-critical or internet-facing systems

820. Leong Seng testified that IHiS’ intention going forward was for all applications and servers (but not endpoints) to be subject to vulnerability scanning on a periodic and perpetual basis. In this regard, IHiS intends to use an Enterprise Vulnerability Management tool to perform regular vulnerability scans to detect and prioritise vulnerabilities found for remediation. We concur with this intended practice, as all servers are critical assets, as acknowledged by Leong Seng (see paragraph 818 (pg 281) above). We recommend that IHiS should carefully consider what would be considered critical assets, and perform vulnerability assessments on these assets at regular periodic intervals.