Report of the COI into the Cyber Attack on SingHealth 10 Jan 2019
RISK ASSESSMENTS AND AUDIT PROCESSES MUST BE TREATED SERIOUSLY AND CARRIED OUT REGULARLY
#PREVENTION #VIGILANCE #GOVERNANCE
986. IT security risk assessments and audits are important for ascertaining gaps in an organisation’s policies, processes and procedures, and must be treated seriously and carried out regularly, with findings followed up on religiously.
43.1 Risk assessments must be conducted at critical junctures
987. While the HITSPS does provide for the conduct of IT security risk assessments, the policy is not adequate, and worse, there were gaps in IHiS staff’s conduct of the risk assessments. We elaborate on this with reference to our recommendations as follows.
43.1.1 IT security risk assessments must be conducted on CII and mission-critical systems annually and upon specified events
988. The HITSPS requires that an IT security risk assessment be done for all mission-critical IT systems, before they are commissioned and during the system design phase, and maintained whenever there are major changes. Under section 15(1)(b) of the Cybersecurity Act, however, CII owners are required to conduct cybersecurity risk assessments on CII at least once a year, and this risk assessment is to include each CII asset in the CII system. Under section 15(2) of the Cybersecurity Act, the CII owner must furnish a copy of the cybersecurity risk assessment report to the Commissioner not later than 30 days after completion of the risk assessment.



COI Report – Part VII
Page 341 of 425

989. Accordingly, we recommend that IHiS must reformulate its policy to require the conduct of cybersecurity risk assessments on CII and mission-critical systems at critical junctures: (a) at least annually; (b) in respect of new systems, during the design of the solution and before commissioning; and (c) whenever there are major changes to the systems.
43.1.2 A written cybersecurity risk management framework must be established
990. The HITSPS does not set out a proper cybersecurity risk management framework. The CCoP requires CII owners to establish a written cybersecurity risk management framework, which shall include: (a) roles and responsibilities in managing cybersecurity risk, including reporting lines and accountabilities; (b) identification and prioritisation of CII assets; (c) the organisation’s cybersecurity risk appetite, as well as thresholds or limits for residual risk; (d) cybersecurity risk assessment methodology; and (e) treatment and monitoring of cybersecurity risk.
991. We recommend that a comprehensive written cybersecurity risk management framework covering at least the above areas should be established. We elaborate on our recommendations in respect of some of these areas.