Report of the COI into the Cyber Attack on SingHealth 10 Jan 2019

COI Report – Part VII
Page 345 of 425

(b) How to identify the controls that are in place to address the risks, and who is in charge of such identification;
(c) How to assess the likelihood of the risk occurring, and who is in charge of such identification. For example, Kim Chuan has stated that efforts have begun to ensure IHiS staff are aligned on the understanding and assessment of risks, so as to reduce the element of subjectivity in risk assessment;
(d) How to identify the additional controls that may be needed to address the residual risks, and who is in charge of such identification;
(e) Who is in charge of formulating the action plan to implement measures for additional controls;
(f) How the action plan shall be tracked, by whom and when; and
(g) Who in management shall review and have oversight of the risk assessment process.
1000. We further recommend that once the process and methodology are established, there should be proper dissemination of the same to the relevant staff, who should also attend training to familiarise themselves with the process and what implementing it entails. Indeed, Kim Chuan testified that CSG was conducting workshops for Cluster security officers, SMD and the Delivery Group to train them on risk assessments. The workshops would harmonise the assessment of cybersecurity risks and effectiveness of controls by Cluster ISOs and GCIOs.
Page 346 of 425

43.1.5 A policy should be established for a comprehensive risk register to be maintained and updated after every risk assessment
1001. The CCoP requires CII owners to maintain a list of all cybersecurity risks identified, by way of a risk register in respect of each CII. CII owners shall ensure all identified cybersecurity risks listed are monitored regularly with a view to ensuring that the organisation’s thresholds or limits for risks are not breached. The risk register shall be updated after every cybersecurity risk assessment. A risk register shall document the following:
a) Date the risk is identified;
b) Description of the risk;
c) Likelihood of occurrence;
d) Severity of the occurrence;
e) Risk treatment;
f) Risk owner;
g) Status of risk treatment; and
h) Residual risk, which is defined in the CCoP as “the risk exposure after risk mitigating controls are considered or applied”.
1002. While the HITSPS provides for an IT security risk register, the policy is inadequate, when compared against the requirements under the CCoP.
1003. We recommend that a policy be put in place that establishes a) the requirement for a comprehensive risk register, documenting the items set out in the CCoP, in respect of each CII and mission-critical system on which a risk assessment is done