Report of the COI into the Cyber Attack on SingHealth 10 Jan 2019

COI Report – Part VII
Page 347 of 425

(b) the requirement for the risk register to be updated after every cybersecurity risk assessment;
(c) the person(s) in charge of maintaining the risk register; and
(d) a protocol for surfacing the risk register to senior management at regular intervals.
43.1.6 Senior management should be responsible for and clearly articulate the organisation's risk appetite
1004. The CCoP defines risk appetite as "the amount and type of risk that an organisation is willing to take in order to meet their strategic objectives and it is often taken as a forward looking view of risk acceptance". Risk acceptance means "the informed decision to knowingly take a particular risk".
1005. In our recommendations on the adoption of an enhanced security structure and readiness, we explained the experts' view that cybersecurity should be treated as a risk management issue and not merely a technical issue, and that senior management must have oversight of risks. For example:

(a) Gen. Alexander recommended that risks be elevated to the CEO level and not stop at the CIO, who may face a conflict between the two missions of ensuring IT operations and ensuring IT security, and who may end up taking risks that the CEO is not aware of. It is very important for the CEO, or management at an equivalent level, to know and discuss the risks. There must be sufficient senior management oversight of risks.

(b) Dr Lim recommended that cybersecurity risks be treated as part of enterprise risk management and be regularly updated every quarter at the enterprise risk management meeting. This ensures that cybersecurity risk is given the necessary attention, and that resources are directed and prioritised by senior management within the organisation.

(c) Relatedly, and as we have also explained, Dr Lim expressed the view that the senior management making decisions on risks would need to be equipped with the technical expertise and competency to appreciate and manage those risks.
1006. In line with these recommendations, it follows that it is for senior management to articulate the organisation's risk appetite, and we recommend that a clear cybersecurity risk appetite statement be drawn up and regularly reviewed and updated by senior management.