COI Report – Part II, Page 45 of 425

12.4 IT security audits

127. IHiS does not have its own internal audit department. Audits, including IT security audits, are carried out by MOHH GIA.
Periodically, the GIA conducts audits of the clusters' networks and systems. The team within the GIA that looks at IT audits both CII and non-CII systems.

128. The HITSPS states that independent audits of PHIs' IT systems are to be conducted by the GIA periodically, to evaluate and test the adequacy of, and compliance with, prevailing IT security policies and standards.
12.4.1 CII audits on the SCM system

129. Since the SCM system is a CII system, SingHealth, as CII owner, is to conduct an independent cybersecurity audit of the SCM system at least once every 12 months, with the scope of the audit conducted in accordance with CSA's requirements. The results are then to be submitted to the Sector Lead, CSG, together with a mitigation/improvement plan and timeline. The GIA carries out the audit itself, while CSG, as Sector Lead, follows up on the results to track the progress of action plans for reporting to MOHH management. Further details on CSG's follow-up role are at section 12.5 (pg 46) below.
12.4.2 Audits for non-CII systems and the FY H-Cloud Pen-Test

130. For non-CII systems, the GIA prepares an audit workplan with inputs from SingHealth management. These audits are typically conducted by the GIA, although the GIA may contract some audits to external auditors. Findings of these internal audits are reported to SingHealth's Audit Committee and, where risks are highlighted in the audit, are surfaced to SingHealth's Risk Oversight Committee ("ROC").
The GIA keeps SingHealth updated on audit findings and the status of remediation plans in response to the audit findings, at Audit Progress

This requirement has been superseded by the requirements of the Cybersecurity Act, which came into force on 31 August 2018.