COI Report – Part IV Page 144 of 425

434. The above does not detract from the fact that Ernest’s failure to follow up on clear evidence of malicious activity targeting a CII and the systems connected to it was plainly unacceptable. He did not apply himself properly to the facts before him, and did not take any further action on the matter pending the completion of Benjamin’s forensic investigations – which he did not provide any guidance on. These are clear failings in the discharge of his duties as the SIRM. Yet at the same time, his comments and failure to act are suggestive of deeper cultural issues within the organisation as to where priorities should lie.

24 EVENTS OF 26 JUNE 2018

24.1 Detecting a failed attempt at logging into the SCM database from Citrix Server 2

435. At pm on 26 June 2016, a system-generated email alert was sent to Katherine, notifying her of one failed attempt at logging into the SCM database that same afternoon. The user-ID used in this attempt was again that of the user account of Workstation A, and the attempt was made from Citrix Server 2.

436. Katherine recognised this as another attempt to gain unauthorised access to the SCM database that was being made from one of the same IP addresses (that of Citrix Server 2) as the attempts on 13 June 2018. She forwarded the email alert to Kelvin, Robin and Lum immediately.

24.2 Investigating further into the use of VM 2 and the SA. account to log in to Citrix Server 2

437. Upon receiving the alert from Katherine, the Citrix Team was able to identify a suspicious login to Citrix Server 2 made earlier in the afternoon of 26 June 2018 using the SA. account. Lum was surprised to learn that SA. had been added back into the administrator role and could be used to log in to Citrix Server 2, despite the fact that the Citrix Team had removed the account from the administrator group on 13 June 2018.
Given that adding the account back to the administrator group can only be done using an account which has administrator