COI Report – Part IV
Page 164 of 425
incident is considered ‘reportable’.
31
Common sense alone would inform us that this cannot be the case. As before, and without detracting from Ernest’s clear failures in understanding and discharging his duties, the Committee questions the manner and extent to which his views have been shaped by the organisational culture in IHiS.
514. Turning now to Wee, his response was also clearly lacking, and displayed an alarming lack of concern. First, by this point it was already clear that a CII system had been potentially breached.
Wee should have recognised this as a Category 1 reportable security incident and taken steps to escalate the matter immediately. Yet he did not do so, and effectively abdicated to Ernest the responsibility of deciding whether to escalate the incident. Second, under the IR-
SOP, Wee was also accountable for the actions of the SIRT. Yet he did nothing, and simply left Ernest and the rest of the SIRT to their own devices in the investigation of the matter and remediation efforts.
515. To sum up, considerable initiative was shown by officers on the front line, including Sze Chun, Katherine, and Benjamin. It is a shame that such initiative was then smothered by a blanket of middle management mistakes, by the likes of Ernest and Wee. Despite the fact that “alarm bells” had started ringing, Ernest and Wee failed to take any further action to escalate the matter and seek further assistance, instead leaving the SMD personnel and the Citrix Team to continue their investigations and remediation in much the same manner as before over the next few days.
31
Further details of Ernest’s views on what information is necessary before a security incident is reportable can be found in paragraph 494 (pg 171) above.
COI Report – Part IV Page 165 of 425 Share with your friends: |
