Report of the COI into the Cyber Attack on SingHealth 10 Jan 2019
49 RECOMMENDATION #14: INCIDENT RESPONSE PLANS MUST MORE CLEARLY STATE WHEN AND HOW A SECURITY INCIDENT IS TO BE REPORTED
49.1 An incident response plan for IHiS staff must be formulated for security incidents relating to Cluster systems and assets
  49.1.1 The need for an incident response plan
  49.1.2 Contents of an effective incident response plan
The incident response plan must clearly state that an attempt to compromise a system is a reportable security incident
The incident response plan must include wide-ranging examples of security incidents, and the corresponding indicators of attack
  49.3.1 Suspicious Privileged Account Activity
  49.3.2 Suspicious Outbound Traffic
  49.3.3 Anomalous login failure
  49.3.4 Spikes in Database Activity
  49.3.5 Anomalous registry changes
  49.3.6 Unusual port usage
  49.3.7 Suspicious File and Folder Activity