


Report of the COI into the Cyber Attack on SingHealth 10 Jan 2019




COI Report – Part VII
Page 222 of 425

35.2 Recommendations for TORs #3, #4, and #5
667. The Committee makes 16 recommendations, comprising seven Priority Recommendations and nine Additional Recommendations.
668. The recommendations have been categorised by borrowing broadly from the US National Institute of Science and Technology (“NIST”) [44] Framework for Improving Critical Infrastructure Cybersecurity (the “NIST framework”), with necessary supplementation to address broader issues that are relevant to the Cyber Attack. The broad areas that the recommendations will address are:
a) PREVENTION – Prevention requires maintaining fundamental security capabilities, and implementing appropriate safeguards to stop or limit the impact of a cyber attack;
b) VIGILANCE – Being vigilant means putting in place procedures and solutions to identify vulnerabilities and misconfigurations, and to anticipate emerging threats;
c) DETECTION – Detection means putting in place measures to discover potential cyber attacks and alert responders to their existence;
d) RESPONSE – Response entails being prepared to react to cyber attacks, contain the impact, repair damage to operations, and return to normal operations;
e) GOVERNANCE – Governance involves creating a culture of security to mitigate risk and better protect the company’s critical infrastructure, by adopting and maintaining a proper posture in the area of cybersecurity; and
f) PEOPLE DEVELOPMENT – People development involves training and equipping staff at all levels with cybersecurity knowledge and skills, to increase the cyber resilience of the organisation.

[44] NIST is a non-regulatory federal agency within the US Department of Commerce. Its mission is to promote innovation and industrial competitiveness by advancing standards and technology. NIST guidelines often become the foundation for best practice recommendations across the security industry and are incorporated into other standards.

669. The broad areas that each of the Committee’s recommendations relates to and addresses will be identified at the beginning of each relevant section with hashtags (‘#’).
670. Out of the 16 recommendations, the Committee proposes seven Priority Recommendations. They relate to certain strategic and operational measures to uplift the cybersecurity posture of SingHealth and IHiS, and steps must be taken to implement them immediately.
671. Given that the next attack may not follow the same attack pattern as the Cyber Attack and may also target different assets, the first six Priority Recommendations address areas for improving cybersecurity policies and capabilities as well as embedding cybersecurity awareness into daily operations. The senior management of SingHealth and IHiS must provide effective and agile leadership for the timely and effective implementation of these recommendations, allocating adequate resources, and keeping a close and careful watch. There must also be appropriate oversight over and verification of their implementation, including by external entities where appropriate. As CE, CSA has pointed out, “from a technical, professional perspective…certain things need to be done. They have to be done and perhaps they should have been done yesterday”.
672. The seventh Priority Recommendation addresses the issue of collective security, and builds on the first six Priority Recommendations to bring our cyber defences to a new and higher level. This is imperative given the high degree of digitalisation and interconnectivity in Singapore, and the risks at the national level.


