Report of the COI into the Cyber Attack on SingHealth 10 Jan 2019

COI Report – Part VII
Page 245 of 425

were responded to and reported, but also incidents which were responded to but did not meet the threshold for reporting. In many cases, as regards the latter group of incidents, even if they had been overlooked or were not correctly responded to, there is an opportunity for review and consideration at the right level, if management has visibility over them. These dashboards should be given visibility all the way up to the organisation’s CEO and should be reviewed periodically. This way, management can understand what is going on on the ground, where the bottlenecks are, and if any resources need to be further assigned.
36.4.2 Ensuring appropriate cybersecurity resources at the Cluster senior management level

712. Current practice and policy require the GCIO to have responsibility over a number of functions in the Cluster:

a) First, the GCIO is in charge of strategic IT planning and development for the Cluster, including the overseeing of project delivery for the Cluster.

b) Second, the GCIO is also generally responsible for ensuring that the Cluster’s IT enterprise programs are aligned with security requirements, ensuring compliance with prevailing security policies and standards, and overseeing the Cluster’s IT risk assessment.

c) The HITSPS also states that the GCIO is responsible for (i) providing leadership and direction for the IT security program, including the establishment and maintenance of the program objectives, strategy, and near and medium term activities, and (ii) updating the Cluster Board on important IT security matters, including IT security incidents, security policy changes, and non-compliance with security policies resulting from internal audits or from self-compliance reviews.



713. However, the evidence shows that the SingHealth GCIO Benedict does not have the resources to properly fulfil his functions in respect of cybersecurity. His GCIO office comprises about 50 staff, but these were mostly IT directors from SingHealth’s PHIs and domain/business analysts. Specifically for cybersecurity, Benedict is supported by a team of one – the Cluster ISO Wee. Benedict’s evidence is that he and Wee “collaborate” with IHiS’ Delivery Group and CSG on cybersecurity matters, but generally, they are reliant on IHiS because the technical and engineering capabilities are all centralised within IHiS. Benedict’s own evidence is that his technical expertise is limited – for example, as regards approving proposed management responses to audit findings, he can only consider their adequacy “to the extent of his technical knowledge”.
714. As a result, SingHealth’s senior management, who rely on Benedict, are left dependent on the central IHiS team to manage SingHealth’s cybersecurity risks. This was confirmed by SingHealth’s Dy GCEO Prof. Kenneth, who explained that even at management level, SingHealth is totally dependent on IHiS for their oversight on cybersecurity risks. This position is difficult to sustain in the light of the new Cybersecurity Code of Practice51 (“CCoP”), which requires CII owners (i.e. SingHealth) to establish and approve policies, standards and guidelines for managing cybersecurity risks and protecting CII against cybersecurity threats, and to also review the policies, standards and guidelines against the current CII cyber operating environment and cybersecurity threat landscape at least once a year, starting from the date of the last review or the effective date of each policy, standard or guideline.

716. SingHealth acknowledged that based on the present relationships, generally, domain expertise and resources lie with IHiS on the one hand, whereas risks and responsibilities lie with SingHealth on the other. In order to improve on the current governance and risk management framework, SingHealth requires

51 The CCoP was issued on 1 September 2018.