COI Report – Part VII
Page 293 of 425

849. In this regard, we therefore recommend that:

a) For CII systems, IHiS must engage independent third-party penetration testing service providers to conduct the penetration testing. These external penetration testers must fulfil CSA’s accreditation and certification requirements under the CCoP. For non-CII systems which are nevertheless critical, IHiS should also consider periodic penetration testing by accredited independent third-party service providers.

b) In addition, there should be a strong in-house penetration testing capability, which would include having the in-house penetration testers regularly trained, accredited and certified.

c) Such an in-house penetration testing function should be independent of IHiS in nature, and could be parked in GIA or another department reporting directly to MOH. For clarity, there should not be any double-hatting in this process, and the person responsible for this function should not be an IHiS employee.

d) There should also be clarity on what in-house penetration tests are being conducted, by whom and when, to avoid overlap, or the inadvertent omission of applications/systems/networks from testing. In this connection, the penetration testing department pursuant to c) above could consider drawing up schedules to track regular penetration testing and coverage of all relevant applications/systems/networks.

e) IHiS should consider whether there is any serious need (e.g. prompted by any particular threat intelligence, or alerts from its monitoring and detection systems) for any particular application/system/network to be subject to an advanced penetration test by CSA, and if so, to engage CSA.