COI Report – Part VII Page 294 of 425

39.3.6 A process must be established to track that vulnerabilities uncovered by a penetration test are addressed

850. IHiS and SingHealth (as the CII owner) must own the remediation process. The Committee recommends that there needs to be a process to address and track vulnerabilities uncovered in a penetration test, and to validate that all uncovered vulnerabilities have been adequately addressed. This process mirrors the requirement for CII under the CCoP, as set out in paragraph 821 (at pg 283) above. We note in this regard that IHiS has, since April 2018, set up a centralised audit liaison team to track all audit issues and remediation actions (across Clusters), and IHiS could build on this in formulating its processes for tracking and addressing other vulnerabilities that are discovered via other security checks such as vulnerability assessments and penetration tests.

39.3.7 A more comprehensive penetration test of the SCM application should be conducted

851. Given that (a) the SCM application is used for SingHealth’s mission-critical EMR system, (b) the protection of the SingHealth network’s crown jewels, i.e. the patient database, is critically dependent on how secure the SCM application is, and (c) the basic insecure coding vulnerability already shown to be inherent in the SCM application, the penetration testing department referred to in paragraphs (b) and (c) above should consider conducting a more comprehensive and advanced penetration test of the SCM application to see if any other vulnerabilities will be detected.

39.4 Red teaming should be carried out periodically

852. As explained by Dan, red teaming is a more advanced measure that goes beyond penetration testing. Red teaming is conducted by an independent external group that assumes an adversarial role and can simulate an APT attack on an organisation, and includes vulnerability assessment, penetration testing, bug hunting and more.
By providing an end-to-end and full-scope attack cycle, red