Report of the COI into the Cyber Attack on SingHealth 10 Jan 2019

COI Report – Part VII
Page 316 of 425

and this level of preparation would be best achieved by participation in simulation exercises.
41.1.2 Employees must be made aware of the procedures in place for reporting security incidents
920. People have a key role to play in an effective cybersecurity strategy, with many of the most basic attacks being avoidable if existing policies and procedures are followed. There should be a clear and established procedure for reporting a security incident. Sufficient attention must therefore be placed on ensuring that employees are aware of response plans that have been put in place.
921. A more fundamental problem emerged during the Cyber Attack – many IHiS employees who first witnessed signs of the attack were not even aware of any response plan for dealing with a security incident. As regards the Cyber Attack, the first responders who demonstrated initiative, like Sze Chun, Lum, and Katherine (all IT staff) stated that they were completely unaware of any security incident reporting procedure and hence had no guidance or training on how to collectively respond to the incidents before them. This is an obvious area for improvement.
922. As explained above, IHiS’ incident reporting processes as regards Cluster CII systems are covered in two documents – SIRF and IR-SOP.
923. The above documents appear to be focused on reporting by the Cluster. The reporting lines in the documents begin with the Cluster ISO and GCIO. As acknowledged by Director CSG Kim Chuan, there is no written protocol for how IHiS staff, who discover an IT security incident affecting a Cluster’s IT system, are to escalate the matter internally within IHiS, or to determine when and how to inform the Cluster ISO and/or GCIO.




924. It is also clear that many front-line IT staff were not even aware of the above documents, including a) Sze Chun; b) Katherine; c) Lum; d) Steven; e) Henry; and f) Chan Chee Choong.
925. There is no clarity on whom staff ought to raise any potential security incidents to. Director CSG, Kim Chuan’s position is that staff should inform their boss or the SMD. On the other hand, GCIO Benedict has emphasised that speed of reporting matters more than the chain of reporting, and maintained a presence in a TigerConnect chat group containing staff from the delivery group, whom he expected to raise IT issues directly to him. IHiS CEO Bruce stated that in addition to the GCIO, the SMD Lead, Hann Kwang, should also be kept informed of IT security incidents, even though Hann Kwang does not appear in any documented reporting flow.
926. Further, even within the SMD team for SingHealth, processes were inconsistent and unclear. During the response to the Cyber Attack, Benjamin was reporting his observations to various individuals including both Wee and Ernest through multiple modes, including TigerConnect, WhatsApp, email, and in person, and it was unclear who had the responsibility for reporting upwards. This lack of consistency had been flagged several times during earlier TTXes. During the 2016 TTX, the external conductors had found that the members of the SIRT were not familiar with the written incident response procedures. A TTX in 2018


