Report of the COI into the Cyber Attack on SingHealth 10 Jan 2019
COI Report – Part VII Page 343 of 425

very difficult to distinguish the attacker’s activity and even if they are discovered, it becomes extremely difficult to take meaningful action to contain them without breaking the business. Using asset classification to prioritise risk is a systemic weakness.

995. In line with the weakness identified by Vivek, we would caution against a fixed practice of prioritising cybersecurity risks according to asset classification. Instead, we recommend that, similar to the identification of risks, the prioritisation of risks also be carried out proactively and thoughtfully.

43.1.4 A clear process and methodology for cybersecurity risk assessment, and treatment and monitoring of cybersecurity risk should be established, and staff must be trained on the same

996. Wee explained the procedure which he followed for completing the 2016 and 2017 risk assessment forms as follows:

a) His role was to initiate the annual risk assessment process for CII, and he would use the IT Security Risk Assessment Form template in the HITSPS. He would make an initial assessment of the risks and fill up the form. He would then submit the draft form to the Infrastructure and Application groups in IHiS’ Delivery Group for review. Once they completed their reviews, he would send the form to GCIO Benedict to review. After GCIO Benedict reviewed the form, Wee would present it to the SingHealth IT Steering Committee (a management-level committee).

b) According to Benedict, the form was sent to him for his “reference and information, but his approval of the completed risk assessment is not required”. If new technical controls were required in response to the risks identified, Wee would coordinate with the relevant teams in the IHiS Delivery Group to ensure they provided and implemented the necessary measures.