COI Report – Part VII, Page 349 of 425

1010. Dr Lim also recommended that SingHealth and IHiS should conduct regular security reviews and audits to validate the security measures that have been put in place to protect the database systems. This is especially important when systems are being upgraded, maintained and serviced, as well as when there are changes in the system configuration. The audit should be done by an independent third party who has no preconceived opinions on the security or configuration of the system.
1011. We recommend that, in respect of CII systems:
a) Audits be conducted at the intervals specified by the Commissioner and under the CCoP;
b) Audits also be conducted when the CII systems are being upgraded, maintained and serviced, and when there are changes in the system configuration; and
c) Such audits be conducted by independent third parties who have had no input into the design or operation of the system in question.
43.2.2 Periodic audits on other IT systems should be conducted in line with Audit Committee requirements

1012. Under the HITSPS, GIA shall conduct independent audits of PHIs’ IT systems periodically to evaluate and test the adequacy of, and the compliance with, prevailing IT security policies and standards. The HITSPS provides that the frequency and scope of audits shall be directed by the Audit Committees of the respective institutions. This policy remains acceptable in respect of other, non-CII systems, although IHiS/SingHealth should consider whether there are non-CII but important systems which should be audited more frequently.