COI Report – Part VII
Page 397 of 425

49 RECOMMENDATION #14: INCIDENT RESPONSE PLANS MUST MORE CLEARLY STATE WHEN AND HOW A SECURITY INCIDENT IS TO BE REPORTED
#VIGILANCE DETECTION #RESPONSE
1152. Employees should be trained on how to respond to security incidents so that they know what to do when an attack occurs. Without an incident response plan, it will be difficult to minimise the damage of a security breach, as employees will be left to their own devices. Precious time can be lost trying to figure out what actions to take. Some malware infections spread at lightning speed, as was seen in May 2017 with the WannaCry ransomware outbreak, where infections crossed borders and hopped between continents in a matter of hours.
49.1 An incident response plan for IHiS staff must be formulated for security incidents relating to Cluster systems and assets

1153. As mentioned before, IHiS' incident reporting processes are set out in the following documents:
a) SIRF – translates the requirements of the NCIRF into the context of PHIs; and
b) IR-SOP – cluster-level standard operating procedure for responding to security incidents.
1154. The SIRF is meant primarily for a sector-to-CII level, and it is for the Cluster CIOs and their IT leads to develop lower-level processes to comply with its requirements.
1155. In relation to the IR-SOP, the reporting lines in the document begin with the Cluster ISO and GCIO, but there is no established procedure for reporting a security incident to the Cluster ISO or GCIO. There was no written protocol for how IHiS staff were to escalate a matter internally or determine when to report