COI Report – Part VII Page 398 of 425

to the Cluster ISO or GCIO. This was not covered in either of the documents mentioned above. As such, key front-line personnel such as Katherine, Lum, and Sze Chun were unaware of whom to report to when suspicious indicators were observed. This resulted in confusion and consequent delays in response. While a process for Cyber Incident Security Response was developed for IHiS staff, this relates to IHiS company systems, rather than to Cluster systems. In addition, no incident reporting process was developed for SingHealth officers.

1156. IHiS is not alone in this regard. A 2018 study[111] found that 77 percent of organisations surveyed did not have a formal security incident response plan. Almost half of the organisations indicated that their plan was either informal and ad hoc, or nonexistent.

49.1.1 The need for an incident response plan

1157. An effective incident response plan is critical for all levels of employees, with specific plans in place for Cluster staff and IHiS employees. This is essential because it is not a matter of if a cyber attack will happen; it's a matter of when. As CE, CSA said:

    We need to assume the mindset that it is a matter of when, not if, our systems are breached. There is no such thing as “100% cybersecurity”, and defending our cyberspace will be a ceaseless battle.

1158. The lack of an incident response plan increases the likelihood of security incidents going undetected and unreported. Even where an incident is detected, the lack of a clear and well-thought-out response plan would result in confusion and fragmentation of response. This would give the attacker valuable time in

[111] The 2018 study was by the Ponemon Institute, which conducts independent research on consumer trust, privacy, data protection and emerging data security technologies.