Report of the COI into the Cyber Attack on SingHealth 10 Jan 2019

COI Report – Part VII
Page 402 of 425

(b) The SIRM, Ernest, failed to appreciate that the definition of a security incident included attempts to access a CII. Ernest claimed that only successful attacks that had been 100% confirmed to possess malicious intent would be reportable.
(c) The Cluster ISO, Wee, understood that attempts would constitute a reportable security incident, but did not apply this definition consistently when it came to the crunch – although Wee knew that someone had been trying to access the SCM database, he did not report it as he was waiting for confirmation.
1168. Ernest and Wee’s misinterpretation of the definition of a security incident was at odds with the understanding possessed by IHiS management. Bruce, Kim Chuan and Benedict all expected that attempts to access a CII would be escalated and reported. The author of the IR-SOP, Hann Kwang, also never intended that there be a requirement for an incident to be confirmed for it to be considered reportable.
1169. The definition of a security incident is currently found in the SIRF and the IR-SOP, and the Committee has found that there are ambiguities in the language used in these documents. Any ambiguity in the definition of security incidents should be addressed going forward. Language can be adapted from other comparable security documents. For example, the US Code of Federal Regulations, which in relation to the Security Standards for the Protection of Electronic Protected Health Information, applicable to information systems that come under the purview of the U.S. Department of Health and Human Services, uses the following definition:
“Security incident means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.”[113] (emphasis added)
1170. Another example is the definition of a computer security incident in the NIST Computer Security Incident Handling Guide:[114]

“A computer security incident is a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices.”[115] (emphasis added)
1171. In other words, the definition must unambiguously and clearly state that both attempts and successful attacks are to be reported. Further, staff can be encouraged to err on the side of over-reporting. Bruce said that IHiS has now implemented two policies: (a) for all staff to keep their reporting officers informed if the incident is not resolved within 24 hours; and (b) to inform supervisors even of incidents that turn out not to be security-related.
1172. These are steps in the right direction. The IR plan should emphasise that, where staff are unclear on the definition or on how to apply the definition to the current situation, they should seek guidance and report the incident so that it can be properly assessed.
[113] 45 CFR (US) § 164.304: Definitions.
[114] NIST SP 800-61 Revision 2.
[115] Ibid at [2.1].