Report of the COI into the Cyber Attack on SingHealth 10 Jan 2019
COI Report – Part II Page 30 of 425

82. CSG also performs the function of Sector Lead, which is explained in detail below.

9.2.2 CSG's healthcare Sector Lead role

83. CSA requires Sector Leads to oversee and regulate CII owners within their respective sectors. For example, the National Cyber Incident Response Framework ("NCIRF") places obligations on Sector Leads to report security incidents to CSA. CSG's role is also to ensure that there is proper incident response for security incidents within the healthcare sector.

84. To avoid any conflict of interest that may arise from its Sector Lead role, CSG does not have operational responsibilities for any CII systems in the healthcare sector. CSG is also independent of the Delivery Group in IHiS, which performs all functions relating to the operation of IT systems (including the CII systems).

85. CSG also communicates threat intelligence and any indicators of compromise from CSA, via IT security-related circulars and directives, to the Cluster CIOs and the Cluster ISOs in each of the healthcare Clusters, for them to carry out the necessary checks and follow-up.

9.2.3 Conducting compliance reviews and penetration tests

86. CSG performs the in-house red teaming function for the public healthcare system. Red teaming refers to ethical hacking, i.e. penetration testing of the IT systems of PHIs to find vulnerabilities. Since 2015, Kim Chuan's team (then at MOHH ISSD, now CSG in IHiS) has been conducting ethical hacking on PHIs' internet-facing systems, and reporting the results to the PHIs' management. Apart from this, CSG does not conduct any compliance assurance, i.e. going on the ground to check whether IT security policies and standards are being complied with by the PHIs.

87. In April 2018, CSG started to form a compliance and assurance team to carry out compliance reviews of PHI systems, as well as to move beyond ethical