COI Report – Part II Page 31 of 425 hacking of internet-facing systems and conduct penetration tests of internal systems. This was in response to discussions at the November 2017 IHiS ARC meeting that CSG should take on such a role as an independent check on PHIs' compliance levels in respect of IT security policies and standards. IHiS is in the process of assembling this team. 88. The relative roles of CSG and GIA with respect to audit and compliance function is explained further at section 12.7 (pg 47) below. 9.2.4 Conducting Table Top Exercises (“TTXes”) 89. CSA mandates that all CII sectors carryout cybersecurity exercises annually within their respective sectors. In 2016, 2017 and 2018, TTXes were conducted to understand the healthcare sectors, including the Cluster’s and IHiS', effectiveness and preparedness in responding to cyber attacks. The TTXes were discussion-based sessions where team members met in a classroom setting to discuss their roles and responses during various emergency scenarios. A facilitator guided participants through a discussion of the scenarios and evaluated their responses. 90. Upon completion of an exercise, an After Action Report covering the key observations and areas of improvement shall be prepared, and CSG shall track the progress of the followup implementation plans on the areas for improvement. 10 NATIONAL INCIDENT REPORTING FRAMEWORK FOR CRITICAL INFORMATION INFRASTRUCTURE 91. Having established the parties involved and their relationships, we now turn to the incident reporting responsibilities as at the time of the Cyber Attack. 10.1 Identification of SCM as a CII system 92. The SingHealth Electronic Medical Records (“EMR”) system was identified as CII in a review initiated by the Singapore InfoComm Security
