COI Report – Part II
Page 38 of 425

108. With reference to Figure 5 above, the bottom-up reporting flow for IT security incidents in the SingHealth Cluster would be as follows:

a) Cluster ISO Wee is the first in the reporting chain, who is then to report IT security incidents upwards to multiple stakeholders, including GCIO Benedict and to CSG as Healthcare Sector Lead. Wee’s reporting to CSG would be as per the NCIRF incident categorisation and IHiS’ internal reporting timelines. Before Hann Kwang wrote the IR-SOP, both communications (including incident reporting) and technical incident handling roles were supposed to be done by the Cluster ISO. But Hann Kwang decided to split the roles in the IR-SOP such that Cluster ISO is in charge of communications (including incident reporting), and Security Incident Response Manager (“SIRM”), in this case Ernest, would lead technical incident handling. Nonetheless Cluster ISO Wee gave evidence of his close working relationship with Ernest and SMD in practice, for reporting security incidents:

i) Wee would typically come to know about security incidents when informed by Ernest or SMD; and

ii) Upon the receipt of this information, Wee would have a “two-way conversation” with Ernest who is the “subject-matter expert”, to determine if the incident had been confirmed and the category of incident, before escalation to GCIO and Healthcare Sector Lead.

b) GCIO Benedict is to report the incident to SingHealth senior management. GCIO Benedict does not usually have a direct role in the subsequent investigation, response or containment measures, but given that SingHealth is system owner, Benedict would be involved in incident tracking, oversight and management.