COI Report – Part II Page 44 of 425

122. An overview of audit findings, including cybersecurity findings for IT-related audits, is tabled for discussion at IHiS ARC meetings. The IHiS ARC oversees and reviews the systems of risk management within IHiS, including the audit and business processes used to manage risk, and agrees on the appropriate follow-up actions to be taken to address the audit findings.

12.3.2 Internal IT security risk assessments

123. In accordance with CSA’s requirements, all CII owners are to conduct a risk assessment of their CII at least once every 12 months, and are to submit the risk assessment results, together with the risk mitigation plan and timeline, to the Sector Lead for tracking.

124. Cluster ISO Wee handles the IT risk assessment for SingHealth, including the annual risk assessment of the SCM system. To prepare the risk assessment, Wee coordinates with the relevant teams in the IHiS Delivery Group (e.g. the Systems team and the Security team) to obtain their views, and submits the risk assessment results to CSG (the Healthcare Sector Lead), while also sharing the results with GCIO Benedict for his information. If any new technical controls are required in response to the risks identified, Wee coordinates with the relevant teams in the IHiS Delivery Group to ensure they provide and implement the necessary measures. CSG is to track the risk assessments of CII.

125. Relevant to the Inquiry is the FY16 risk assessment report for the SCM system (“FY16 CII Risk Assessment”), prepared by Wee with inputs from the Infrastructure and Application Teams and dated 3 January 2017. This is discussed in section 18.3 (pg 104) below.

126. It is worth noting that the HITSPS, the internal IT policy document for the healthcare sector, also requires security risk assessments of mission-critical IT systems (which include the SCM), but it does not fix a frequency for conducting these assessments.