COI Report – Part II Page 46 of 425

Update (“APU”) meetings which are held quarterly and at SingHealth's Audit Committee meetings.

131. Of relevance to the Inquiry is the FY network penetration testing from SGH to H-Cloud, conducted by GIA in January 2017, as part of its internal audit activities for FY (the “FY16 H-Cloud Pen-Test”). GIA had engaged an external consultant to conduct a set of network penetration tests from three PHIs’ systems (including SGH) to H-Cloud. By March 2017, certain high-risk weaknesses had been uncovered from these penetration tests, and IHiS senior management and MOHH ARC were notified that month. The findings from and response to the FY H-Cloud Pen-Test were reflected in an Internal Audit Report published in May 2017 (the “FY16 GIA Audit Report”), and will be discussed further in section 15.7 (pg 89) below.

12.5 Compliance reviews and tracking of progress on action plans from audits

132. CSG carries out annual compliance reviews of mission-critical IT systems (which includes the SCM system) for compliance with prevailing IT security policies and standards. Before the formation of CSG, the Cluster GCIOs were initiating such compliance reviews, but with the formation of CSG in November 2016, CSG has been coordinating compliance reviews for all Clusters.

133. CSG is also responsible for tracking the progress status of action plans arising from CII audits, for reporting to MOHH senior management. Specifically, CSG is to:

(a) compile all submitted audit results in an Audit Tracking Sheet;
(b) collate updates from SingHealth on the progress of the mitigation/improvement plans for the SCM system every 6 months;
(c) gather the corresponding evidence of the completion of mitigation/improvement plan for closures;
(d) update the Audit Tracking Sheet accordingly; and
(e) update the CSC on the results of the audit conducted, and the progress of the CII owner's mitigation/improvement plan, once every 6 months.