COI Report – Part IV
Page 163 of 425
explanation. Further, Benjamin was still communicating in a somewhat fragmented manner, over both email and TigerConnect chat. In Vivek’s expert opinion, such problems could have been mitigated by consolidating communications in a single, formal channel, to prevent fragmentation of information and facilitate ease of understanding.
512. On the other hand, Ernest’s response was severely inadequate. As the
SIRM, Ernest was expected to lead and coordinate the incident response, and also to decide on whether to escalate the matter. Up to 4 July 2018, Ernest had not properly applied himself to the events. He was aware of Benjamin’s investigations and updates via TigerConnect and email, but withheld any further action pending confirmation of a security incident. On 4 July 2018, Ernest finally realised something out of the ordinary was happening. But even so, his response from this point onwards left much to be desired. As Vivek has observed a) Under the IR-SOP, it is the responsibility of the SIRM to lead and coordinate activities during an incident response but there was no formal coordination happening between the different teams. This wasted valuable time without making any real progress. b) Under the IR-SOP, the SIRM needs to report the incident up the command line so a formal incident can be declared, and all available resources can be deployed or redeployed to respond to the incident. However, no formal incident was declared and therefore key experts and stakeholders kept operating in silos (or remained uninformed, which significantly hampered the incident response.
513. In respect of (b) above, Ernest’s view on the information that is required before a security incident is ‘reportable’ is equally, if not more, unacceptable next to his misguided view of what constitutes a security incident. By his definition, it would be necessary to obtain all information about the attack, including its source and impact, and the identity of the attacker, before a security
|
