COI Report – Part IV Page 187 of 425

audit findings. In this regard, the Committee notes that IHiS CEO, Bruce Liang, had limited visibility over some of the matters raised above.

a) In respect of the events of 11 June to 9 July 2018, Bruce did not have any sight over IHiS’ incident response. Bruce’s evidence is that due to the scale of IHiS’ operations, he relied on the processes and frameworks in place for visibility over security incidents. However, on the facts, the reporting process had broken down, with a bottleneck resulting from Ernest and Wee’s failure to escalate the matter. Without a sufficiently robust system for oversight and information flow in place, Bruce did not have visibility over the incident until nearly one month after the first signs of suspicious activities were discovered.

b) Insofar as the vulnerabilities in the SingHealth IT network identified in the FY H-Cloud Pen-Test are concerned, Bruce’s evidence is that he relied on various dashboards presented at the ARCs (IHiS Audit Risk Committees) where issues were classified broadly into green, amber, dark amber, and red categories, with general information on whether remedial measures were implemented or in progress. While recognising that the vulnerabilities identified in the FY H-Cloud Pen-Test were serious, he did not raise any specific queries as to the completion and adequacy of remedial measures. Instead, he relied on the processes that were in place for the remediation of vulnerabilities, which proved to be inadequate.

596. In order to prevent and respond effectively to future attacks, the cybersecurity posture and readiness of IHiS must be strengthened. In this regard, effective leadership from the CEO and other members of IHiS’ senior management is essential, and the starting point must be to improve their visibility over all matters relating to cybersecurity.