COI Report – Part VII
Page 243 of 425

but by senior management who have responsibility and oversight of the operational and business imperatives.

704. To this end, IHiS and the Clusters must review their organisational and reporting structure, to ensure that cybersecurity considerations and decisions are escalated to the appropriate decision-makers. Some examples are highlighted below.
36.4 Ensuring appropriate lines of reporting

705. On the issue of appropriate decision-makers, an issue that came up in the course of the proceedings was whether the double-hatting of officers such as Bruce (as IHiS CEO and MOH CIO) and Kim Chuan (as Director, CSG and MOH CISO) raised conflict of interest concerns. As mentioned by MD, MOHH, “there will always be the real possibility that there is a conflict of interest because the person promulgating the policy is the one who implements, and the one checking is the person who promulgated the policy”. There was an attempt to explain this conflict of interest by showing that the double-hatting (i) enables alignment between MOH’s priorities in IT and cybersecurity strategy, policy and programmes and IHiS’ planning and implementation of the same for MOH; and (ii) ensures a channel for IHiS to provide MOH with feedback from the running of programmes on the ground, so as to inform MOH’s policy-making. In an organisation, there needs to be alignment of organisational objectives and processes, but there should not be any conflict of interest. While the Committee can understand the need for alignment of organisational objectives and processes, alignment alone does not address conflicts of interest. The oversight of IHiS by entities such as the CSC does not fully resolve conflicts of interest for IT and cybersecurity strategy and programmes.
706. The Committee notes that MOH is considering setting up an independent CISO office within MOH. This is a step in the right direction in this matter. If such an office is set up, it should be independent of IHiS.