Report of the COI into the Cyber Attack on SingHealth 10 Jan 2019
COI Report – Part VII Page 247 of 425

the ability (through empowerment and domain expertise) to carry out the independent oversight function of IT operations in the cluster in three main areas:

a) Strategic oversight: policy and project alignment with a cluster's strategic and business interests, and horizon scanning.

b) Risk management: audit and risk assessments about IT projects and security risks, and checks and balances in decision-making and assessments.

c) Project management: operations and implementation of IT projects and pricing, terms, competitiveness and value of project proposals.

717. It is important that there is appropriate cybersecurity expertise at the SingHealth senior management level. One way to do this would be to give the GCIO the right personnel and resources to perform his cybersecurity functions effectively. This would minimally mean increasing manpower in the GCIO office, specifically in the area of cybersecurity, and also ensuring that the additional manpower includes personnel with technical and IT security expertise. In this way, the GCIO is better equipped to educate and advise SingHealth senior management on cybersecurity risks and the trade-offs that can or cannot be made. There are, however, two potential challenges with this approach.

718. First, at a practical level, there may be a challenge in being able to attract enough quality staff at each Cluster CIO office, and there is also the concern of duplication of resources (i.e. staff with technical and IT security expertise being spread across IHiS and each of the Clusters). Second, there may be a challenge in managing conflicts of interest, given that under the current structure, the GCIO:

a) Has responsibility over a number of functions (as mentioned in paragraph 712 (pg 245) above), and the GCIO will have to balance between the imperatives of each function, and compromises may have to be made in the allocation of limited operational and