Report of the COI into the Cyber Attack on SingHealth 10 Jan 2019

COI Report – Part VII
Page 313 of 425

41 RECOMMENDATION #6: INCIDENT RESPONSE PROCESSES MUST BE IMPROVED FOR MORE EFFECTIVE RESPONSE TO CYBER ATTACKS
#DETECTION RESPONSE #GOVERNANCE
910. An effective incident response plan can reduce the extent and impact of an attack by identifying its source and shutting it down quickly. In the event of a cyber attack, warnings may come at short notice and the pace at which an attack escalates may be rapid. The correlation between the effectiveness of an incident response plan and recovery is evident, with organisations recovering from attacks proportionally to their incident response preparedness.
911. While IHiS’ existing security incident response framework and IR-SOP envisage proper and prompt incident detection, investigation and reporting, the evidence led reveals that many of the security incidents involved in the Cyber Attack went undetected, were poorly investigated or were unreported. Had early detection, proper investigation and timely reporting occurred, the unauthorised access to, and exfiltration of, patient data from the SCM database could likely have been prevented.
912. A proactive response is key to mitigating damage and facilitating recovery efforts. It is thus imperative that the incident response process is sharpened through the measures recommended in this section.
41.1 Incident response plans must be tested with regular frequency before a real incident occurs
913. To ensure that response plans are effective, they must be tested. Plans must not only be used in real-world incidents – they must be tested with regular frequency before a real incident occurs.





41.1.1 Testing of incident response plans is critical
914. Testing is critical because it provides an opportunity to reveal weaknesses and omissions that ought not to be discovered only after a breach has already occurred. Planning can only go so far, and while organisations can strive to create comprehensive incident response plans, failure to test such plans until a real event occurs may result in the realisation (too late) that the plans fail at the first step because they are unworkable, or did not adequately consider real-world constraints or difficulties. The failure to frequently test an incident response plan could result in increased response time, confusion amongst the responders, and at its worst, a failure to even respond to a serious security incident.
915. Organisations, in particular IHiS, must ensure that training and building familiarity with incident response plans is ongoing. Training should be continuous and not limited to a one-time event. Continuous mechanisms must be in place for ensuring that reporting triggers and reporting procedures are known, understood, and complied with. This should be led by CEO, IHiS. At the same time, SingHealth and MOHH are to have oversight of this, as the system owner and the holding company respectively.
916. All relevant parties should be drilled on the response plan, with exercises and simulations carried out regularly. The creation of an incident response plan must not be viewed as a one-time exercise. It is an ongoing process, and refinements to the plan must be made when drills demonstrate the need for the plans to be modified. Ensuring that plans are reviewed and amended on an ongoing basis will allow incorrect information regarding tools and people to be updated, and for reviewing of response measures that do not work, or are out of order. This is consistent with Vivek’s expert testimony that “a plan that is a Word document that is filed somewhere, or a PDF that is filed somewhere does not help” and that the plan should be kept current and effective by constantly updating it after every incident and after every TTX. For example, simulation exercises can prevent confusion by engaging with all the key stakeholders to set clear expectations, contributing to the completeness and clarity of post-breach actions and responsibilities. Gen. Alexander’s evidence was explicit that,


