Report of the COI into the Cyber Attack on SingHealth 10 Jan 2019

COI Report – Part VII
Page 383 of 425

the updates are worth incorporating and must further, give adequate attention to and place due emphasis on security improvements in the upgrades. In essence, the team can make a holistic and comprehensive assessment of the implications of the upgrade on their respective areas of expertise, and then make a combined recommendation to Cluster management as to how and when the upgrade should be adopted.
47.1.3 Identification of upgrades significant to security
1116. There must be an identifiable individual or appointment holder taking current responsibility for every piece of software deployed, from a security standpoint. Those responsible for software must monitor relevant sources of information which may alert them to a need to act in relation to new security vulnerabilities.
1117. The policy should require the individual to closely review all software releases, and to critically assess whether there are security improvements which are significant. An upgrade significant to security would, for example, be one where a known vulnerability (i.e. one that has been publicised or one that has been exploited in a cyber attack) has been fixed. The functional improvements in the upgrade aside, a risk-assessment based approach should be adopted in assessing the software release. Staff involved in managing software must have experience, training or qualification commensurate with the importance of the software and risk levels involved. Staff involved must be aware of, and proactive in managing, information security-related risks associated with the software.
1118. There is no evidence that any such proactive security assessment of new software releases is currently carried out by IHiS.

Page 384 of 425

47.1.4 Risk assessment and prioritisation
1119. The policy should acknowledge limited resources, which make it unfeasible to purchase and install all upgrades immediately, and address the fact that administrators will need to prioritise the deployment of new upgrades, by performing a risk assessment to determine which software should be upgraded first.
1120. In general, this prioritisation should be based on the following criteria: a) Threat – A threat is any potential direct danger to information systems, or software that is exposed to a higher degree of risk (e.g. by virtue of its exposure to the internet). Special focus must be placed on upgrading of email applications, as email attacks are now the most common vector for initial intrusions into systems. b)
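The two recommendations above (an identifiable owner for every piece of software, and risk-based prioritisation of security-significant upgrades by the Threat criterion) can be expressed as a small triage routine. This is an added illustration, not part of the COI Report or of IHiS's processes; the inventory records, field names and score weights are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Release:
    software: str
    owner: Optional[str]      # appointment holder responsible for this software (None = gap)
    internet_exposed: bool    # reachable from the internet, so exposed to a higher degree of risk
    email_application: bool   # email is the most common vector for initial intrusion
    vuln_status: str          # "none", "publicised" or "exploited" for the vulnerability this release fixes


def is_security_significant(r: Release) -> bool:
    """Significant to security: the release fixes a known vulnerability,
    i.e. one that has been publicised or one that has been exploited in an attack."""
    return r.vuln_status in ("publicised", "exploited")


def threat_score(r: Release) -> int:
    """Higher score = higher threat. Weights are assumptions for illustration:
    exploited vulnerabilities, internet exposure and email applications rank highest."""
    score = {"none": 0, "publicised": 2, "exploited": 4}[r.vuln_status]
    if r.internet_exposed:
        score += 2
    if r.email_application:
        score += 3
    return score


def prioritise(releases: List[Release]) -> Tuple[List[Release], List[str]]:
    """Return (security-significant releases ordered highest threat first,
    names of software with no identifiable owner, which is a policy gap to fix)."""
    unowned = sorted(r.software for r in releases if not r.owner)
    queue = sorted((r for r in releases if is_security_significant(r)),
                   key=lambda r: (-threat_score(r), r.software))
    return queue, unowned


# Constructed sample inventory (not real systems).
INVENTORY = [
    Release("mail-gateway", "ops-lead", True, True, "exploited"),
    Release("web-portal", "web-team", True, False, "publicised"),
    Release("internal-reporting", None, False, False, "publicised"),
    Release("desktop-mail-client", "desktop-team", False, True, "none"),  # functional update only
]

if __name__ == "__main__":
    queue, unowned = prioritise(INVENTORY)
    for r in queue:
        print(f"{threat_score(r):2d}  {r.software}")
    print("no identifiable owner:", unowned)
```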