Report of the COI into the Cyber Attack on SingHealth 10 Jan 2019
COI Report – Part II

77. The centralised IHiS team in the GCIO office supports the Clusters and GCIOs by delivering the necessary services. IT projects are articulated in the Clusters' annual work plans, which are agreed between the GCIOs and the IHiS Delivery Group management, with resiliency projects having the highest priority. Members of the Cluster CIO office and the IHiS Delivery Group meet regularly to synchronise demand and supply, and to review projects and operations.

9.2 IHiS Cyber Security Governance (“CSG”)

9.2.1 Overview of CSG

78. IHiS Cyber Security Governance (“CSG”) comprises 12 staff who report directly to Director of CSG Kim Chuan, who provides both the IHiS CEO and the CSC with a broad overview of security from the governance perspective. The formation of CSG was detailed at section 6.4.1 (pg 14) above.

79. CSG is in charge of (i) developing cybersecurity policies and standards, (ii) liaising with Clusters and IHiS Delivery Group about their implementation of cybersecurity policies for the Clusters, and (iii) tracking and providing compliance assurance on the implementation of cybersecurity policies. CSG acts as the Secretariat for CSC, and proposes policies and makes recommendations for CSC’s approval.

80. As mentioned, Kim Chuan has a dual appointment as Director of CSG, IHiS and MOH Chief Information Security Officer, which he said “allows (him) to align IHiS’ cybersecurity policies with broader Government standards and facilitates engagement with the Clusters on cybersecurity policies”.

81. CSG is separate from the Security Management Department (located within the Delivery Group), which provides security advisory services and subject matter expertise, as well as from the Cluster ISOs, which spearhead cybersecurity in their respective Clusters. Neither the Security Management Department nor the Cluster ISOs report to Kim Chuan.