Report of the COI into the Cyber Attack on SingHealth 10 Jan 2019




COI Report – Part II
Page 47 of 425

12.6 Follow-up for IT Security audits
134. Where the audit concerned the SingHealth network or systems, the Infrastructure Services Lead would ordinarily lead the follow-up on the audit observations and findings. For the follow-up of audit findings in 2017, including the follow-up for the FY H-Cloud Pen-Test, it would have been Serena Yong's role, as Infrastructure Services Lead for SingHealth, to work with the Tower Leads. In 2017, the Tower Leads would have been (a) Nick Thoo for Network Services, (b) Loh Khim Huat for End-User Computing, (c) Ernest for Security Services and (d) Woon Lan for Data Centre Services.
135. Verification of audit findings, i.e. confirmation that follow-up action has indeed been taken, is conducted (a) by CSG on a 6-monthly basis, as part of tracking the progress of action plans arising from CII audits, for updating to SingHealth management, and (b) by GIA on a yearly basis, as part of the overall audit process for that financial year.
12.7 Relative roles of MOHH GIA and CSG
136. There have been various discussions on the role of MOHH GIA vis-à-vis CSG. The IHiS ARC agreed in March 2017 on the following roles and responsibilities for CSG and MOHH GIA, with concurrence from IHiS CEO Bruce
(a) CSG would perform all necessary checks of security implementation through its compliance programs, and MOHH GIA would review the adequacy of the compliance programs carried out by CSG.
(b) MOHH GIA could also conduct independent tests, including network penetration tests, periodically to validate the effectiveness of controls.
137. Since 2017, there has been discussion at the IHiS ARC over a three lines of defence model for effective cyber risk management and control, which is still being designed. In brief, this would comprise operations as the first line, compliance checks as the second line, and internal audit as the third line of defence. At the time of the Cyber Attack, the respective roles of GIA and CSG under this model were not yet finalised. The Committee will discuss this further when it makes its recommendations in section 36.1 (pg 235) below.


