SingHealth COI: IHiS’ systems were built for business efficiency instead of security, says CSA chief
While IHiS has done well in implementing technological advances to a large healthcare system, it did not pay enough attention to potential cyber threats arising from tech adoption, says Cyber Security Agency chief David Koh.
Ricky Lim
During his testimony, Mr Koh said that Integrated Health Information Systems (IHiS) – Singapore’s central IT agency for the healthcare sector – had a “relatively low level” of security oversight.
Employees who worked on cybersecurity were embedded in the service delivery group instead of having their own reporting line, he added.
These two points led him to believe that the senior management of IHiS had little line of sight of cybersecurity issues.
--
Ricky Lim
CISSP does give the knowledge.
But implementing all the security knowledge in a highly complex IT infrastructure that cuts across all IT domains is a challenge, and not many can do it.
Imagine putting all the above security recommendations in place and implementing them on the below IT domains without causing disruption to the IT operations SingHealth-wide.
If I am not wrong, I have come across many IT infrastructures that did not implement all the above security recommendations, even though they have CISSP and many other certifications around.
Ricky Lim
Mr Koh recommended that IHiS adopt a “defence-in-depth” approach when developing or upgrading their systems and networks.
----
Posted on:- PROTECTION OF PUBLIC WEB SERVICE AND WEB ACCESS
Posted on:- 20 Jul 2018
Ricky Lim
E.g. of "Defense in Depth":-
The above measures are recommended on top of and above the below:-
(Assuming that all traditional security measures are put in place, like firewall, segregation of web, apps and database, network IPS, host IPS, WAF (web application firewall), VPN IPsec, digital cert, encryption, authentication, directory service, desktop security features like personal firewall, anti-virus, latest security patches, etc., that have undergone security posture assessment, and that BYOD, port authentication, secured shell for admin management, SSL, etc., have been put in place.)