Friday, 29 November 2019

Data security review for Singapore's public sector: 5 key recommendations

All govt agencies to take steps to safeguard personal data; measures to be in place in most systems by end-2021
By Hariz Baharudin, The Straits Times, 27 Nov 2019

The Public Sector Data Security Review Committee has made recommendations in five key areas for entities that handle public sector data to adopt, following a comprehensive inspection of 336 systems in 94 agencies.

The Prime Minister's Office said in a statement on Wednesday (Nov 27) that the Government accepts these recommendations. They will be rolled out in 80 per cent of its systems by the end of 2021, with a deadline of end-2023 for full implementation.

The five key recommendations are:


- Government agencies to collect data only when necessary and limit their retention period.

- Minimise devices which hold data by allowing file access only on secured platforms. Use data only for tasks that require the data, and give selective access.

- Enhance how data use is monitored through digital watermarking and checking how data moves through the network.

- Detect suspicious activity, through e-mail data protection tools and data loss protection tools.

- Protect stored data by making it unusable and unreadable even if stolen.

- Protect the data when it is being distributed through password protection and encryption, as well as distribution through secure channels.


- Establish a central contact point for public to report government data incidents.

- Set up the Government Data Office to monitor and analyse security incidents.

- Designate the Government IT management committee as the central body to respond to large-scale incidents that involve multi-agencies.

- Install a framework for all public agencies to notify individuals affected by data incidents promptly.

- Have a standard process for post-incident inquiry for data incidents and share takeaways across all agencies.


- Specify roles for groups of officers involved in management of data security.

- Ensure all public officers are regularly updated on data security considerations through an annual training programme.

- Inculcate a culture of excellence around sharing and using data, and cultivate an environment conducive to open reporting of data incidents.


- Install organisational key performance indicators for data security.

- Hold top leadership of all public sector organisations accountable for installing strong organisational data security practices.

- Ensure accountability of third party handling government data by amending the Personal Data Protection Act to cover Government vendors and non-public officers who mishandle personal data.

- Publish government policies and standards relating to data protection and update this annually.


- Appoint the Digital Government Executive Committee to oversee public data security.

- Set up the Government Data Security unit to drive data security efforts in the public sector.

- Deepen the Government's expertise in data protection technologies.

New steps by public agencies to safeguard personal data
Govt accepts review panel's recommendations; single contact point for public to report incidents
By Hariz Baharudin, The Straits Times, 28 Nov 2019

Public agencies will collect and retain an individual's data only when it is strictly necessary. They will also make sure the data is properly safeguarded, adopting new measures that will be rolled out across the entire public service.

In case of a data incident involving ministries, statutory boards or other public agencies, anyone affected will have to be notified promptly.

A single contact point will also be established for the public to report data incidents.

An exercise that began eight months back following a spate of data breaches has culminated with a series of suggestions submitted to Prime Minister Lee Hsien Loong on improving data security.

The Government said yesterday it has accepted these recommendations from the Public Sector Data Security Review Committee (PSDSRC) and they will be rolled out in 80 per cent of its systems by end-2021.

The rest will follow by the end of 2023, as some systems will require significant redesign.

The committee was convened on March 31 and tasked with reviewing data security practices across the public sector and suggesting ways to improve them. It carried out detailed inspections of 336 systems in all 94 government agencies.

In a letter accepting the committee's recommendations, PM Lee said: "Data is the lifeblood of the digital economy and a digital government. We need to use and share data as fully as possible to provide better public services.

"In doing so, we must also protect the security of the data and preserve the privacy of individuals, and yet not stifle digital innovation."

As part of moves to improve the culture of safeguarding data, all public sector officers will have to go through an annual data security training programme.

Third-party vendors handling government data who misuse personal data will also come under the Personal Data Protection Act (PDPA), following changes to the Act which will likely be announced next year.

This means that these agents of government, who were previously exempt from the PDPA, will be liable to its financial penalties of up to $1 million.

These steps come under five broad measures: better protect data and stop it from being compromised; improve the detection of data incidents and the response to them; raise competencies in the public service with regard to data security; ensure accountability for data protection at every level of government; and make sure that data security is a sustained effort in the public service.

The PSDSRC was formed after a spate of cyber-security breaches.

In March, the personal data of 800,000 blood donors was uploaded on an unauthorised server.

And in June last year, hackers stole the data of 1.5 million SingHealth patients and the outpatient prescription information of 160,000 people, including PM Lee.

PM Lee said in his letter that given the amount of data the Government gathers, it must do all it can to minimise the risk of data security incidents. "At the same time, when such breaches do occur, it is essential that we detect them quickly, and respond effectively to limit the breach and minimise the harm done," he said.

Senior Minister Teo Chee Hean, who chaired the panel, said that had these measures been in place earlier, the impact of the breaches would have been less severe.

"These measures will significantly enhance safeguards and hold officers to account. They are compatible to international and industry best practices," said SM Teo.

How government data incidents could have been prevented
Recommended measures could have enabled stronger detection
By Hariz Baharudin, The Straits Times, 28 Nov 2019

The impact of past breaches of government data would have been minimised - or the incidents even prevented - if data security measures announced yesterday had been in place, said Senior Minister Teo Chee Hean.

These various data security incidents, like the cyber attack on SingHealth last year which saw the data of 1.5 million people stolen, had prompted the Government to set up the high-level Public Sector Data Security Review Committee.

Yesterday, it announced a host of recommendations, which the Government has accepted and will implement across most of its systems by the end of 2021, with the rest by the end of 2023. Here is a look at how some of these breaches could have been prevented with these new recommendations:


In what was Singapore's worst cyber attack, the personal data of 1.5 million patients and the outpatient prescription information of 160,000 people, including Prime Minister Lee Hsien Loong, were stolen by hackers in June last year.

A skilled attacker managed to enter SingHealth's system, get past its defences and move around in the network without anyone noticing.

Reporting of the incident was delayed by the information technology security team, which gave the attacker more time to steal the data.


• Monitoring access of authorised and privileged users of the health data would have flagged unauthorised use of such accounts. The lack of monitoring meant that the attacker's unauthorised use was not detected.

• Increase in training for IT security staff would have enabled them to better recognise the signs of an attack and handle it.

• Enhancing the data incident management framework would have ensured that any suspected incident was promptly reported.


Between 2012 and 2013, a copy of the HIV registry was downloaded onto a thumb drive, and the data was leaked on the Internet this year.

The confidential details of over 14,000 people on the HIV Registry were illegally made public by American Mikhy Farrera-Brochez.

He had obtained the information through his partner, Ler Teck Siang, a doctor who was head of the Ministry of Health's National Public Health Unit and who had access to the data.


• Unusual activity such as downloading of the registry would have been detected, and downloading of the data to an unauthorised device like a thumb drive would have been disabled.

• Digital watermarking of the files would have helped in identifying the source of the leaked file.

• Replacing names and details on the registry with unique identifiers, also known as tokenisation, would have prevented identification of individuals.


A Microsoft Excel spreadsheet containing pupils' particulars was mistakenly sent out to some 1,200 parents, as the officer did not check the e-mail recipient list.

This document contained the names and birth certificate numbers of all 1,900 pupils in the school, along with the names, phone numbers and e-mail addresses of their parents.


• An e-mail data protection tool would have alerted the officer that sensitive data was being sent to external parties.


Secur Solutions Group (SSG), a vendor for the Health Sciences Authority (HSA), improperly stored the data of over 800,000 blood donors on an unsecured server for more than two months.

There were inadequate safeguards in place to prevent unauthorised access.


• With better accountability of third parties that handle government data and a framework to manage them, the HSA could have better monitored and audited SSG's data security performance and identified unsafe practices.

Government will continue to work with private sector over data security: Senior Minister Teo Chee Hean
Both sectors offer good examples of high data integrity, says SM Teo
By Yip Wai Yee, The Straits Times, 28 Nov 2019

The public and private sectors will work as partners when it comes to dealing with data security, said Senior Minister Teo Chee Hean who heads the Public Sector Data Security Review Committee.

He noted yesterday that many organisations in both the public and private sectors today are data-driven and both sectors "offer good examples of how to maintain high integrity of data". SM Teo was speaking to the media about his committee's recommendations.

Adding that the two sides will continue to work together in the future, he said: "We have benefited greatly from the perspectives that the private sector members have brought to the committee."

Besides Mr Teo and four ministers involved in Singapore's Smart Nation efforts - Dr Vivian Balakrishnan, Mr S. Iswaran, Mr Chan Chun Sing, and Dr Janil Puthucheary - the committee includes five private sector representatives with expertise in data security and technology.

Mr Teo, who is also the Minister-in-charge of Public Sector Governance, highlighted how data security-related legislation and guidelines for the public and private sectors constantly referenced one another over the years.

For example, he said, the Ministry of Communications and Information may apply a certain provision of the Public Sector Governance Act, which penalises public officers who egregiously breach data privacy, to the Personal Data Protection Act as well, which is a data protection law for the private sector.

"So actually, we are learning from each other the best practices, the best standards," he added.

Mr Chan, who is Minister-in-charge of the Public Service, said at the same press conference that the public service sector "must not think of ourselves in isolation".

"The strength of the Singapore system is determined by the weakest link. For us, it is necessary, but not sufficient, to just look at our own internal processes. We must see how we interface with the private sector because only by doing so, can the entire system be robust," he said.

Mr Iswaran, who is Minister-in-charge of Cybersecurity, pointed out that whether it is the public or private sector, there needs to be an assurance that data security is being taken seriously. Those handling data security should also demonstrate the capability to prevent data breaches, and respond to them quickly should they happen.

Accountability and transparency are also necessary when such breaches occur, he added.

Dr Balakrishnan, who is in charge of the Smart Nation initiative, said: "If you don't have data security, we cannot proceed with all the projects and the services that people expect us to deliver."

In a statement, committee member Ho Wah Lee, a former KPMG partner, said the recommendations would prove effective. "With the recommended enhancements to the audit frameworks, the Government should be able to prevent, detect and respond swiftly and effectively to data incidents," he said.

Mr David Gledhill, former chief information officer for DBS who was also on the panel, said the recommendations are "extremely comprehensive".

He added that it helps that a high-level body will oversee public sector data security.

"It ensures not only that current measures are implemented, but also that the group is continuously looking at how this is an evolving space... I think things will evolve and the process of (having) a team responsible for always looking forward is a very, very robust addition."

About the Public Sector Data Security Review Committee

The Public Sector Data Security Review Committee was convened in March 2019 by Prime Minister Lee Hsien Loong to look at and strengthen data security practices across the entire public service, following a series of data-related breaches.

It is chaired by Senior Minister Teo Chee Hean, who is also Minister-in-charge of Public Sector Data Governance, and includes five private sector representatives with expertise in data security and technology, as well as the four ministers involved in Singapore's Smart Nation efforts.

The four ministers are Dr Vivian Balakrishnan, who is Minister-in-charge of the Smart Nation Initiative; Mr S. Iswaran, Minister-in-charge of Cybersecurity; Mr Chan Chun Sing, Minister-in-charge of the Public Service; and Dr Janil Puthucheary, Minister-in-charge of the Government Technology Agency.

The private sector members are Sir Andrew Witty, chief executive of Optum; Professor Anthony Finkelstein, the British government's chief scientific adviser for national security; Mr David Gledhill, senior adviser and former chief information officer for DBS Bank; Mr Ho Wah Lee, a former KPMG partner; and Mr Lee Fook Sun, chairman of Ensign InfoSecurity.

The committee was supported by a separate expert group consisting of seven international experts and industry professionals, as well as by an inter-agency task force formed by public officers across the Government.

In formulating its recommendations, the committee inspected 336 systems across 94 agencies in Singapore to identify security risks and the common causes of data breaches.

In addition, it examined global and industry best practices and reviewed the Government's data-security-related legislation and guidelines against the requirements for private sector organisations.

It also evaluated whether the proposed recommendations would have prevented the past data incidents or mitigated their impact.

Public agencies have 72 hours to decide to notify people affected by data breach under new data security rules
By Hariz Baharudin, The Straits Times, 14 Dec 2019

Data protection rules governing the country's public sector will be harmonised with those for the private sector, in the first major revision to address longstanding criticisms that private companies were subject to stricter measures.

The seeming gap in the two sets of data protection measures became starker after a series of public-sector breaches that involve the sensitive data of patients and students.

In an interview with The Straits Times, the Government Data Office's director Quek Su Lynn said the public sector's internal data protection rules, known as Instruction Manual 8 (IM8), will be updated next year to make data protection measures "clearer" and plug "gaps".

For instance, all public sector agencies will be required by way of the IM8 to decide within 72 hours whether or not to notify affected parties about a data breach.

If they are unsure if they should inform affected parties, like in the case of an incident with national security concerns, they have to notify the Government Data Office, which provides directions on data management across the public sector.

This requirement was not spelt out as a standard practice in the IM8. For the private sector, the Personal Data Protection Commission (PDPC) advises private companies to notify affected individuals as soon as practicable, as a best practice.

The updated IM8, which will take effect within the next year, follows recommendations aimed at sharpening existing data protection practices.

The proposals, announced on Nov 27, were made by the Public Sector Data Security Review Committee (PSDSRC).

The committee was convened by Prime Minister Lee Hsien Loong on March 31 after a spate of cyber-security breaches and incidents in the past few years.

This includes a data breach involving the personal information of more than 800,000 blood donors in March.

In June last year, hackers stole the data of 1.5 million SingHealth patients and the outpatient prescription information of 160,000 people, including PM Lee.

These high-profile data breaches led privacy advocates to ask if the security measures in the public sector were as robust as the private sector's.

With the new additions to the IM8, public servants will for the first time be given specific instructions on the different types of documents to which a secure password has to be applied.

This is in line with the obligations of private companies as set out in the PDPA, which is to have reasonable security arrangements to prevent unauthorised access, collection or use of personal data in their possession.

Additionally, some technical measures to protect data that were previously not specified in the IM8 will be spelt out and made mandatory.

These include digital watermarking of files downloaded to aid investigations in the case of data incidents, adding random strings of data used to modify stored passwords so that bad actors cannot use them if they steal them, and mandating that files are transferred only through secure internal file-sharing channels.

Professor Atreyi Kankanhalli, deputy head of information systems and analytics at the NUS School of Computing, applauded the steps the review committee had proposed and how it would bridge the gap for both sectors.

"The harmonisation of policies and guidelines for both sectors... as well as publishing the policies and updates would increase accountability of the public sector in the area of personal data protection," she said.

The Government has said it will roll out the review committee's recommendations in 80 per cent of its systems by end-2021. The rest will follow by the end of 2023, as some systems will require redesign.

Ms Quek told ST the recommendations will be set out as policies and processes in the IM8, after which the agencies will be given time to make adjustments.

She said: "We will be updating (the IM8) in tranches. We do have some internal timelines, but within the next nine to 12 months, everything should be updated."

All public servants need to comply with the IM8, which specifies government policies, standards, regulations and codes of practice for IT security. Agencies are regularly audited for compliance with the IM8.

Failure to comply with data security rules under the IM8 leading to reckless or knowing misuse or unauthorised disclosure of data could be an offence under the Public Sector (Governance) Act.

The penalties include fines of up to $5,000 or a jail term of up to two years, or both.
