Written answers

Thursday, 18 May 2017

Department of Finance

Cyber Security Policy

Michael McGrath (Cork South Central, Fianna Fáil)

89. To ask the Minister for Finance the amount of money spent in his Department and in the State entities under the remit of his Department on cyber security in each of the years 2012 to 2016 and to date in 2017; the number of employees dedicated to cyber security in the same entities; the number of job vacancies in the area of cyber security; and if he will make a statement on the matter. [23832/17]

Michael Noonan (Limerick City, Fine Gael)

I understand that the Deputy is interested in cyber security arrangements for my Department and a number of Bodies under the Aegis of my Department, namely the National Treasury Management Agency (NTMA), the Central Bank, the Financial Services Ombudsman and the Office of the Revenue Commissioners.

In relation to my Department, I wish to advise that ICT services are provided by the Office of the Government Chief Information Officer (OGCIO) under the Department of Public Expenditure and Reform.  On behalf of my Department, the OGCIO implements a multi-layered approach to cyber security and to protecting ICT systems, infrastructures, and services.  The threat landscape is constantly evolving and significant effort is expended to continually enhance and strengthen ICT security to mitigate against emerging threats, risks, vulnerabilities and cybersecurity issues. In addition to deploying intrusion protection systems, software vulnerabilities are managed by maintaining up-to-date versions.  OGCIO also continues to work closely with the National Cyber Security Centre (NCSC). The NCSC is a division of the Department of Communications, Climate Action & Environment and encompasses the State's national/governmental Computer Security Incident Response Team (CSIRT-IE). 

In relation to the Bodies under the Aegis of my Department as requested, I am advised of the following responses from three of the Bodies as set out as follows. It was not possible for the National Treasury Management Agency to provide the information sought in the time available and therefore I will make arrangements to provide the outstanding information in line with Standing Orders.

Central Bank of Ireland

The Central Bank does not comment on its IT security arrangements. The Bank actively monitors potential threats and implements measures wherever possible to prevent threats to its information security.

Financial Services Ombudsman Bureau/ Financial Services Ombudsman Council

The Financial Services Ombudsman’s Bureau and the Financial Services Ombudsman’s Council apply a multi-layered strategy to cyber-security.  The threat landscape is constantly evolving and significant effort is expended to continually enhance and strengthen ICT security to mitigate against emerging threats, risks, vulnerabilities and cybersecurity issues. In addition to deploying intrusion protection systems, software vulnerabilities are managed by maintaining up-to-date versions.

Office of the Revenue Commissioners

Revenue implements a very comprehensive approach to cyber security to protect technical infrastructure, tax-payer data and services. Revenue Data centres operate at and are independently audited to the ISO27001 standard for IT security and ISO22301 for business continuity.  Security is fundamental to all of our online services and built-in to all our systems from the design stage. Amongst the numerous initiatives taken to reduce the risk are the careful design of hardware and software architectures, firewalls, intrusion protection systems, penetration testing, hardening of operating systems and maintaining software patch levels etc.  As a result of this integrated approach, it is very difficult to specifically cost the spending on cyber security on an annual basis.

IT security is a key role for all Revenue IT staff.  Revenue has a number of specialised technical teams that constantly monitor all systems and evaluate the dangers posed by new and existing threats and take appropriate actions as required. These Revenue ICT staff also work closely with the National Cyber Security Centre (NCSC) and the OGCIO in evaluating the threat landscape.
