Fergus O'Dowd (Louth, Fine Gael)
Link to this: Individually | In context | Oireachtas source

221. To ask the Minister for Public Expenditure and Reform if his Department is fully compliant with GDPR EU requirements, the EU network and Information Security Directive and standards with respect to his Department’s IT infrastructure including Article 29 of GDPR which requires that data processors access only the data they need for their task; if ISO 27001 Annex 9 standards on privileged access are fully met; and if he will make a statement on the matter. [27344/21]

Michael McGrath (Cork South Central, Fianna Fail)
Link to this: Individually | In context | Oireachtas source

In relation to my Department, I wish to advise that ICT services are provided by the Office of the Government Chief Information Officer (OGCIO). The services provided by the OGCIO are compliant with GDPR. In reference to your question which points to in Article 29 of the GDPR in particular, I can assure you as a data processor OGCIO has taken all reasonable measures to prevent unauthorised access to personal data through the use of appropriate security processes and controls. These processes and controls include the ability to ensure the ongoing confidentiality, compliance, integrity, availability and resilience of processing systems and services; and the ability to restore the availability and access to Personal Data in a timely manner in the event of a cybersecurity, physical or technical incident.

The OGCIO has adopted a defence-in-depth security strategy which is achieved by utilisation of people, processes, and technology to support the implementation of ICT security services. The threat landscape is constantly evolving and significant effort is expended to continually enhance and strengthen ICT security to mitigate against emerging threats, risks, vulnerabilities and cybersecurity issues. In addition to deploying perimeter security measures, such as intrusion protection systems, software vulnerabilities are managed by maintaining up-to-date versions and aggressively deploying updates and patches to endpoints and applications as they become available.

The OGCIO has employed a policy of least privilege security principle. IT staff are only assigned security roles with levels of access which are essential to perform the tasks and duties associated with their functions. The allocation and usage of privileged user accounts is reviewed and monitored.

The OGCIO has developed an Information Security Management System (ISMS) aligned with the industry security standard ISO27001. This ISMS provides an overall governance framework for information security and sets out security policies, objectives, management oversight, practices and governance and ensures continual improvement of information security management.

Fergus O'Dowd (Louth, Fine Gael)
Link to this: Individually | In context | Oireachtas source

222. To ask the Minister for Public Expenditure and Reform if any state or semi state bodies which report to his Department are fully compliant with GDPR EU requirements and the EU network and Information Security Directive and standards with respect to their IT infrastructure including article 29 of GDPR which requires that data processors access only the data they need for their task; if ISO 27001 annex 9 standards on privileged access are fully met; and if he will make a statement on the matter. [27363/21]

Michael McGrath (Cork South Central, Fianna Fail)
Link to this: Individually | In context | Oireachtas source

I wish to advise the Deputy that a deferred reply will be issued to him in respect of this Parliamentary Question, in line with Standing Order 51B.