Written answers

Thursday, 20 May 2021

Fergus O'Dowd (Louth, Fine Gael)

262. To ask the Taoiseach and Minister for Defence if his Department is fully compliant with GDPR EU requirements and the EU Network and Information Security Directive and standards with respect to his Department's IT infrastructure, including Article 29 of GDPR, which requires that data processors access only the data they need for their task; if ISO 27001 Annex 9 standards on privileged access are fully met; and if he will make a statement on the matter. [27335/21]

Simon Coveney (Cork South Central, Fine Gael)

My Department's core IT infrastructure is provided by the Office of the Government Chief Information Officer (OGCIO) under the 'Build to Share Managed Desktop' shared service. The services provided by the OGCIO are compliant with GDPR. In reference to your question, which points to Article 29 of the GDPR in particular, OGCIO processes data under instruction from my Department. I have been advised by OGCIO that, as a data processor, they have taken all reasonable measures to prevent unauthorised access to personal data through the use of appropriate security processes and controls. These processes and controls include the ability to ensure the ongoing confidentiality, compliance, integrity, availability and resilience of processing systems and services; and the ability to restore the availability of and access to personal data in a timely manner in the event of a cybersecurity, physical or technical incident.

The OGCIO has adopted a defence-in-depth security strategy which is achieved by utilisation of people, processes, and technology to support the implementation of ICT security services. The threat landscape is constantly evolving and significant effort is expended to continually enhance and strengthen ICT security to mitigate against emerging threats, risks, vulnerabilities and cybersecurity issues. In addition to deploying perimeter security measures, such as intrusion protection systems, software vulnerabilities are managed by maintaining up-to-date versions and aggressively deploying updates and patches to endpoints and applications as they become available.

The OGCIO has employed a policy of least privilege security principle. IT staff are only assigned security roles with levels of access which are essential to perform the tasks and duties associated with their functions. The allocation and usage of privileged user accounts are reviewed and monitored.

The OGCIO has developed an Information Security Management System (ISMS) aligned with the industry security standard ISO27001. This ISMS provides an overall governance framework for information security and sets out security policies, objectives, management oversight, practices and governance and ensures continual improvement of information security management.

Fergus O'Dowd (Louth, Fine Gael)

263. To ask the Taoiseach and Minister for Defence if any state or semi-state bodies which report to his Department are fully compliant with GDPR EU requirements and the EU Network and Information Security Directive and standards with respect to their IT infrastructure, including Article 29 of GDPR, which requires that data processors access only the data they need for their task; if ISO 27001 Annex 9 standards on privileged access are fully met; and if he will make a statement on the matter. [27353/21]

Simon Coveney (Cork South Central, Fine Gael)

The only state body under the aegis of the Department of Defence is the Army Pensions Board. The Army Pensions Board is an independent statutory body, established under the Army Pensions Act 1927. Day-to-day work related to the Board is undertaken by the Board's Secretary, who is a full-time civil servant employed in the Department of Defence. The Board does not employ any staff directly.

I wish to advise that ICT services for the Army Pensions Board are provided by the Office of the Government Chief Information Officer (OGCIO) under the 'Build to Share Managed Desktop' shared service. The services provided by the OGCIO are compliant with GDPR. In reference to your question, which points to Article 29 of the GDPR in particular, OGCIO processes data under instruction from my Department. I have been advised by OGCIO that, as a data processor, they have taken all reasonable measures to prevent unauthorised access to personal data through the use of appropriate security processes and controls. These processes and controls include the ability to ensure the ongoing confidentiality, compliance, integrity, availability and resilience of processing systems and services; and the ability to restore the availability of and access to personal data in a timely manner in the event of a cybersecurity, physical or technical incident.

The OGCIO has adopted a defence-in-depth security strategy which is achieved by utilisation of people, processes, and technology to support the implementation of ICT security services. The threat landscape is constantly evolving and significant effort is expended to continually enhance and strengthen ICT security to mitigate against emerging threats, risks, vulnerabilities and cybersecurity issues. In addition to deploying perimeter security measures, such as intrusion protection systems, software vulnerabilities are managed by maintaining up-to-date versions and aggressively deploying updates and patches to endpoints and applications as they become available.

The OGCIO has employed a policy of least privilege security principle. IT staff are only assigned security roles with levels of access which are essential to perform the tasks and duties associated with their functions. The allocation and usage of privileged user accounts are reviewed and monitored.

The OGCIO has developed an Information Security Management System (ISMS) aligned with the industry security standard ISO27001. This ISMS provides an overall governance framework for information security and sets out security policies, objectives, management oversight, practices and governance and ensures continual improvement of information security management.
