I propose to take Questions Nos. 209 and 210 together.
My Department has a range of contracts with external cyber security and related ICT firms which enable the provision of essential products and services required by the Department such as security advice, penetration testing, provision of security software and related services.
My Department conducts ongoing security assessments and evaluations against the relevant external specialist guidance and standards (including the National Cyber Security Centre’s (NCSC) Cyber Security Baseline Standard and the NIS2 Directive which is a new European Union cyber security directive which will be transposed into Irish law during 2024). These reviews inform the ongoing programme of security work by staff of the ICT Unit of the Department which is undertaken with support (where required) from external consultants.
For operational and security reasons, the advice from the NCSC recommends that public bodies do not disclose details of systems and related projects/ processes as there is a risk that this disclosures could in turn compromise cyber security measures in place in those bodies. In particular, it is not considered appropriate to disclose information which might assist criminals to identify potential vulnerabilities in departmental cybersecurity arrangements.
This constrains the level of detail which can be put into the public domain in relation to the ongoing programme of work around the Department’s cyber- security arrangements. Specifically, it is not considered appropriate to disclose particular arrangements in place in relation to cyber security tools and services, and for these reasons my Department does not comment in detail or make disclosures around operational security arrangements.
A breakdown of the expenditure categories specifically sought in the Deputy’s question PQ 50813/23 is detailed below:
-
|
2020 (€)
|
2021 (€)
|
2022 (€)
|
Cyber Security Audits
|
-
|
-
|
16,789.50
|
Cyber security advice/consultancy
|
139,215.17
|
33,866.12
|
101,160.08
|
Total
|
139,215.17
|
33,866.12
|
117,949.58
|
Please note that the expenditure detailed in the table above relates only specifically to the categories of expenditure security audits and security advice sought by the Deputy and therefore does not represent the totality of security expenditure by my Department in so far as it excludes many other areas of security expenditure within the Department falling outside of these categories such as (but not limited to) specialist staff, licenses for security products and capabilities, security related ICT infrastructure etc.