Tuesday, 5 November 2019

Questions (137)

Alan Kelly

Question:

137. Deputy Alan Kelly asked the Minister for Finance his plans to protect his Department in the event of a malware attack or security risks as a result of the failure to upgrade computers from an operating system (details supplied) in his Department and the agencies under his remit; and if he will make a statement on the matter. [44743/19]


Written answers (Question to Finance)

Provisions are being made to upgrade all Microsoft Windows 7 personal computing devices to Microsoft Windows 10; this project will be completed by the end of 2020. Microsoft Windows 7 extended support will be put in place for all the Department’s personal computing devices running Microsoft Windows 7 while this upgrade project is ongoing. The Department’s Windows 7 personal computing devices will continue to receive security updates and patches to protect against malware attack as part of this Microsoft Windows 7 extended support.

There are 17 bodies under the aegis of my Department and it should be noted that none of the bodies share a computer network with my Department.

The Credit Union Advisory Committee is a committee that advises the Minister on credit union issues and uses the department offices for its, usually once a month, meetings and therefore no security issues relating to Windows 7 arise. The Credit Union Restructuring Board has been wound down and legislation formally dissolving the body is currently going through the Houses of the Oireachtas and therefore no security issues relating to Windows 7 arise.

The remaining 15 bodies have provided the following on the measures taken by them to negate any potential malware attacks or security risks:

Body

Plans to protect the Body in the event of a malware attack or security risks as a result of the failure to upgrade computers from Windows 7

Office of the Comptroller and Auditor General (C&AG)

The devices used by the Office of the C&AG run Windows 10 apart from two devices which host legacy applications. These devices will be discontinued or updated prior to the expiry of support for Windows 7.

Central Bank

While in excess of 95% of the Central Bank’s estate is Windows 10, due to 3rd party requirements there remains a small number of Windows 7 users. Compensating controls are in place for these, such as network segregation, and they reside in a closed network with no Internet connectivity. The Central Bank has a strategy in place to upgrade these devices in the coming months.

Credit Review Office

The Credit Review Office upgraded from Windows 7 to Windows 10 in 2017. All of their security and operating systems are operated through Enterprise Ireland.

Disabled Drivers Medical Board of Appeal

The National Rehabilitation Hospital supplies all of the facilities and infrastructure for the Disabled Drivers Medical Board of Appeal.

Financial Services and Pensions Ombudsman (FSPO)

The FSPO has upgraded 80% of its PCs to Windows 10. It plans to upgrade the remaining PCs by the end of Q4 2019. The FSPO is aware that Extended Support for Windows 7 will expire in mid-January 2020 and it does not anticipate having any PC operating with Windows 7 at that time.

Home Building Finance Ireland (HBFI)

The NTMA assigns staff and provides business and support services and systems to HBFI. This includes primary ICT services. As such, the NTMA maintains a robust cyber security posture to proactively protect against malware attacks and manage security risks. All computers in HBFI currently run the Microsoft Windows 10 Operating System.

Investor Compensation Company DAC

The Investor Compensation Company DAC has upgraded from Windows 7 to Windows 10, with the latter fully operational for some months.

Irish Bank Resolution Corporation (IBRC)

IBRC initiated a project in September of this year to ensure that the upgrade from Windows 7 to Windows 10 is completed before the end of life support date of the 14th of January 2020, ensuring that the user environment is protected from any potential security vulnerabilities.

Irish Financial Services Appeals Tribunal (IFSAT)

IFSAT is running Windows 10 on an encrypted device so the security risk does not arise in this case.

Irish Fiscal Advisory Council (IFAC)

IFAC has policies in place in respect of (a) Business Continuity and Disaster Recovery and (b) Information Security Policies and Procedures. It has a Shared Service Agreement in place which includes the provision of IT services and it is provided with regular updates on the assessment of its IT infrastructure. The IT services provided mainly relate to the provision of servers, disk space, backups, internet access, operating system and MS Office software updates/patching, network infrastructure including switches and firewall, and antivirus monitoring. IFAC data is regularly backed up, hosted both on- and off-site, and multiple versions of key files are saved and are periodically tested.

National Asset Management Agency (NAMA)

The NTMA assigns staff and provides business and support services and systems to NAMA. This includes primary ICT services. As such, the NTMA maintains a robust cyber security posture to proactively protect against malware attacks and manage security risks. In relation to the Microsoft Windows 7 Operating System, the NTMA has an active programme of work underway replacing existing Windows 7 computers with Windows 10. Extended Security Updates will be availed of for computers running Windows 7 post January 14 2020 to ensure that the NTMA continues to maintain a robust cyber posture.

National Treasury Management Agency (NTMA)

The NTMA maintains a robust cyber security posture to proactively protect against malware attacks and manage security risks. In relation to the Microsoft Windows 7 Operating System, the NTMA has an active programme of work underway replacing Windows 7 computers with Windows 10. Extended Security Updates will be availed of for computers running Windows 7 post January 14 2020 to ensure that the NTMA continues to maintain a robust cyber security posture.

Office of the Revenue Commissioners

The security of the Revenue Commissioners’ systems and data is the highest priority for the organisation. Revenue has sophisticated cyber defence mechanisms in place and constantly monitors its systems for any malware or cyber-attacks. Revenue is certified to ISO27001 (information security) and ISO22301 (business continuity) standards and is regularly audited for compliance. Approximately 15% of PCs/laptops in use remain on the Windows 7 operating system. All Windows 7 machines are protected by Symantec Antivirus and receive Windows updates on a frequent basis. These devices have additional security permissions in place by using Microsoft’s group policy. All USB access is disabled by default. Additionally, all Revenue laptops are fully encrypted. Revenue are currently upgrading Windows 7 workstations to a Revenue customised Windows 10 image and introducing additional security features using Microsoft’s AppLocker. The plan is to have 80% of these workstations upgraded with Windows 10 by the end of December 2019 and the remaining 20% to follow in January 2020. Where workstations are not compatible with Windows 10, these will be destroyed and replaced with new workstations.

Strategic Banking Corporation of Ireland

The NTMA assigns staff and provides business and support services and systems to the SBCI. This includes primary ICT services. As such, the NTMA maintains a robust cyber security posture to proactively protect against malware attacks and manage security risks. In relation to the Microsoft Windows 7 Operating System, the NTMA has an active programme of work underway replacing existing Windows 7 computers with Windows 10. Extended Security Updates will be availed of for computers running Windows 7 post January 14 2020 to ensure that the NTMA continues to maintain a robust cyber posture.

Tax Appeals Commission

The PCs in the Tax Appeals Commission operate only on Windows 10 and have the latest version of Symantec antivirus, which is updated daily.