Tuesday, 5 November 2019

Questions (322)

Alan Kelly

Question:

322. Deputy Alan Kelly asked the Minister for Justice and Equality his plans to protect his Department in the event of a malware attack or security risks as a result of the failure to upgrade computers from an operating system (details supplied) in his Department and the agencies under his remit; and if he will make a statement on the matter. [44746/19]


Written answers (Question to Justice)

There are approximately 3,700 desktop computers supported by the ICT Shared Service within my Department which currently run on the Microsoft Windows 7 Operating System. The ICT Shared Service also supports 34 other bodies.

A project to upgrade all computers supported by the ICT Shared Service is underway and is scheduled for completion prior to Windows 7 going out of support in January 2020. Accordingly, it is not envisaged that malware or security threats will arise due to the ending of support. In the event that it is not possible to complete upgrades prior to the ending of support, any necessary measures will be put in place to ensure ICT security.

The operation of the individual desktop computers on the shared service is already controlled within a virtualized and secure network environment. The shared service deploys a number of different layers of security to deal with internal and external threats, including firewalls, malware and virus detection and spam filtering on email and web traffic, as well as threat emulation.

I have set out further information with respect to An Garda Síochána, the Irish Prison Service and the Courts Service below.

An Garda Síochána

An Garda Síochána currently operates an estate of over 9,500 desktop PCs and has security measures in place in order to reduce potential risks posed by devices and ensure data security and integrity.

Over 95% of the standard desktops are currently running the latest patched operating system Windows 10, with an additional 3% planned to be upgraded before year end. There are a small number of specific purpose devices that are unable to be upgraded, due in the majority of cases to bespoke software applications in use on them not supporting newer operating systems. These computers have a specific security and threat mitigation plan assigned to them, which limits the usage, services and communication on these devices. All devices are subject to the standard security regime and benefit from threat detection as well as organisation-wide security monitoring and filtering.

The Garda Síochána Ombudsman Commission and the Criminal Assets Bureau have completed upgrade projects and no computers in those bodies run Windows 7.

Irish Prison Service

The Irish Prison Service currently uses Windows 7 widely and is putting a plan in place to upgrade to Windows 10 to prevent and mitigate the risk of malware attacks or other security risks. Various threat detection and security systems are in place to mitigate against risks to data security and integrity.

Courts Service

The large majority of Courts Service users use thin client devices and virtualized applications which do not use Windows desktop operating systems. Where Windows 7 had previously been deployed, many instances have been upgraded to newer operating systems and work is continuing on upgrading or migrating the remainder.

There is limited exposure to the risk of malware attack or security risks from the failure to upgrade computers from Windows 7. The computers deployed in the Courts Service have a locked down configuration which provides an additional layer of security and measures are in place at our firewalls which make it difficult for malware to enter the Courts network. These include mail scanning, link filtering and blocking of suspect websites. A patching policy ensures appropriate security patching is applied. A detailed user security policy ensures that permissions are restricted and the potential for security breaches is limited. End user security awareness is provided through periodic general security advice and notifications in relation to specific threats.