Skip to main content
Normal View

Data Protection

Dáil Éireann Debate, Thursday - 20 May 2021

Thursday, 20 May 2021

Questions (262)

Fergus O'Dowd

Question:

262. Deputy Fergus O'Dowd asked the Minister for Defence if his Department is fully compliant with GDPR EU requirements and the EU network and Information Security Directive and standards with respect to his Departments IT infrastructure including Article 29 of GDPR which requires that data processors access only the data they need for their task; if ISO 27001 Annex 9 standards on privileged access are fully met; and if he will make a statement on the matter. [27335/21]

View answer

Written answers

My Department's core IT infrastructure is provided by the Office of the Government Chief Information Officer (OGCIO) under the 'Build to Share Managed Desktop' shared service. The services provided by the OGCIO are compliant with GDPR. In reference to your question which points to in Article 29 of the GDPR in particular, OGCIO processes data under instruction from my Department. I have been advised by OGCIO that as a data processor, they have taken all reasonable measures to prevent unauthorised access to personal data through the use of appropriate security processes and controls. These processes and controls include the ability to ensure the ongoing confidentiality, compliance, integrity, availability and resilience of processing systems and services; and the ability to restore the availability and access to Personal Data in a timely manner in the event of a cybersecurity, physical or technical incident.

The OGCIO has adopted a defence-in-depth security strategy which is achieved by utilisation of people, processes, and technology to support the implementation of ICT security services. The threat landscape is constantly evolving and significant effort is expended to continually enhance and strengthen ICT security to mitigate against emerging threats, risks, vulnerabilities and cybersecurity issues. In addition to deploying perimeter security measures, such as intrusion protection systems, software vulnerabilities are managed by maintaining up-to-date versions and aggressively deploying updates and patches to endpoints and applications as they become available.

The OGCIO has employed a policy of least privilege security principle. IT staff are only assigned security roles with levels of access which are essential to perform the tasks and duties associated with their functions. The allocation and usage of privileged user accounts are reviewed and monitored.

The OGCIO has developed an Information Security Management System (ISMS) aligned with the industry security standard ISO27001. This ISMS provides an overall governance framework for information security and sets out security policies, objectives, management oversight, practices and governance and ensures continual improvement of information security management.

Top
Share