My Department adopts a defence in depth approach to cyber security. This approach uses multiple layers and disparate systems to deliver security which is not dependent on any single component. Given the heightened level of risk which has pertained in recent months, my Department’s technical staff has adopted a posture of increased vigilance and oversight of systems.
My Department takes advice from its own external security advisers, and monitors advice and guidance coming from the National Cyber Security Centre (NCSC) on any additional steps which should be implemented in the light of current risks. State agencies under the remit of my Department also have access to advice and guidance from the NCSC and evaluate this advice in the context of their own cyber security arrangements.
On foot of increased threat levels from cyber criminals and the advice from the NCSC, my Department has implemented a number of additional controls, and has also reviewed existing controls to ensure that they are still being applied consistently.
An independent review of my Department’s cyber security controls was carried out in 2019. The review was based on the ISO 27001 standard for good practice in an information security management system. Overall, the review found that the Department’s security posture was rated as good and above the standard which is usually seen in its sector. The review has also been used as the basis for an ongoing programme of further improvements to information security standards.
Given the current threat levels and the significant resources which cyber criminals are prepared to use to hack into systems, it is important that we are not complacent in our approach to cyber security. Cyber security is an ongoing process in my Department, and we will continue to review the controls we have in place and implement new controls and protections where necessary and as new cyber defence technologies become available.
For operational and security reasons, we are advised by the NCSC not to disclose details of systems and processes which could in any way compromise cyber security measures in place in public bodies. In particular, it is not considered appropriate to disclose information which might assist criminals to identify potential vulnerabilities in departmental cybersecurity arrangements.
Therefore, it is not considered appropriate to disclose particular arrangements in place in relation to cyber security tools and services, and my Department does not comment on operational security matters.