I propose to take Questions Nos. 402 to 405, inclusive, together.
In relation to my Department, I wish to advise that ICT services for my Department are provided by the Office of the Government Chief Information Officer (OGCIO) which is a division of the Department of Public Expenditure and Reform. Information relating to services provided and or responses initiated to events in other Departments should be directed to these Departments.
My Department implements a multi-layered approach to cyber security and to protecting ICT systems, infrastructures, and services. The threat landscape is constantly evolving and significant effort is expended to continually enhance and strengthen ICT security to mitigate against emerging threats, risks, vulnerabilities and cyber security issues. In addition to deploying intrusion protection systems, software vulnerabilities are managed by maintaining up-to-date versions.
The vulnerability referenced in the question was identified by my Department on Friday 10 December. In accordance with current standard operational procedures my staff immediately began to examine the Department’s internal and external facing systems in a coordinated fashion to identify potential vulnerabilities. Vendors of key software applications, equipment, and services were consulted to identify any potential issues with their applications, equipment or services. The recommendations that were detailed in advisory alerts issued by the National Cyber Security Centre on the vulnerability were followed which included checking through system logs for exploits and ensuring that mitigation measures such as applying security patches were put in place.
There were no unplanned stoppages of my Department’s online or other services and there is no evidence to indicate that any computers, devices or services were compromised by the vulnerability.
No additional costs have arisen to date to address the vulnerability. As the vulnerability was investigated and addressed where necessary by existing Department resources and under existing support arrangements, there was no need for additional dedicated specialist teams to be established, recruited or contracted.