Cyber Security Strategy 2019-2021 - Department of Housing, Planning and Local Government
Supporting the Department of Housing, Planning and Local Government Statement of Strategy 2017-2020, and the Met Éireann Strategic Plan 2017-2027

Prepared by the Department of Housing, Planning and Local Government
housing.gov.ie
Contents

Foreword
1 Introduction
1.1 What exactly is Cyber Security?
1.2 Cyber Security is a subset of Information Security
1.3 Our Cyber Security Vision: Being Secure and Resilient to Cyber Threats
1.4 Our Cyber Security Mission, building cyber resilience
2 A Risk Based Approach
2.1 The Functions Underpinning a Cyber Security Framework
3 Identify
3.1 What will this look like?
3.2 Governance and Organisation
3.3 Identify what matters most to protect
3.4 Understand the threats
3.5 Define the risks
3.6 Risk management lifecycle
4 Protect
4.1 What will this look like?
4.2 Cyber Education and End User Awareness
4.3 Implement fundamental protections
4.4 Implement additional automated protections
5 Detect
5.1 What will this look like?
5.2 Detect an attack
6 Respond
6.1 What will this look like?
6.2 Prepared to react
6.3 Adopt a risk based approach to resilience
7 Recover
7.1 What will this look like?
7.2 Challenge and test regularly
8 A final word
Appendix 1 Glossary
Foreword

This is the Department of Housing, Planning and Local Government's (the Department) inaugural Cyber Security Strategy 2019-2021.

We live in an increasingly digitised world where technological developments offer exciting, innovative solutions and advances in how we do our business. The Department, like other government departments, continually seeks to leverage these opportunities to support and enhance service delivery. As reliance on technology grows, so too does the scope for those who seek to compromise these systems for their own gain, financial or otherwise.

The EU Cybersecurity Strategy 'An Open, Safe and Secure Cyberspace', published in 2013, outlines the EU's vision of how to enhance security in cyberspace. Ireland's National Cyber Security Strategy sets out the Government's approach to facilitating the resilient, safe and secure operation of the computer networks and associated infrastructure used by Irish citizens and businesses.

It is important to protect the Department, the citizens we serve and our critical infrastructure; to develop cyber security experts; to enhance user proficiency; and to engage in the national and international arenas to better understand and respond to a constantly changing environment. Over this four year period we will actively work together to protect and defend the Department against cyber threats, building cyber resilience, further developing cyber talent within the Information and Communication Technology (ICT) unit and developing the cyber awareness and capability of all staff in the Department.

We would like to acknowledge the contributions made by all staff and our stakeholders who participated in a comprehensive engagement process to develop this strategy. We look forward to our continuing partnership to deliver this strategy together in the years ahead.

Marita Gonsalves and Shay Greene
1 Introduction

The mission of the Department of Housing, Planning and Local Government (the Department) Statement of Strategy 2017-2020 is "To support sustainable development, with a particular focus on strategic planning, the efficient delivery of well-planned homes in vibrant communities and the sustainable management of our water resources, and to ensure effective local government". The mission of the Met Éireann Strategic Plan 2017-2027 is "To monitor, analyse and predict Ireland's weather and climate and to provide a range of high quality meteorological and related information".

The responsibilities of this Department are wide and varied, covering a huge range of aspects of everyday living for all the citizens of Ireland. The Department Cyber Security Strategy 2019-2021 outlines the steps we will take to safeguard the Department's hardware, software and information assets, to assure the confidentiality, integrity and availability of the information in our possession in line with the Data Protection Act 2018 [1]. It also sets out how we will share information, counter new and evolving threats, and continue to develop methods of protecting our information and systems.

1.1 What exactly is Cyber Security?

The USA National Institute of Standards and Technology (NIST) defines Cyber Security as "The ability to protect or defend the use of cyberspace from cyber-attacks" [2]. The NIST Framework for Improving Critical Infrastructure Cybersecurity builds on this, defining Cyber Security as "The process of protecting information by preventing, detecting, and responding to attacks" [3].

Our Department Cyber Security Strategy considers:
- the value of the information assets we, as a Department, hold;
- the people who want access to those assets (threat actors); and
- the methods by which they attempt to get access to those assets (threat vectors).

1.2 Cyber Security is a subset of Information Security

Information security and cyber security are very closely related.

[1] http://www.irishstatutebook.ie/eli/2018/act/7/enacted/en/html
[2] USA National Institute of Standards and Technology (NIST), Department of Commerce (2013), CNSSI-4009 Glossary of Key Information Security Terms, https://ws680.nist.gov/publication/get_pdf.cfm?pub_id=913810
[3] Ibid. (2018), Framework for Improving Critical Infrastructure Cybersecurity, page 52, https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
Information Security is defined by NIST as "The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability" [4]. Information security is broader than cyber security because it protects information whether it is on paper or held on electronic systems and assets. Today, much of the Department's information is held on physical and virtual systems and assets, so the risk of cyber-attack will always be part of information security.

1.3 Our Cyber Security Vision: Being Secure and Resilient to Cyber Threats

Our Cyber Security Vision focuses on agility and resilience.

Cyber Security Vision: "To create an agile, effective, and cost-efficient approach to cyber security aligned with current threats by strengthening the protection of systems and data."

1.4 Our Cyber Security Mission, building cyber resilience

The World Economic Forum's Global Risks Report 2019 rates two types of cyber-attack, theft of data or money, and disruption of operations and infrastructure, amongst the top 10 high-impact risks. There are two types of cybercrime:
- Crimes committed through ICT devices, where criminals use the devices both to commit the crime and as the target of the crime. Examples include malware, hacking, ransomware and Distributed Denial of Service (DDoS) attacks.
- Cyber-enabled crime, where traditional crimes are committed using ICT devices. Examples include cyber-enabled fraud, data theft, forgery, and intellectual property or copyright infringement.

Our mission statement concentrates on building cyber resilience.

Cyber Security Mission Statement: "To protect and defend the Department against cyber threats, building cyber resilience, by developing cyber talent within all ICT teams and developing the cyber awareness and capability of all staff in the Department."

[4] USA NIST, Department of Commerce (2013), CNSSI-4009 Glossary of Key Information Security Terms, https://ws680.nist.gov/publication/get_pdf.cfm?pub_id=913810
2 A Risk Based Approach

Our staff are our greatest strength. Together with proper processes and good technology, our staff work to ensure we are cyber secure.

Figure 1: Three focal elements of Cyber Security

People:
1. Staff Training and Awareness
2. Professional Skills and Qualifications
3. Competent Resources
4. Incident Response

Process:
1. Management Systems
2. Governance Frameworks
3. Best Practice
4. IT Audit

Technology:
1. Access Controls
2. Anti-Virus Software
3. Air Gap
4. Automated Monitoring Software

People, processes and technology protect the Confidentiality, Integrity and Availability of information. Confidentiality means the measures taken by the Department to limit access to information, e.g. passwords and encryption. Integrity means providing assurance that information is accurate and trustworthy, e.g. through access controls. Availability means reliable access to information by authorised people, e.g. having disaster recovery in place.
Figure 2: Protecting the Confidentiality, Integrity and Availability of Information (the CIA triad)

National Cyber Security Centres (NCSCs), including Ireland's, identify the three key focal elements of cyber security risk management as the risks associated with People, Process and Technology. Successful accomplishment of the goals and objectives of our Cyber Security Strategy 2019-2021 will comprise these three areas of focus.

2.1 The Functions Underpinning a Cyber Security Framework

The Department Cyber Security Framework will be based on five pillars: Identify, Protect, Detect, Respond and Recover. The Department's approach follows the five functions of the USA NIST Cyber Security Framework [5], which represent the key pillars of a successful and holistic cyber security programme. These functions also underpin the guidance of the Irish National Cyber Security Centre (NCSC), which, alongside the National Cyber Security Strategy, has issued a 'Five Point Guide' to all Departments setting out a baseline for the security of Government ICT, and a guidance document, '12 Steps to Cyber Security'.

The five pillars of the NIST Cyber Security Framework allow cyber security risk to be managed at a high level and support better risk management decisions. We have used this framework, while also drawing on the EU Strategy, Ireland's National Cyber Security Centre strategy and guidance, our National Cyber Security Strategy, the Five Point Guide, '12 Steps to Cyber Security' for small business, 'Protect, Develop, Engage' and the NIS Compliance Guidelines for Operators of Essential Services.

Cyber threats are constantly evolving, and risk management is key to our strategic approach. This means the cyber security measures we implement are based on the actual risks our Department faces. We identify risks associated with the loss of confidentiality, integrity and availability for information within the scope of the information security management system, and update them in line with our Department risk management approach on an ongoing basis.

The remainder of this Strategy sets out a wide-ranging set of desired cyber security outcomes, and the actions we will take and are already undertaking to achieve them, under the five themes.

Figure 3: The Five Themes Underpinning our Cyber Security Framework [6]
Source: DCCAE NIS Compliance Guidelines for Operators of Essential Services

[5] USA NIST (2014), Cybersecurity Framework, https://www.nist.gov/cyberframework; see also DPER (October 2018), Policy Advice Note: Considering Information Security Management, page 32.
[6] Department of Communications, Climate Action and Environment (2019), NIS Compliance Guidelines for Operators of Essential Services (OES), page 22, https://www.dccae.gov.ie/en-ie/communications/publications/Pages/NIS_Compliance_Guidelines_for_Operators_of_Essential_Service_OES.aspx
3 Identify

3.1 What will this look like?

The Identify Function supports the development of the Department's management of cyber security risk to systems, people, assets, data and capabilities. In our commitments under this Function, we will:
- identify and implement a cyber-risk management strategy;
- define and implement a cyber-governance programme;
- identify all Department physical, virtual and software assets;
- implement an Asset Management programme for all Department physical, virtual and software assets;
- identify the assets we need to protect, prioritise them using the Department classification policy and build security outwards from there; and
- identify threat actors and threat vectors for our assets.

3.2 Governance and Organisation

The Department's ICT Governance Committee has a pivotal role in ensuring that ICT performance is progressive and meets the Department's needs from a cyber security perspective. Through the development of this Cyber Security Strategy 2019-2021 and its commitments, we will manage cyber risk through the steps below. Our progress in delivering them will be reported to the ICT Governance Committee.

3.2.1 Technology
We will review current metrics and establish new metrics to gather information that enables reporting at both a technical and an executive level across all aspects of our cyber risk management programme, and report to the ICT Governance Committee on same.

3.2.2 People
We will establish a cross-Divisional cyber-risk management group to progress these commitments and to identify education and experience standards for key cyber security personnel.

3.2.3 Policies and Process
We will refresh the Department ICT Security Policies annually, in partnership with HR.
3.3 Identify what matters most to protect

Identifying what the Department's digital assets are, and where they are, is the first step to protecting them.

3.3.1 Technology
We will use existing and, where required, new technologies to identify all Department physical, virtual and software assets, including major platform and network infrastructure, applications, etc.

3.3.2 People
We will continue to develop the specialist skill sets and capabilities that will help us keep pace with evolving technology and combat the associated cyber risks.

3.3.3 Policies and Process
We will prioritise the Department assets we need to protect, using the Department classification policy, and continue to build security standards to protect them. We will ensure cyber risks are quantified, mitigated and recorded in the Department's risk management process.
3.4 Understand the threats

A threat is anything that has the potential to cause serious harm to an ICT system. The threat may or may not materialise, but it has the potential to cause serious harm. Understanding who might want to attack the Department, why, and how they might go about carrying out such an attack will allow us to focus our efforts on responding to the most likely threats.

Every new relevant piece of work undertaken by the Department should be reviewed from an ICT perspective and recorded in the Risk Register if appropriate. The Cyber Incident Response Plan will be updated as needed. A major cyber-incident is a form of crime and often needs to be reported. Such incidents can have a critical impact and could bring Department business to a halt. We will comply with national and EU cyber incident reporting obligations.

3.4.1 Technology
We will map all applications and networks and assess the threat vectors to same.

3.4.2 People
We will identify the threat actors and what motivates them (money, ideology, etc.).

3.4.3 Policies and Process
The NCSC encompasses the State's national/governmental Computer Security Incident Response Team (CSIRT-IE). It is tasked with sharing knowledge, addressing systemic vulnerabilities and providing leadership on key national cyber security issues. All advice notes on actual or potential threats will be taken seriously and circulated Department-wide as necessary and appropriate. CSIRT-IE "supports Government departments and core agencies in responding to cyber security incidents. This includes in particular malicious cyber-attacks that could hamper the integrity of Government information system assets and/or harm the interests of the Irish State" and "also acts as a national point of contact for cyber-attacks involving entities within Ireland". "The scope of CSIRT-IE's activities covers prevention, detection, response and mitigation services to Government departments and core state agencies" [7].

We will map our systems using attack trees to find how the identified threat actors might attack us, for example using ransomware, fraud or website defacement (where the original content of a site is replaced by a message the attacker wants to convey).

[7] Ireland DCCAE (2019), National Cyber Security Centre (NCSC-ie) RFC-2350 CSIRT-ie Charter, section 3.1 Mission Statement (last updated 16 November 2018)
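The attack-tree mapping described above can be evaluated in code. The following is an added example for this page, not the Department's own tooling: the goal is an OR over routes, each route is an AND over steps, each leaf carries an assumed attacker-effort score, and a candidate control is modelled as raising the effort of one step. The goal, the steps, the scores and the controls are constructed for illustration; a real tree comes out of the mapping exercise itself.

```python
"""Attack-tree evaluation for the threat-modelling step described above.

Added example for this page, not the Department's own tooling. The goal,
the attack steps, the effort scores and the candidate controls are all
constructed for illustration; real trees come from the mapping exercise.
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Node:
    name: str
    kind: str = "LEAF"          # "LEAF", "OR" (any child suffices) or "AND" (every child needed)
    cost: float = 0.0           # attacker effort for a LEAF, in arbitrary units
    children: List["Node"] = field(default_factory=list)


def cheapest_path(node: Node) -> Tuple[float, List[str]]:
    """Return (total effort, leaf steps) of the attacker's least-effort route to `node`.

    An OR node costs what its cheapest child costs; an AND node costs the sum
    of all its children, because every sub-goal has to be achieved.
    """
    if node.kind == "LEAF":
        return node.cost, [node.name]
    if node.kind == "OR":
        return min((cheapest_path(c) for c in node.children), key=lambda t: t[0])
    if node.kind == "AND":
        total, steps = 0.0, []
        for child in node.children:
            cost, path = cheapest_path(child)
            total += cost
            steps.extend(path)
        return total, steps
    raise ValueError(f"unknown node kind {node.kind!r}")


def apply_control(node: Node, leaf: str, extra_cost: float) -> Node:
    """Copy of the tree in which a control raises the attacker's effort for one leaf."""
    if node.kind == "LEAF":
        cost = node.cost + extra_cost if node.name == leaf else node.cost
        return Node(node.name, "LEAF", cost)
    return Node(node.name, node.kind, 0.0,
                [apply_control(c, leaf, extra_cost) for c in node.children])


def rank_controls(tree: Node, controls) -> List[Tuple[str, float]]:
    """Rank candidate controls by how much each one, on its own, raises the attacker's
    cheapest route. A control that hardens an already-expensive branch ranks low,
    because the attacker simply takes the route that is still cheap."""
    ranked = []
    for name, leaf, extra in controls:
        new_cost, _ = cheapest_path(apply_control(tree, leaf, extra))
        ranked.append((name, new_cost))
    return sorted(ranked, key=lambda t: (-t[1], t[0]))


# Constructed tree: goal at the root, OR between routes, AND within a route.
TREE = Node("Deploy ransomware on the file server", "OR", children=[
    Node("Phish a staff member", "AND", children=[
        Node("Send phishing mail", cost=1),
        Node("Staff enters credentials on fake portal", cost=2),
        Node("Reuse credentials on VPN", cost=1),
    ]),
    Node("Exploit unpatched VPN appliance", cost=6),
    Node("Infected removable media", "AND", children=[
        Node("Drop USB stick in car park", cost=2),
        Node("Staff opens file from the stick", cost=3),
    ]),
    Node("Compromise a third-party supplier", cost=9),
])

# Constructed candidate controls: (name, leaf it hardens, added attacker effort).
CONTROLS = [
    ("MFA on VPN", "Reuse credentials on VPN", 5),
    ("Block unapproved removable media", "Staff opens file from the stick", 6),
    ("Patch VPN appliance", "Exploit unpatched VPN appliance", 4),
]


if __name__ == "__main__":
    cost, steps = cheapest_path(TREE)
    print(f"cheapest route today: {cost} via {steps}")
    for name, new_cost in rank_controls(TREE, CONTROLS):
        print(f"  {name:32s} -> cheapest route becomes {new_cost}")
    hardened = apply_control(apply_control(TREE, *CONTROLS[0][1:]), *CONTROLS[1][1:])
    print("after the top two controls:", cheapest_path(hardened))
```

Run stand-alone, the script shows that only the control on the currently cheapest route (MFA on the VPN) moves the attacker's floor; patching the VPN appliance alone changes nothing because phishing remains cheaper. Re-ranking after each chosen control is what turns the tree into a prioritised control list.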
3.5 Define the risks

A cyber risk management framework, as part of Department risk management, will help define the most likely cyber-attacks. The Department's risk appetite statement will inform the level of cyber risk that is acceptable. The Department records risk in a corporate risk register. The Department also mitigates cyber risk through:
- end-user awareness training;
- the Cyber Incident Response Plan;
- implementation of the Department joint ICT Strategy;
- ICT security teams; and
- a high-level security team.

3.5.1 Technology
Operating on a low appetite for risk in this area, innovative protection, detection and response technologies will be deployed and monitored to counteract any attempts to access Department systems, and reports will be submitted to the ICT Governance Committee to ensure compliance.

3.5.2 People
We will run a programme of cyber risk management workshops to identify and quantify risks, controls and the actions needed to address security gaps.

3.5.3 Policies and Process
We will use the risk register's risk-identification processes to map business objectives, products and services, together with the people, processes, technology and data flows that support them, and rank their criticality to our business. This will be updated quarterly and amended as ICT and the Department's cyber security evolve. This also links to Business Continuity planning. We will further develop risk assessments of the financial and reputational cost to the Department of the cyber-attack scenarios, and take steps to mitigate them by quantifying the effect of controls on cyber risk as part of the risk management process.
3.6 Risk management lifecycle

The Department depends on our ability to manage cyber risk and to secure our technology, data and networks from the many threats we face. The rapid development of, and increased reliance on, ICT has brought improvements in the quality of equipment, the delivery of new and innovative services and sweeping changes in the way the Department operates. This increases the need for these systems to remain operational and resilient. In a budget-constrained environment, the Department must balance and prioritise security activities based on risk, and translate its Cyber Security Strategy into effective actions.

3.6.1 Technology
We will identify functions, activities, products and services, including dependencies such as third parties, and assess their respective cyber risks. This will involve identifying and implementing controls, including network systems, policies, procedures and training, to protect against and manage those risks within the Department. Reflecting on all areas of our cyber risk is essential to meeting our goal of protecting the Department. We must identify areas for improvement on a regular basis, updating risk assessments and reviewing compliance with relevant regulations.

3.6.2 People
All staff have a responsibility when it comes to cyber security; however, ICT staff must lead by example. Staff must be aware of the dangers and highlight any threats they encounter. All staff will be adequately trained to deal with cyber incidents.

3.6.3 Policies and Process
Cyber Incident Response Plan: we will hold periodic drills to ensure that the plan remains relevant and is kept up to date.
4 Protect

4.1 What will this look like?

The Protect Function outlines appropriate safeguards to ensure delivery of critical infrastructure services and supports the ability to limit or contain the impact of a potential cyber security event. In our commitments under this Function, we will:
- establish and maintain data security protections to protect the confidentiality, integrity and availability of data in the cyber domain;
- manage Department protective technology to ensure the security and resilience of systems and assets;
- empower staff through awareness and training;
- implement information protection processes and procedures to maintain and manage the protection of information systems and assets;
- protect Department resources through maintenance, including remote maintenance activities;
- protect identity management and access control within the Department, including physical and remote access;
- manage access on a least-privilege basis; and
- manage technology to ensure the security and resilience of systems and assets is consistent with policies, procedures and agreements.

4.2 Cyber Education and End User Awareness

A cyber education and awareness programme will continue to be rolled out across the Department, ensuring all of the Department's employees, contractors and third parties can identify a cyber-attack and are aware of the role they play in defending the Department.

4.2.1 Technology
Following training workshops for all Department staff, interactive login methods will be installed on departmental staff devices, presenting messages or videos to staff when they log on, to ensure important educational messages are viewed and understood. Social engineering penetration testing will be introduced by 2020 to assess staff levels of awareness. This will also give a good indication of whether the previous training methods were effective or need to be tailored further.
We will continue to ensure that our firewall capability is up to date and maintained; it is critical to perimeter defence, blocking unwanted network traffic and forming a barrier between a trusted and an untrusted network. We will ensure proper controls and procedures are in place for our network Active Directory (AD), which manages the lifecycle of Department users, passwords, data, applications and systems. AD authentication and authorisation will be implemented for our applications and systems to ensure that data is only accessed by authorised users.

4.2.2 People
We established a Department Cyber Security End User Awareness Training Programme, which was launched across all of the Department's locations in 2018. The purpose of this training is to deliver a high-level overview of everyone's role in protecting the Department and themselves, and the steps involved in achieving this. We will foster a culture of cyber awareness across the Department, including through the education system, with industry and through the promotion of events such as European Cyber Security Month and end-user training. Training videos will be updated regularly and made available on the Department's intranet. From Q4 2018, HR induction training includes a session on the Department 'Cyber Security End User Awareness Training Programme'. By 2021, we aim to have 'Cyber Security End User Awareness' as a mandatory component of PMDS across the entire Department.

4.2.3 Policies and Process
During 2018 and 2019 the Department 'Cyber Security End User Awareness Training Programme' will be rolled out to all users. Following this, a continuing programme of end-user awareness will require all Department asset users to view cyber training videos when logging on, and to confirm they have read, understood and agree to all Departmental ICT policies, rules and procedures. The Information Security Office will provide regular notifications through email and intranet updates. These will inform personnel of any issues they should be aware of and how they can assist in protecting the Department and its digital assets.
4.3 Implement fundamental protections

Cyber criminals can exploit vulnerabilities if basic protections are not in place, e.g. malware protection, secure configuration, patch management, and security throughout the whole Systems Development Lifecycle (SDL) for software, from initial design to deployment.

4.3.1 Technology
We will continue to secure the Department at the technology level by deploying crucial protections against cyber threats, including:
- Secure configuration for all of our technologies:
  - apply security patches;
  - ensure the secure configuration of all systems is maintained;
  - create a system inventory and define a baseline build for all devices.
- Network security:
  - perimeter defence;
  - filtering out unauthorised access and malicious content;
  - monitoring and testing security controls and reporting on same.
- Patch management.
- Firewalls.
- Anti-virus and anti-malware protection, with reporting on anti-malware defences.
- Removable media controls:
  - limit media types and use;
  - scan all media for malware before connecting it to Department systems.
- Remote access controls and encryption.

Threats have the potential to cause serious harm to an ICT system, whether or not they materialise. We will produce monitoring reports on these protections and report on an agreed basis to the ICT Governance Committee.

4.3.2 People
An Identity and Access Management (IAM) programme will be established to control access to data. We will manage user privileges by limiting the number of privileged accounts, monitoring user activity and reporting in summary format to the ICT Governance Committee. We will focus on data protection and privacy (technical and compliance), managing third parties who have access to, or control of, our data.

4.3.3 Policies and Process
We will establish protocols to identify and manage vulnerabilities from identification through to remediation. We will control access to activity and audit logs.
4.4 Implement additional automated protections

Cyber threats and vulnerabilities evolve rapidly, as do the best practices and technical standards for addressing them.

4.4.1 Technology
We will continue to mature our existing capabilities by automating virtual machine (VM) and Identity and Access Management (IAM) processes, and by deploying specialist protective technology such as Intrusion Prevention Systems (IPS), Intrusion Detection Systems (IDS), Web Application Firewalls (WAF) and Data Loss Prevention (DLP) systems.

4.4.2 People
We will provide specialist training in new technology as required. All staff will be provided with ICT cyber awareness training.

4.4.3 Policies and Process
Penetration testing will be introduced and will take place on a regular basis. The results will be gathered, and reports generated and presented to the Management Board and the ICT Governance Committee in accordance with the usual security procedures.
5 Detect

5.1 What will this look like?

The Detect Function defines the appropriate activities to identify the occurrence of a cyber security event, enabling its timely discovery. In our commitments under this Function, we will:
- implement continuous monitoring capabilities, including the measures suggested in the NCSC Five Point Guide, to monitor events for improved cyber security;
- verify the effectiveness of protective measures, including network and physical activities;
- ensure anomalies and events are detected and their potential impact is understood; and
- maintain and monitor detection processes that provide awareness of anomalous events, including intrusion detection systems, intrusion prevention systems, and daily and weekly operational security reports on security outcomes.

5.2 Detect an attack

A security monitoring capability will be established that can detect an attack by monitoring activity at various levels within the Department. IT security tools, combined with cyber awareness training, will improve the Department's ability to reduce vulnerabilities and mitigate the effects of their exploitation in cyber incidents.

5.2.1 Technology
We will define all the activities on Department systems that should be logged, and how long those logs should be retained. We will continue to mature our existing capabilities by automating IAM processes and by deploying specialist detection technology such as Intrusion Detection Systems (IDS), Web Application Firewalls (WAF) and Data Loss Prevention (DLP) systems.

5.2.2 People
We will provide specialist training in cyber security as required.

5.2.3 Policies and Process
In 2018 we developed a Cyber Incident Response Plan. We will build on the scenarios within it to develop our Disaster Recovery capability. We will use CSIRT-IE notifications of cyber threats to evaluate how well identified threats are currently being managed.
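Logging the right activities is only half of detection; something has to read the logs and raise an alert. The following is an added example, not the Department's monitoring tooling, of the kind of rule a monitoring capability runs over authentication logs: a burst of failed logons from one source, and a successful logon from that source shortly afterwards. The line format (an ISO timestamp followed by key=value fields), every log line, the host names and the thresholds are constructed for illustration; real event formats (for example AD audit events) and thresholds tuned to real traffic would replace them.

```python
"""Failed-logon burst detection over authentication log lines.

Added example for the Detect function on this page; it is not the
Department's monitoring tooling. The line format (ISO timestamp followed by
key=value fields) and every log line below are constructed for illustration,
and the thresholds are assumptions to be tuned against real data.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)\s+(?P<kv>.+)$")


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one constructed log line into a dict; return None for malformed lines
    so that a bad record cannot stall the detector."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields: Dict[str, object] = {}
    for token in m["kv"].split():
        if "=" not in token:
            return None
        key, value = token.split("=", 1)
        fields[key] = value
    fields["ts"] = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return fields


def detect(lines: List[str], threshold: int = 5,
           window: timedelta = timedelta(seconds=60),
           success_window: timedelta = timedelta(minutes=5)) -> List[Tuple[str, str, str]]:
    """Return (severity, source, reason) alerts, in the order they fire.

    MEDIUM: `threshold` failed logons from one source inside `window` (a burst).
    HIGH:   a successful logon from that source within `success_window` of the
            burst, i.e. the password guessing most likely worked.
    A slow trickle of failures that never fills the window does not fire.
    """
    recent: Dict[str, deque] = defaultdict(deque)   # source -> failure timestamps inside window
    burst_at: Dict[str, datetime] = {}              # source -> when its burst was flagged
    alerts: List[Tuple[str, str, str]] = []
    records = [r for r in map(parse_line, lines) if r]
    for rec in sorted(records, key=lambda r: r["ts"]):  # logs rarely arrive in order
        src, ts, event = str(rec.get("src")), rec["ts"], rec.get("event")
        if event == "logon_failed":
            if src in burst_at and ts - burst_at[src] > success_window:
                del burst_at[src]                    # old burst expired; a new one may alert again
            q = recent[src]
            q.append(ts)
            while q and ts - q[0] > window:          # slide the window forward
                q.popleft()
            if len(q) >= threshold and src not in burst_at:
                burst_at[src] = ts
                alerts.append(("MEDIUM", src,
                               f"{len(q)} failed logons within {int(window.total_seconds())}s"))
        elif event == "logon_success":
            if src in burst_at and ts - burst_at[src] <= success_window:
                alerts.append(("HIGH", src,
                               f"successful logon as {rec.get('user')} after failed-logon burst"))
                del burst_at[src]
    return alerts


# Constructed sample: one ordinary typo, one password-guessing burst that succeeds,
# one slow trickle that stays under the rate, and one malformed line.
SAMPLE_LOG = """
2019-06-03T08:01:12Z host=fs01 event=logon_failed user=jsmith src=10.20.30.40
2019-06-03T08:01:20Z host=fs01 event=logon_success user=jsmith src=10.20.30.40
2019-06-03T08:02:00Z host=vpn01 event=logon_failed user=admin src=198.51.100.7
2019-06-03T08:02:05Z host=vpn01 event=logon_failed user=administrator src=198.51.100.7
2019-06-03T08:02:09Z host=vpn01 event=logon_failed user=root src=198.51.100.7
2019-06-03T08:02:14Z host=vpn01 event=logon_failed user=mmurphy src=198.51.100.7
2019-06-03T08:02:18Z host=vpn01 event=logon_failed user=mmurphy src=198.51.100.7
2019-06-03T08:02:22Z host=vpn01 event=logon_failed user=mmurphy src=198.51.100.7
2019-06-03T08:03:01Z host=vpn01 event=logon_success user=mmurphy src=198.51.100.7
2019-06-03T08:00:00Z host=vpn01 event=logon_failed user=pkelly src=203.0.113.9
2019-06-03T08:03:00Z host=vpn01 event=logon_failed user=pkelly src=203.0.113.9
2019-06-03T08:06:00Z host=vpn01 event=logon_failed user=pkelly src=203.0.113.9
2019-06-03T08:09:00Z host=vpn01 event=logon_failed user=pkelly src=203.0.113.9
2019-06-03T08:12:00Z host=vpn01 event=logon_failed user=pkelly src=203.0.113.9
this line is malformed and is skipped
""".strip().splitlines()

if __name__ == "__main__":
    for severity, src, reason in detect(SAMPLE_LOG):
        print(severity, src, reason)
```

The rule only works if failed logons are logged at all and kept long enough to cover the window, which is the practical reason for first deciding what is logged and for how long; a source that spreads its attempts more thinly than the window (the 203.0.113.9 trickle above) slips under this rule and needs a longer-window variant.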
6 Respond 6.1 What will this look like? The Respond function relates to business continuity and includes appropriate activities to take action regarding a detected cyber security incident, enabling us to contain the impact of a potential cyber security incident. In our commitments under this function, we will: Ensure response-planning processes are executed during and after an incident Conduct analysis to ensure effective Cyber Incident Response and support recovery activities, including forensic analysis, and determine the impact of incidents Manage communications during and after an event with all relevant stakeholders Implement improvements by incorporating lessons learned from current and previous detection / response activities Adhere to Business Continuity Management Standard ISO22301. 6.2 Prepared to react In 2018, the Department developed a Cyber Incident Response Plan to put the Department on the best footing should we be attacked. This plan will be reviewed and updated on a regular basis. 6.2.1 Technology We will review Forensics Technologies that can be used to investigate cyber breaches and gather evidence and/or record/report on incidents in general. 6.2.2 People We will engage a Forensics Team in 2020 who can be called upon by the Department and who will have training to react to a cyber breach, investigate the causes and report on same to the appropriate authorities as well as Department Senior Management. 6.2.3 Policies and Process The Cyber Incident Response Plan sets out a sequence of steps designed to minimise the impact on the department and other stakeholders within the Departments’ network, and to prevent further incidents. 19
The plan contains steps to resume business operations while allowing for continued remediation, including:

(a) investigations, eliminating any harmful remnants of the incident;
(b) restoring systems and data to normal and confirming the normal state;
(c) identifying and mitigating all vulnerabilities that were exploited; and
(d) communicating appropriately internally and externally.

Evidence such as logs and disk or memory images must be preserved before the clean-up in step (a) and the rebuild in step (b); otherwise later forensic analysis and any regulatory report will have nothing to work from. The plan refers to notification obligations, e.g. reporting to the Gardaí and reporting required under regulations including GDPR and the Network and Information Systems (NIS) Directive. Under GDPR, a personal data breach must be notified to the supervisory authority (in Ireland, the Data Protection Commission) within 72 hours of becoming aware of it where feasible, so the plan's timelines have to allow for that.
6.3 Adopt a risk based approach to resilience

Resilience is about recovering from an incident. Through Business Continuity planning, recovery plans are developed for all processes and supporting technologies in line with their criticality to the function of the Department. These plans will be reviewed regularly.

6.3.1 Technology

The Department has backup procedures in place, with full, incremental and differential backups being run in all of its locations. A full backup copies everything; a differential backup copies what has changed since the last full backup; an incremental backup copies only what has changed since the previous backup of any kind, so a restore needs the last full backup plus the chain of backups taken after it. The backup strategy is imperative against data loss and gives a way to restore data. It has the following advantages:

- Protecting the Department in the event of failure of any hardware, unintentional loss of data or disaster;
- Protecting against unlawful changes that a cyber incident may cause;
- Providing a history of an incident, by looking through archived, older backups.

For backups to protect against a cyber incident, and not only against hardware failure, at least one copy must be kept offline or otherwise unreachable from the production network, and restores must be tested regularly; a backup that an attacker can encrypt or delete along with the live data provides no resilience.

6.3.2 People

The team will work closely with critical business units to ascertain any potential threats and offer solutions so that risks are reduced. The Cyber Incident Response Plan is in place to manage any incidents that may occur.

6.3.3 Policies and Process

We will work to the Business Continuity Management standard ISO 22301. This standard will give a strong footing on which to form a solid, dependable approach to business continuity, and will benefit the Department when an incident occurs. Disaster recovery plans ensure that the Department resumes essential functions swiftly following a disaster. Disaster recovery plans for all locations will be kept up to date. These plans will be kept in a secure location to which only authorised staff have access, and will be updated when new technology is introduced.
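The three backup types named in 6.3.1 behave differently at restore time, and the difference matters when deciding what must be kept offline and for how long. The following is an added example, not code from the Department or from any backup product it uses: a small model in which each backup run captures the files a full, incremental or differential run would capture, a restore works out the minimal chain of archived runs it needs, and an archived-copy history shows on which day a file changed (the "history of an incident" use). Day numbers, file names and contents are constructed, and the three schedules are illustrative, not the Department's.

```python
"""Backup-type model: full vs. incremental vs. differential, and what a restore needs.

Added example; not from the Department's strategy or any product it uses.
Day numbers, file names and contents below are constructed for illustration.
"""
from dataclasses import dataclass, field

KINDS = ("full", "incremental", "differential")


@dataclass
class Backup:
    kind: str                                   # one of KINDS
    day: int                                    # constructed timestamp: day the run happened
    files: dict = field(default_factory=dict)   # path -> content captured by this run


def plan_backup(kind, current, history):
    """Return {path: content} that a backup of `kind` must capture today.

    `current` maps path -> (content, mtime_day) for the live filesystem.
    full:         every file.
    differential: files modified since the most recent FULL backup.
    incremental:  files modified since the most recent backup of ANY kind.
    """
    if kind not in KINDS:
        raise ValueError("unknown backup kind: %r" % kind)
    if kind == "full":
        return {path: content for path, (content, _) in current.items()}
    bases = [b for b in history if b.kind == "full"] if kind == "differential" else list(history)
    if not bases:
        raise LookupError("a %s backup needs an earlier full backup" % kind)
    since = max(b.day for b in bases)
    return {path: content for path, (content, mtime) in current.items() if mtime > since}


def run_schedule(schedule, snapshots):
    """Run a schedule of (day, kind) against per-day filesystem snapshots.

    The first run is always recorded as a full backup, whatever the schedule
    says, because nothing earlier exists to diff against.
    """
    history = []
    for day, kind in schedule:
        if not history:
            kind = "full"
        history.append(Backup(kind, day, plan_backup(kind, snapshots[day], history)))
    return history


def restore_chain(history, target_day):
    """Minimal ordered list of archived runs needed to rebuild the state as of target_day.

    Latest full on or before the target; then the latest differential after it
    (a differential already contains every earlier incremental since that full);
    then every incremental after that point, in order.
    """
    usable = sorted((b for b in history if b.day <= target_day), key=lambda b: b.day)
    fulls = [b for b in usable if b.kind == "full"]
    if not fulls:
        raise LookupError("no full backup on or before day %d" % target_day)
    full = fulls[-1]
    later = [b for b in usable if b.day > full.day]
    chain, start = [full], full.day
    diffs = [b for b in later if b.kind == "differential"]
    if diffs:
        chain.append(diffs[-1])
        start = diffs[-1].day
    chain.extend(b for b in later if b.kind == "incremental" and b.day > start)
    return chain


def restore(history, target_day):
    """Replay the restore chain; later captures override earlier ones.

    Deletions are not modelled: a file removed from the live system comes back
    from the full backup, which is how simple file-level tools behave as well.
    """
    state = {}
    for backup in restore_chain(history, target_day):
        state.update(backup.files)
    return state


def file_history(history, path):
    """(day, content) for every archived run that captured `path`.

    Shows on which day a file's content changed and which archived copy holds
    the last good version, i.e. the incident-history use of older backups.
    """
    return [(b.day, b.files[path]) for b in sorted(history, key=lambda b: b.day)
            if path in b.files]


# Constructed four-day filesystem: path -> (content, day last modified).
# On day 4 a.txt is altered by an intruder; the archived runs should let us spot that.
SNAPSHOTS = {
    1: {"a.txt": ("v1", 1), "b.txt": ("v1", 1), "c.txt": ("v1", 1)},
    2: {"a.txt": ("v2", 2), "b.txt": ("v1", 1), "c.txt": ("v1", 1)},
    3: {"a.txt": ("v2", 2), "b.txt": ("v2", 3), "c.txt": ("v1", 1)},
    4: {"a.txt": ("tampered", 4), "b.txt": ("v2", 3), "c.txt": ("v1", 1)},
}
INCREMENTAL_SCHEDULE = [(1, "full"), (2, "incremental"), (3, "incremental"), (4, "incremental")]
DIFFERENTIAL_SCHEDULE = [(1, "full"), (2, "differential"), (3, "differential"), (4, "differential")]
MIXED_SCHEDULE = [(1, "full"), (2, "incremental"), (3, "differential"), (4, "incremental")]

if __name__ == "__main__":
    for name, schedule in (("incremental", INCREMENTAL_SCHEDULE),
                           ("differential", DIFFERENTIAL_SCHEDULE),
                           ("mixed", MIXED_SCHEDULE)):
        hist = run_schedule(schedule, SNAPSHOTS)
        print(name, "files captured per run:", [len(b.files) for b in hist])
        print("  restore to day 4 needs:", [(b.kind, b.day) for b in restore_chain(hist, 4)])
        print("  restore to day 3 (before tampering):", restore(hist, 3))
    print("a.txt history:", file_history(run_schedule(INCREMENTAL_SCHEDULE, SNAPSHOTS), "a.txt"))
```

The trade-off the model makes visible: incremental runs are the smallest but a restore needs every one of them back to the last full, so losing or corrupting a single archived run breaks the chain; differential runs grow each day but a restore needs only two archives. Either way, the full backup the chain starts from is the archive an attacker most wants to destroy, which is why at least one copy of it belongs offline.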
7 Recover

7.1 What will this look like?

The Recover function relates to business continuity. It identifies the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired by a cyber security incident. The Recover function supports timely recovery to normal operations, reducing the impact of a cyber security incident. In our commitments under this function, we will:

- Adhere to the Business Continuity Management Standard ISO 22301
- Ensure the Department develops and implements Cyber Incident Response Plan processes and procedures to restore systems and/or assets affected by cyber security incidents
- Implement improvements based on lessons learned from cyber incidents, from disaster recovery and business continuity events, and from reviews of existing strategies
- Ensure internal and external communications are coordinated during and following recovery from a cyber security incident.

Together these functions will further develop our understanding of managing cyber security risk to systems, people, assets, data and capabilities. We will achieve all this through the NCSC 12 steps programme, our ICT Security Policies and working together to manage cyber security risk.

7.2 Challenge and test regularly

A cyber incident simulation exercise will be carried out periodically to test management's ability to manage the response to a significant cyber attack. Technical simulations will be carried out to test our ability to detect and respond to sophisticated attacks. The effectiveness of identified controls, including through network monitoring, testing, audits and exercises, shall be reviewed. There will be added emphasis on detecting cyber incidents promptly, and the ability to react will be evaluated periodically. Effective monitoring will ensure that the Department adheres to established risk tolerances and will enable us to remedy weaknesses in existing controls.
Testing and auditing protocols will provide essential assurance mechanisms for the Department.

7.2.1 Technology

Cyber security capabilities will be dynamic, sufficiently robust and agile, and will have controlled points of access to reduce the possibility of human error. Backup systems will be managed as per our Disaster Recovery plans and will ensure the integrity of data. Penetration testing will be completed to identify security weaknesses and to test the Department's security policies, its adherence to compliance requirements, its employees' security awareness, and the Department's ability to identify and respond to security incidents. A penetration test only reduces risk if its findings are tracked to closure and re-tested.

7.2.2 People

ICT staff will be supported to consistently demonstrate the highest skill levels in deploying the latest technologies and methods, including proficiency in implementing Disaster Recovery plans. Department staff will recognise the importance of cyber security, be constantly vigilant and be aware of their vital role in protecting the Department and its assets. We will develop specialist skill sets and capabilities that will help us keep pace with evolving technology and combat the associated cyber risks.

7.2.3 Policies and Process

Continued review of Department and Met Éireann processes, supported by the ICT Governance Committee, will help achieve our goals and objectives and help us be sufficiently dynamic and agile to accommodate rapidly changing needs. We will continually review and implement industry best practice, including that recommended by CSIRT-IE, the European Union Agency for Network and Information Security (ENISA), the International Organization for Standardization (ISO) and NIST. We will hold periodic cyber drills to ensure that the Cyber Incident Response Plan remains relevant and that departmental staff are adequately skilled to deal with any cyber incident.

In the event of any cyber security incident, the Department Information Security Officer, the Head of ICT and the Head of Technology, Met Éireann, will report to the Head of HR, the ICT Governance Committee, the Management Board and any party that EU or Irish law requires the Department to inform.
8 A final word

The Cyber Strategy 2019-2021 outlines the Department's objectives, steps and commitments to manage cyber security risk over the coming years. The Cyber Strategy is an integral component in helping the Department achieve its goals; as such, we must be cognisant of the various and wide-ranging ICT needs of each of the sections within the Department, including Met Éireann, of each section's interactions with the others, and of their interactions with local authorities and outside agencies. Therefore, we have developed a cohesive strategy, delivering a unified approach to cyber security from the top of the organisation to the end user.

The development of this cyber strategy has taken into consideration numerous other strategies, including:

- National Cyber Security Strategy [8]
- Europe 2020 Strategy [9]
- Department of Housing, Planning and Local Government Statement of Strategy 2017-2020 [10]
- Met Éireann Strategic Plan 2017-2027 [11]

By taking these steps to achieve these objectives, together, we will realise our Vision for Cyber Security: 'To create an agile, effective, and cost efficient approach to cyber security aligned with current threats by strengthening the protection of systems and data'.

[8] https://www.dccae.gov.ie/documents/NationalCyberSecurityStrategy20152017.pdf
[9] https://ec.europa.eu/info/business-economy-euro/economic-and-fiscal-policy-coordination/eu-economic-governance-monitoring-prevention-correction/european-semester/framework/europe-2020-strategy_en
[10] https://www.housing.gov.ie/sites/default/files/publications/files/20180501_-_statement_of_strategy_2017-2020_english_published.pdf
[11] https://www.met.ie/cms/assets/uploads/2017/08/Met_Eireann_Strategy_2017-2027.pdf
Appendix 1 Glossary

This appendix defines selected terms and abbreviations used in the publication.

Access Controls: The process of permitting or restricting access to applications at a granular level, such as per-user, per-group, and per-resources. NIST SP 800-113, https://csrc.nist.gov/glossary/term/access-control

Active Directory: Manages user permissions, computers and other devices, for example a printer, on a network.

Air Gap: An 'air gap' is an interface between two systems at which (a) they are not connected physically, and (b) any logical connection is not automated (i.e., data is transferred through the interface only manually, under human control). https://csrc.nist.gov/glossary/term/air-gap

Anti-Virus Software: A program specifically designed to detect many forms of malware and prevent them from infecting computers, as well as cleaning computers that have already been infected. NIST SP 800-69, https://csrc.nist.gov/glossary/term/Antivirus-Software

Application System: A system acquired or developed at the request of one or more business areas within the Department to achieve specific objectives as defined by that business area(s). This will consist of the application programs, screens and data. Examples are documents, a spreadsheet, a web browser, a media player.

Automated Monitoring Service: Use of automated procedures to ensure security controls are not circumvented, or the use of these tools to track actions taken by subjects suspected of misusing the information system. https://csrc.nist.gov/glossary/term/automated-security-monitoring

Browser: Short for web browser, a software application used to locate and display web pages.

CSIRT-IE / NCSC-IE: National Cyber Security Centre of Ireland's (NCSC-IE) Computer Security Incident Response Team (CSIRT-IE). The Irish national/governmental Computer Security Incident Response Team for Irish Government Departments and core State Agencies, consisting of specialists who handle ICT security incidents and the cyber security protection of data and systems connected to the internet. CSIRT-IE provides assistance to constituents in handling the technical and organizational aspects of incidents. Advisories on risks, threats and vulnerabilities are provided to constituents on a need-to-know basis. These advisories can include recommendations and mitigating measures. Alerts are provided to specified constituents in response to specific information security intelligence. https://www.dccae.gov.ie/en-ie/communications/topics/Internet-Policy/cyber-security/national-cyber-security-centre/Pages/RFC-2350.aspx

Cyber Security: All activities necessary to protect cyberspace, its users, and impacted persons from cyber threats. https://www.enisa.europa.eu/publications/enisa-position-papers-and-opinions/enisa-overview-of-cybersecurity-and-related-terminology

Cyber Space: The time-dependent set of tangible and intangible assets which store and/or transfer electronic information. https://www.enisa.europa.eu/publications/enisa-position-papers-and-opinions/enisa-overview-of-cybersecurity-and-related-terminology

Cyber Security Event: A cybersecurity change that may have an impact on organizational operations (including mission, capabilities, or reputation). https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf

Cyber Security Incident: Any occurrence that has impact on any of the components of the cyber space or on the functioning of the cyber space, independent if it's natural or human made; malicious or non-malicious intent; deliberate, accidental or due to incompetence; due to development or due to operational interactions, is called a cyber incident. Also we call cyber incident any incident generated by any of cyber space components even if the damage/disruption, dysfunctionality is caused outside the cyber space. https://www.enisa.europa.eu/publications/enisa-position-papers-and-opinions/enisa-overview-of-cybersecurity-and-related-terminology

Department: Department of Housing, Planning and Local Government

DLP: Data Loss Prevention Systems, software products that help a network administrator control what data users can transfer.

DOS and DDOS: Denial of service is the prevention of authorized access to resources or the delaying of time-critical operations. https://www.enisa.europa.eu/publications/definition-of-cybersecurity Distributed Denial of Service is a malicious attempt to disrupt a service, server or network by overwhelming it with internet traffic from multiple compromised computer systems.

ENISA: European Union Agency for Network and Information Security. https://www.enisa.europa.eu/

Firewall: A firewall is a network security device that monitors incoming and outgoing network traffic and decides whether to allow or block specific traffic based on a defined set of security rules.

Information Security: The approach to protect and manage the risk to information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability. https://www.nist.gov/itl/smallbusinesscyber/cybersecurity-basics/glossary The classic model for information security defines three objectives: Confidentiality, Integrity, and Availability. https://www.enisa.europa.eu/publications/enisa-position-papers-and-opinions/enisa-overview-of-cybersecurity-and-related-terminology

Hardware: This includes such items as computers (PCs, laptops, servers, mobile devices etc.) and printers.

IAM: Identity and Access Management involves both a technology solution and business processes to manage user identity and their access to the Department's systems and applications.

ICT: Information and Communications Technology.

ICT Security: How business critical electronic networks and systems that process data or communicate with each other are protected.

ICT Systems: Systems for collecting, storing, processing, transmitting and presenting data. Also referred to as Information Systems.

IDS/IPS: An Intrusion Detection System (IDS) is a system or software that monitors and analyzes network or system events for the purpose of finding and providing real-time or near real-time warning of attempts to access system resources in an unauthorized manner. Intrusion Prevention Systems (IPS) can carry out the same function while also attempting to stop the activity, ideally before it reaches its targets. https://www.nist.gov/itl/smallbusinesscyber/cybersecurity-basics/glossary

Internet: A worldwide electronic system of computer networks which provides communications and resource sharing services to government employees, businesses, researchers, scholars, librarians and students as well as the general public.

Intranet: Like the Internet itself, an intranet is used to share information. It is a network belonging to an organisation, accessible only by the organisation's employees, or others with authorisation.

ISO: International Organization for Standardization

NCSC: National Cyber Security Centre.

Network: A group of two or more computer systems linked together. This includes such items as Wide Area Network (WAN), Local Area Network (LAN), protocols and telecommunications hardware.

NIS Directive: Network and Information Systems Directive. https://www.dccae.gov.ie/en-ie/communications/topics/Internet-Policy/cyber-security/network-and-information-systems-directive/Pages/default.aspx

Network and Information Security (NIS): As defined in the ENISA regulation 526/2013, means the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the Availability, Authenticity, Integrity and Confidentiality of stored or transmitted data and the related services offered by or accessible via those networks and systems. https://www.enisa.europa.eu/publications/enisa-position-papers-and-opinions/enisa-overview-of-cybersecurity-and-related-terminology

NIST: National Institute of Standards and Technology (USA)

Operating System: The software "master control application" that runs a computer or electronic device. https://www.nist.gov/itl/smallbusinesscyber/cybersecurity-basics/glossary

Operating Software: The operating systems and ancillary software.

Patch: A set of changes to a computer program or its supporting data designed to update, fix, or improve it.

PC: Personal Computer

Risk: A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of: (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence. https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf

Risk Management: The process of identifying, assessing, and responding to risk. https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf

SDL: Systems Development Lifecycle, the five stages of a system development lifecycle: plan, design, implement, test, maintenance.

Server: A computer or device on a network that manages network resources.

Social engineering penetration testing: Attempting typical social engineering scams on employees to ascertain the organization's level of vulnerability to that type of exploit, usually for phishing exploits.

Software: The operating information and programmes used by computers and other devices. An example is Windows and the various standardised packages such as electronic mail, word processing, electronic spreadsheets, etc., that are supplied within this environment, along with the data/documents associated with each package.

Threat: Refers to anything that has the potential to cause serious harm to an ICT system. This threat may or may not happen but has the potential to cause serious harm. The NIST definition of Threat is "Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the Nation through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service." https://www.nist.gov/itl/smallbusinesscyber/cybersecurity-basics/glossary

VM: Virtual Machine, a software computer which runs an operating system and applications like a physical computer.

Webmaster: An individual who manages and maintains one or more websites.

Website: A site or location on the World Wide Web. Each website contains a home page, which is the first document users see when they enter the site. The site might also contain additional documents and files. Each site is owned and managed by an individual, company or organisation.

Cover photograph by: Sirkka Heinonen