Most state agencies we reviewed do not have adequate security plans, processes, or staffing to carry out fundamental security functions that protect their information systems and data. The Office of the State Chief Information Officer is responsible for ensuring agencies carry out these critical functions, but has not yet provided sufficient standards and oversight to help agencies achieve appropriate information technology security. In September 2016, the Governor signed an executive order to unify cyber security in Oregon, but much work and cooperation remains to fulfill the requirements of the executive order and improve statewide security.
State agency security efforts fall short
We reviewed 13 state agencies’ information security plans and a selection of security functions to determine if agencies were adequately protecting their systems and data. More than half of the agencies had security weaknesses in six of the seven fundamental security controls reviewed and all agencies had at least two weaknesses.
These agencies represented a cross section of state government agencies. They process and store different types of information ranging from mostly public documents to highly sensitive tax, court, and medical records that require a higher level of protection to comply with federal law.
Overall, planning efforts were often perfunctory, security staffing was generally insufficient, and critical security functions were not always performed. These weaknesses collectively increase the risk of a security incident at one or more of the agencies.
Office of the State Chief Information Officer not fully prepared to centrally administer the state’s security function
State law gives the state Chief Information Officer responsibility for planning statewide security, setting security standards and policies, and ensuring remedial actions are undertaken to correct known security weaknesses. However, the Office of the State Chief Information Officer (OSCIO) has not yet provided state agencies with sufficient and appropriate information technology security standards and oversight. In addition, the OSCIO does not have processes to ensure that agencies comply with the published statewide standards and the regulations imposed by federal requirements.
Recent executive order shifts security functions from the agencies to the Office of the State Chief Information Officer, but much work remains
In September 2016, the Governor signed Executive Order No. 16-13 Unifying Cyber Security in Oregon. This directive outlines a process to unify information technology security, including a process to transfer state agency security functions and staffing into the OSCIO until June 30, 2017. In addition, it directs agencies to work with the OSCIO’s newly formed security group to develop and implement security plans, rules, policies, and standards. The directive also requires agencies to fully cooperate with the OSCIO to implement a statewide agency-by-agency risk-based security assessment and remediation program.
However, the executive order may not fully resolve the state’s information technology security weaknesses. The need to securely operate information systems competes for resources with the agencies’ need to provide services to Oregonians. The executive order transfers security functions but does not add resources, nor does it describe how agency security staff will work with the OSCIO while remaining under agency management direction for day-to-day activities. In addition, at the time of this report, the OSCIO has not yet developed plans detailing how the OSCIO and agencies will achieve the requirements of the executive order.
Ultimately, the Governor, the OSCIO, agency directors, and the Legislature must cooperate to create, fund, endorse, and implement a statewide security plan. Without full cooperation of these key stakeholders, it is unlikely that the state’s security posture will significantly improve.
We recommend that the Office of the State Chief Information Officer:
- Collaborate with state agencies to develop detailed plans in order to fully implement the requirements of Executive Order No. 16-13.
- Develop sufficient statewide standards and processes for oversight to ensure security of agency computer systems.
- Collaborate with state agencies to ensure remediation of the specific weaknesses communicated to state agencies in separate management letters.
- Work with the Governor, Legislature, and agency directors to ensure staffing and resources are available to implement agency security measures.
The Office of the State Chief Information Officer generally agrees with the findings and recommendations in this report. The full agency response can be found at the end of the report.