Or. Admin. Code § 125-800-0020 - State Information Security
(1) Duties:
(a) Department of
Administrative Services (Department): The Department shall serve as the primary
point of accountability and coordination for information security in state
government except for elected offices as identified in section 4, Elected
Offices Exception. The Department, in collaboration with state agencies, shall
routinely take necessary actions, proactive and reactive, to protect and verify
protection of the state's shared computing and network infrastructure
including, but not limited to: active scanning and monitoring; intrusion
prevention and detection; scheduled and unscheduled security reviews and
compliance audits; protection, containment and mitigation actions taken to
address threats, vulnerabilities, and security problems; termination or
filtering of connections to mitigate problematic network traffic or
unauthorized access; quarantine of infected systems to allow for the forensic
identification and analysis of system threats; and the application of other
steps and practices as may be required.
(A) Leadership. The Department shall provide central leadership for
state government-wide information security including, but not limited to:
centrally directing and coordinating all enterprise information security
activities; determining security risks to the state's Information assets and
collaboratively working with state agencies in taking those actions required to
mitigate unacceptable risks; collaboratively working with state agencies to
determine appropriate state and agency security activities to maintain
appropriate levels of security preparedness and competency; reducing the cost
of providing security by implementing an enterprise approach; detecting and
eliminating unnecessary duplication of efforts and obstacles to forward
progress in information security; creating the processes and process linkages
necessary to maintain a fully functional state government security capability;
and creating and maintaining the tools and practices necessary to manage the
host of simultaneous and interoperable activities that comprise information
security.
(B) Planning. The Department, in collaboration with state agencies,
shall direct information security planning including, but not limited to:
determining strategic security objectives and associated performance measures;
analyzing and evaluating state, agency and trusted partner security practices;
proposing and subsequently prescribing solutions for information security
challenges; establishing a process to determine, prioritize and schedule
security enhancements on a state government-wide basis; ensuring through
validation that information security is an essential part of state and agency
business planning and operations; determining essential state information
security roles and responsibilities; and identifying opportunities for security
master contracting and other procurement efficiencies. The Department may plan,
manage and undertake enterprise-level information security projects and
initiatives.
(C) Policy. The Department, in collaboration with state agencies,
shall develop, recommend, implement and maintain the full spectrum of
administrative rules, policies, architecture, standards, guidelines, and
procedures necessary to create and maintain an appropriate state
government-wide information security competency.
(D) Coordination. The Department
shall coordinate the security activities of state government including, but not
limited to: providing the security communications, coordination, planning and
development hub for state government; establishing collaborative partnerships
with local and regional governments and the Federal government in the realm of
security planning and implementation; and enterprise coordination of all
information security-related activities and initiatives across state
government.
(E) Security Assessments. The Department shall work collaboratively with state
agencies to conduct information security assessments and testing within Oregon
state government including, but not limited to: determining when it is
appropriate to outsource security testing of state or agency Information
assets; coordinating security assessments and tests; establishing standards for
the timing and nature of agency information security assessments and tests
including, but not limited to internal and external, third-party assessments;
providing oversight for agency vulnerability and risk mitigation planning and
actions; and ensuring the dissemination of any security assessment and test
report data is restricted to only those who, in the judgment of the State Chief
Information Security Officer, Agency Director, and/or appropriate state agency
staff, have a business need for such information. The Department shall
determine qualifications for vendors contracted to perform security
assessments.
(F) Incident Response. The Department shall create a state incident response
capability including, but not limited to: appointing a standing, multi-agency
State Incident Response Team (SIRT) as described in section (2) of this rule;
ensuring the SIRT, in collaboration with state agencies, prescribes and takes
those actions necessary to immediately assemble and deploy the coordinated
expertise, tools, communications infrastructure, methodologies and controls
required to prevent or mitigate damage caused by an Incident. SIRT will perform
a structured investigation into the nature and cause of an Incident; document
evidence of computer crime, misuse or Incident; employ forensic techniques and
controls; evaluate Incidents for improvement of information security; perform
any duties required to appropriately defend against an Incident and
subsequently prosecute the perpetrator; and cooperate with law enforcement and
other authorities.
(G) System Management. The Department, in collaboration with state agencies, shall
provide policies, standards and consultation on systems management associated
with information security including, but not limited to management of:
firewalls; routers; intrusion detection and protection mechanisms; identity and
access management; patch/configuration management; digital certificates; secure
transmission and access controls (encryption); wireless devices; change
controls; and automated system log aggregation and monitoring.
(H) Security Awareness and Training. The Department will provide the communications practices and
tools necessary to form and maintain a viable information security community of
practice across Oregon state government including, but not limited to: creation
and maintenance of an information security knowledge and document repository;
creation and maintenance of an enterprise-level user awareness program, and
participation with state and national stakeholder groups; providing the training
or training curriculum required to: inform managers, users and technologists on
the policies and practices of state information security; work with agencies to
ensure all who have access to information assets are provided training on their
security-related responsibilities and the specific security-related actions
they are expected to take; and identifying, conducting or arranging appropriate
security certification for key state and agency staff.
(I) Reporting. The Department
shall continually track and share relevant enterprise security information
including, but not limited to: creation and dissemination of standardized
reports demonstrating the status and progress of information security efforts
across state government; and keeping state executive management and the
Legislature apprised of the state's information security posture.
(J) Performance Management. The
Department shall identify, track, analyze, adjust and report information
security performance measurement and management to the Legislature and state
executive management.
(K) Compliance and Oversight. The Department shall require and enforce
compliance with information security practices including, but not limited to:
performing or directing compliance reviews to ensure agencies are taking
appropriate information security actions and adhering to laws, rules, policies,
architecture, standards, procedures and guidelines; routinely inventorying and
evaluating the information security capabilities of the agencies of state
government; prescribing a standardized approach for responding to audit and
security assessment issues; and taking appropriate action when there is a
failure to adhere to information security practices.
(L) Financial Management. The
Department shall develop budgets and manage the finances for enterprise
security projects and initiatives.
(M) Procurement. The Department
shall manage procurements for the enterprise information security program
including, but not limited to: procurement of hardware, software and expertise;
approving enterprise security-related procurements; issuing and managing
enterprise-level information security program contracts; and ensuring contract
language regarding information security is properly addressed in
contracts.
(N) Evaluation. The Department shall evaluate and report the risk,
feasibility, effectiveness and cost implications of potential enterprise
information security issues and provide recommendations for
mitigation.
(O) State Chief Information Security Officer. The Department will designate a State
Chief Information Security Officer to manage and promote information security
across the agencies of state government.
(b) Agency Responsibilities. The
chief executive of each agency is accountable for their agency's information
security. Each agency head must: provide active leadership for information
security practices within the agency and be responsible for agency security
practices; designate an agency security liaison to participate in the
collaborative development and implementation of the state security plan, and
ensure agency compliance with this rule and the state information security
plan; support, cooperate with and participate in the state information security
program; report security-related information including, but not limited to,
incident reporting, security status reporting, security-related financial
reporting, and security audit or risk mitigation action. The agency head may
delegate his/her authority for information security to an agency Information
Security Officer (ISO), although the overall responsibility for agency
information system remains with the agency head.
(c) Approval of Agency Security Plans. The Department, in collaboration with state agencies, shall
establish standards for agency information assets security plans. Should an
agency security plan contradict or contravene, or fail to meet minimum
standards established by the state information systems security plan, the
Department shall have the right to return the plan to the agency for revision
and may decline to certify such plans until the plan has been modified to
satisfy the overarching objective of protecting the state's information
assets.
(d) Security Assessment. The Department shall notify an agency of any negative
outcome of any security assessment. If, as a result of a security assessment,
the Department determines that there are severe vulnerabilities, the agency
must take appropriate actions in a timely fashion to mitigate identified
vulnerabilities. Additionally, the agency shall draft and implement a Security
Assessment mitigation plan, subject to the Department's approval, to mitigate
the risks identified in the security assessment. The Department shall ensure
that the vulnerabilities described in the assessment are mitigated following
the approved plan. The Department, in collaboration with the agency, may take
any action prudently required to protect the state's information assets from
unacceptable risks. For the purposes of this rule, risks or vulnerabilities
identified by a security assessment, test, or in some other way, may constitute
an incident requiring an incident response. The Department shall determine if a
risk or vulnerability constitutes an incident.
(e) Interagency Collaboration.
The Department will work with other governmental jurisdictions within the State
of Oregon including, but not limited to, all state, local and regional
governmental entities, contingent upon their written request and an agreement
for appropriate cost sharing. The objective of such interaction is development
of a cost-effective, common approach resulting in optimization of limited
resources and enhanced strategic capabilities.
(2) State Incident Response Team:
(a) Authority: The
State Incident Response Team (SIRT) shall be advised by and collaborate with
the State Chief Information Officer, the state Chief Information Security
Officer, and appropriate advisory bodies. Each state agency is responsible for
creating and implementing an agency-level incident response
capability.
(b) SIRT Membership: The SIRT is appointed by the Department and is, at a
minimum, comprised of: representatives from the Department, Office of Emergency
Management (OEM) and Oregon State Police (OSP); agency information security
experts; and resources dedicated to incident communications. The members of the
SIRT will work collaboratively to develop procedures, rules of engagement, and
resource commitments to the SIRT.
(c) SIRT Agency Duties: Each
agency shall report incidents to the SIRT as prescribed in applicable rules,
policies, and procedures. Agencies are required to report incidents, cooperate
with and support SIRT activities, and adhere to SIRT policies and
procedures.
(3)
(a) Applicability to Oregon University System: Oregon University System computers, hardware, software, storage
media, networks directly connected to the state's computing and network
infrastructure, and not exempted by the provisions of 2005 Oregon Laws Chapter
739, are subject to these rules. The Department, in conjunction with Oregon
University System, shall determine when such connection has occurred.
(b) Applicability to Oregon Lottery: These rules shall apply only to Oregon Lottery computer systems
and network devices directly connected to the state's backbone network using
publicly addressable interfaces. The Department, in conjunction with the Oregon
Lottery, shall determine when such connection has occurred. Subject to
constitutional and statutory limitations, the Oregon Lottery will notify the
Department in the event of any incident adversely affecting Lottery gaming
systems and networks that could impact the state's shared computing and network
infrastructure.
(4) Elected Offices Exception: The Department shall establish, in
collaboration with Elected Officers, criteria to determine compatibility
between the information security plans adopted by the Secretary of State, the
State Treasurer and the Attorney General (elected officers) and the state
information security plan and associated standards, policies and procedures. If
a joint information security plan and associated operational standards and
policies cannot be agreed upon by the Department and the elected officers, or
if the Department determines the information security plans adopted by the
elected officers are not compatible with the state information security plan
and associated standards, policies and procedures, the Department will continue
to work with the elected office agencies to resolve outstanding
issues.
Notes
Stat. Auth.: ORS 182.122, 291.038
Stats. Implemented: ORS 182.122