Oregon secretary of state: State agency audit shows need to do more on cybersecurity
SALEM, Ore. (KTVZ) – Oregon Secretary of State Shemia Fagan released an audit Wednesday of Enterprise Information Services, a divisional unit of the Department of Administrative Services. The Oregon Secretary of State’s Audits Division finds while EIS has established an Information Technology governance framework, it must do more to address cybersecurity management.
“As cyberattacks increase, it is critical the state of Oregon’s cybersecurity strategy include comprehensive guidance and fully-defined expectations for agencies to protect their critical data from threats,” Fagan said. “The state of Oregon cannot effectively deliver public services without sufficient IT governance and cybersecurity controls. EIS’s work is critical because cybersecurity remains a high-risk area for public and private entities alike.”
Increasing cyberattacks, which target vulnerabilities, place networks and data at risk of damage or loss. A strong IT governance framework provides the necessary guidance and internal controls to mitigate risks in an ever-increasing digital world as well as assisting organizations in efficiently and effectively using resources for new IT investments and initiatives.
Within the state of Oregon, enterprise governance consists of the Governor and State Chief Information Officer working together in consultation with state agency leaders to develop strategic direction for state IT. Some EIS responsibilities are described in statute, including working with agencies to develop state systems information security plans, policies, and procedures.
Auditors found EIS has developed an IT governance program that addresses the oversight, security, and acquisition of new IT investments, but has not yet addressed enterprise level cybersecurity risk governance. The existing governance framework approves cybersecurity documents that provide direction to agencies, but there are no governance entities charged with defining the state’s risk appetite – a necessary first step to prioritize risk mitigation activities across executive agencies.
With the passage of Senate Bill 90 in 2017, cybersecurity functions for most state agencies were consolidated into one group within EIS. While this consolidation gave EIS more responsibility for security, in practice many responsibilities still lie with individual agencies.
The audit found EIS has defined some roles and responsibilities for cybersecurity, but more work is needed to clarify and communicate which activities are agency responsibilities. Additional work is needed to fully define enterprise strategies and centralized cybersecurity services. The audit also found that EIS performs only limited centralized risk or vulnerability management, which means known risks and vulnerabilities may not be mitigated in a timely manner by agencies and may affect the security of other state agencies.
Auditors found that EIS tracks specific areas of compliance and conducts agency assessments. They noted that statute directs EIS to assess and report agency compliance with statewide rules, policies, and standards to the Governor and the Joint Legislative Committee on Information and Technology (JLCIMT). Auditors also found:
- Compliance is not the primary purpose of the EIS agency assessments
- EIS is not consistently meeting the requirement to report compliance to the Governor and JLCIMT. The last report was issued in 2016
- There is no mechanism or process in place for agencies to report compliance to EIS
- EIS leadership indicates they do not have the necessary resources to conduct biennial compliance assessments for each agency
Read the full audit on the Secretary of State website.
Gloss