An audit released by the Oregon Secretary of State found that many state agencies do not provide adequate security for computer systems and that the Office of the State Chief Information Officer (OSCIO) is not yet prepared to provide centralized oversight over the state IT security system.
“State computer systems store and process many types of sensitive information, including restricted tax, court, and medical records that require a high level of protection to comply with federal law,” Secretary of State Jeanne P. Atkins said. “The growth of state information and services available online allows citizens to do business with the state without leaving their home or office. However, it also increases the risk of hackers breaching state computer systems. It’s crucial that the state IT system keep up with security protocols to protect sensitive data.”
State auditors evaluated security at 13 state agencies and found more than half had weaknesses in six of the seven security controls reviewed. Auditors found security planning efforts were often perfunctory, security staffing was generally insufficient, and fundamental security tasks were not always performed. While security efforts for a few agencies were satisfactory overall, some weakness existed at each of the agencies auditors reviewed.
The audit also found that the Office of the State Chief Information is not fully prepared to centrally administer security for the state agencies it oversees because sufficient standards and oversight processes have yet to be developed. Oregon law places the state chief information officer in a position of leadership and accountability for most of the agencies included in the audit.
In September 2016, Gov. Kate Brown signed Executive Order 16-13, titled “Unifying Cyber Security in Oregon.” Because managing security for state computer systems and data is complicated with many competing priorities, the Executive Order may not fully resolve the weaknesses identified in the report. Ultimately, the Governor, the OSCIO, agency directors, and the Legislature must cooperate to create, fund, endorse, and implement a statewide security plan that will adequately protect that state’s computer systems.
Auditors recommend that the Office of the State Chief Information Officer work with state agencies to develop detailed plans to complement with Executive Order 16-13; develop sufficient statewide standards and processes for oversight over agency computer systems; collaborate with state agencies to ensure specific weaknesses are addressed; and work with the Governor, the Legislature and agency directors to ensure adequate staffing and resources are available to implement security measures.
“Our audit found that this is a critical time for the Office of the State Chief Information Officer to provide more leadership and oversight to ensure the security of our state computer systems,” Atkins said. “We also need the Legislature and the Governor’s office to continue engaging on this mission so that the CIO has adequate support as more and more government services are provided online.”
