Can I skip having an information security program in place in Oregon? What are the requirements?
Information Security Program Requirements in Oregon
In Oregon, it is not possible to skip having an information security program in place. The state has established rules and regulations that require state agencies to implement information security programs to protect the availability, integrity, and confidentiality of information systems and the information stored in them [1.1].
Requirements for State Agencies
State agencies are responsible for securing computers, hardware, software, storage media, networks, operational procedures, and processes used in collecting, processing, storing, sharing, or distributing information outside the state’s shared computing and network infrastructure. They must follow information security standards, policies, and procedures established by the State Chief Information Officer and developed collaboratively with the agencies. Independent agency security plans must be developed within the framework of the state information systems security plan [1.1].
State Chief Information Officer Responsibilities
The State Chief Information Officer has responsibility for and authority over information systems security in the executive department, including responsibility for taking all measures that are reasonably necessary to protect the availability, integrity, or confidentiality of information systems or the information stored in information systems. The State Chief Information Officer shall, after consultation and collaborative development with agencies, establish a state information systems security plan and associated standards, policies, and procedures. The plan must align with and support the Enterprise Information Resources Management Strategy described in ORS 276A.203 [1.1].
Coordination with Oregon Department of Administrative Services
The State Chief Information Officer may coordinate with the Oregon Department of Administrative Services to review and verify the security of information systems operated by or on behalf of state agencies, monitor state network traffic to identify and react to security threats, and conduct vulnerability assessments of state agency information systems for the purpose of evaluating and responding to the susceptibility of information systems to attack, disruption, or any other event that threatens the availability, integrity, or confidentiality of information systems or the information stored in information systems [1.1].
Penalties for Non-Compliance
State agencies that fail to comply with the information security program requirements may face penalties. The State Chief Information Officer shall ensure that reasonably appropriate remedial actions are undertaken when the State Chief Information Officer finds that such actions are reasonably necessary by reason of vulnerability assessments of information systems, evaluation of events, and other evaluations and audits [1.1].
Oregon Transparency Website
In addition to the information security program requirements, the State Chief Information Officer is required to maintain and make available an Oregon transparency website [1.2]. The website must allow any person to view information that is a public record and is not exempt from disclosure under ORS 192.311 to 192.478. State agencies and education service districts are required to furnish information to the Oregon transparency website by posting reports and providing links to existing information system applications in accordance with standards that the State Chief Information Officer establishes. The website must contain information about each state agency and education service district, including but not limited to annual revenues, expenditures, human resources expenses, tax expenditures, and audit reports. The State Chief Information Officer is also required to post on the Oregon transparency website notices of public meetings the state agency must provide under ORS 192.640 [1.2].
Source(s):
- [1.1] Information systems security in executive department; rules.
- [1.2] Oregon transparency website.
Jurisdiction
Oregon