Information systems security in executive department; rules.

Checkout our iOS App for a better way to browser and research.


(a) "Executive department" has the meaning given that term in ORS 174.112.

(b) "Information systems" means computers, hardware, software, storage media, networks, operational procedures and processes used in collecting, processing, storing, sharing or distributing information within, or with any access beyond ordinary public access to, the state’s shared computing and network infrastructure.

(2) The State Chief Information Officer has responsibility for and authority over information systems security in the executive department, including responsibility for taking all measures that are reasonably necessary to protect the availability, integrity or confidentiality of information systems or the information stored in information systems. The State Chief Information Officer shall, after consultation and collaborative development with agencies, establish a state information systems security plan and associated standards, policies and procedures. The plan must align with and support the Enterprise Information Resources Management Strategy described in ORS 276A.203.

(3) The State Chief Information Officer may coordinate with the Oregon Department of Administrative Services to:

(a) Review and verify the security of information systems operated by or on behalf of state agencies;

(b) Monitor state network traffic to identify and react to security threats; and

(c) Conduct vulnerability assessments of state agency information systems for the purpose of evaluating and responding to the susceptibility of information systems to attack, disruption or any other event that threatens the availability, integrity or confidentiality of information systems or the information stored in information systems.

(4) The State Chief Information Officer shall contract with qualified, independent consultants for the purpose of conducting vulnerability assessments under subsection (3) of this section.

(5) In collaboration with appropriate agencies, the State Chief Information Officer shall develop and implement policies for responding to events that damage or threaten the availability, integrity or confidentiality of information systems or the information stored in information systems, whether those systems are within, interoperable with or outside the state’s shared computing and network infrastructure. In the policies, the State Chief Information Officer shall prescribe actions reasonably necessary to:

(a) Promptly assemble and deploy in a coordinated manner the expertise, tools and methodologies required to prevent or mitigate the damage caused or threatened by an event;

(b) Promptly alert other persons of the event and of the actions reasonably necessary to prevent or mitigate the damage caused or threatened by the event;

(c) Implement forensic techniques and controls developed under subsection (6) of this section;

(d) Evaluate the event for the purpose of possible improvements to the security of information systems; and

(e) Communicate and share information with appropriate agencies, using preexisting incident response capabilities.

(6) After consultation and collaborative development with appropriate agencies and the Oregon Department of Administrative Services, the State Chief Information Officer shall implement forensic techniques and controls for the security of information systems, whether those systems are within, interoperable with or outside the state’s shared computing and network infrastructure. The techniques and controls must include using specialized expertise, tools and methodologies to investigate events that damage or threaten the availability, integrity or confidentiality of information systems or the information stored in information systems. The State Chief Information Officer shall consult with the Oregon State Police, the Oregon Department of Emergency Management, the Governor and others as necessary in developing forensic techniques and controls under this section.

(7) The State Chief Information Officer shall ensure that reasonably appropriate remedial actions are undertaken when the State Chief Information Officer finds that such actions are reasonably necessary by reason of vulnerability assessments of information systems under subsection (3) of this section, evaluation of events under subsection (5) of this section and other evaluations and audits.

(8)(a) State agencies are responsible for securing computers, hardware, software, storage media, networks, operational procedures and processes used in collecting, processing, storing, sharing or distributing information outside the state’s shared computing and network infrastructure, following information security standards, policies and procedures established by the State Chief Information Officer and developed collaboratively with the agencies. Agencies may establish plans, standards and measures that are more stringent than the standards established by the State Chief Information Officer to address specific agency needs if the plans, standards and measures do not contradict or contravene the state information systems security plan. Independent agency security plans must be developed within the framework of the state information systems security plan.

(b) A state agency shall report the results of any vulnerability assessment, evaluation or audit conducted by the agency to the State Chief Information Officer for the purposes of consolidating statewide security reporting and, when appropriate, to prompt a state incident response.

(9) This section does not apply to:

(a) Research and student computer systems used by or in conjunction with any public university listed in ORS 352.002; and

(b)(A) Gaming systems and networks operated by the Oregon State Lottery or contractors of the State Lottery; or

(B) The results of Oregon State Lottery reviews, evaluations and vulnerability assessments of computer systems outside the state’s shared computing and network infrastructure.

(10) The State Chief Information Officer shall adopt rules to implement the provisions of this section. [Formerly 182.122; 2021 c.539 §28]

Note: The amendments to 276A.300 by section 28, chapter 539, Oregon Laws 2021, become operative July 1, 2022. See section 155, chapter 539, Oregon Laws 2021. The text that is operative until July 1, 2022, is set forth for the user’s convenience.
(1) As used in this section:

(a) "Executive department" has the meaning given that term in ORS 174.112.

(b) "Information systems" means computers, hardware, software, storage media, networks, operational procedures and processes used in collecting, processing, storing, sharing or distributing information within, or with any access beyond ordinary public access to, the state’s shared computing and network infrastructure.

(2) The State Chief Information Officer has responsibility for and authority over information systems security in the executive department, including responsibility for taking all measures that are reasonably necessary to protect the availability, integrity or confidentiality of information systems or the information stored in information systems. The State Chief Information Officer shall, after consultation and collaborative development with agencies, establish a state information systems security plan and associated standards, policies and procedures. The plan must align with and support the Enterprise Information Resources Management Strategy described in ORS 276A.203.

(3) The State Chief Information Officer may coordinate with the Oregon Department of Administrative Services to:

(a) Review and verify the security of information systems operated by or on behalf of state agencies;

(b) Monitor state network traffic to identify and react to security threats; and

(c) Conduct vulnerability assessments of state agency information systems for the purpose of evaluating and responding to the susceptibility of information systems to attack, disruption or any other event that threatens the availability, integrity or confidentiality of information systems or the information stored in information systems.

(4) The State Chief Information Officer shall contract with qualified, independent consultants for the purpose of conducting vulnerability assessments under subsection (3) of this section.

(5) In collaboration with appropriate agencies, the State Chief Information Officer shall develop and implement policies for responding to events that damage or threaten the availability, integrity or confidentiality of information systems or the information stored in information systems, whether those systems are within, interoperable with or outside the state’s shared computing and network infrastructure. In the policies, the State Chief Information Officer shall prescribe actions reasonably necessary to:

(a) Promptly assemble and deploy in a coordinated manner the expertise, tools and methodologies required to prevent or mitigate the damage caused or threatened by an event;

(b) Promptly alert other persons of the event and of the actions reasonably necessary to prevent or mitigate the damage caused or threatened by the event;

(c) Implement forensic techniques and controls developed under subsection (6) of this section;

(d) Evaluate the event for the purpose of possible improvements to the security of information systems; and

(e) Communicate and share information with appropriate agencies, using preexisting incident response capabilities.

(6) After consultation and collaborative development with appropriate agencies and the Oregon Department of Administrative Services, the State Chief Information Officer shall implement forensic techniques and controls for the security of information systems, whether those systems are within, interoperable with or outside the state’s shared computing and network infrastructure. The techniques and controls must include using specialized expertise, tools and methodologies to investigate events that damage or threaten the availability, integrity or confidentiality of information systems or the information stored in information systems. The State Chief Information Officer shall consult with the Oregon State Police, the Office of Emergency Management, the Governor and others as necessary in developing forensic techniques and controls under this section.

(7) The State Chief Information Officer shall ensure that reasonably appropriate remedial actions are undertaken when the State Chief Information Officer finds that such actions are reasonably necessary by reason of vulnerability assessments of information systems under subsection (3) of this section, evaluation of events under subsection (5) of this section and other evaluations and audits.

(8)(a) State agencies are responsible for securing computers, hardware, software, storage media, networks, operational procedures and processes used in collecting, processing, storing, sharing or distributing information outside the state’s shared computing and network infrastructure, following information security standards, policies and procedures established by the State Chief Information Officer and developed collaboratively with the agencies. Agencies may establish plans, standards and measures that are more stringent than the standards established by the State Chief Information Officer to address specific agency needs if the plans, standards and measures do not contradict or contravene the state information systems security plan. Independent agency security plans must be developed within the framework of the state information systems security plan.

(b) A state agency shall report the results of any vulnerability assessment, evaluation or audit conducted by the agency to the State Chief Information Officer for the purposes of consolidating statewide security reporting and, when appropriate, to prompt a state incident response.

(9) This section does not apply to:

(a) Research and student computer systems used by or in conjunction with any public university listed in ORS 352.002; and

(b)(A) Gaming systems and networks operated by the Oregon State Lottery or contractors of the State Lottery; or

(B) The results of Oregon State Lottery reviews, evaluations and vulnerability assessments of computer systems outside the state’s shared computing and network infrastructure.

(10) The State Chief Information Officer shall adopt rules to implement the provisions of this section.

Note: Sections 1 and 2, chapter 394, Oregon Laws 2021, provide:

Sec. 1. (1) The office of Enterprise Information Services shall prepare recommendations for elevating consideration of privacy, confidentiality and data security measures in the design, delivery and management of enterprise and shared information technology services for state government. In preparing the recommendations, the office shall consider and address, at a minimum:

(a) The merits of either establishing and appointing a dedicated state privacy officer within the office of Enterprise Information Services to manage and oversee information protection and privacy guidance for state government, or continuing to delegate such duties to the Chief Data Officer or another officer within the office’s current management team;

(b) The merits of developing and embedding a robust privacy assessment tool within existing evaluative frameworks for state government information technology projects and investments; and

(c) The merits of outreach, education and engagement with those whose information is collected, stored, compiled, utilized, commodified or otherwise used as part of a state agency information technology project or investment.

(2) The office shall provide the recommendations required by subsection (1) of this section in a report, in the manner provided by ORS 192.245, to the interim committees of the Legislative Assembly related to government accountability and information technology no later than September 15, 2022. [2021 c.394 §1]

Sec. 2. Section 1 of this 2021 Act is repealed on January 2, 2023.

[2021 c.394 §2]


Download our app to see the most-to-date content.