125-800-0005
Purpose, Application, and Authority

These rules are adopted under 2005 Oregon Laws Chapter 739. These rules set forth the policies for state government-wide information security.

Statutory/Other Authority: ORS 182.122 & 291.038
Statutes/Other Implemented: ORS 182.122
History:
DAS 8-2006, f. & cert. ef. 12-28-06

125-800-0010
Definitions

(1) “Incident” means any material adverse event that impairs the confidentiality, integrity or availability of information resources.

(2) “Information Resources” means all categories of automated or non-automated systems and data, including but not limited to, records, files, and databases, information technology equipment, facilities, and software owned or leased by the state.

(3) “Material adverse event” means an adverse event whereby some aspect of computer security could be threatened: loss of data confidentiality, disruption of data or system integrity, or disruption or denial of availability.

(4) “Ordinary Public Access” means unauthenticated access to systems or online resources intentionally provided for public use, such as an agency’s public web site.

(5) “Publicly addressable interfaces” means any network device or software application using Internet protocols that can be accessed using addresses that are routable over the public Internet infrastructure, including the state's backbone network.

(6) “Privately addressed interfaces” means any network device or software application using Internet protocols accessed using addresses that are not routable over the public Internet infrastructure, including the state's backbone network.

(7) “State Information Security Plan” means a compilation of documents including, but not limited to, statutes, administrative rules, policies, and plans, prescribing the information security practices of the State of Oregon.

(8) “Security Assessment” means any organized method of determining the risk or vulnerability including, but not limited to: risk assessment; vulnerability assessment; security penetration test, and security audits and reviews.

(9) “State Shared Computing and Network Infrastructure” means all network and information assets under the direct control or maintained by the Executive Department.

Statutory/Other Authority: ORS 184.305; 182.122
Statutes/Other Implemented: 2005 Oregon Laws Chapter 739
History:
DAS 8-2006, f. & cert. ef. 12-28-06

125-800-0020
State Information Security

(1) Duties:

(a) Department of Administrative Services (Department): The Department shall serve as the primary point of accountability and coordination for information security in state government except for elected offices as identified in section 4, Elected Offices Exception. The Department, in collaboration with state agencies, shall routinely take necessary actions, proactive and reactive, to protect and verify protection of the state’s shared computing and network infrastructure including, but not limited to: active scanning and monitoring; intrusion prevention and detection; scheduled and unscheduled security reviews and compliance audits; protection, containment and mitigation actions taken to address threats, vulnerabilities, and security problems; termination or filtering of connections to mitigate problematic network traffic or unauthorized access; quarantine of infected systems to allow for the forensic identification and analysis of system threats; and the application of other steps and practices as may be required.

(A) Leadership. The Department shall provide central leadership for state government-wide information security including, but not limited to: centrally directing and coordinating all enterprise information security activities; determining security risks to the state’s Information assets and collaboratively working with state agencies in taking those actions required to mitigate unacceptable risks; collaboratively work with state agencies to determine appropriate state and agency security activities to maintain appropriate levels of security preparedness and competency; reducing the cost of providing security by implementing an enterprise approach; detecting and eliminating unnecessary duplication of efforts and obstacles to forward progress in information security; creating the processes and process linkages necessary to maintain a fully functional state government security capability; and creating and maintaining the tools and practices necessary to manage the host of simultaneous and interoperable activities that comprise information security.

(B) Planning. The Department, in collaboration with state agencies, shall direct information security planning including, but not limited to: determining strategic security objectives and associated performance measures; analyzing and evaluating state, agency and trusted partner security practices; proposing and subsequently prescribing solutions for information security challenges; establishing a process to determine, prioritize and schedule security enhancements on a state government-wide basis; ensuring through validation that information security is an essential part of state and agency business planning and operations; determining essential state information security roles and responsibilities; and identifying opportunities for security master contracting and other procurement efficiencies. The Department may plan, manage and undertake enterprise-level information security projects and initiatives.

(C) Policy. The Department, in collaboration with state agencies, shall develop, recommend, implement and maintain the full spectrum of administrative rules, policies, architecture, standards, guidelines, and procedures necessary to create and maintain an appropriate state government-wide information security competency.

(D) Coordination. The Department shall coordinate the security activities of state government including, but not limited to: providing the security communications, coordination, planning and development hub for state government; establishing collaborative partnerships with local and regional governments and the Federal government in the realm of security planning and implementation; and enterprise coordination of all information security-related activities and initiatives across state government.

(E) Security Assessments. The Department shall work collaboratively with state agencies to conduct information security assessments and testing within Oregon state government including, but not limited to: determining when it is appropriate to outsource security testing of state or agency Information assets; coordinating security assessments and tests; establishing standards for the timing and nature of agency information security assessments and tests including, but not limited to internal and external, third-party assessments; provide oversight for agency vulnerability and risk mitigation planning and actions; and ensuring the dissemination of any security assessment and test report data is restricted to only those who, in the judgment of the State Chief Information Security Officer, Agency Director, and/or appropriate state agency staff, have a business need for such information. The Department shall determine qualifications for vendors contracted to perform security assessments.

(F) Incident Response. The Department shall create a state incident response capability including, but not limited to: appointing a standing, multi-agency State Incident Response Team (SIRT) as described in section (2) of this rule; ensuring the SIRT, in collaboration with state agencies, prescribes and takes those actions necessary to immediately assemble and deploy the coordinated expertise, tools, communications infrastructure, methodologies and controls required to prevent or mitigate damage caused by an Incident. SIRT will perform a structured investigation into the nature and cause of an Incident; document evidence of computer crime, misuse or Incident; employ forensic techniques and controls; evaluate Incidents for improvement of information security; perform any duties required to appropriately defend against an Incident and subsequently prosecute the perpetrator; and cooperate with law enforcement and other authorities.

(G) System Management. The Department, in collaboration with state agencies, shall provide policies, standards and consultation on systems management associated with information security including, but not limited to management of: firewalls; routers; intrusion detection and protection mechanisms; identity and access management; patch/configuration management; digital certificates; secure transmission and access controls (encryption); wireless devices; change controls, and automated system log aggregation and monitoring.

(H) Security Awareness and Training. The Department will provide the communications practices and tools necessary to form and maintain a viable information security community of practice across Oregon state government including, but not limited to: creation and maintenance of an information security knowledge and document repository; creation and maintenance of a enterprise level user awareness program, and participation with state and national stakeholder groups; provide the training or training curriculum required to: inform managers, users and technologists on the policies and practices of state information security; work with agencies to ensure all who have access to information assets are provided training on their security-related responsibilities and the specific security-related actions they are expected to take; and identifying, conducting or arranging appropriate security certification for key state and agency staff.

(I) Reporting. The Department shall continually track and share relevant enterprise security information including, but not limited to: creation and dissemination of standardized reports demonstrating the status and progress of information security efforts across state government. Keep state executive management and the Legislature appraised of the state’s information security posture.

(J) Performance Management. The Department shall identify, track, analyze, adjust and report information security performance measurement and management to the Legislature, state executive management.

(K) Compliance and Oversight. The Department shall require and enforce compliance with information security practices including, but not limited to: performing or directing compliance reviews to ensure agencies are taking appropriate information security actions and adhering to laws, rules, policies, architecture, standards, procedures and guidelines; routinely inventory and evaluate the information security capabilities of the agencies of state government; prescribing a standardized approach for responding to audit and security assessment issues; and taking appropriate action when there is a failure to adhere to information security practices.

(L) Financial Management. The Department shall develop budgets and manage the finances for enterprise security projects and initiatives.

(M) Procurement. The Department shall manage procurements for the enterprise information security program including, but not limited to: procurement of hardware, software and expertise; approving enterprise security-related procurements; and issuing and managing enterprise-level, information security program contracts; ensuring contract language regarding information security is properly addressed in contracts.

(N) Evaluation. The Department shall evaluate and report the risk, feasibility, effectiveness and cost implications of potential enterprise information security issues and provide recommendations for mitigation.

(O) State Chief Information Security Officer. The Department will designate a State Chief Information Security Officer to manage and promote information security across the agencies of state government.

(b) Agency Responsibilities. The chief executive of each agency is accountable for their agency’s information security. Each agency head must: provide active leadership for information security practices within the agency and be responsible for agency security practices; designate an agency security liaison to participate in the collaborative development and implementation of the state security plan, and ensure agency compliance with this rule and the state information security plan; support, cooperate with and participate in the state information security program; report security-related information including, but not limited to, incident reporting, security status reporting, security-related financial reporting, and security audit or risk mitigation action. The agency head may delegate his/her authority for information security to an agency Information Security Officer (ISO), although the overall responsibility for agency information system remains with the agency head.

(c) Approval of Agency Security Plans. The Department, in collaboration with state agencies, shall establish standards for agency information assets security plans. Should an agency security plan contradict or contravene, or fail to meet minimum standards established by the state information systems security plan, the Department shall have the right to return the plan to the agency for revision and may decline to certify such plans until the plan has been modified to satisfy the overarching objective of protecting the state’s information assets.

(d) Security Assessment. The Department shall notify an agency of any negative outcome of any security assessment. If, as a result of a security assessment, the Department determines that there are severe vulnerabilities, the agency must take appropriate actions in a timely fashion to mitigate identified vulnerabilities. Additionally, the agency shall draft and implement a Security Assessment mitigation plan, subject to the Department’s approval, to mitigate the risks identified in the security assessment. The Department shall ensure that the vulnerabilities described in the assessment are mitigated following the approved plan. The Department, in collaboration with the agency, may take any action prudently required to protect the states information assets from unacceptable risks. For the purposes of this rule, risks or vulnerabilities identified by a security assessment, test, or in some other way, may constitute an incident requiring an incident response. The Department shall determine if a risk or vulnerability constitutes an incident.

(e) Interagency Collaboration. The Department will work with other governmental jurisdictions within the State of Oregon including, but not limited to all state, local and regional governmental entities contingent upon their written request and an agreement for appropriate cost sharing. The objective of such interaction is development of a cost-effective, common approach resulting in optimization of limited resources and enhanced strategic capabilities.

(2) State Incident Response Team:

(a) Authority: The State Incident Response Team (SIRT) shall be advised by and collaborate with the State Chief Information Officer, the state Chief Information Security Officer, and appropriate advisory bodies. Each state agency is responsible for creating and implementing an agency-level incident response capability.

(b) SIRT Membership: The SIRT is appointed by the Department and is, at a minimum, comprised of: representatives from the Department, Office of Emergency Management (OEM) and Oregon State Police (OSP); agency information security experts; and resources dedicated to incident communications. The members of the SIRT will work collaboratively to develop procedures, rules of engagement, and resource commitments to the SIRT.

(c) SIRT Agency Duties: Each agency shall report incidents to the SIRT as prescribed in applicable rules, policies, and procedures. Agencies are required to report incidents, cooperate with and support SIRT activities, and adhere to SIRT policies and procedures.

(3)(a) Applicability to Oregon University System: Oregon University System computers, hardware, software, storage media, networks directly connected to the state’s computing and network infrastructure, and not exempted by the provisions of 2005 Oregon Laws Chapter 739, are subject to these rules. The Department, in conjunction with Oregon University System, shall determine when such connection has occurred.

(b) Applicability to Oregon Lottery: These rules shall apply only to Oregon Lottery computer systems and network devices directly connected to the state's backbone network using publicly addressable interfaces. The Department, in conjunction with the Oregon Lottery, shall determine when such connection has occurred. Subject to constitutional and statutory limitations, the Oregon Lottery will notify the Department in the event of any incident adversely affecting Lottery gaming systems and networks that could impact the state's shared computing and network infrastructure.

(4) Elected Offices Exception: The Department shall establish, in collaboration with Elected Officers, criteria to determine compatibility between the information security plans adopted by the Secretary of State, the State Treasurer and the Attorney General (elected officers) and the state information security plan and associated standards, policies and procedures. If a joint information security plan and associated operational standards and policies cannot be agreed upon by the Department and the elected officers, or if the Department determines the information security plans adopted by the elected officers are not compatible with the state information security plan and associated standards, policies and procedures, the Department will continue to work with the elected office agencies to resolve outstanding issues.

Statutory/Other Authority: ORS 182.122 & 291.038
Statutes/Other Implemented: ORS 182.122
History:
DAS 8-2006, f. & cert. ef. 12-28-06