ORS 276A.303
Information systems security for Secretary of State, State Treasurer and Attorney General


(1)

Notwithstanding ORS 276A.300 (Information systems security in executive department), the Secretary of State, the State Treasurer and the Attorney General have sole discretion and authority over information systems security in their respective agencies, including the discretion and authority to take all measures that are reasonably necessary to protect the availability, integrity or confidentiality of information systems or the information stored in information systems.

(2)

The Secretary of State, the State Treasurer and the Attorney General shall each establish an information systems security plan and associated standards, policies and procedures in collaboration with the State Chief Information Officer as provided in ORS 276A.300 (Information systems security in executive department).

(3)

The plan established under subsection (2) of this section, at a minimum, must:

(a)

Be compatible with the state information systems security plan and associated standards, policies and procedures established by the State Chief Information Officer under ORS 276A.300 (Information systems security in executive department) (2);

(b)

Assign responsibility for:

(A)

Reviewing, monitoring and verifying the security of the Secretary of State’s, the State Treasurer’s and the Attorney General’s information systems; and

(B)

Conducting vulnerability assessments of information systems for the purpose of evaluating and responding to the susceptibility of information systems to attack, disruption or any other event that threatens the availability, integrity or confidentiality of information systems or the information stored in information systems;

(c)

Contain policies for responding to events that damage or threaten the availability, integrity or confidentiality of information systems or the information stored in information systems, whether the systems are within, interoperable with or outside the state’s shared computing and network infrastructure;

(d)

Prescribe actions reasonably necessary to:

(A)

Promptly assemble and deploy in a coordinated manner the expertise, tools and methodologies required to prevent or mitigate the damage caused or threatened by an event;

(B)

Promptly alert the State Chief Information Officer and other persons of the event and of the actions reasonably necessary to prevent or mitigate the damage caused or threatened by the event;

(C)

Implement forensic techniques and controls developed under paragraph (e) of this subsection;

(D)

Evaluate the event for the purpose of possible improvements to the security of information systems; and

(E)

Communicate and share information with agencies, using preexisting incident response capabilities; and

(e)

Describe and implement forensic techniques and controls for the security of information systems, whether those systems are within, interoperable with or outside the state’s shared computing and network infrastructure, including the use of specialized expertise, tools and methodologies, to investigate events that damage or threaten the availability, integrity or confidentiality of information systems or the information stored in information systems.

(4)

The Secretary of State, the State Treasurer and the Attorney General shall participate in the planning process that the State Chief Information Officer conducts under ORS 276A.300 (Information systems security in executive department) (2).

(5)

If the State Chief Information Officer cannot agree with the Secretary of State, the State Treasurer or the Attorney General on a joint information systems security plan and associated operational standards and policies, the State Chief Information Officer, in collaboration with the Oregon Department of Administrative Services, may take steps reasonably necessary to condition, limit or preclude electronic traffic or other vulnerabilities between information systems for which the Secretary of State, State Treasurer or Attorney General has authority under subsection (1) of this section and the information systems for which the State Chief Information Officer has authority under ORS 276A.300 (Information systems security in executive department) (2). [Formerly 182.124]

Source: Section 276A.303 — Information systems security for Secretary of State, State Treasurer and Attorney General, https://www.­oregonlegislature.­gov/bills_laws/ors/ors276A.­html.

276A.200
Legislative findings on information resources
276A.203
State Chief Information Officer
276A.206
Oversight of state information and telecommunications technology by State Chief Information Officer
276A.209
State Information Technology Operating Fund
276A.223
Requirement that state agency or public corporation obtain quality management services when implementing information technology initiative
276A.230
Definitions
276A.233
Information technology portfolio-based management
276A.236
Enterprise information resources management
276A.239
Portfolio-based management of information technology resources for Secretary of State
276A.242
Portfolio-based management of information technology resources for State Treasurer
276A.250
Definitions
276A.253
Oregon transparency website
276A.256
Reports of tax expenditures connected to economic development
276A.259
Transparency Oregon Advisory Commission
276A.262
Transparency Oregon Advisory Commission Fund
276A.270
Definitions
276A.273
Electronic Government Portal Advisory Board
276A.276
Ability to offer government services through portal
276A.300
Information systems security in executive department
276A.303
Information systems security for Secretary of State, State Treasurer and Attorney General
276A.306
Information security incidents and assessments
276A.323
State agency coordination
276A.326
Oregon Cybersecurity Advisory Council
276A.329
Oregon Cybersecurity Center of Excellence
276A.332
Authority of State Chief Information Officer to enter into agreements
276A.335
Moneys from federal government and other sources
276A.350
Definitions
276A.353
Chief Data Officer
276A.356
Open data standard
276A.359
Technical standards manual
276A.362
Release of publishable data on web portal
276A.365
Information management by state agencies
276A.368
Purpose of data
276A.371
Obligations of state agency under public records law
276A.374
Application to Secretary of State and State Treasurer
276A.400
Policy
276A.403
Coordination of telecommunications systems
276A.406
Acquisition of broadband and communications services
276A.409
Use of agency travel and transportation funds for telecommunications services
276A.412
Contracts for telecommunications equipment and services not to exceed 10 years
276A.415
Agreements to fund or acquire telecommunications equipment and services
276A.418
Public contracts for broadband Internet access service
276A.421
Provision of broadband services that compete with services of private telecommunications provider
276A.424
Connecting Oregon Schools Fund
276A.500
Definitions
276A.503
Oregon Geographic Information Council
276A.506
Powers of council
276A.509
Public body duty to share geospatial framework data with council
276A.512
Oregon Geographic Information Council Fund
276A.515
State geographic information officer
Green check means up to date. Up to date