ORS 182.122¹
Information systems security in executive department
  • rules

(1) As used in this section:

(a) "Executive department" has the meaning given that term in ORS 174.112 ("Executive department" defined).

(b) "Information systems" means computers, hardware, software, storage media, networks, operational procedures and processes used in the collection, processing, storage, sharing or distribution of information within, or with any access beyond ordinary public access to, the state’s shared computing and network infrastructure.

(2) The Oregon Department of Administrative Services has responsibility for and authority over information systems security in the executive department, including taking all measures reasonably necessary to protect the availability, integrity or confidentiality of information systems or the information stored in information systems. The Oregon Department of Administrative Services shall, after consultation and collaborative development with agencies, establish a state information systems security plan and associated standards, policies and procedures.

(3) The Oregon Department of Administrative Services, in its sole discretion, shall:

(a) Review and verify the security of information systems operated by or on behalf of agencies;

(b) Monitor state network traffic to identify and react to security threats; and

(c) Conduct vulnerability assessments of agency information systems for the purpose of evaluating and responding to the susceptibility of information systems to attack, disruption or any other event that threatens the availability, integrity or confidentiality of information systems or the information stored in information systems.

(4) The Oregon Department of Administrative Services shall contract with qualified, independent consultants for the purpose of conducting vulnerability assessments under subsection (3) of this section.

(5) In collaboration with agencies, the Oregon Department of Administrative Services shall develop and implement policies for responding to events that damage or threaten the availability, integrity or confidentiality of information systems or the information stored in information systems, whether those systems are within, interoperable with or outside the state’s shared computing and network infrastructure. In the policies, the department shall prescribe actions reasonably necessary to:

(a) Promptly assemble and deploy in a coordinated manner the expertise, tools and methodologies required to prevent or mitigate the damage caused or threatened by an event;

(b) Promptly alert other persons of the event and of the actions reasonably necessary to prevent or mitigate the damage caused or threatened by the event;

(c) Implement forensic techniques and controls developed under subsection (6) of this section;

(d) Evaluate the event for the purpose of possible improvements to the security of information systems; and

(e) Communicate and share information with agencies, using preexisting incident response capabilities.

(6) After consultation and collaborative development with agencies, the Oregon Department of Administrative Services shall implement forensic techniques and controls for the security of information systems, whether those systems are within, interoperable with or outside the state’s shared computing and network infrastructure. The techniques and controls must include the use of specialized expertise, tools and methodologies, to investigate events that damage or threaten the availability, integrity or confidentiality of information systems or the information stored in information systems. The department shall consult with the Oregon State Police, the Office of Emergency Management, the Governor and others as necessary in developing forensic techniques and controls under this section.

(7) The Oregon Department of Administrative Services shall ensure that reasonably appropriate remedial actions are undertaken when the department finds that such actions are reasonably necessary by reason of vulnerability assessments of information systems under subsection (3) of this section, evaluation of events under subsection (5) of this section and other evaluations and audits.

(8)(a) Agencies are responsible for the security of computers, hardware, software, storage media, networks, operational procedures and processes used in the collection, processing, storage, sharing or distribution of information outside the state’s shared computing and network infrastructure following information security standards, policies and procedures established by the Oregon Department of Administrative Services and developed collaboratively with agencies. Agencies may establish plans, standards and measures that are more stringent than the standards established by the department to address specific agency needs if those plans, standards and measures do not contradict or contravene the state information systems security plan. Independent agency security plans shall be developed within the framework of the state information systems security plan.

(b) An agency shall report the results of any vulnerability assessment, evaluation or audit conducted by the agency to the department for the purposes of consolidating statewide security reporting and, when appropriate, to prompt a state incident response.

(9) This section does not apply to:

(a) Research and student computer systems used by or in conjunction with the State Board of Higher Education or any state institution of higher education within the Oregon University System; and

(b)(A) Gaming systems and networks operated by the Oregon State Lottery or its contractors; or

(B) The results of Oregon State Lottery reviews, evaluations and vulnerability assessments of computer systems outside the state’s shared computing and network infrastructure.

(10) The Oregon Department of Administrative Services shall adopt rules to carry out its responsibilities under this section. [2005 c.739 §1]

Note: 182.122 (Information systems security in executive department) and 182.124 (Information systems security for Secretary of State, State Treasurer and Attorney General) were enacted into law by the Legislative Assembly but were not added to or made a part of ORS chapter 182 or any series therein by legislative action. See Preface to Oregon Revised Statutes for further explanation.

1 Legislative Counsel Committee, CHAPTER 182—STATE ADMINISTRATIVE AGENCIES, https://­www.­oregonlegislature.­gov/­bills_laws/­Archive/­2007ors182.­pdf (2007) (last ac­cessed Feb. 12, 2009).
 
2 OregonLaws.org contains the con­tents of Volume 21 of the ORS, inserted along­side the per­tin­ent statutes. See the preface to the ORS An­no­ta­tions for more information.
 
3 OregonLaws.org assembles these lists by analyzing references between Sections. Each listed item refers back to the current Section in its own text. The result reveals relationships in the code that may not have otherwise been apparent. Currency Information