ORS 182.124¹
Information systems security for Secretary of State, State Treasurer and Attorney General

(1) Notwithstanding ORS 182.122 (Information systems security in executive department), the Secretary of State, the State Treasurer and the Attorney General have sole discretion and authority over information systems security in their respective agencies, including taking all measures reasonably necessary to protect the availability, integrity or confidentiality of information systems or the information stored in information systems.

(2) The Secretary of State, the State Treasurer and the Attorney General shall each establish an information systems security plan and associated standards, policies and procedures in collaboration with the Oregon Department of Administrative Services as provided in ORS 182.122 (Information systems security in executive department).

(3) The plan established under subsection (2) of this section, at a minimum, must:

(a) Be compatible with the state information systems security plan and associated standards, policies and procedures established by the department under ORS 182.122 (Information systems security in executive department) (2);

(b) Assign responsibility for:

(A) Reviewing, monitoring and verifying the security of the agency’s information systems; and

(B) Conducting vulnerability assessments of information systems for the purpose of evaluating and responding to the susceptibility of information systems to attack, disruption or any other event that threatens the availability, integrity or confidentiality of information systems or the information stored in information systems;

(c) Contain policies for responding to events that damage or threaten the availability, integrity or confidentiality of information systems or the information stored in information systems, whether those systems are within, interoperable with or outside the state’s shared computing and network infrastructure;

(d) Prescribe actions reasonably necessary to:

(A) Promptly assemble and deploy in a coordinated manner the expertise, tools and methodologies required to prevent or mitigate the damage caused or threatened by an event;

(B) Promptly alert other persons of the event and of the actions reasonably necessary to prevent or mitigate the damage caused or threatened by the event;

(C) Implement forensic techniques and controls developed under paragraph (e) of this subsection;

(D) Evaluate the event for the purpose of possible improvements to the security of information systems; and

(E) Communicate and share information with agencies, using preexisting incident response capabilities; and

(e) Describe and implement forensic techniques and controls for the security of information systems, whether those systems are within, interoperable with or outside the state’s shared computing and network infrastructure, including the use of specialized expertise, tools and methodologies, to investigate events that damage or threaten the availability, integrity or confidentiality of information systems or the information stored in information systems.

(4) The Secretary of State, the State Treasurer and the Attorney General shall participate in the planning process conducted by the department under ORS 182.122 (Information systems security in executive department) (2).

(5) If a joint information systems security plan and associated operational standards and policies cannot be agreed upon by the Oregon Department of Administrative Services and a statewide elected official named in subsection (1) of this section, the department may take steps reasonably necessary to condition, limit or preclude electronic traffic or other vulnerabilities between information systems for which the official has authority under subsection (1) of this section and the information systems for which the department has authority under ORS 182.122 (Information systems security in executive department) (2). [2005 c.739 §2]

Note: See note under 182.122 (Information systems security in executive department).

1 Legislative Counsel Committee, CHAPTER 182—STATE ADMINISTRATIVE AGENCIES, https://www.oregonlegislature.gov/bills_laws/Archive/2007ors182.pdf (2007) (last accessed Feb. 12, 2009).
 
2 OregonLaws.org contains the contents of Volume 21 of the ORS, inserted alongside the pertinent statutes. See the preface to the ORS Annotations for more information.
 
3 OregonLaws.org assembles these lists by analyzing references between Sections. Each listed item refers back to the current Section in its own text. The result reveals relationships in the code that may not have otherwise been apparent.