Auditors say Oregon’s central administrative agency lacks basic controls to protect its information and systems from a cyber attack.
That means the Department of Administrative Services’ information and systems are at risk for “unauthorized use, disclosure, or modification,” according to a report released July 3 by Secretary of State Bev Clarno.
Auditors used six criteria from the Center for Internet Security to evaluate the agency’s basic security controls.
"The security of Oregon’s data is a serious issue,” Clarno said in a statement. "DAS should take immediate action to address the findings outlined in this report."
Auditors said a fragmented organizational structure and approach to managing security concerns may be parts of the problem. The agency’s roughly 30 subdivisions “receive varying levels of support” from the agency’s IT department, which supports only 16 of the 85 applications that workers use. The rest are supported by non-IT employees scattered throughout those divisions, and don’t receive oversight or involvement from the agency’s IT department, auditors said.
That has created inconsistency, and means the agency’s subdivisions may not be aligning with best practices when it comes to security.
Auditors said cyber-threats are a growing worry.
“Cyberattacks, whether big or small, are a growing concern for both the private and public sector,” auditors wrote. “Recent breaches at Oregon state agencies have only escalated this concern.”
In January, the sensitive information of more than 600,000 people was compromised after nine employees at the Department of Human Services opened a phishing email and clicked on a link “that gave the sender access to their email accounts,” according to that agency.
Agency leaders said they agreed with auditors’ recommendations, and plan to start implementing some of them by 2021.
“We are committed to improve our efforts in this area going forward,” wrote the state’s Chief Operating Officer Katy Coba, and Chief Information Officer Terrence Woods, in a letter responding to the audit.
DAS has its own IT department, in addition to housing the state chief information officer, which is a separate office that oversees IT and policy for all state agencies.
In 2016, Gov. Kate Brown ordered that state agency cybersecurity responsibilities be consolidated within the Chief Information Office.