Audit: Oregon DAS Behind on Basic Cybersecurity Safeguards

The Oregon Secretary of State's office released an audit evaluating the cybersecurity of the Department of Administrative Services, making seven recommendations to be fully implemented by 2023.

by Patrick Groves / July 3, 2019

The Oregon Secretary of State’s office released an audit today identifying a lack of basic cybersecurity safeguards within the Department of Administrative Services (DAS), exposing the agency’s systems and data to the risk of unauthorized use, disclosure and modification.

The report details how a fragmented organizational structure and legacy applications within DAS hindered a security management program, which provides a framework for the assessment of risk, development and implementation of security procedures, and the monitoring of how effective those procedures are.

DAS has about 30 subdivisions and business units that receive different levels of IT support, the report states. Of 85 key applications used within DAS, the agency’s IT division only services 16. Each division and unit has individual IT processes and procedures that may not align with DAS IT or accepted best practices.

DAS spokeswoman Liz Craig told Government Technology that her department appreciates the work the Secretary of State’s Audits Division put into the audit.

“IT security is critically important and, while we have made some improvements, we know there is still more work to do,” Craig said. “The audit recommendations will be invaluable in moving forward to address critical IT security responsibilities. We look forward to providing updates as we begin implementing the recommendations.”

The report outlines seven recommendations for DAS to implement with help from the Office of the State Chief Information Officer (OSCIO), Enterprise Security Office (ESO) and Enterprise Technology Services (ETS). The audit recommends remedies be made for hardware inventory, software inventory, vulnerability assessment, privileged access, secure configurations and audit logs.

Secretary of State Bev Clarno stressed the importance of data security in a prepared statement publicizing the audit.

“DAS should take immediate action to address the findings outlined in this report,” Clarno said.

DAS Director and State Chief Operating Officer Katy Coba and State Chief Information Officer Terrence Woods penned a letter responding to each recommendation. The response was included in the published audit. The letter agrees with the points made in the report and states that with the approval of the DAS budget during the 2019 legislative session the department will be able to implement improvements.

“DAS is currently in a transition phase as it relates to IT Security,” the response states. “… DAS has already made some progress in improving how DAS IT functions. There is a project to develop a formal IT governance structure.”

The target dates provided in the letter to fully implement the recommendations range from 2021 to 2023. Assessment management of hardware and software will begin in October and is slated for completion in July 2021. DAS will work with ESO and ETS to assess vulnerability, privileged access, secure configurations and audit logs, which has an expected finish date of July 2023.

Patrick Groves Staff Writer

Patrick Groves is a staff writer for Government Technology. Previously, he worked for five years at newspapers in Washington state, Idaho, Florida and Northern California. He has a Bachelor’s degree in communication from Washington State University and lives in Northern California.
