The report from the Oregon Secretary of State's auditing division was published last week and recommends that the agency take "immediate action" to address the findings.
Many cybersecurity policies appear disorganized or inconsistent, as the police agency does not monitor authorized use of devices or audit device activity logs, vulnerability assessments are conducted on an "ad hoc" basis, and the agency does not "appropriately manage all users who have significant, high level access to important systems and data," according to the report.
The audit, which sourced metrics from the Center for Internet Security, is one of several audits that the same office has conducted recently, said Kip Memmott, audits division director.
"The idea is that we go in and get a pulse on cybersecurity for these major state agencies," said Memmott, speaking with Government Technology.
Teresa Furnish, IT audit manager, said the office had conducted a number of audits in recent years and found similar results. None of those findings have been good, but with OSP there's a particular danger, she said.
"The difference with OSP is that they are the keepers of the criminal justice information system for the state of Oregon ... we would've expected to find them to be a strong example of cybersecurity controls and that's not what we found," Furnish said.
Looking ahead, officials with the Oregon Department of Enterprise Information Services (EIS) said that the State Police should continue to collaborate with the EIS' Cyber Security Services division on security policy. Enterprise Information Services oversees cybersecurity strategy for all state agencies.
"The [Secretary of State] audits serve as a reminder and is another opportunity to continue to improve the cybersecurity posture for the state overall," Joe Wells, EIS communications manager, said in an email. "OSP and all state agencies should continue to partner with Cyber Security Services to mitigate any [Secretary of State] findings or other cybersecurity concerns as appropriate."
According to the report, a lot of the deficiencies in OSP policy may have to do with insufficent staffing and leadership. The OSP has had three CIOs and three interim CIOs since 2014 — a leadership environment that may have undermined the agency's ability to develop consistent policies and procedures, the audit asserts.
EIS may have partially contributed to this leadership void. According to the findings, a 2017 state IT consolidation project saw top cybersecurity officials from numerous agencies reassigned to work out of the Cyber Security Services office. In exchange, Cyber Security Services was supposed to send trained officials back to the agencies. However, the division never assigned an official to OSP, despite multiple requests for such an assignment, the audit states.
"Cyber Security Services will continue to partner with OSP based on need/skillset," said Wells, in reference to the agencies' partnership. "Cyber Security Services partners with all state agencies to improve our security posture with the resources we have currently."
As Furnish notes, this kind of leadership turnover is not uncommon in public-sector technology. Due to the nature of the job and the industry, IT leadership in many public agencies sees a high turnover rate, and state police are no different, she said.
Despite the negative findings the OSP has been extremely responsive to the report and its suggestions, Furnish and Memmott said.
Indeed, the police force plans to use the audit as an opportunity to better its practices, said Capt. Tim Fox, OSP public information officer.
"OSP is devoted to not only fixing the issues identified but expanding to long-term planning and action going forward. This audit will serve as a baseline for future audits to track the future of OSP's security management and compliance program," said Fox. The statement also thanked the Secretary of State's Audits Division for its effort.
However, some of these changes may be difficult given the state's current preoccupation with the COVID-19 crisis and the expected budgetary shortfalls in the coming years. Recent reports show that Oregon state agencies have been told to expect spending cuts of as much as 8.5 percent for the current budget cycle.
OSP recently hired a new CIO and is looking to hire two new people to address risk abatement but its unclear whether the money will be there given the budgetary constraints, said Furnish.
