Text Size:   A+ A- A   •   Text Only
Site Image
Enterprise Security Policies
Security Strategy
The goal of information security is to protect the confidentiality, integrity, and availability of information assets. ORS 182.122 (House Bill 3145, 2005 Legislative Session) designates DAS as the "single point of accountability" for information security at the state.
In support of this mandate, the Enterprise Security Office (ESO) is instituting a security strategy wherein DAS works collaboratively with state agencies to ensure the state's security posture is at an acceptable level. Information security management enables information to be shared while ensuring protection of that information and its associated technology assets.

Purpose of Policies
Information security policies are the foundation of any security program. These policies will guide ESO and state agencies in:
  • Conducting business security risk assessments
  • Conducting technical vulnerability assessments
  • Promoting and maintaining baseline enterprise security rules, policies, guidelines, and procedures
  • Establishing a state Incident Response Team
  • Instituting an information security awareness capability
  • Monitoring for compliance
The State of Oregon enterprise information security policies:
  • Represent a baseline minimum necessary level of security that agencies must conform to.
  • Set the direction and define requirements for information security-related processes and actions across the state enterprise.
  • Are a statement of the minimum requirements to establish and maintain a secure environment, and achieve enterprise security objectives.
  • Emphasize the state's commitment to information security.
  • Establish clear expectations for staff performance, behavior and accountability.

Policy Set
In effect:

Policy/OAR number
eff. date
State Information Security Administrative Rule 125-800-0005 -- 0020 
Acceptable Use of State Information Assets (pdf)107-004-11010/16/07
Controlling Portable and Removable Storage Devices (pdf) 107-004-0517/30/07 
Employee Security (pdf)107-004-0537/30/07
Information Asset Classification (pdf) 107-004-0501/31/08
Information Security (pdf) 107-004-0527/30/07
Information Security Incident Response (pdf) 107-004-12011/10/08
Transporting Information Assets (pdf)107-004-1001/31/08
Business Continuity Plan Statewide Policy (pdf) 107-001-0107/27/09
Drafts for comment:

Under development:

Policy Review and Approval Process
Enterprise Information Security Policy Review and Approval Process - 01/01/2009 (pdf)

Policy Implementation Guidance

Contact Us
If you have any questions, comments or feedback, please contact us at security.office@state.or.us or call (503) 378-6557.