Governance and Control Objectives
This policy identifies required agency governance and control objectives for information and related technology.
Authority - ORS 291.038, ORS 283.500, ORS 461.055, EO 94-16, EO 98-5, EO 99-5
Agencies are required to satisfy select governance and control objectives for information and related technology. In this policy, objectives are identified as published in the 3rd Edition (July 2000) of Control Objectives for Information Technology (COBIT). The IT Governance Institute publishes COBIT at http://www.isaca.org. Related objectives, unique to State government, are described in this document.
Each Agency takes responsibility for implementation of the control objectives consistent with the Agency's size, available resources, and programs. Agency governance and control objectives conform to the State of Oregon Information Technology Strategy.
The required Governance and Control Objectives are:
Planning & Organization
1.0 Define a Strategic IT Plan
3.0 Determine the Technological Direction
4.0 Define the Information Technology Organization and Relationships
5.0 Manage the IT Investment
10.13 Post-Implementation Review Plan
Acquisition and Implementation
1.0 Identify Automated Solutions
3.3 System Software Security
5.11 Management's Post-Implementation Review
Delivery and Support
2.0 Manage Third Party Services
4.0 Ensure Continuous Service
In addition, each Agency shall ensure that adequate Restoration Fund coverage exists for information systems equipment. Contact the DAS Risk Management Division for more information about the Restoration Fund.
5.0 Ensure Systems Security
In addition, each agency shall designate an individual responsible for information security. This person will function as agency liaison on all information technology security matters.
9.5 Unauthorized Software
In addition, each agency must check its computers for unauthorized software at least once each year. The following policy shall apply when an agency lacks a written policy restricting the use of unauthorized software.
"No State Government employee, volunteer, or organization may install or execute unlicensed software on a State Government information system. For the purpose of this policy, State Government considers software not licensed for use by the State of Oregon to be unlicensed software."
9.8 Software Accountability
Effective 6/30/02, each Agency shall respond to an auditor request for copies of software inventory records and reports within 10 business days. The policy does not require an agency to conduct a software inventory within the 10-day period. The inventory shall indicate the license status for each software item listed in the inventory.
11.23 Back-up and Restoration
In addition, each agency shall ensure that adequate Restoration Fund coverage exists for stored information. Contact the Risk Management Division for more information about the Restoration Fund.
11.24 Back-up Jobs
11.25 Back-up Storage
In addition, each agency protects valuable computer data in the State's secure, off-site Archive Center located in Burns, Oregon.