The goal of information security is to protect the confidentiality, integrity, and availability of information assets. ORS 182.122 (House Bill 3145, 2005 Legislative Session) designates DAS as the "single point of accountability" for information security at the state.
In support of this mandate, the Enterprise Security Office (ESO) is instituting a security strategy wherein DAS works collaboratively with state agencies to ensure the state's security posture is at an acceptable level. Information security management enables information to be shared while ensuring protection of that information and its associated technology assets.
Purpose of Policies
Information security policies are the foundation of any security program. These policies will guide ESO and state agencies in:
Conducting business security risk assessments
Conducting technical vulnerability assessments
Promoting and maintaining baseline enterprise security rules, policies, guidelines, and procedures
Establishing a state Incident Response Team
Instituting an information security awareness capability
Monitoring for compliance
The State of Oregon enterprise information security policies:
Represent a baseline minimum necessary level of security that agencies must conform to.
Set the direction and define requirements for information security-related processes and actions across the state enterprise.
Are a statement of the minimum requirements to establish and maintain a secure environment, and achieve enterprise security objectives.
Emphasize the state's commitment to information security.
Establish clear expectations for staff performance, behavior, and accountability.