Security Operations Center

The CSS Security Operation Center (SOC) responds to information security incidents that potentially impact multiple agencies or which pose a significant threat to the State of Oregon. The SOC is responsible for coordinating interagency security incident response resources and communications during or about an information security incident that impacts multiple agencies. The SOC collects, classifies and catalogs all reported information security incidents. When an information security incident occurs that does not require SOC involvement, the SOC may assist agencies in responding to an information security incident upon request. The SOC maintains confidentiality in accordance with agency policy, rules and legal requirements on all information security incidents reported to it.

DAS, through the Cyber Security Services, has authority and responsibility for the statewide incident response program. The program establishes enterprise procedures, standards, and guidelines for statewide and agency-level information security incident response. The SOC maintains a forensics program capable of assisting agencies.

The SOC maintains the Statewide Incident Response Plan as well as a template for Agency use to help meet their statutory obligation per ORS 276A.323. To report an incident or request a copy of the Agency Incident Response Plan template, contact the SOC using the information at the top of this page.

Primary responsibilities

• Vulnerability Management
• Support the enterprise vulnerability management infrastructure
• Enterprise uses Tenable for vulnerability scanning
• Agencies are responsible for reviewing and patching/remediating vulnerabilities in their environment
• Agencies are responsible for configuring scans within the agency
• Agencies are to participate with CISA Cyber Hygiene Scanning

• Enterprise Security Information and Event Monitoring (SIEM)
• Enterprise uses Microsoft Sentinel SIEM with Microsoft Defender for endpoint detection and response
• CSS SOC is solely responsible for monitoring the SIEM
• Agencies are responsible for ensuring all systems are on boarded with Microsoft Defender

• Incident Response
• In accordance with DAS statewide policy 107-004-120  “Each agency must report information security incidents to CSS SOC no later than 24 hours after discovery via the CSS SOC Hotline, 503-378-5930.”
• Enterprise Information Services : Cyber Security Services : Cyber Security Services : State of Oregon – be familiarized with the Statewide Incident Response Plan
• Ensure the agency has an incident response plan and that it has been submitted to the CSS SOC
• The CSS SOC maintains the Statewide Incident Response Retainer and there is no need for agencies to acquire independent IR/Forensic Response

• Phishing analysis
• Monitoring and analyzing emails sent to the report phish mailbox

• Cybersecurity Assessments
  
• Assessments are conducted every 2 years, using the Center for Internet Security (CIS) Controls
  

Additional Reporting Contacts

• CISA Contacts for Reporting
  
• Reporting site: https://www.cisa.gov/report
• Direct form: https://www.cisa.gov/forms/report
  
• Email: report@cisa.gov
  
• Phone number: (888) 282-0870
  
• Site includes reporting form, different reporting types (incident, malware, ransomware, Indicators, etc.)
  
• FBI Contacts for Reporting
  
• Reporting site: https://www.ic3.gov/
  
• Direct page: https://www.ic3.gov/Home/ComplaintChoice
• FBI local field offices: https://www.fbi.gov/contact-us/field-offices/
• MS-ISAC Contacts for Reporting (Primarily for SLTT, but can contact regardless)
  
• Reporting site: https://www.cisecurity.org/isac/report-an-incident
  
• ISAC SOC email: soc@cisecurity.org
  
• ISAC SOC phone number: (866) 787-4722