Guidance for State Agencies

Guidance for State Agencies

Enterprise Information Services (EIS) has responsibility for statewide information and cybersecurity standards, and policies on information security, under the authority of Oregon Revised Statute 276A.300. As part of EIS, Cyber Security Services (CSS) is responsible for creation and maintenance of the Statewide Information and Cyber Security Standards.

CSS sets the statewide direction for cybersecurity and follows guidance from National Institute of Standards and Technology (NIST) and the Center for Internet Security (CIS) as well as other cybersecurity organizations such as the Cloud Security Alliance (CSA) where appropriate.

State and Local Cybersecurity Grant Program (SLCGP)

For more details, please visit the Oregon Department of Emergency Management (OEM) SLCGP page.

Regulation Guidance

• 2023 Statewide Information Security Program Plan
  
• 2023 Statewide Information Technology (IT) Control Standards
  
• Standards Alignment with CIS Critical Security Controls
• 2019-2023 Standards Change Overview
• Timeline Requirements for Statewide Standards and Plan
  
• Information Security Incident Response Plan
• For additional controls and system hardening, see the CIS Benchmarks site.
• System Security Plan Template
  

CSS Service Catalog 2022

This service catalog describes the services currently available to agencies through Enterprise Information Services (EIS), Cyber Security Services (CSS). The services are grouped by service category with each individual service summarized separately within that category. Some of these services are provided on an enterprise-wide basis, as noted in their descriptions, and thus do not normally require a specific request from an agency. Many services will be tailored to an individual agency's situation and requirements. In that case, CSS will work with the requesting agency to define specific agency and CSS responsibilities.

• Cyber Security Responsibilities 2022
• CSS NIST Cybersecurity Framework 2022

CSS assessment schedule for calendar years 2024-2025

Human Risk Management - Awareness & Training

HRM Program documents

• HRM-ISAT Program Plan 2022-23
  
• HRM ISAT advisory board charter 2022-23

Phishing Awareness Program

The Phishing Awareness Program is a service offered to state of Oregon government agencies for the purpose of reducing human risk. All documents provided are as a courtesy to the agency and should be edited in whatever way is appropriate for their staff. All internal communication, data analysis and troubleshooting are the responsibility of the agency.
The Security Culture Survey is used to gauge the effectiveness of the program. All staff participating in the Phishing Awareness Program will receive the survey annually.

Phishing Awareness Program documents:

• Phishing Program Expectations
  
• Phishing Program kick off presentation
  
• Phishing Implementation Checklist
  
• Phishing Awareness Program One Pager
  
• Phishing Program FAQ
  
• Email template - CIO to Managers
  
• Email template - Director letter to staff
  
• Manager/Direct Supervisor Resources
  
• How to spot a phish.pdf
  
• Phishing Presentation for Staff
  
• Learner and Team dashboard overview 
  
• Hybrid Phish Alert Button
  

Information Security Annual Training Information


ORS 276A.323 requires annual information security awareness training for all employees, board and commission members, temporary employees, contractors, and volunteers and applies to all Executive Branch agencies as defined in ORS 174.112. Please refer to the FAQ for questions regarding the training:
EIS/CSS does not exempt anyone from the statutory requirement as Agencies, Boards, & Commission staff, contractors, and volunteers that meet the statutory requirement language noted above are required to take the EIS Information Security Training. We are aware that some individuals don't have access to Workday to complete the required training, so we provide an alternative format (see instructions below).

There are three (3) options you may choose.

1. If the individuals have access to Workday, please have them complete the 30 min Security Training in Workday.
2. If they don't have access to Workday, provide the alternative format. The instructions are located below.
3. As an agency, you may decide internally that you are going to exempt certain individuals from the requirement.
• You will need to document why you made that decision for your auditing purposes. EIS/CSS does not exempt anyone from the statutory requirement.
• It is our understanding that if they have Workday access, they would continue to receive the notices to complete the training from Workday and they would be entered as an incomplete.

This statutory requirement is limited to Executive Branch agencies as defined in ORS 174.112 but is not limited to those with state system access. It includes all information assets; written, verbal, and electronic information related to the state of Oregon.

• Tips and troubleshooting - DAS EIS Information Security Training Foundations course.pdf
  
• FAQ - DAS EIS Information Security Training Foundations course.pdf
  
If you need to deliver the DAS EIS Information Security Training: Foundations course outside of Workday Learning please follow the instructions below.
• Instructions - Alternative Format and Recording - DAS EIS InfoSec Training Foundations course.pdf
  
  

General Guidance