Salem, OR—The Audits Division of the Oregon Secretary of State’s office released a cybersecurity audit of the Oregon State Treasury today. The audit found that the agency has a robust security management program that establishes a framework for assessing risk, developing and implementing effective security procedures, and monitoring the effectiveness of those procedures. The audit also identifies some areas for improvement.
“I commend the Oregon State Treasury’s ongoing efforts to improve their cybersecurity infrastructure and protocols,” said Oregon Secretary of State Shemia Fagan. “Oregonians should be confident that Treasury is among the top cybersecurity performers our audits team has reviewed in state government. Though there is always more work to do, they should be proud of what they have accomplished.”
The audit makes several recommendations, which Treasury has agreed to implement, including:
1. Updates to the agency’s security plan to detail how the agency currently addresses security for its information resources, and the need to create supporting security plans that address how key applications are appropriately protected.
2. Automating processes for updating the inventory of hardware assets.
3. Updates to software policies and procedures to ensure there is a complete list of approved software, and whitelisting to ensure only authorized software can be installed on agency systems.
4. Further work to ensure that all devices are appropriately configured, and monitored so that configuration settings remain appropriate.
5. An additional independent time source should be added to ensure audit log time stamps are accurate.
Cybersecurity audits by the Audits Division first assess whether the agency has a formal security management and compliance program, and then assess whether it has implemented six basic controls recommended by the Center for Internet Security.
Due to the sensitive nature of information technology security, and in accordance with Oregon state law and government auditing standards, details of the extent of the security weaknesses are shared only with agency management in a confidential appendix.
View the full audit: https://sos.oregon.gov/audits/Documents/2021-12.pd...