Oregon IT audit highlights cyber policy gaps
Oregon Secretary of State Shemia Fagan published an audit Wednesday that calls for the state’s technology division to improve its governance of cybersecurity across the state government.
State Chief Information Officer Terrence Woods said he agreed with the intent of Fagan’s recommendations, but that his office is sometimes challenged by a “unique” arrangement in which cybersecurity is centralized under his office, while overall IT operations remain decentralized.
The audit made 10 recommendations, among them calls for the state’s Enterprise Information Services division to update outdated definitions and clarify the roles of various cybersecurity officials. Another recommendation asks for a “more detailed” IT security strategic plan with “measurable goals” for the state’s enterprise security program. But the audit also recognized progress the technology office has made since the state passed a 2016 law requiring cybersecurity to be centralized.
“EIS has developed a formal governance framework for new IT investments, and enterprise-level governance committees generally approve statewide IT documents that provide direction to agencies,” the report reads. “However, cybersecurity risk governance should be established to define enterprise-level risk appetite.”
Woods told StateScoop his division’s dealings with Fagan’s office were “really good,” and that the three “partial agreements” with recommendations, and the one disagreement, were chiefly semantic disputes. But Woods, who was appointed CIO in 2018, said that while he supports the 2016 decision to centralize cybersecurity, the overall lack of centralization is sometimes challenging.
“That creates maturity challenges where things are a little more complex,” Woods said. “It doesn’t mean that agency directors and others aren’t committed to cybersecurity, it just takes us a lot more partnerships and a lot more planning when it comes to doing some of these things.”
In EIS’ formal response to Fagan’s recommendation that it develop processes to evaluate and report on agency compliance with cybersecurity rules and standards, the IT division points out that the state’s IT is “highly decentralized.”
“As such, enforcement/compliance may or may not be supported by statute,” EIS wrote in its only “disagree” response to a recommendation. “Compliance through partnerships in a ‘coalition of the willing’ environment can be very effective, but typically has to be confirmed by internal or external audit. Motivation to be compliant may be minimal and/or difficult and repercussions for missing the mark nearly non-existent.”
But Woods said that some newer technologies — perhaps a reference to the rise of cloud computing — are pushing many organizations toward centralized services.
“It means we have to really, really keep pushing on governance, particularly when we have enterprise efforts,” Woods said. “I can’t emphasize governance enough. I think the state of Oregon with governance does a pretty good job overall. It’s just we’ve got to continue to mature like everyone else. We’ve just got to keep pushing.”