Oregon developing statewide cyber incident plan
Oregon is in the early-stages of developing a statewide plan for cyber incident response, Theresa Masse, the state’s chief information security officer, told StateScoop.
Masse said the state wants to work with its critical infrastructure partners to create a plan for cyber incidents similar to physical disasters like floods and earthquakes to provide a two-way flow of information during emergencies and incidents.
“We want to get on the same page with our critical infrastructure partners to look at how we can stop a cyber attack from spreading,” Masse said. “We want to understand what they have planned, how we would respond, and build a closer partnership.”
Masse said Oregon created an annex plan for cyber as part of the state’s emergency management plan and now intends to expand it over the next year to be more comprehensive and include critical infrastructure partners and agencies within the state.
The state would work with the critical infrastructure partners through its agencies, something Masse said the agencies have shown a lot of enthusiasm for.
In addition to the cyber plan, Masse said she will be focused at the enterprise level on the mobile space as a number of agencies within the state already have implemented “Bring Your Own Device.”
Masse wants to have statewide standards for devices and applications to protect confidential information as other agencies within the state explore BYOD.
As for larger trends across state information security officers, Masse, who serves on the executive committee of the Multi-State Information Sharing & Analysis Center, an organization comprised of state CISOs, said mobility is at the top of the list when it comes to information security.
“Another big issue is transparency,” Masse said. “A major initiative across states and the federal government is looking to find ways to make information available, not only for people to see what the government is doing, but creating ways for them to interact with it.”
However, sharing information, particularly confidential information, has significant security implications.
Masse said Oregon is undertaking a 10-year plan to redesign the way state government builds its budget and makes investment decisions. The new design is outcome-based that helps to maximize public resources, and aids decision makers in prioritizing public investments to align with the services citizens need.
Masse said a big part of that will be looking at streamlining services and she expects the role of security to play a significant part.
“It’s all about becoming more efficient,” said Masse, who has served as Oregon’s CISO since 2004 where she provides enterprise leadership and strategic direction focused on reducing risk and protecting the state’s information assets.