An audit of the Oregon State Police’s cybersecurity practices published this week found that the agency is not following basic policies widely promoted by government agencies nationwide, including active management of its hardware and software inventory and user authorization.
The report, which was delivered by the office of Secretary of State Bev Clarno, also found that Oregon’s Enterprise Information Services, the statewide IT agency, has fallen short in its duties to assist the state police with information security protocols.
Specifically, Clarno’s auditors reported that OSP has barely implemented the top cybersecurity controls recommended by the Center for Internet Security, a nonprofit organization whose guidelines are widely considered a gold standard for enterprise IT security. CIS’s full set of controls includes 20 items, but the audit only reviewed OSP for its compliance with the first six, and the agency showed no better than partial implementation of any of them.
The audit stated that OSP is not keeping an active inventory of both authorized and unauthorized hardware that connects to its network. The inventory tool it currently uses does not integrate with a majority of devices, forcing OSP to use a “manual process” to track incompatible hardware. The audit also found that the hardware inventory is only updated once a year. Although OSP told auditors it is replacing its inventory tool, its tracking of IT assets “remains incomplete, out-of-date, and inaccurate until the agency fully implements the replacement.”
Clarno’s office found similar results when reviewing OSP’s software inventory, finding that the agency does not adequately vet programs it installs on its computers.
“Among other weaknesses, we noted that OSP lacked policies and procedures, had an incomplete list of approved software, and had not implemented whitelisting to ensure only authorized software can be installed on agency systems,” the audit stated.
More shortcomings came with respect to CIS controls concerning vulnerability assessments, administrative privileges, secure configurations of computers and mobile devices, and maintenance of audit logs. The audit found that while OSP works with EIS’s cybersecurity division to conduct monthly vulnerability scans, patching and remediation are done on an ad hoc basis. It also reported that state police frequently let their software licenses lapse, resulting in outdated systems that do not receive the latest security updates.
In a press release, Clarno said that OSP’s failure to follow the CIS controls jeopardizes Oregon’s criminal-justice data. Her office also noted that because OSP is required to adhere to cybersecurity standards set by the FBI’s Criminal Justice Information Services division, it is responsible for ensuring that other agencies with access to that data follow those guidelines.
“As such, they should set an example for other agencies to follow when it comes to implementing basic security controls,” Clarno’s office said.
While the bulk of the audit focused on the CIS controls, it also found that EIS is not fully supporting the Oregon State Police on its cybersecurity tasks. Under an IT consolidation process that started in 2017, Oregon agencies’ information security officers were reassigned to an EIS unit called Cyber Security Services. But the consolidation plan also called for EIS to assign major agencies — including OSP — a “business information security officer” tasked with leading the duties normally carried out by a CISO. At the time the audit was conducted, EIS had not assigned anyone to the Oregon State Police. EIS and Oregon Chief Information Officer Terrence Woods did not respond to requests for comment about this section of the audit.
The audit recommended that the Oregon State Police finish implementing the six CIS controls it was reviewed for, as well as develop a security management and compliance program that includes continuous risk assessment.
Oregon State Police Superintendent Travis Hampton wrote in response to the audit that the agency expects to finish implementing the CIS controls by June 2022, though some could be completed as soon as October. He said OSP is hiring a new agency chief information officer, a position that has bounced between three full-time and three interim CIOs since 2014. Hampton said he also plans to request funding to hire two IT risk assessment personnel, though implementation of the CIS controls, he wrote, is not contingent on those positions being added.
“OSP is devoted to not only fixing the issues identified but expanding to long-term planning and action going forward,” Hampton wrote.