Audit: Oregon Dept. of Education has more to do on cybersecurity
SALEM, Ore. (KTVZ) -- Although critical cybersecurity protections are in place at the Oregon Department of Education, the agency needs to fully implement and mature its defenses to address security risks, according to an audit released Wednesday by Secretary of State Bev Clarno.
“Protecting the privacy of student records and ensuring the security of data the department collects, shares, and stores is of high importance,” said Secretary of State Bev Clarno. “Strong and fully implemented security defenses are the only way to ensure this protection.”
Auditors concluded the agency has implemented, or partially implemented, the majority of the cybersecurity controls reviewed during this audit. These include tools for managing hardware and software inventories, tools for identifying and remediating security weaknesses, and agency-wide security awareness training.
However, the audit also identified specific areas where ODE could improve security controls. In particular, the agency does not have a formal security management and compliance program that establishes a framework for assessing risk, developing and implementing effective security procedures, and monitoring the effectiveness of those procedures. In addition, although ODE performs many critical security tasks, significant work remains to fully implement and mature all six basic cybersecurity controls.
Read the full audit on the Secretary of State website.