Audit: Oregon State Police lack basic cybersecurity safeguards
Agency says it is 'devoted to fixing issues'; August 2022 target
SALEM, Ore. (KTVZ) — The Oregon State Police agency lacks basic cybersecurity safeguards, according to an audit report released Wednesday by Secretary of State Bev Clarno.
“The security of Oregon’s criminal justice data is a serious issue,” Clarno said. “OSP should take immediate action to address the findings outlined in this report.”
While some controls are partially implemented, auditors found OSP lacks basic, foundational IT controls for all six Center for Internet Security (CIS) controls reviewed as part of this assessment. This is largely due to a lack of prioritization for implementing these controls, as well as a perception by management that such controls are unnecessary, they said.
Additionally, auditors concluded that OSP does not have a proper security management program that identifies necessary security protocols.
OSP is required by the Federal Bureau of Investigation to follow Criminal Justice Information Systems (CJIS) IT security standards and is also responsible for making sure state and local agencies with access to CJIS data are following those security standards. As such, they should set an example for other agencies to follow when it comes to implementing basic security controls, Clarno noted
OSP management agreed with all the recommendations and intends to request two additional IT staff to assist with implementation. The agency plans to have all recommendations fully implemented by August 2022.
Read the full audit on the Secretary of State website.
Statement from Oregon State Police:
"The Oregon State Police would like to thank the Secretary of State's Audits Division for all their effort, professionalism, and expertise they provided during this Cybersecurity Audit. OSP is devoted to not only fixing the issues identified but expanding to long -term planning and action going forward. This audit will serve as a baseline for future audits to track the future of OSP's security management and compliance program."