State audit: Dept. of Consumer and Business Services needs to improve cybersecurity

SALEM, Ore. (KTVZ) – Oregon Secretary of State Shemia Fagan on Tuesday released a cybersecurity audit of the Oregon Department of Consumer and Business Services. Auditors found the agency has yet to fully implement some basic cybersecurity safeguards, despite multiple communications about the weaknesses. 

“The security of Oregon’s information resources should be a top priority for all state agencies,” Fagan said. “DCBS should take immediate action to address the findings outlined in this report. I’m glad to see DCBS leadership agrees with all of the recommendations in this audit.” 

The Center for Internet Security has developed a series of prioritized best practices to help protect and safeguard information, known as controls. 

Auditors found DCBS has not yet fully implemented cybersecurity controls for all six basic foundational CIS controls reviewed, although some of the controls are partially implemented. This is largely due to a lack of prioritization for addressing these controls, as most of the weaknesses identified had been previously communicated to DCBS in 2016 and 2018, with limited progress, the auditors said.  

Auditors also concluded while DCBS has established a security management and compliance program, extensive work remains to ensure agency systems and data are protected against unauthorized use, disclosure or modification. DCBS management agreed with all the recommendations in the audit. 

Read the full report on the Secretary of State's website.