SALEM, Ore. (KTVZ) — The Oregon Department of Corrections has yet to fully implement some critical cybersecurity safeguards, according to an audit report released Wednesday by Secretary of State Shemia Fagan.
This is the eighth in a series of cybersecurity audits conducted by the Secretary of State’s Office. These audits evaluate IT security risks and provide a high-level view of an agency’s current state. As criteria, auditors use the Center for Internet Security’s CIS Controls (TM), a prioritized list of defensive actions providing a framework for enterprises to improve cyber defense.
Cyberattacks are a growing concern for both the private and public sectors, with some breaches occurring at Oregon state agencies. The threat of these attacks puts the data DOC collects and stores on adults in custody at risk. Moreover, if the state IT network is compromised, operations in other state agencies could be adversely impacted. To protect against these threats, IT management professionals should apply robust cybersecurity controls.
“The security of Oregon’s information resources should be a top priority of all state agencies,” said Fagan. “My mission as Secretary of State is to build trust between Oregonians and their state government. Agencies and service providers must work together to address the findings outlined in our cybersecurity reports because a lapse in security can quickly erode the public’s trust.”
Auditors found DOC has only partially implemented the 17 CIS controls reviewed for this audit. This is consistent with prior cybersecurity audits that have found state agencies have significant gaps in cybersecurity prevention, detection, and response capabilities.
For example, agencies consistently have gaps, to varying extents, in inventory practices. Without strong inventory controls, agencies are unable to ensure that all technology assets are protected, securely configured, and monitored. DOC management agreed with all recommendations in the audit.
Based on the sensitive nature of these types of audit findings, each report is accompanied by a confidential appendix that is issued separately to the agency and to Enterprise Information Services.
Read the full public report and other recent audits on the Secretary of State website.