Audit finds gaps in Oregon Department of Corrections cybersecurity

PORTLAND, Ore. (KOIN) – The Oregon Department of Corrections could do more to protect against cybersecurity threats, the Oregon Secretary of State’s Office said in an audit report released Wednesday. 

The Secretary of State’s Office said this is the eighth report in a series of cybersecurity audits it’s conducted and that while the DOC has partially implemented 16 of the 17 Center for Internet Security controls, it could not be sure that all controls were fully in place. 

The things the Secretary of State’s Office is concerned about include safeguards in data management, configuration management, vulnerability management and malware defense. The audit also found gaps in training, specifically role-based training, and said this may be the cause for some of the identified deficiencies. 

The cybersecurity audits evaluate IT security risks and provide a high-level view of an agency’s current state. Auditors use the Center for Internet Security’s controls, a prioritized list of defensive actions that give a framework for agencies and businesses to improve their cyber defense, as criteria. 

The Secretary of State’s Office said there have been cybersecurity breaches at Oregon state agencies in the past and the threat of these attacks puts the data the DOC collects on adults in custody at risk. 

If the state IT network is ever compromised, operations in other state agencies could also be impacted. 

“The security of Oregon’s information resources should be a top priority of all state agencies,” said Secretary of State Shemia Fagan. “My mission as Secretary of State is to build trust between Oregonians and their state government. Agencies and service providers must work together to address the findings outlined in our cybersecurity reports because a lapse in security can quickly erode the public’s trust.” 

Fagan’s office said state agencies consistently have gaps in inventory practices. Without strong inventory controls, agencies can’t ensure that all their technology assets are protected and monitored, auditors said. 

DOC management agreed with all the recommendations in the audit. The full audit report is available to read online. However, the report states that based on the sensitive nature of its findings, some details have been excluded from the public.