OAR 943-014-0315
Security Information Assets


No organization or user shall access an information asset for any purpose other than that specifically authorized by the Authority access control process.


Except as specified or approved by the Authority, no organization or user shall alter, delete, or destroy any information asset.


The organization shall prohibit unauthorized access by their staff, contractors, agents, or others to the network and information systems, or Authority information assets, and shall implement safeguards to prevent unauthorized access in accordance with section (4) of this rule.


The organization shall develop a security risk management plan. The organization shall ensure that the plan includes, but is not limited to the following:


Administrative, technical, and physical safeguards commonly found in the International Standards Organization 27002: 2005 security standard or National Institute of Standards and Technology (NIST) 800 Series;


Standards established in accordance with HIPAA Security Rules, 45 CFR Parts 160 and 164, applicable to an organization or user regarding the security and privacy of a client record, any information asset, or network and information system;


The organization’s privacy and security policies;


Controls and safeguards that address the security of equipment and storage of any information asset accessed to prevent inadvertent destruction, disclosure, or loss;


Controls and safeguards that ensure the security of an information asset, regardless of the media, as identified below:


The user keeps Authority-assigned access control requirements such as identification of authorized users and access control information (passwords and personal identification numbers (PIN’s)), in a secure location until access is terminated;


Upon request of the Authority, the organization makes available all information about the user’s use or application of the access controlled network and information system or information asset; and


The organization or user ensures the proper handling, storage, and disposal of any information asset obtained or reproduced, and, when the authorized use of that information ends, is consistent with any applicable record retention requirements.


Existing security plans developed to address other regulatory requirements, such as Sarbanes-Oxley Act of 2002 (PL 107-204), Title V of Gramm Leach Bliley Act of 1999, Statement on Auditing Standards (SAS) number 70, will be deemed acceptable as long as they address the above requirements.


The Authority may request additional information related to the organization’s security measures.


The organization or user must immediately notify the Authority when access is no longer required, and immediately cease access to or use of all information assets or network and information systems.

Source: Rule 943-014-0315 — Security Information Assets, https://secure.­sos.­state.­or.­us/oard/view.­action?ruleNumber=943-014-0315.

Last Updated

Jun. 8, 2021

Rule 943-014-0315’s source at or​.us