ORS 276A.300
Information systems security in executive department

  • rules

(1)

As used in this section:

(a)

“Executive department” has the meaning given that term in ORS 174.112 (“Executive department” defined).

(b)

“Information systems” means computers, hardware, software, storage media, networks, operational procedures and processes used in collecting, processing, storing, sharing or distributing information within, or with any access beyond ordinary public access to, the state’s shared computing and network infrastructure.

(2)

The State Chief Information Officer has responsibility for and authority over information systems security in the executive department, including responsibility for taking all measures that are reasonably necessary to protect the availability, integrity or confidentiality of information systems or the information stored in information systems. The State Chief Information Officer shall, after consultation and collaborative development with agencies, establish a state information systems security plan and associated standards, policies and procedures. The plan must align with and support the Enterprise Information Resources Management Strategy described in ORS 276A.203 (State Chief Information Officer).

(3)

The State Chief Information Officer may coordinate with the Oregon Department of Administrative Services to:

(a)

Review and verify the security of information systems operated by or on behalf of state agencies;

(b)

Monitor state network traffic to identify and react to security threats; and

(c)

Conduct vulnerability assessments of state agency information systems for the purpose of evaluating and responding to the susceptibility of information systems to attack, disruption or any other event that threatens the availability, integrity or confidentiality of information systems or the information stored in information systems.

(4)

The State Chief Information Officer shall contract with qualified, independent consultants for the purpose of conducting vulnerability assessments under subsection (3) of this section.

(5)

In collaboration with appropriate agencies, the State Chief Information Officer shall develop and implement policies for responding to events that damage or threaten the availability, integrity or confidentiality of information systems or the information stored in information systems, whether those systems are within, interoperable with or outside the state’s shared computing and network infrastructure. In the policies, the State Chief Information Officer shall prescribe actions reasonably necessary to:

(a)

Promptly assemble and deploy in a coordinated manner the expertise, tools and methodologies required to prevent or mitigate the damage caused or threatened by an event;

(b)

Promptly alert other persons of the event and of the actions reasonably necessary to prevent or mitigate the damage caused or threatened by the event;

(c)

Implement forensic techniques and controls developed under subsection (6) of this section;

(d)

Evaluate the event for the purpose of possible improvements to the security of information systems; and

(e)

Communicate and share information with appropriate agencies, using preexisting incident response capabilities.

(6)

After consultation and collaborative development with appropriate agencies and the Oregon Department of Administrative Services, the State Chief Information Officer shall implement forensic techniques and controls for the security of information systems, whether those systems are within, interoperable with or outside the state’s shared computing and network infrastructure. The techniques and controls must include using specialized expertise, tools and methodologies to investigate events that damage or threaten the availability, integrity or confidentiality of information systems or the information stored in information systems. The State Chief Information Officer shall consult with the Oregon State Police, the Oregon Department of Emergency Management, the Governor and others as necessary in developing forensic techniques and controls under this section.

(7)

The State Chief Information Officer shall ensure that reasonably appropriate remedial actions are undertaken when the State Chief Information Officer finds that such actions are reasonably necessary by reason of vulnerability assessments of information systems under subsection (3) of this section, evaluation of events under subsection (5) of this section and other evaluations and audits.

(8)

Intentionally left blank —Ed.

(a)

State agencies are responsible for securing computers, hardware, software, storage media, networks, operational procedures and processes used in collecting, processing, storing, sharing or distributing information outside the state’s shared computing and network infrastructure, following information security standards, policies and procedures established by the State Chief Information Officer and developed collaboratively with the agencies. Agencies may establish plans, standards and measures that are more stringent than the standards established by the State Chief Information Officer to address specific agency needs if the plans, standards and measures do not contradict or contravene the state information systems security plan. Independent agency security plans must be developed within the framework of the state information systems security plan.

(b)

A state agency shall report the results of any vulnerability assessment, evaluation or audit conducted by the agency to the State Chief Information Officer for the purposes of consolidating statewide security reporting and, when appropriate, to prompt a state incident response.

(9)

This section does not apply to:

(a)

Research and student computer systems used by or in conjunction with any public university listed in ORS 352.002 (Public universities); and

(b)

Intentionally left blank —Ed.

(A)

Gaming systems and networks operated by the Oregon State Lottery or contractors of the State Lottery; or

(B)

The results of Oregon State Lottery reviews, evaluations and vulnerability assessments of computer systems outside the state’s shared computing and network infrastructure.

(10)

The State Chief Information Officer shall adopt rules to implement the provisions of this section. [Formerly 182.122; 2021 c.539 §28]

Source: Section 276A.300 — Information systems security in executive department; rules, https://www.­oregonlegislature.­gov/bills_laws/ors/ors276A.­html (accessed May 26, 2025).

276A.200
Legislative findings on information resources 276A.203
State Chief Information Officer 276A.206
Oversight of state information and telecommunications technology by State Chief Information Officer 276A.209
State Information Technology Operating Fund 276A.223
Requirement that state agency or public corporation obtain quality management services when implementing information technology initiative 276A.230
Definitions 276A.233
Information technology portfolio-based management 276A.236
Enterprise information resources management 276A.239
Portfolio-based management of information technology resources for Secretary of State 276A.242
Portfolio-based management of information technology resources for State Treasurer 276A.250
Definitions 276A.253
Oregon transparency website 276A.256
Reports of tax expenditures connected to economic development 276A.259
Transparency Oregon Advisory Commission 276A.262
Transparency Oregon Advisory Commission Fund 276A.270
Definitions 276A.273
Electronic Government Portal Advisory Board 276A.276
Ability to offer government services through portal 276A.300
Information systems security in executive department 276A.303
Information systems security for Secretary of State, State Treasurer and Attorney General 276A.306
Information security incidents and assessments 276A.323
State agency coordination 276A.332
Authority of State Chief Information Officer to enter into agreements 276A.335
Moneys from federal government and other sources 276A.340
Definitions 276A.342
State agencies prohibited from using covered products 276A.344
Policies and standards 276A.346
Secretary of State prohibited from using covered products 276A.348
State Treasurer prohibited from using covered products 276A.350
Definitions 276A.353
Chief Data Officer 276A.356
Open data standard 276A.359
Technical standards manual 276A.362
Release of publishable data on web portal 276A.365
Information management by state agencies 276A.368
Purpose of data 276A.371
Obligations of state agency under public records law 276A.374
Application to Secretary of State and State Treasurer 276A.400
Policy 276A.403
Coordination of telecommunications systems 276A.406
Acquisition of broadband and communications services 276A.409
Use of agency travel and transportation funds for telecommunications services 276A.412
Contracts for telecommunications equipment and services not to exceed 10 years 276A.415
Agreements to fund or acquire telecommunications equipment and services 276A.418
Public contracts for broadband Internet access service 276A.421
Provision of broadband services that compete with services of private telecommunications provider 276A.424
Connecting Oregon Schools Fund 276A.500
Definitions 276A.503
Oregon Geographic Information Council 276A.506
Powers of council 276A.509
Public body duty to share geospatial framework data with council 276A.512
Oregon Geographic Information Council Fund 276A.515
State geographic information officer 276A.550
Definitions 276A.555
Oregon Cybersecurity Center of Excellence 276A.560
Oregon Cybersecurity Advisory Council 276A.565
Oregon Cybersecurity Center of Excellence Operating Fund 276A.570
Oregon Cybersecurity Workforce Development Fund 276A.575
Oregon Cybersecurity Grant Program Fund

Current through early 2026

§ 276A.300. Info. systems security in executive department's source at oregon​.gov