2021 Oregon Revised Statutes
Chapter 276A - Information Technology
Section 276A.303 - Information systems security for Secretary of State, State Treasurer and Attorney General.


(2) The Secretary of State, the State Treasurer and the Attorney General shall each establish an information systems security plan and associated standards, policies and procedures in collaboration with the State Chief Information Officer as provided in ORS 276A.300.
(3) The plan established under subsection (2) of this section, at a minimum, must:
(a) Be compatible with the state information systems security plan and associated standards, policies and procedures established by the State Chief Information Officer under ORS 276A.300 (2);
(b) Assign responsibility for:
(A) Reviewing, monitoring and verifying the security of the Secretary of State’s, the State Treasurer’s and the Attorney General’s information systems; and
(B) Conducting vulnerability assessments of information systems for the purpose of evaluating and responding to the susceptibility of information systems to attack, disruption or any other event that threatens the availability, integrity or confidentiality of information systems or the information stored in information systems;
(c) Contain policies for responding to events that damage or threaten the availability, integrity or confidentiality of information systems or the information stored in information systems, whether the systems are within, interoperable with or outside the state’s shared computing and network infrastructure;
(d) Prescribe actions reasonably necessary to:
(A) Promptly assemble and deploy in a coordinated manner the expertise, tools and methodologies required to prevent or mitigate the damage caused or threatened by an event;
(B) Promptly alert the State Chief Information Officer and other persons of the event and of the actions reasonably necessary to prevent or mitigate the damage caused or threatened by the event;
(C) Implement forensic techniques and controls developed under paragraph (e) of this subsection;
(D) Evaluate the event for the purpose of possible improvements to the security of information systems; and
(E) Communicate and share information with agencies, using preexisting incident response capabilities; and
(e) Describe and implement forensic techniques and controls for the security of information systems, whether those systems are within, interoperable with or outside the state’s shared computing and network infrastructure, including the use of specialized expertise, tools and methodologies, to investigate events that damage or threaten the availability, integrity or confidentiality of information systems or the information stored in information systems.
(4) The Secretary of State, the State Treasurer and the Attorney General shall participate in the planning process that the State Chief Information Officer conducts under ORS 276A.300 (2).
(5) If the State Chief Information Officer cannot agree with the Secretary of State, the State Treasurer or the Attorney General on a joint information systems security plan and associated operational standards and policies, the State Chief Information Officer, in collaboration with the Oregon Department of Administrative Services, may take steps reasonably necessary to condition, limit or preclude electronic traffic or other vulnerabilities between information systems for which the Secretary of State, State Treasurer or Attorney General has authority under subsection (1) of this section and the information systems for which the State Chief Information Officer has authority under ORS 276A.300 (2). [Formerly 182.124]
