By Hillary Borrud
SALEM — Cybersecurity weaknesses at state agencies are putting Oregonians’ sensitive data at risk, according to a new audit released on Wednesday.
Adding to the problem, auditors found that state information technology officials were unprepared to shoulder responsibility for fixing the agencies’ issues, something Gov. Kate Brown directed them to do in September.
“The Office of the State Chief Information Officer is responsible for ensuring agencies carry out these critical functions, but has not yet provided sufficient standards and oversight to help agencies achieve appropriate information technology security,” auditors wrote.
Intruders hacked into several state agencies’ computer systems in recent years, with security breaches at the Secretary of State’s Office and Employment Department in 2014 and the state data center in 2015. Federal law requires the state to keep certain types of sensitive information secure, Secretary of State Jeanne Atkins said in a statement on Wednesday.
“State computer systems store and process many types of sensitive information, including restricted tax, court and medical records that require a high level of protection to comply with federal law,” Atkins said. The Audits Division is housed at the Secretary of State’s office.
Auditors reviewed security at 13 state agencies, a cross section of state government where the information stored ranged from public records to “highly sensitive tax, court, and medical records that require a higher level of protection to comply with federal law.”
The review turned up security weaknesses in “fundamental security controls” at more than half the agencies. Among the agencies involved in the review were the Department of Revenue, which processes tax returns, the Oregon Health Authority, Department of Education, Oregon State Police and Department of Justice. Auditors did not identify which agencies had specific problems.
“Overall, planning efforts were often perfunctory, security staffing was generally insufficient, and critical security functions were not always performed,” auditors wrote.
The unit headed up by the state’s chief information officer, Alex Pettit, hasn’t taken the steps necessary to make sure the agencies are meeting federal cybersecurity requirements, auditors wrote.
At the same time auditors were documenting the agencies’ security shortfalls, Brown signed an executive order in September transferring responsibility for technology security to Pettit’s Office of the State Chief Information Officer. However, auditors wrote that the order itself did not guarantee any improvements and in fact Pettit’s staff had yet to come up with a plan to implement the governor’s order.
In response, Pettit wrote that his office is still working on a security risk assessment and improvement plan that will wrap up in mid‑2017. “Not all gaps identified in this audit report are of equivalent risk level,” Pettit wrote. “With limited resources available, a balance must constantly be struck to address the highest risks while mitigating and/or accepting some smaller risks.”
Oregon’s government has struggled for more than a decade with cybersecurity failures. State auditors have repeatedly documented security shortfalls in the decade since Oregon consolidated many agencies’ computer systems at the state data center in 2006. Despite the warnings, auditors found many of the problems continued to fester. Brown and lawmakers took steps in 2015 to begin improving cybersecurity at the data center.