Skip to main content

Oregon State Flag An official website of the State of Oregon »

Guidance for State Agencies

Guidance for State Agencies

Enterprise Information Services (EIS) has responsibility for statewide information and cybersecurity standards, and policies on information security, under the authority of Oregon Revised Statute 276A.300. As part of EIS, Cyber Security Services (CSS) is responsible for creation and maintenance of the Statewide Information and Cyber Security Standards.

CSS sets the statewide direction for cybersecurity and follows guidance from National Institute of Standards and Technology (NIST) and the Center for Internet Security (CIS) as well as other cybersecurity organizations such as the Cloud Security Alliance (CSA) where appropriate.


State and Local Cybersecurity Grant Program (SLCGP)

The goal of SLCGP is to assist state, local and tribal governments with managing and reducing systemic cyber risk through projects such as:
  • Advanced Endpoint Protection (AEP)
  • Domain Migration Services (Migration to .gov)
  • Immutable Data Backup and Recovery Testing
  • Multifactor Authentication Capability (MFA)
  • Albert Sensors
  • Information Security Awareness Training
  • URL/Web/Content filtering
  • Vulnerability Management Services & Scanning
  • Consulting and Planning Services

For more details, please visit the Oregon Department of Emergency Management (OEM) SLCGP page.

Regulation Guidance

2023 Statewide Information Security Program Plan

2023 Statewide Information Technology (IT) Control Standards

Information Security Incident Response Plan (also found on the EIS and CSS home page)

For additional controls and system hardening, see the CIS Benchmarks site.

Other Guidance

CSS System Security Plan Template and associated spreadsheet


CSS Service Catalog 2022

This service catalog describes the services currently available to agencies through Enterprise Information Services (EIS), Cyber Security Services (CSS). The services are grouped by service category with each individual service summarized separately within that category. Some of these services are provided on an enterprise-wide basis, as noted in their descriptions, and thus do not normally require a specific request from an agency. Many services will be tailored to an individual agency's situation and requirements. In that case, CSS will work with the requesting agency to define specific agency and CSS responsibilities.

CSS assessment schedule for calendar years 2024-2025

Human Risk Management - Awareness & Training

HRM Program documents

HRM-ISAT Program Plan 2022-23

HRM ISAT advisory board charter

Phishing Awareness Program

The Phishing Awareness Program is a service offered to state of Oregon government agencies for the purpose of reducing human risk. All documents provided are as a courtesy to the agency and should be edited in whatever way is appropriate for their staff. All internal communication, data analysis and troubleshooting are the responsibility of the agency.
The Security Culture Survey is used to gauge the effectiveness of the program. All staff participating in the Phishing Awareness Program will receive the survey annually.

Information Security Annual Training Information

ORS 276A.323 requires annual information security awareness training for all employees, board and commission members, temporary employees, contractors, and volunteers and applies to all Executive Branch agencies as defined in ORS 174.112. Please refer to the FAQ for questions regarding the training:
EIS/CSS does not exempt anyone from the statutory requirement as Agencies, Boards, & Commission staff, contractors, and volunteers that meet the statutory requirement language noted above are required to take the EIS Information Security Training. We are aware that some individuals don't have access to Workday to complete the required training, so we provide an alternative format (see instructions below).

There are three (3) options you may choose.

  1. If the individuals have access to Workday, please have them complete the 30 min Security Training in Workday.
  2. If they don't have access to Workday, provide the alternative format. The instructions are located below.
  3. As an agency, you may decide internally that you are going to exempt certain individuals from the requirement.
    • You will need to document why you made that decision for your auditing purposes. EIS/CSS does not exempt anyone from the statutory requirement.
    • It is our understanding that if they have Workday access, they would continue to receive the notices to complete the training from Workday and they would be entered as an incomplete.

This statutory requirement is limited to Executive Branch agencies as defined in ORS 174.112 but is not limited to those with state system access. It includes all information assets; written, verbal, and electronic information related to the state of Oregon.

If you need to deliver the DAS EIS Information Security Training: Foundations course outside of Workday Learning please follow the instructions below.

General Guidance