Guidance for State Agencies

Enterprise Information Services (EIS) has responsibility for statewide information and cybersecurity standards, and policies on information security, under the authority of Oregon Revised Statute 276A.300. As part of EIS, Cyber Security Services (CSS) is responsible for creation and maintenance of the Statewide Information and Cyber Security Standards.

CSS sets the statewide direction for cybersecurity and follows guidance from National Institute of Standards and Technology (NIST) and the Center for Internet Security (CIS) as well as other cybersecurity organizations such as the Cloud Security Alliance (CSA) where appropriate.

State and Local Cybersecurity Grant Program (SLCGP)

The goal of SLCGP is to assist state, local and tribal governments with managing and reducing systemic cyber risk through projects such as:

Advanced Endpoint Protection (AEP)
Domain Migration Services (Migration to .gov)
Immutable Data Backup and Recovery Testing
Multifactor Authentication Capability (MFA)
Albert Sensors
Information Security Awareness Training
URL/Web/Content filtering
Vulnerability Management Services & Scanning
Consulting and Planning Services

For more details, please visit the Oregon Department of Emergency Management (OEM) SLCGP page.

Regulation Guidance

2023 Statewide Information Security Program Plan

2023 Statewide Information Technology (IT) Control Standards

Information Security Incident Response Plan (also found on the EIS and CSS home page)

For additional controls and system hardening, see the CIS Benchmarks site.

System Security Plan Template

Other Guidance

Software Security Assessment - For software security assessments and reviewing new applications, CSS recommends the OWASP Application Security Verification Standard (ASVS).

CSS Service Catalog 2022

This service catalog describes the services currently available to agencies through Enterprise Information Services (EIS), Cyber Security Services (CSS). The services are grouped by service category with each individual service summarized separately within that category. Some of these services are provided on an enterprise-wide basis, as noted in their descriptions, and thus do not normally require a specific request from an agency. Many services will be tailored to an individual agency's situation and requirements. In that case, CSS will work with the requesting agency to define specific agency and CSS responsibilities.

CSS assessment schedule for calendar years 2024-2025

Human Risk Management - Awareness & Training

HRM Program documents

HRM-ISAT Program Plan 2022-23

HRM ISAT advisory board charter

Phishing Awareness Program

The Phishing Awareness Program is a service offered to state of Oregon government agencies for the purpose of reducing human risk. All documents provided are as a courtesy to the agency and should be edited in whatever way is appropriate for their staff. All internal communication, data analysis and troubleshooting are the responsibility of the agency.
The Security Culture Survey is used to gauge the effectiveness of the program. All staff participating in the Phishing Awareness Program will receive the survey annually.

Phishing Awareness Program Expectations

Phishing Awareness Program kick off presentation

Phishing Awareness Program Implementation Checklist

Phishing Awareness Program One Pager

Phishing Awareness Program Talking Points & FAQ

Email template - CIO to Managers

Email template - Director letter to staff

Phishing Awareness Program Manager/direct supervisor resources

How to spot a phish.pdf

Phishing Awareness Program Presentation for staff

Phishing Awareness Program Learner and Team dashboard overview

Hybrid Phish Alert Button (PAB)

Information Security Annual Training Information

ORS 276A.323 requires annual information security awareness training for all employees, board and commission members, temporary employees, contractors, and volunteers and applies to all Executive Branch agencies as defined in ORS 174.112. Please refer to the FAQ for questions regarding the training:
EIS/CSS does not exempt anyone from the statutory requirement as Agencies, Boards, & Commission staff, contractors, and volunteers that meet the statutory requirement language noted above are required to take the EIS Information Security Training. We are aware that some individuals don't have access to Workday to complete the required training, so we provide an alternative format (see instructions below).

There are three (3) options you may choose.

If the individuals have access to Workday, please have them complete the 30 min Security Training in Workday.
If they don't have access to Workday, provide the alternative format. The instructions are located below.
As an agency, you may decide internally that you are going to exempt certain individuals from the requirement.

You will need to document why you made that decision for your auditing purposes. EIS/CSS does not exempt anyone from the statutory requirement.
It is our understanding that if they have Workday access, they would continue to receive the notices to complete the training from Workday and they would be entered as an incomplete.

This statutory requirement is limited to Executive Branch agencies as defined in ORS 174.112 but is not limited to those with state system access. It includes all information assets; written, verbal, and electronic information related to the state of Oregon.

If you need to deliver the DAS EIS Information Security Training: Foundations course outside of Workday Learning please follow the instructions below.

Instructions - Alternative Format and Recording - DAS EIS InfoSec Training Foundations course.pdf

General Guidance

Oregon Consumer Information Protection Act defined under sections 646A.600-628
MS-ISAC Center for Internet Security Advisories
SANS Internet Storm Center
Cybersecurity & Infrastructure Security Agency, CISA

Guidance for State Agencies