The Office of the State Chief Information Officer (OSCIO for short) sets government cybersecurity standards on the federal level. Likewise, the guidelines for Oregon’s state-level government cybersecurity are mandated at the state level. For the sake of cybersecurity, it is important for every business to make sure it is in compliance with these guidelines.
While these compliance standards are specific to Oregon, they were crafted with input from federal-level agencies. Such government agencies include the National Institute of Standards and Technology (NIST) and the Center for Internet Security (CIS). Federal statutes concerning cybersecurity are also directly used as reference when maintaining these standards.
Access Control – How many accounts have access to information systems, and how are they managed? Are failed login attempts logged or otherwise recorded? Does anyone have permission to access the information systems from outside agency-owned devices? Is the idea of “least privilege” being applied (nobody having more access than they absolutely require to do their jobs)?
Issues presented by wireless vs wired connections or access from mobile devices can be avoided. We will be able to determine your inherent risk factors during an initial audit.
Awareness & Training – Are individuals with access trained to recognize social engineering scams (otherwise known as phishing)? Is there a team trained to recognize when someone within the network of information systems presents a threat? It is important that teams have the appropriate training to recognize cybersecurity threats. These can then be mitigated at the initial level of contact, at the very minimum.
Audit and Accountability – How often are internal audits performed on information systems? How are those with access held accountable for specific incidents? Are audits part of an automated system that can be time stamped and archived for review?
Regular audits will provide a continually up-to-date map of inherent security risks. This is true even after initial efforts to become OSCIO compliant have been achieved.
Security Assessment & Authorization – How often are existing security controls assessed or audited? Are there tests in place to simulate external threats of penetration? Do these assessments evaluate the connections between information systems under a single agency? How are these assessments used to recommend changes/upgrades to security controls?
Configuration Management – How are software/firmware updates managed within the agency? Are backups of specific systems kept in secure places or under secure protocols? How does each device with access affect the risk factors of the network? Are devices configured with no more access than is needed for the job?
Contingency Planning – Are multiple departments in communication, in case essential business functions are compromised and must be relocated in order to maintain productivity?
Are there other facilities that can handle essential functions in the event of an emergency, should one or more facilities be severely compromised and unable to complete the task? Are there other facilities to move sensitive information and backups to, if compromised? How is system recovery handled to restore normal functions to the normal facilities?
Identification & Authorization – How are authorized access connections identified? Is two-factor authentication established for connections? How often are passwords changed? Are there security questions as well as passwords when establishing access?
Maintenance – How are system tools and authorized media maintained? What protocol is in place when a workstation begins to malfunction? Is there a specific team on-site to deal with IT issues, or is it outsourced to an established IT service? How quickly are IT issues addressed?
Media Protection – What kind of media is allowed to be viewed/consumed on agency devices? How is media authenticated or otherwise searched for potentially harmful software or attachments?
Physical & Environmental Protection – Outside network security, how is the physical facility protected? Are there security cameras or motion sensors? Are entryways armed with alarms?
Is the fire suppression system up-to-date and functioning as it should? How would the activation of said fire suppression affect the equipment? Are there systems in place to move equipment to a new location in the event of physical compromise?
Planning – What does the agency Code of Conduct do to encourage security of information and informational systems? What rules are all employees expected to follow?
Program Management – When a plan is made to improve security and mitigate risks, how is it enforced or applied? Who is in charge of heading the effort and holding engaged employees responsible for meeting timelines?
Personnel Security – Who is responsible for creating access for new hires, or disabling access for those who are terminated? Is a third-party agency responsible for personnel security, both digitally and in the physical space? What kind of agreements do employees sign in terms of cybersecurity?
Risk Assessment – How many facets of normal operations are subject to risk audits? How are your vendors assessed and vetted? How often are vulnerability scans performed and on what machines are they performed?
System & Services Acquisition – When new machines are procured or new services initiated, how are they logged in an agency’s inventory? Is there a standard set of software pieces and updates that apply to all devices with access?
System & Communications Protection – How is communication between systems protected from compromise? How are an agency’s systems protected from external penetration?
System & Information Integrity – How are communications between systems monitored, and how is the sensitive information within them kept confidential from outside influence? How are wireless intrusions on the network identified and mitigated?
How are flaws in confidential data resolved and confirmed? What protections are in place against malicious code (malware)? What protections are in place against spam?
A great deal of careful consideration has gone into the OSCIO guidelines for Oregon cybersecurity. Not every Oregon business is equipped or prepared to meet these information technology guidelines. This is why Velox Systems is here to help. Our experienced team provides both business IT consulting and IT support. We ensure your day-to-day operations run smoothly and your organization is secure.
Contact our team today if you are ready to elevate your cybersecurity.