2023 Oregon Cybersecurity Plan
Standards and Technology (NIST), the Center for Internet Security (CIS) Critical Security Controls (CSC)
for Effective Cyber Defense, etc., that contain prioritized sets of best practices to help defend against
the most pervasive and dangerous cyber threats.
• Implement policies and standards to securely protect organizational information and information
systems while maintaining compliance with applicable statutory and regulatory requirements
pertaining to confidentiality, integrity, availability, privacy, and safety.
• Implement administrative, technical, and physical controls necessary to safeguard information assets
in all their forms from threats to their confidentiality, integrity, or availability, whether internal or
external, deliberate, or accidental.
• Establish procedures and implement tools and technologies to identify and maintain an accurate
inventory of all organizationally owned, leased, licensed, or managed information assets.
• Establish processes to categorize assets and information according to their sensitivity and criticality
and require that protection mechanisms be implemented commensurate with the impact should there
be a loss of confidentiality, integrity, or availability of the asset or information.
Strategic Goal 2: Risk Management
Objective 2.1: Develop and implement a cybersecurity risk management program.
Action Items:
• Build the necessary structures and processes to identify, assess, and mitigate cyber risks within and
across Oregon state and local government organizations.
• Implement continuous risk management processes and tools that account for the identification,
assessment, and treatment of risks that can adversely impact state and local government operations,
information, or information systems.
• Develop and grow the capability to conduct cybersecurity surveys and assessments of systems
connected to or sharing data with Oregon public-sector cybersecurity programs and systems.
• Develop statewide and individual organization capabilities to continually test state and local
government networks, systems, and applications to identify vulnerabilities, gaps in cyber defenses, and
configuration weaknesses.
Objective 2.2: Measure, assess and mitigate cyber risk and threats which may degrade or impact
information systems within Oregon.
Action Items:
• Establish uniformity of cybersecurity framework, controls, technologies, and procedures across state
government, and give guidance to other public entities so they may follow suit.
• Increase coordination and collaboration between federal, state, and local government for
cybersecurity incident handling, including emergency management entities and critical infrastructure.
• Routinely test state networks, systems, applications, and other connected systems to identify
vulnerabilities, gaps, and threats.
• Identify, assess, and mitigate, to the greatest degree possible, cybersecurity risks and cybersecurity
threats relating to critical infrastructure and key resources, the degradation of which may impact the
performance of information systems.