Auditor, State’s Chief Information Officer Disagree Over Agency Cybersecurity Precautions

The CIO notes the consequences for agencies’ technical shortcomings are “nearly nonexistent.”

Oregon Secretary of State Shemia Fagan this week released an audit of state government’s efforts to protect Oregonians’ personal information and to make state agency systems as robust and impervious to cyberattack as possible.

“As cyberattacks increase, it is critical the state of Oregon’s cybersecurity strategy include comprehensive guidance and fully defined expectations for agencies to protect their critical data from threats,” Fagan said in a statement. “The state of Oregon cannot effectively deliver public services without sufficient IT governance and cybersecurity controls.”

After data breaches, lawmakers have passed bills aimed at streamlining IT functions, have centralized responsibility for cybersecurity with the state’s chief information officer Terrence Woods, and have established a direct reporting line to the governor.

In their evaluation of state systems, auditors found a variety of places the state could improve its practices and procedures. One area they highlighted: agencies’ compliance with state guidelines aimed at making state computer systems more resilient. Agencies aren’t regularly communicating their compliance with best practices to the CIO’s office, and the CIO isn’t meeting the requirement to report on how agencies are doing on cybersecurity to the governor and the Legislature.

“Without ensuring compliance with rules, policies, and standards, the state does not have assurance that the important safeguards defined in those documents are being implemented as required at agencies,” auditors wrote. “If safeguards are not applied uniformly, the state is at a higher risk that a vulnerability at one agency could negatively affect other agencies.”

Although Woods and his team mostly agreed with the 10 suggestions auditors made for improvement, they rejected the suggestion that said Woods’ office should “develop processes to evaluate and report as to whether agencies are complying with key rules, policies, and standards.”

Woods’ response to that recommendation: He marked the box “disagree.”

That’s a little unusual in an audit, especially given the sensitivity of cybersecurity and agencies’ history of struggles to keep data secure.

Woods provided an explanation in the audit.

“There needs to be clear understanding of what ‘key’ refers to in this recommendation,” he wrote. “The state of Oregon executive branch operates through a highly decentralized organization model. Information technology is no exception. As such, enforcement/compliance may or may not be supported by statute. Compliance through partnerships in a ‘coalition of the willing’ environment can be very effective, but typically has to be confirmed by internal or external audit. Motivation to be compliant may be minimal and/or difficult and repercussions for missing the mark nearly nonexistent.”

In a follow-up interview, Woods said that he strongly supported the direction of the audit, which is to increase the security of state systems. He added, however, that the vagueness of exactly what “key rules, policies, and standards” are caused him to disagree. The difference is one of semantics rather than substance, he said.

“With our model being highly decentralized, we have to be very intentional about which ‘key policies’ we need folks to comply with,” Woods said. “I really want to understand which policies they are talking about. If I agreed to it, when it comes time for a follow-up audit, we won’t know what the benchmarks are.”