The Oregon State Police (OSP) agency lacks basic cybersecurity safeguards, according to an audit report released today by Secretary of State Bev Clarno.
“The security of Oregon’s criminal justice data is a serious issue,” said Secretary of State Bev Clarno. “OSP should take immediate action to address the findings outlined in this report.”
While some controls are partially implemented, auditors found OSP lacks basic, foundational IT controls for all six Center for Internet Security (CIS) controls reviewed as part of this assessment. This is largely due to a lack of prioritization for implementing these controls, as well as a perception by management that such controls are unnecessary. Additionally, auditors concluded that OSP does not have a proper security management program that identifies necessary security protocols.
OSP is required by the Federal Bureau of Investigation to follow Criminal Justice Information Systems (CJIS) IT security standards and is also responsible for making sure state and local agencies with access to CJIS data are following those security standards. As such, they should set an example for other agencies to follow when it comes to implementing basic security controls.
OSP management agreed with all the recommendations and intends to request two additional IT staff to assist with implementation. The agency plans to have all recommendations fully implemented by August 2022.