Audit of Department of Revenue Cybersecurity Controls

SALEM, OR — The Oregon Department of Revenue (DOR) should take steps to improve its information security controls, according to an audit released today by the Secretary of State. The findings are outlined in the report entitled: “Oregon Department of Revenue: Cybersecurity Controls Assessment.”

Recognizing cybersecurity as a growing concern for both the private and the public sector, the Secretary of State’s Audits Division has developed a repeatable audit program to evaluate cybersecurity risks and provide a high-level view of the current state of an agency’s cybersecurity environment. The evaluation measures an agency’s level of implementation for the six basic controls defined by the Center for Internet Security, otherwise known as CIS Controls™, as well as a high-level evaluation of the agency’s security management program. According to the Center for Internet Security, these six basic controls should be implemented in every organization for essential cyber defense readiness.

The assessment of DOR’s controls found that the agency should update its security management program and strengthen controls in all six CIS Control areas. Under the state’s newly centralized security model, DOR plans to work with the Office of the State Chief Information Security Officer to strengthen areas such as hardware and software inventory controls, policies for scanning server and workstation configurations, and security and event logging and monitoring.

“Cybersecurity is an important topic in today’s information landscape,” said Secretary of State Dennis Richardson. “All state agencies need to ensure every reasonable action is being taken to protect private information from unauthorized access.”

The report provides assessment results as a series of graphs depicting whether a particular control is not implemented, partially implemented, or fully implemented. DOR has at least partially implemented the controls in most areas assessed.

Specifically, auditors found:

  • DOR has implemented an appropriate security management program, but associated plans and procedures need to be updated to reflect current staffing levels and reorganization of statewide security.

  • DOR lacks specific policies and fully automated controls for inventory management, vulnerability management, control of administrative accounts, configuration change management, and audit logging processes.

The audit recommended improvements in these areas, mainly focused on updating policy statements and improving automation of the controls.

Read the full audit on the Secretary of State website.