| Enterprise Security Policies |
| Security Strategy |
The goal of information security is to protect the confidentiality, integrity, and availability of information assets. ORS 182.122 (House Bill 3145, 2005 Legislative Session) designates DAS as the "single point of accountability" for information security at the state. In support of this mandate, the Enterprise Security Office (ESO) is instituting a security strategy wherein DAS works collaboratively with state agencies to ensure the state's security posture is at an acceptable level. Information security management enables information to be shared while ensuring protection of that information and its associated technology assets.
| Purpose of Policies |
Information security policies are the foundation of any security program. These policies will guide ESO and state agencies in:
- Conducting business security risk assessments
- Conducting technical vulnerability assessments
- Promoting and maintaining baseline enterprise security rules, policies, guidelines, and procedures
- Establishing a state Incident Response Team
- Instituting an information security awareness capability
- Monitoring for compliance
The State of Oregon enterprise information security policies:
- Represent a baseline minimum necessary level of security that agencies must conform to.
- Set the direction and define requirements for information security-related processes and actions across the state enterprise.
- Are a statement of the minimum requirements to establish and maintain a secure environment, and achieve enterprise security objectives.
- Emphasize the state's commitment to information security.
- Establish clear expectations for staff performance, behavior and accountability.
| Policy Set |
In effect:
Drafts for comment:
Under development:
Policy Review and Approval Process
Enterprise Information Security Policy Review and Approval Process - 01/18/2008 (pdf)
| Policy Implementation Guidance |