ORS § 276A.306

Current through 2024 Regular Session legislation
Section 276A.306 - Information security incidents and assessments; reports
(1) As used in this section:
(a) "Information resources" means data and the means for storing, retrieving, connecting or using data, including but not limited to records, files, databases, documents, software, equipment and facilities that a state agency owns or leases.
(b) "Information security assessment" means:
(A) An organized method to determine a risk to or a vulnerability of a state agency's information system or a third party information service to which a state agency subscribes; and
(B) An independent examination and review of records, logs, policies, activities and practices to:
(i) Assess whether a state agency's information system is vulnerable to an information security incident;
(ii) Ensure compliance with rules, policies, standards and procedures that the State Chief Information Officer or a state agency, under the state agency's independent authority, adopts or otherwise promulgates; and
(iii) Recommend necessary changes to a state agency's rules, policies, standards and procedures to ensure compliance and prevent information security incidents.
(c) "Information security incident" means an incident that creates a risk of harm to a state agency or the state agency's operations and in which:
(A) Access to, or viewing, copying, transmission, theft or usage of, a state agency's sensitive, protected or confidential information occurs without authorization from the state agency;
(B) A failure of compliance with a state agency's security or acceptable use policies or practices occurs that results in access to a state agency's information system or information resources for viewing, copying, transmission, theft or use without the state agency's authorization; or
(C) A state agency's information system or information resources or a third party information service to which a state agency subscribes becomes unavailable in a reliable and timely manner to authorized individuals or organizations, or is modified or deleted under circumstances that the state agency does not intend, plan or initiate.
(d)
(A) "Information system" means a system of computers and related hardware, software, storage media and networks and any other means by which a state agency collects, uses or manages the state agency's information resources.
(B) "Information system" does not include a third party information service to which a state agency subscribes if the third party information service incorporates or uses hardware, software, storage media and networks that the state agency does not own or lease or that the state agency does not have the legal authority to directly monitor or control.
(e) "State agency" means an officer, board, commission, department, agency or institute of state government, as defined in ORS 174.111, except:
(A) Public universities listed in ORS 352.002; and
(B) The Oregon State Lottery and entities with which the Oregon State Lottery has a contract or agreement with respect to the Oregon State Lottery's gaming systems or networks.
(2) A state agency shall promptly notify the Legislative Fiscal Office of an information security incident and describe the actions the state agency has taken or must reasonably take to prevent, mitigate or recover from damage to, unauthorized access to, unauthorized modifications or deletions of or other impairments of the integrity of the state agency's information system or information resources.
(3) Each state agency shall periodically conduct or contract for an information security assessment of the state agency's information system and information resources and shall request results from a third party's information security assessment of an information service that the third party provides and to which the state agency subscribes. Each state agency shall notify the Legislative Fiscal Office of the information security assessment after the state agency receives the results of the information security assessment.
(4)
(a) The State Chief Information Officer, the Secretary of State, the State Treasurer, the Attorney General, the State Court Administrator and the Legislative Administrator shall each submit to, and present in an appropriate hearing or other proceeding before, the Joint Legislative Committee on Information Management and Technology an annual report concerning the security of the information systems and information resources over which the State Chief Information Officer, the Secretary of State, the State Treasurer, the Attorney General, the State Court Administrator or the Legislative Administrator has direct or supervisory control.
(b) The annual report described in paragraph (a) of this subsection may not include information security information or other materials that are exempt from disclosure under ORS 192.311 to 192.478.
(5)
(a) The Legislative Fiscal Office shall use the notifications the office receives under subsections (2) and (3) of this section, and any other information about an information security assessment or an information security incident that a state agency provides to the office, via a method and at a level of detail to which the state agency and the office agree, solely for the purpose of providing support and assistance to the Joint Legislative Committee on Information Management and Technology, the Joint Committee on Ways and Means and the Joint Legislative Audit Committee.
(b)
(A) Except as provided in subparagraph (B) of this paragraph, the Legislative Fiscal Officer or an employee of the Legislative Fiscal Office may not disclose to any other person the nature or contents of the notifications that the office receives under subsections (2) and (3) of this section or any other information described in paragraph (a) of this subsection to the extent that the notifications or the information are exempt from disclosure under ORS 192.311 to 192.478.
(B) The Legislative Fiscal Officer or an employee of the Legislative Fiscal Office may disclose the nature or contents of the notifications or information described in subparagraph (A) of this paragraph if the officer or employee obtains the written consent of:
(i) The State Chief Information Officer, with respect to notifications and information that a state agency within the executive department, as defined in ORS 174.112, provided;
(ii) The Secretary of State, with respect to notifications and information that the office of the Secretary of State provided;
(iii) The State Treasurer, with respect to notifications and information that the office of the State Treasurer provided;
(iv) The Attorney General, with respect to notifications and information that the Department of Justice provided;
(v) The State Court Administrator, with respect to notifications and information that a court or a state agency within the judicial department, as defined in ORS 174.113, provided; or
(vi) The Legislative Administrator, with respect to notifications and information that a state agency within the legislative department, as defined in ORS 174.114, provided.

ORS 276A.306

2016 c. 110, § 1