Oregon State Police not Implementing Basic Cybersecurity Policies

An audit of the Oregon State Police’s (OSP’s) cybersecurity practices published this week found that the agency is not following basic policies widely promoted by government agencies nationwide, including active management of its hardware and software inventory and user authorization.

Specifically, auditors reported that OSP has barely implemented the top cybersecurity controls recommended by the Center for Internet Security, a nonprofit organization whose guidelines are widely considered a gold standard for enterprise IT security. CIS’s full set of controls includes 20 items, but the audit only reviewed OSP for its compliance with the first six, none of which the agency showed anything better than partial implementation.