Overview

Description: The Security Rule requires DHS to develop and implement policies and procedures and to assign responsibility for creating security measures that will ensure accountability for the overall security of the organization.

Purpose/Rationale: It is the policy of the State of Oregon to ensure the privacy, integrity, and availability of information assets entrusted to the State by the citizens by protecting those assets from unauthorized access, modification, destruction, or disclosure and to ensure their physical security.

DHS will establish an Information Security Program that complies with State policies and other federal and state regulations. The Information Security Program will clearly state organization-wide objectives, clarify and assign responsibilities, develop and implement security policies and practices, and provide a framework for enforcement. DHS has a responsibility to ensure that all information held by the department, is appropriately secure.

The purpose of the DHS Information Security Program is three-fold:

• Establish policies and procedures and provide standard tools to secure DHS data in compliance with state and federal security requirements, using minimum levels of industry standards;
• Support the DHS mission to provide continuity of service to customers; and
• Maintain unbroken trust with customers and stakeholders through practice of good stewardship of information assets.

Applicability: All DHS workforce members including, full and part-time employees, volunteers, contractors, temporary workers, and those employed by others to perform work on behalf of DHS, and have been granted access to DHS information assets or systems, are covered by this policy and must comply with associated policies, procedures, and guidelines.

Failure to Comply: Failure to comply with this policy and associated policies, standards, guidelines, and procedures may result in disciplinary actions up to and including termination of employment for employees or termination of contracts for contractors, partners, consultants, and other entities. Legal actions also may be taken for violations of applicable regulations and laws.

Back to top

Policy

1. Information Security Program
1. Organization-wide objective: DHS will secure its information assets to maintain confidentiality, integrity, and availability of those assets.
2. DHS will establish an Information Security Program. The program will provide risk assessment of DHS information assets, appropriate and effective policies for adequate protection, and assurance that the security policies are effectively applied. The Information Security Program will clearly state organization-wide objectives, clarify and assign responsibilities, develop and implement security policies and practices, and provide a framework for enforcement.
3. The Information Security Program will address, at a minimum, information asset classification, access control, personnel security, physical and environmental security, operational security, systems security, and business continuity management.
4. Security policies and program will be reviewed at least annually to accommodate organizational changes.
2. Scope
1. This policy applies to all types of information generated, used, or held by DHS that are used within the scope of DHS business processes. This policy covers information assets in all formats, including electronic, magnetic, paper, or other.
2. All individuals who have been granted access to DHS information or information systems, including but not limited to full- and part-time employees, contractors, temporary workers, those employed by others to perform DHS work, and others granted access are covered by this policy and shall comply with this and associated policies, procedures and guidelines.
3. Compliance

Failure to comply with this policy and associated policies, standards, guidelines, and procedures may result in disciplinary actions up to and including dismissal from state service for employees or termination of contracts for contractors, partners, consultants, and other entities. Legal actions also may be taken for violations of applicable regulations and laws.

4. Responsibilities.
Individuals, groups, or organizations identified in the scope of this policy are accountable for one or more of the following levels of responsibility when using DHS information assets:
1. All information generated, acquired by or on behalf of, or held by DHS within its systems of operation is the property of the Department of Human Services, unless otherwise stated in a contractual agreement. DHS has a responsibility to ensure that all information held by the department, is appropriately secure.
2. DHS Director is responsible and accountable for the information assets held by the agency. The Director is responsible for establishing policies and procedures governing:
1. The integrity of information assets.
2. The authorization of access to those assets.
3. Compliance with legal requirements for information privacy.
4. Implementation of a security program within DHS.
3. DHS Information Security Officer is responsible for:
1. Development and maintenance of the DHS Information Security Program.
2. Development and documentation of specific roles and responsibilities for each member of the Security Team.
3. Development of a security strategy that aligns with business and technology objectives.
4. Creation and formalization of a program for implementing the security policies.
5. Development of a process to keep the program and policies current as changes to technology and business occur.
6. Establishment of procedures for appropriate actions when information security policies have been violated.
7. Development of measurable outcomes that assess the success of the security program.
4. All DHS employees share the responsibility for the security and integrity of information assets. DHS employees are responsible for:
1. Compliance with all information security policies.
5. Information Users (users) are the individuals, groups, or organizations authorized by DHS to access information assets. Users are responsible for:
1. Using the information only for its intended purposes. If the user has a question about appropriate use or the intended purpose of information, the user must check with the appropriate supervisor or manager for clarification.
2. Maintaining the confidentiality, integrity, and availability of the information.

Back to top

Procedure(s)

• None

Back to top

Form(s)

• None

Back to top

Reference(s)

• State of Oregon Information Technology Security Policy
• International Standards Organization (ISO/IEC 17799:2000(E))
• Control Objectives for Information Technology (CoBIT)

Back to top

Definition(s)

• See Privacy/Security Glossary of Common Terms
• See Common Terms for department-wide support services policies.

Back to top

Contact

• Name: Kyle Miller; Phone: (503) 945-6815; Email: dhsinfo.security@state.or.us

Back to top

Policy History

• Version 2.0:
  • 11/22/2004 - Clarifies and assigns responsibilities of the Information Security Officer.
• Version 1.0:
  • 12/09/2002 - Initial Release

Back to top

If you have comments about this site, send email to dhs.policyinfo@state.or.us.

Oregon Department of Human Services
500 Summer St. NE E25, Salem, OR 97301-1098
Phone: (503) 945-5944
Fax: (503) 378-2897
TTY: (503) 947-5330