August 2024
Upcoming Events
State Government Artificial Intelligence Advisory Council Meeting - September 4, 2024
Oregon Geographic Information Council (OGIC) Meeting - October 30, 2024
Electronic Government Portal Advisory Board Meeting - August 27, 2024
Joint Committee on Information Management & Technology Meeting - September 24, 2024
Oregon Public Sector Cybersecurity Summit - September 25, 2024
About EIS
Enterprise Information Services ensures accessible, reliable and secure state technology systems that equitably serve Oregonians.
|
ASCIOs Play Crucial Role
In alignment with the Governor's Agency Expectations for Information Technology Performance, Assistant State CIOs (ASCIOs) play a crucial role in partnering with agencies to develop coordinated and collaborative multi-year modernization strategies across six key policy areas. A vital part of this effort involves creating Modernization Action Plans for individual agencies, along with establishing common definitions, templates, assessment tools, and standardized processes. This also includes developing business-driven Agency IT Strategic Plans and enhancing agency IT governance.
Beyond these deliverables, ASCIOs are committed to fostering trusted relationships with their agency partners and promoting Oregon's modernization vision, which focuses on people, processes, and technology. ASCIOs guide agencies through their digital transformation journeys, ensuring alignment with this vision.
In collaboration with agency leadership and IT teams, ASCIOs will help agencies create comprehensive plans and roadmaps covering:
- Modernization
- Governance
- Transformation of Service Delivery
- Alignment with Enterprise Policies and Guidance
- Business Process Improvement
- IT Strategic Plans
- IT Positions and Organizational Structure
- Agency IT Policy Development
This collaborative approach aims to ensure a cohesive and efficient modernization effort, driving Oregon's digital transformation forward.
|
Election Reporting Guidance
The Cybersecurity & Infrastructure Security Agency (CISA) released the 2024 General Election Cycle: Voluntary Incident Reporting Guidance for Election Infrastructure Stakeholders. Election infrastructure stakeholders are encouraged to share information regarding incidents in accordance with their incident response plans. Voluntarily sharing incident information facilitates faster access to incident response resources, greater understanding of threat actor tactics, and alerts to other election stakeholders about current threats and actions to help them protect their infrastructure.
|
Council Continues AI Subcommittees
The State Government Artificial Intelligence Advisory Council met in July in a series of subcommittee meetings to develop recommended principles and definitions in the areas of Equity, Ethics, and Security.
The Council subcommittees will continue meeting in August to develop recommended actions on each principle. The Council will provide a recommended framework to the Governor by September 19, 2024, and continue to work to draft the final recommendation action plan by March of 2025.
|
Critical Incident Preparedness
On Tuesday, July 16, 2024, EIS Cyber Security Services staff held a cyber security exercise for EIS Management. After months of planning and meticulously developing a cross-program scenario, the coordinated effort exercised how to maintain business during a critical incident.
The exercise topic was unknown to the participants, so they were unable to plan ahead. The commitment and effort of the team was highly recognized, and the exercise has increased the preparedness to maintain services for all Oregonians.
|
AVOIDING BAD PHISH
Phishing Tactics, Malware, and Malicious Content
Phishing is an easy term to misunderstand because it has many different meanings. CISA has a guide that attempts to separate the two main tactics that we lump into the generic term “phishing”. The first tactic is phishing to obtain login credentials, where the attacker sends an email with a link to an imposter site that convinces the recipient to enter their username and password.
The second tactic is malware phishing, in which the attacker sends an email with a malicious attachment. Phishing will continue to be popular because of how well it works. The best way to defend against it is to build defenses with the right models. For more information on how to not be a victim, visit this phishing infographic and explore the CISA website.
Anti-Phishing Tips
- Verify the sender: Ensure the sender's email address matches the official domain of the organization. Look for misspellings or unusual domains.
- Check the domain: Ensure the domain name is correct and not a variation or misspelling of the legitimate domain (e.g., "paypal.com" vs. "paypa1.com").
- Check the display name: Verify that the display name corresponds with the actual email address.
- Scrutinize urgent requests: Be cautious of emails that create a sense of urgency or use threatening language to prompt immediate action.
- Analyze offers: Be skeptical of emails that offer something that seems too good to be true, like winning a lottery or a prize.
- Hover over links: Before clicking any link, hover over it to check if the URL matches the expected destination. Look for subtle misspellings or variations in the URL.
- Avoid shortened URLs: Be cautious with shortened URLs as they can obscure the actual destination.
- Be wary of unexpected attachments: Avoid opening unexpected attachments, especially if they are executable files (.exe), compressed files (.zip, .rar), or unusual file types.
- Check for errors: Legitimate organizations usually send professionally written emails. Spelling mistakes and poor grammar can be a red flag.
- Check branding and design: Ensure the email uses consistent branding, logos, and professional design.
- Verify consistency with previous communications: The email should make sense in the context of past interactions with the sender or organization.
- Be skeptical of sensitive requests: Legitimate organizations usually do not ask for personal, financial, or login information via email.
- Verify the email with the organization: If an email seems suspicious, contact the organization directly using a known and trusted method to verify its authenticity.
- Stay informed: Regularly update yourself on common phishing tactics and indicators. Share infographics that educate others on how to avoid phishing.
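The sender-domain, display-name, link and attachment tips above can also be applied automatically to a parsed email, as in the following added example, which is not part of the original newsletter. The trusted-domain list, shortener list, 0.85 similarity cutoff and function names are assumptions, and the sample message is constructed.

```python
import difflib
import re
from email.message import EmailMessage
from urllib.parse import urlparse
# Assumed values for this example; none of them come from the newsletter.
TRUSTED_DOMAINS = ("paypal.com", "oregon.gov")
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
RISKY_EXTENSIONS = (".exe", ".zip", ".rar")

def lookalike_of(host):
    """Return the trusted domain that host's last two labels imitate, or None."""
    base = ".".join(host.lower().split(".")[-2:])  # simplification: ignores co.uk-style suffixes
    matches = difflib.get_close_matches(base, TRUSTED_DOMAINS, n=1, cutoff=0.85)
    return matches[0] if matches and matches[0] != base else None

def phishing_flags(msg):
    """Apply the sender, display-name, link and attachment tips to one message."""
    sender, flags = msg["From"].addresses[0], []
    domain = sender.domain.lower()
    if (hit := lookalike_of(domain)):
        flags.append(f"sender domain {domain} resembles {hit}")
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]  # display name uses a brand the address is not part of
        if brand in sender.display_name.lower() and not ("." + domain).endswith("." + trusted):
            flags.append(f"display name mentions {brand} but address is at {domain}")
    body = msg.get_body(preferencelist=("plain",))
    for url in re.findall(r"https?://[^\s>\"']+", body.get_content() if body else ""):
        host = (urlparse(url).hostname or "").lower()
        if host in SHORTENERS:
            flags.append(f"shortened URL via {host}")
        elif (hit := lookalike_of(host)):
            flags.append(f"link host {host} resembles {hit}")
    for part in msg.iter_attachments():
        if (part.get_filename() or "").lower().endswith(RISKY_EXTENSIONS):
            flags.append(f"risky attachment {part.get_filename()}")
    return flags

def build_message(sender, text, attach=None):  # constructed sample, not a real email
    msg = EmailMessage()
    msg["From"] = sender
    msg.set_content(text)
    if attach:
        msg.add_attachment(b"MZ", maintype="application", subtype="octet-stream", filename=attach)
    return msg

if __name__ == "__main__":
    sample = build_message('"PayPal Support" <service@paypa1.com>',
        "Confirm now: https://bit.ly/x1 or http://paypa1.com/login", "invoice.exe")
    print("\n".join(phishing_flags(sample)))
```

A similarity cutoff catches single-character swaps such as "paypa1.com" but not every imitation, so the human checks in the list still apply.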
|
New ADA Accessibility Requirements
EIS has confirmed Tyler Technologies is aware of the federal ADA accessibility requirements for websites and acknowledges that Oregon government websites and mobile apps will need to comply with WCAG 2.1 AA guidelines. Each agency will need to work with their respective IT teams.
Tyler Oregon currently strives to meet WCAG 2.1 AA compliance on the public SharePoint website environment by doing the following:
- Creating compliant website templates
- Providing the enterprise Siteimprove tool
- Providing training to agencies on use of the tool and general accessibility practices
|
FBI Revamps CJIS Policy
The FBI is rewriting the Criminal Justice Information Services Security Policy that sets the minimum criteria for how its criminal justice information is protected. This revision will affect all entities that have access to that data and the bureau aims to ensure that each user ramps up their own cybersecurity.
While complying with the updated requirements is hard work, failing to do so can lead to a cyber-attack that downs government systems and shakes public trust.
There are many options for support, and the advice is to start now and not delay updating.
|
Cybersecurity Grant Program
Registration is open for Round Two of the State and Local Cybersecurity Grant Program (SLCGP). The goal of the SLCGP is to assist state, local, and tribal governments with managing and reducing systemic cyber risk. The Oregon Cybersecurity Plan has details on grant eligibility, resources, and how to apply.
The SLCGP Planning Committee invites you to join a webinar on September 4, 2024, to cover information on how to leverage lessons learned and successes from round one when applying.
To apply for funding:
- Complete a grant registration form by September 1, 2024
- Submit a completed SLCGP project application by October 15, 2024
|
The State Chief Information Officer is proud to sponsor ongoing free educational opportunities for agency CIOs and IT strategic planners through a series of 1-day workshops. The workshops will take place September 10th – 11th and October 9th – 10th. The workshops are on a first-come basis, so sign up today.
A sample rundown of topics includes:
- Strategic Alignment through Goal Cascade
- Creating Goal Measurements with Impact
- Investment Prioritization Framework
- Value Delivery and Demonstration
- IT Strategy Refresh and Communication Plan
- IT Strategy on a Page
|
EIS Strategy and Design (S&D) has announced a new intake process, designed to streamline collaboration with the team. Until now, there was no systematic approach to engagement, leading to inefficiencies, missed opportunities, and communication gaps.
The goal is to bridge this gap by introducing an intuitive intake process through the S&D Service Catalog offerings using the Ivanti Service Manager (ISM) to enhance collaboration by providing a clear path for submission requests.
On August 1st, all of EIS and agency IT leadership gained access to the production version of the intake process. On July 25, 2024, a communication was sent with additional information, including a link to the ISM Portal and instructions for how to engage S&D using the Service Catalog with ISM.
|
Water Sector Cyber Action Plan Progress
Nationally, the Drinking Water and Wastewater Sector is increasingly being targeted by malicious cyber groups and nation states alike, including those associated with the Iranian Revolutionary Guard Corps (IRGC) and the People’s Republic of China (PRC). Cyber risk to the Water Sector is a threat to national security.
As such, states are being asked by the National Security Advisor to develop action plans that mitigate the most significant cybersecurity vulnerabilities in the operational technology (OT) and related information technology (IT) of the state’s water systems.
In response to this request, the EIS Cybersecurity Services (CSS) team has been working with our federal partner, the Cybersecurity and Infrastructure Security Agency (CISA), to conduct a cyber resiliency campaign across Oregon. CSS developed an action plan that outlines activities for Oregon’s Drinking Water and Wastewater Sector entities by bringing awareness of the cyber threats and steps to mitigate them. Learn more about the Cyber Action Plan.
|
On Thursday, September 5, 2024, Gartner and Oregon’s new Agile Community of Practice (OACP) will host a forum in Salem that will provide perspectives on both internal and external Human-Centered Design (HCD) implementations and their benefits. The forum is open to all individuals and organizations with an interest in public-sector Agile practices and HCD in Oregon. Space is limited, so register early. The OACP brings together the expertise of an extended network of public- and private-sector partners. Its primary activities include:
- Agile + HCD Training
- Shared Learning
- Community
- Resource Library
|
A successful bill designating August 26th of each year as Women’s Equality Day was introduced in 1971 by Representative Bella Abzug (D-NY), saying, “the President is authorized and requested to issue a proclamation annually in commemoration of that day in 1920, on which the women of America were first given the right to vote.”
Women’s Equality Day commemorates the 19th Amendment, which gave women the right to vote nationally on August 18, 1920, and became official when it was certified by U.S. Secretary of State Bainbridge Colby on August 26, 1920, ending a struggle for the vote that had started a century earlier. The day is proclaimed each year by the United States President.
*Photo credit: womenemployed.org
|
Schools and Libraries Cybersecurity Pilot Program
The Federal Communications Commission published rules for the Schools and Libraries Cybersecurity Pilot Program which will provide up to $200 million to selected participants over a three-year term to purchase a wide variety of cybersecurity services and equipment. Schools, libraries, and consortia of schools and libraries (e.g., regional or statewide groups of schools or libraries that jointly apply for the Pilot Program) that meet the E-Rate program’s eligibility requirements may apply to participate in the Pilot Program. Applications are scheduled to open August 29.