Cybersecurity statutes (background)
In plain terms. Oregon centralizes state cybersecurity in the Office of Enterprise Information Services and protects several categories of sensitive records by statute.
Who it applies to. State agencies and their IT vendors; the records statutes also reach the handling of personal and health information. Procurement runs under Oregon's public-contracting code.
What it requires. State law establishes the Office of Enterprise Information Services and an information-security function for state systems, and separate statutes protect records containing personal information and protected health information.
Why it matters. Vendors serving Oregon agencies must support the state's enterprise information-security requirements and the protections that attach to sensitive records they touch.
Citation. Or. Rev. Stat. §§ 276A.200 et seq. (Office of Enterprise Information Services) and 276A.300-276A.335 (Information Security); §§ 192.363-192.385 (personal information) and 192.553-192.581 (protected health information). Procurement under Or. Rev. Stat. 279A-279C.
Regulations & policies (background)
In plain terms. Oregon's operational cyber rules come through Department of Administrative Services policy.
Who it applies to. State agencies and their IT vendors.
What it requires. The state's cyber and information-security policy sets security requirements for state systems, and IT-investment-oversight policy governs how technology projects are reviewed.
Why it matters. Vendors should expect Oregon's cyber and information-security policy to shape both system requirements and project oversight.
Citation. Oregon DAS Statewide Policy 107-004-052 (Cyber and Information Security) and 107-004-130 (Information Technology Investment Oversight).