State CISO outlines assessments, targets and projects as Oregon moves to stricter cybersecurity standards
Summary
The state’s chief information security officer briefed the General Government Subcommittee on May 14 on assessment results, mitigation priorities and several multi‑year projects aimed at raising agency cybersecurity posture.
Ben Gurizgeir, state chief information security officer, said Enterprise Information Services (EIS) uses the Center for Internet Security (CIS) Controls, version 8, as its baseline and now requires agencies to meet 70% of the first 56 safeguards (the Implementation Group 1 set); the goal is to reach higher maturity and expand adoption of the full control set over the next two to three years.
"We complete assessments of every state agency, board and commission in a biennium," Gurizgeir said. He told the committee EIS is scheduling CIS assessments, web application assessments and four CISA risk and vulnerability assessments (RVAs) between January and June 2025, and that CISA RVAs involve intrusion and penetration testing for large, complex agencies.
Gurizgeir walked the committee through current and planned enterprise efforts: implementing Deloitte recommendations from a Microsoft 365 security review, modernizing network and security infrastructure (including an AI‑enabled threat detection platform under contract negotiation), expanding an enterprise mobile security program covering about 28,000 devices, and working with Gartner on an identity governance roadmap to standardize identity provisioning and deprovisioning across agencies.
He said the state’s security operations center currently operates on split shifts (12 hours on, 12 hours off) and that EIS will ask for funding to sustain a 24‑hour SOC so staff can monitor and respond continuously. Gurizgeir described frequent testing: weekly live "fire range" exercises for blue/red teams and quarterly exercises with agencies to rehearse incident response.
Shirlene Gonzales, legislative director for EIS, added that EIS maintains institutional documents — an incident response plan, a cyber disruption response and recovery guide for local and state coordination, service catalogs and other publications — so agencies and partners can follow standard procedures when incidents occur.
Committee members raised questions about procurement opt‑outs and AI controls. Gurizgeir said by statute executive‑branch agencies cannot opt out of cybersecurity services provided by the state, and that EIS is preparing enterprise AI guidance. Representative Chai Chi asked about House Bill 3936 (state devices and use of AI); Gonzales said EIS had reviewed the amended bill and would update administrative rules and processes for covered products if the statute changes.
Gurizgeir said EIS tracks mitigation progress with an integrated risk management (IRM) tool that inventories agency risks and helps manage remediation projects. He warned that AI has increased volumetric attacks and emphasized the need for AI‑capable detection technology across the enterprise.
No formal committee votes were taken; the briefing closed after the speakers invited questions and offered follow‑up documentation to the committee.
