The organization or user shall not make any root level changes to any Department or State of Oregon network and information system. The Department recognizes that some application users have root level access to certain functions to allow the user to diagnose problems (such as startup or shutdown operations, disk layouts, user additions, deletions or modifications, or other operation) that require root privileges. This access does not give the user the right to make any changes normally restricted to root without explicit, written permission from the Department.
(1) Use and disclosure of any Department information asset is strictly limited to the minimum information necessary to perform the requested and authorized service.(2) The organization shall have established privacy and security measures that meet or exceed the standards set forth in the Department's privacy and information security policies, available from the Department, regarding the disclosure of an information asset.(3) The organization or user shall comply with all security and privacy federal and state laws, rules, and regulations applicable to the access granted.(4) The organization shall make the security risk plan available to the Department for review upon request.(5) The organization or user shall report to the Department all privacy or security incidents by the user that compromise, damage, or cause a loss of protection to Department information assets or network and information systems. The incident report shall be made no later than five business days from the date on which the user becomes aware of such incident. The user shall provide the Department a written report which must include the results of the incident assessment findings and resolution strategies.(6) Wrongful use of a network and information system or wrongful use or disclosure of a Department information asset by the organization or user may cause the immediate suspension or revocation of any access granted at the sole discretion of the Department without advance notice.(7) The organization or user shall comply with the Department's request for corrective action concerning a privacy or security incident and with laws requiring mitigation of harm caused by the unauthorized use or disclosure of confidential information, if any.Or. Admin. Code § 407-014-0320
DHSD 14-2007, f. 12-31-07, cert. ef. 1-1-08; DHSD 6-2011(Temp), f. & cert. ef. 8-9-11 thru 2-2-12; DHSD 1-2012, f. & cert. ef. 2-1-12Stat. Auth.: ORS 409.050
Stats. Implemented: ORS 182.122