To ensure ongoing security compliance, ODOT monitors account manager data for anomalies, which includes trend analysis. ODOT uses the following tools to ensure volunteer information is protected:
ODOT has the ability to audit the account managers, and any other companies working in conjunction with them on the OReGO project. Account managers submit weekly, monthly, and quarterly reports to ODOT to monitor for anomalies and ensure security measures are enacted. Security requirements apply to all subsystems and functions.
Before they are allowed to participate in the program, account managers must pass through a certification process where they must prove compliance using a combination of test results, policy and procedure documents, and external compliance certificates.
Here is an example of a security requirement: The account manager shall provide a system architecture diagram that illustrates the location and key security measures proposed for its RUC program system. ODOT staff confirms this by evaluating the System Architecture Diagram to ensure these features are included:
Contractually, account managers are required to protect personally identifiable information and are responsible for all costs associated with any losses due to a breach. Specifically, the contract requires: Contractor at all times shall comply with Agency’s security policies. Security Policies include but are not limited to: The federal Automobile Information Disclosure Act, ORS 319.915, ORS 802.179, and security requirements in the System Requirement Specifications document in the performance of this Price Agreement.
Account managers must provide an SSAE-16 audit report annually, which ensures they are following best practices. These audits are required for service organizations that perform outsourced services that affect the financial statement of another entity. Because account managers are collecting road usage charges on ODOT’s behalf, and the revenues affect ODOT’s financial statement, these audits are required. These audit reports provide information and analysis on the information technology general controls related to information security, access, environmental controls, physical security, system development and change management, and system monitoring and maintenance. They also include an analysis of the account manager’s processing controls such as data receipt, data processes, data transmission, and data reporting. Security standards are confirmed through ODOT staff’s evaluation as well as through reports prepared by independent certified public accountants.