Security Policies, Standards and Procedures

Agency Incident Response Guidelines: The Commonwealth Office of Technology (COT), Office of the Chief Information Security Officer (CISO) is responsible for the efficiency and effectiveness of IT security functions and responsibilities across the Commonwealth. As part of this responsibility, the CISO established the Agency Incident Response Guidelines to prepare for and react to threats to the Commonwealth's network and information systems at the agency level.

The objective of the Agency Incident Response Guidelines is to outline the steps to take when a security incident has occurred. The Agency Plan also aims to lessen the costs of disruption to the Commonwealth's services and assets, whether those costs are monetary, such as the cost of replacing equipment or infrastructure, or costs associated with the loss of business data or damage to the Commonwealth's reputation. The plan contains templates that agencies can use to create a security event/incident evaluation and response process.


Security Standard Procedures Manual (COT-067) was developed and is maintained by Kentucky's Commonwealth Office of Technology (COT). It is a customized and comprehensive document containing IT security procedures that are to be reviewed and practiced by all COT employees, contractors and managed agencies. This manual provides guidance on security policies as they relate to the Commonwealth of Kentucky's goals, principles, ethics, and responsibilities, and identifies the specific procedures that employees must follow to comply with COT security objectives.


Enterprise IT Policies articulate the rules and policies of state government regarding information technology. Many of the enterprise policies are directly related to security issues or concerns. These policies determine the type of IT activities that are approved and required for both agencies and employees. The Enterprise Architecture framework is constructed of several interrelated components, including policies that support the business process and functions. COT administers the Enterprise Policy development, review and approval process. Enterprise IT policies are presented to the Commonwealth Technology Council for compliance by all appropriate agencies.

Specific Enterprise IT Policies relating to Security are listed below:


Security Domain of the Enterprise Architecture and Standards documents the enterprise standards that pertain specifically to IT security. The entire Enterprise Architecture and Standards process and comprehensive list of all enterprise standards can be found here.

This page was last modified 1/8/2015 6:48 AM