Enterprise Policies articulate the rules and regulations of state government regarding information technology. These policies determine the type of activities that are approved for both agencies and employees. The Enterprise Architecture framework is constructed of several interrelated components, including policies that support the business process and functions.
COT administers the Enterprise Policy development, review and approval process. Enterprise IT policies are presented to the Commonwealth Technology Council for compliance by all appropriate agencies.
Enterprise IT Policies
CIO-060 -- Internet and Electronic Mail Acceptable Use Policy
Revised August 24, 2010. Effective May 15, 1996
This policy is to define and outline acceptable use of Internet and Electronic mail (E-mail) resources in state government.
CIO-061 -- Social Media Policy
Effective July 1, 2011
This policy is to define and outline acceptable use of Social Media resources in state government.
CIO-071 -- Wireless Voice & Data Services Policy
Revised September 18, 2008. Effective September 12, 2001
This policy defines deployment and acceptable use of wireless devices within the Executive Branch of state government.
CIO-072 -- UserID and Password Policy
Revised May 29, 2007. Effective June 1, 2002
This policy supports the Enterprise Architecture for end-user security and represents a set of standards to be followed by all employees for UserID and Password usage.
CIO-073 -- Anti-Virus Policy
Revised August 22, 2008. Effective June 1, 2002
The purpose of this policy is to help protect all computing devices from malicious software (viruses, Trojans, worms, hoaxes).
CIO-074 -- Enterprise Network Security Architecture Policy
Revised November 1, 2005. Effective December 1, 2002
In order to better protect and secure the resources of the state computing environment, it is necessary to enhance the Enterprise Network Security Architecture and segregate resources and types of activities.
CIO-075 -- Enterprise IT Project Approval Process
Revised January 7, 2010. Effective September 1, 2002
This policy is intended to enhance the probability of IT project success across the enterprise.
CIO-076 -- Firewall and Virtual Private Network Administration Policy
Revised July 21, 2010. Effective January 3, 2003
The administration of firewalls and virtual private networks (VPN) is a primary component in securing the infrastructure and must conform to this policy.
CIO-077 -- Sanitization of Information Technology Equipment and Electronic Media Policy
Revised January 21, 2011. Effective February 5, 2003
The purpose of this policy is to ensure secure and appropriate disposal of information technology equipment, devices, network components, operating systems, application software and storage media belonging to the Commonwealth to prevent unauthorized use or misuse of state information.
CIO-078 -- Wireless LAN Policy
Revised November 1, 2005. Effective June 10, 2003
The purpose of this policy is to outline security and data integrity measures required for secure wireless LAN installations within the state's intranet zone.
CIO-079 -- Logon Security Notice
Revised November 1, 2005. Effective April 1, 2004
This policy is intended to protect the confidentiality, availability, and integrity of the Commonwealth's information technology resources by requiring that all logon screens include a security notice indicating that the system must be used for authorized purposes only.
CIO-080 -- Password Auditing and Policy Enforcement for Network Domains
Revised November 1, 2005. Effective April 1, 2004
This policy has been enacted to outline the audit processes required to identify security vulnerabilities and threats as they relate to domain password usage and to measure compliance with the enterprise policy, UserID and Password Policy (CIO-072).
CIO-081 -- Securing Unattended Workstations Policy
Revised November 1, 2005. Effective April 1, 2004
This policy requires all workstations utilizing the Kentucky Information Highway to be adequately secured when unattended, in order to protect the confidentiality, availability, and integrity of the Commonwealth's information technology resources.
CIO-082 -- Critical Systems Vulnerability Assessments
Revised November 21, 2008. Effective May 15, 2004
The purpose of this policy is to establish procedures for network vulnerability assessments of the servers and operational environments of critical systems by state agencies utilizing the Kentucky Information Highway (KIH), hereinafter referred to as "Agency".
CIO-083 -- Storage of Confidential Information on Portable Devices and Media
Effective January 18, 2010
This policy requires all portable computing and storage devices containing confidential data to be encrypted in order to protect the confidentiality, availability, and integrity of the Commonwealth’s information technology resources.
CIO-084 -- Email Review Request
Revised July 28, 2009. Effective March 28, 2005
The purpose of this policy is to provide procedures for cabinets/agencies to follow when requesting e-mail review documentation.
CIO-085 -- Agency Security Contact
Effective August 1, 2005
The intent of this policy is to ensure the establishment of a formal communications link between COT and the organizational entities that use COT services.
CIO-086 -- State Agency Local Print Policy
Effective January 11, 2010
Where it does not impede the ability of state workers to conduct agency business, this policy directs agency staff to make conscious decisions to print only where there are tangible benefits for printed output, and, when printing is necessary, to print in black and white and in duplex.
CIO-087 -- Internet Usage Review Request Policy
Effective July 28, 2009
The purpose of this policy is to provide procedures for cabinets/agencies to follow when requesting internet usage documentation.
CIO-090 -- Information Security Incident Response Policy
Effective March 5, 2013
This policy identifies the necessity and procedures for agencies and COT to identify and notify appropriate personnel when a security incident occurs.