Security Policies, Standards and Procedures - Commonwealth Office of Technology (Kentucky)

Agency Incident Response Guidelines: The Commonwealth Office of Technology (COT), Office of the Chief Information Security Officer (CISO) is responsible for the efficiency and effectiveness of IT security functions and responsibilities across the Commonwealth. As part of this responsibility, the CISO established the Agency Incident Response Guidelines to prepare for and react to threats to the Commonwealth's network and information systems at the agency level.

The objective of the Agency Incident Response Guidelines is to outline the steps to take when a security incident has occurred. The Agency Plan also aims to lessen the costs of disruption to the Commonwealth's services and assets, whether they are monetary, such as those associated with replacing equipment or infrastructure, or whether they be cost associated with the loss of business data or a loss to the Commonwealth's reputation. The plan contains templates that agencies can use to create a security event/incident evaluation and response process.

Agency Incident Response Guidelines.pdf

CIO-090 Information Security Incident Response Policy.pdf

FAC001 Determined Breach Notification Form.pdf

FAC002 Delay Notification Record.pdf

Security Domain of the Kentucky Information Technology Standards (KITS) documents the enterprise standards that pertain specifically to IT security. Kentucky Information Technology Standards (KITS) and related processes are documented here.

Enterprise IT Policies articulate the rules and policies of state government regarding information technology. Many of the enterprise policies are directly related to security issues or concerns. These policies determine the type of IT activities that are approved and required for both agencies and employees. The Enterprise Architecture framework is constructed of several interrelated components, including policies that support the business process and functions. COT administers the Enterprise Policy development, review and approval process. Enterprise IT policies are presented to the Commonwealth Technology Council for compliance by all appropriate agencies.

Specific Enterprise IT Policies relating to Security are listed below. To review these policies in further detail, please reference COT's Enterprise IT Policies webpage where a full list of Enterprise policies are displayed and a brief description of each is provided.

CIO-061 - Social Media Policy

CIO-072 - Identity and Access Management Policy

CIO-073 - Anti-Virus Policy

CIO-074 - Enterprise Network Security Architecture Policy

CIO-076 - Firewall and Virtual Private Network Administration Policy

CIO-078 - Wireless LAN Policy

CIO-084 - Email Review Request

CIO-085 - Authorized Agency Contacts

CIO-087 - Internet Usage Review Request Policy

CIO-090 - Information Security Incident Response Policy

CIO-091 - Enterprise Information Security Program

CIO-092 - Media Protection Policy