Security Policies, Standards and Procedures

Agency Incident Response Guidelines: The Commonwealth Office of Technology (COT), Office of the Chief Information Security Officer (CISO), is responsible for the efficiency and effectiveness of IT security functions and responsibilities across the Commonwealth. As part of this responsibility, the CISO established the Agency Incident Response Guidelines to help agencies prepare for and react to threats to the Commonwealth's network and information systems at the agency level.

The objective of the Agency Incident Response Guidelines is to outline the steps to take when a security incident has occurred. The guidelines also aim to lessen the costs of disruption to the Commonwealth's services and assets, whether those costs are monetary (such as replacing equipment or infrastructure), the loss of business data, or damage to the Commonwealth's reputation. The guidelines contain templates that agencies can use to create a security event/incident evaluation and response process.


The Security Domain of the Kentucky Information Technology Standards (KITS) documents the enterprise standards that pertain specifically to IT security. Kentucky Information Technology Standards (KITS) and related processes are documented here.


Enterprise IT Policies articulate the rules of state government regarding information technology. Many of the enterprise policies are directly related to security issues or concerns. These policies determine which IT activities are approved and required for both agencies and employees. The Enterprise Architecture framework is constructed of several interrelated components, including policies that support business processes and functions. COT administers the Enterprise Policy development, review and approval process. Enterprise IT policies are presented to the Commonwealth Technology Council and are binding on all appropriate agencies.

Specific Enterprise IT Policies relating to security are listed below. To review these policies in further detail, please reference COT's Enterprise IT Policies webpage, where a full list of Enterprise policies is displayed and a brief description of each is provided.

CIO-061 - Social Media Policy
CIO-072 - Identity and Access Management Policy
CIO-073 - Anti-Virus Policy
CIO-074 - Enterprise Network Security Architecture Policy
CIO-076 - Firewall and Virtual Private Network Administration Policy
CIO-078 - Wireless LAN Policy
CIO-084 - Email Review Request
CIO-085 - Authorized Agency Contacts
CIO-087 - Internet Usage Review Request Policy
CIO-090 - Information Security Incident Response Policy
CIO-091 - Enterprise Information Security Program
CIO-092 - Media Protection Policy