Information Security Services

The Office of the CISO provides both complimentary services and services for a fee to agencies of the Commonwealth of Kentucky. For additional information, please contact the Service Desk at or click the link for the Security Services Brochure under "Additional Information" on the right side of this page.


COT has established a security program that aligns to the NIST 800-53 risk management framework.
COT undergoes an extensive AICPA SOC II Type 2 audit.
COT conducts third party program risk assessments to measure program effectiveness.
COT partners with national security organizations.
COT uses an extensive network intrusion detection system, a tiered network firewall system, email and web-filtering, strong endpoint defenses, along with other useful tools for optimum information protection.

Complimentary Services – Included in the Enterprise Security Assessment

Network monitoring
The COT Monitoring and Response Branch continually monitors the Kentucky Information Highway network for internal and external threats.

Incident handling
COT Security analysts coordinate responses to and remediation of information security events on the network and coordinate with agency incident response staff.

Resource Access Control Facility (RACF) second level support (Agencies provide their own first level support unless they are consolidated)
Mainframe security personnel provide additions, deletions and changes to mainframe user IDs utilizing RACF (Resource Access Control Facility) as the z/OS operating system security software.

Alerts to customers of current threats
The Office of the CISO is constantly researching trends and threats in order to stay informed of security issues on the horizon. The branch is involved in cooperative efforts for preparedness and information sharing with other state and federal government entities.

Awareness and Training
The Office of the CISO provides annual security awareness training available through MyPurpose. The Office of the CISO also conducts monthly phishing awareness exercises that help build good practices for all employees.

Enterprise security policies
Office of the CISO staff assist in the development and maintenance of enterprise policies to provide the latest security best practices and guidelines to our customers.

Penetration Testing
The COT Risk Management Branch conducts penetration testing activities at an enterprise level for core services used by all agencies. Agency or application specific penetration testing is available as a rated service.

EIM User Guide
Enterprise Identity Management (EIM for short) is the Commonwealth Office of Technology's (COT) solution for identity management for employees and other users in the Commonwealth. EIM is a centralized system designed to standardize account creation, modification, and removal for users in the Commonwealth. This EIM user guide is intended to assist users that have access to the EIM portal in using EIM.

Rated Services
Vulnerability assessments
The COT Risk Management Branch can assist customers by identifying, quantifying, and prioritizing the vulnerabilities in a system by scanning with automated tools.

Password audits
We perform a quarterly audit for consolidated agencies at no cost. The COT Security Administration Branch performs password audits for agencies by using automated password cracking tools that can identify weak passwords and passwords that do not comply with enterprise standards. This can be useful in ensuring security and integrity through password compliance.

Penetration Testing – automatic and manual
COT provides risk assessments to identify weaknesses or vulnerabilities in applications. Interpretations of the assessment findings and remediation recommendations are included in the service.

Infrastructure security consulting
The Office of the CISO provides consulting services to evaluate proposed or existing infrastructure for vulnerabilities and to improve or ensure an adequate security posture.

Computer forensics investigations
The COT Forensic Investigations Branch provides a wide range of data and system forensic services including system or employee investigations, open records requests, litigation requests, and email reviews.