Security Policies, Standards and Procedures

Agency Incident Response Guidelines: The Commonwealth Office of Technology (COT), Office of the Chief Information Security Officer (CISO) is responsible for the efficiency and effectiveness of IT security functions and responsibilities across the Commonwealth. As part of this responsibility, the CISO established the Agency Incident Response Guidelines to prepare for and react to threats to the Commonwealth's network and information systems at the agency level.

The objective of the Agency Incident Response Guidelines is to outline the steps to take when a security incident has occurred. The Agency Plan also aims to lessen the costs of disruption to the Commonwealth's services and assets, whether these are monetary costs, such as those associated with replacing equipment or infrastructure, or costs associated with the loss of business data or damage to the Commonwealth's reputation. The plan contains templates that agencies can use to create a security event/incident evaluation and response process.


Security Domain of the Kentucky Information Technology Standards (KITS) documents the enterprise standards that pertain specifically to IT security. Kentucky Information Technology Standards (KITS) and related processes are documented here.


Enterprise IT Policies articulate the rules and policies of state government regarding information technology. Many of the enterprise policies are directly related to security issues or concerns. These policies determine the type of IT activities that are approved and required for both agencies and employees. The Enterprise Architecture framework is constructed of several interrelated components, including policies that support the business process and functions. COT administers the Enterprise Policy development, review and approval process. Enterprise IT policies are presented to the Commonwealth Technology Council for compliance by all appropriate agencies.

Specific Enterprise IT Policies relating to Security are listed below. To review these policies in further detail, please reference COT's Enterprise IT Policies webpage, where a full list of Enterprise policies is displayed and a brief description of each is provided.

  • CIO-061 - Social Media Policy
  • CIO-072 - Identity and Access Management Policy
  • CIO-073 - Anti-Virus Policy
  • CIO-074 - Enterprise Network Security Architecture Policy
  • CIO-076 - Firewall and Virtual Private Network Administration Policy
  • CIO-078 - Wireless LAN Policy
  • CIO-084 - Email Review Request
  • CIO-085 - Authorized Agency Contacts
  • CIO-087 - Internet Usage Review Request Policy
  • CIO-090 - Information Security Incident Response Policy
  • CIO-091 - Enterprise Information Security Program
  • CIO-092 - Media Protection Policy

This page was last modified 9/22/2021 1:35 PM