Security Policies, Standards and Procedures

Agency Incident Response Guidelines: The Commonwealth Office of Technology (COT), Office of the Chief Information Security Officer (CISO) is responsible for the efficiency and effectiveness of IT security functions and responsibilities across the Commonwealth. As part of this responsibility, the CISO established the Agency Incident Response Guidelines to prepare for and react to threats to the Commonwealth's network and information systems at the agency level.

The objective of the Agency Incident Response Guidelines is to outline the steps to take when a security incident has occurred. The Agency Plan also aims to lessen the costs of disruption to the Commonwealth's services and assets, whether monetary, such as the cost of replacing equipment or infrastructure, or costs associated with the loss of business data or damage to the Commonwealth's reputation. The plan contains templates that agencies can use to create a security event/incident evaluation and response process.


Security Standard Procedures Manual (COT-067) is developed and maintained by Kentucky's Commonwealth Office of Technology (COT). It is a customized and comprehensive document containing the IT security procedures that are to be reviewed and practiced by all COT employees, contractors and managed agencies. This manual provides guidance regarding security policies as they relate to the Commonwealth of Kentucky's goals, principles, ethics, and responsibilities, and identifies the specific procedures that employees must follow to comply with COT security objectives.


The Security Domain of the Kentucky Information Technology Standards (KITS) documents the enterprise standards that pertain specifically to IT security. The KITS standards and related processes are documented here.


Enterprise IT Policies articulate the rules and policies of state government regarding information technology. Many of the enterprise policies are directly related to security issues or concerns. These policies determine the type of IT activities that are approved and required for both agencies and employees. The Enterprise Architecture framework is constructed of several interrelated components, including policies that support the business process and functions. COT administers the Enterprise Policy development, review and approval process. Enterprise IT policies are presented to the Commonwealth Technology Council for compliance by all appropriate agencies.

Specific Enterprise IT Policies relating to Security are listed below:

  • CIO-061 - Social Media Policy
    This policy is to define and outline acceptable use of Social Media resources in state government.
  • CIO-072 - Identity and Access Management Policy
    The purpose of this policy is to define access control measures for Commonwealth systems to protect the privacy, security, confidentiality, and integrity of the Commonwealth of Kentucky resources and data.
  • CIO-073 - Anti-Virus Policy
    The purpose of this policy is to help protect computing devices (servers, desktops, laptops and tablets) from malware (viruses, Trojans, worms, hoaxes, etc.).
  • CIO-074 - Enterprise Network Security Architecture Policy
    In order to better protect and secure the resources of the state computing environment, it is necessary to enhance the Enterprise Network Security Architecture and segregate resources and types of activities.
  • CIO-076 - Firewall and Virtual Private Network Administration Policy
    The administration of firewalls and virtual private networks (VPN) is a primary component in securing the infrastructure and must conform to this policy.
  • CIO-078 - Wireless LAN Policy
    The purpose of this policy is to outline security and data integrity measures required for secure wireless LAN installations within the state's intranet zone.
  • CIO-082 - Critical Systems Vulnerability Assessments
    The purpose of this policy is to establish procedures for network vulnerability assessments of the servers and operational environments of critical systems by state agencies utilizing the Kentucky Information Highway (KIH), hereinafter referred to as "Agency".
  • CIO-084 - Email Review Request
    The purpose of this policy is to provide procedures for cabinets/agencies to follow when requesting e-mail review documentation.
  • CIO-085 - Authorized Agency Contacts
    The intent of this policy is to ensure the establishment of a formal communications link between COT and the organizational entities that use COT services.
  • CIO-087 - Internet Usage Review Request Policy
    The purpose of this policy is to provide procedures for cabinets/agencies to follow when requesting internet usage documentation.
  • CIO-091 - Enterprise Information Security Program
    This policy has been created to align the Commonwealth's Enterprise Information Security Program with the security framework of the current National Institute of Security Standards (NIST) Special Publication 800-53.
  • CIO-092 - Media Protection Policy
    This policy ensures proper provisions are in place to protect information stored on media, both digital and non-digital, throughout the media's useful life until its sanitization or destruction.
This page was last modified 5/31/2019 12:59 PM