About the Office of the Chief Information Security Officer (OCISO)


David Carter 
Chief Information
Security Officer 

The Office of the Chief Information Security Officer (OCISO) is responsible for IT security functions. The Office works with the entire enterprise to establish the best security practices and risk management processes, and deploys strategies aimed at protecting and securing the Commonwealth's data. The Office also plays a major role in promoting security awareness.




Branch Manager: Roni Stone

The Compliance Branch participates in 20+ audits annually that have an IT component. This ranges from the annual audits conducted by the Auditor of Public Accounts to audits conducted by regulatory entities such as the Internal Revenue Service and Social Security Administration. Enterprise level audits and those specific to COT are part of the work effort of this Branch. Agency specific audits are billed to the agency at the security consulting rate. This Branch works with agencies to ensure compliance with the Enterprise Control Framework and conducts assessments to measure effectiveness. This Branch drives the enterprise risk assessment conducted bi-annually to ensure ongoing compliance with the NIST framework and industry best practices to develop an ongoing strategic roadmap for security. Development of Enterprise Security Policy and processes are within the scope of responsibility of the Compliance Branch

Branch Manager: Charles Columbia

The Directory Services Branch is responsible for the establishment  and management of an enterprise directory infrastructure that will provide effective and efficient state-wide authentication for computing resources. This includes the management of enterprise directory system level policies  that  ensure  the  appropriate application of  security controls to protect  enterprise  identities,  as well as identity federation to allow the Commonwealth to conduct business and interact with external entities  and  systems.

Branch Manager: Bradley Kayes

The Forensics Investigations Branch performs analysis of enterprise and agency level security events to determine method of attack and actions taken. This Branch provides feedback to the Security Operations Branch to help develop ongoing protection strategies based on the findings. The Branch gathers information for employee investigations to support personnel actions based on employee acceptable use violations. Investigations with a criminal component are referred to the Kentucky State Police and this Branch coordinates activities with law enforcement. The Branch also conducts activities to pull electronic records for Open Records and Litigation Requests. Information is filtered based on the required criteria and provided to the agency legal counsel for further review and filtering based on sensitivity and applicability. For agencies outside of COT, this is a billable service at the forensic consulting rate.


Branch Manager: Melinda Sanford

The Security Administration Branch is responsible for the development and management of an Enterprise Identity Management System, which consists of the implementation of Automated and Manual Processes for Provisioning and De­ Provisioning Enterprise User Identities Including; Active Directory Account, user home folders, Lync (Instant Messaging and Collaboration), email accounts, organization-based distribution list membership, access to enterprise level applications such as Enterprise Business Intelligence, security forms processing for exemptions, reviews, and assessments, management of multi-factor-authenticators, etc.



The Security Operations Branch is a tactical operations center that provides 24-hour per day monitoring of enterprise sources, to include data center  physical  security and environmental conditions, infrastructure stability monitoring, security incident monitoring, enterprise security incident management, enterprise risk and threat  management,  and security  architecture  and  infrastructure management.




Please visit the "Security Services" web page for additional information.

This page was last modified 9/30/2021 2:41 PM

Report Security Incidents:

Commonwealth Service Desk
(502) 564-7576


Contact Information:

Office of the Chief Information Security Officer

David J. Carter
Chief Information Security Officer
(502) 564-8734


Bob Brooks
Deputy Chief Information Officer
(502) 782-9517



Roni Stone
Branch Manager
Compliance Branch
(502) 782-8770

Melinda Sanford
Branch Manager:
Security Administration Branch
(502) 564-6375

Security Operations Branch
(502) 782-8640

 Bradley Kayes
Forensics Investigations Branch
(502) 782-4604

Charles Columbia
Directory Services Branch
(502) 782-2311

 - - - - - - - - - -

500 Mero Street 
Frankfort, KY 40601