Policies


CIO-050 Enterprise Procurement of Information Technology Assets

Describes responsibilities and processes regarding the procurement, ownership and tracking of information technology (IT) assets.

CIO-051 IT Information Technology Standards Policy

Establishes the standards for the development and maintenance of Kentucky Information Technology Standards (KITS). This policy provides guidance in decision-making and practices that optimize resources, mitigate risk, and maximize return on investment.

CIO-058 Commonwealth Data Center IT Equipment Room Physical Access (CIO-058)

Describes the responsibilities and procedures to be followed when requesting access to IT equipment room areas at the Commonwealth Data Center.

CIO-059 Equipment Installation and Removal at Commonwealth Data Centers

Outlines the responsibilities and procedures to be followed when equipment is installed in or removed from the Commonwealth Data Centers.

CIO-060 Acceptable Use Policy

Defines and outlines acceptable use of Commonwealth enterprise IT resources.

CIO-061 Social Media Policy

Defines and outlines acceptable use of social media.

CIO-071 Wireless Voice and Data Services Policy

Defines deployment and acceptable use of wireless devices within the Executive Branch of state government.

CIO-072 IT Access Control and User Access Management Policy

Provides guidance in decision-making and practices to mitigate risk, protect the privacy, security, confidentiality, and integrity of the Commonwealth of Kentucky resources and data, and prevent unauthorized access to such resources.

CIO-073 Anti-Virus Policy

Helps protect computing devices (servers, desktops, laptops and tablets) from malware (viruses, Trojans, worms, hoaxes, etc.).

CIO-074 Enterprise Network Security Architecture Policy

In order to better protect and secure the resources of the state computing environment, it is necessary to enhance the Enterprise Network Security Architecture and segregate resources and types of activities.

CIO-076 Firewall and VPN Administration Policy

The administration of firewalls and virtual private networks (VPN) is a primary component in securing the infrastructure and must conform to this policy.

CIO-078 Wireless LAN Policy

Outlines security and data integrity measures required for secure wireless LAN installations within the state's intranet zone.

CIO-084 E-mail Review Request Policy

Provides procedures for cabinets/agencies to follow when requesting e-mail review documentation.

CIO-085 Authorized Agency Contacts

Ensures the establishment of a formal communications link between COT and the organizational entities that use COT services.

CIO-090 Information Security Incident Response Policy

Identifies the necessity and procedures for agencies and COT to identify and notify appropriate personnel when a security incident occurs.

CIO-091 Enterprise Information Security Program Policy

This policy has been created to align the Commonwealth's Enterprise Information Security Program with the security framework of the current National Institute of Standards and Technology (NIST) Special Publication 800-53.

CIO-092 Media Protection Policy

Ensures proper provisions are in place to protect information stored on media, both digital and non-digital, throughout the media's useful life until its sanitization or destruction.

CIO-093 Risk Assessment Policy

Ensures proper application of risk management principles through proactive risk identification, management and acceptance pertaining to information technology activities. It also identifies the family of controls for Risk Assessment as defined in NIST Special Publication 800-53.

CIO-101 Enterprise IT Change Management Policy

Establishes controls for the effective management of changes to IT systems.

CIO-102 Technology Sunset Policy

Establishes the responsibilities for addressing technology in sunset status. Due to high support costs and increased security risks incurred through continuing use of out-of-support or "sunset" software that is non-compliant with the Commonwealth's Information Technology Standards, this policy is to establish appropriate cost recovery charges, in addition to normal services charges, when agencies continue to employ such software.

CIO-103 Independent Verification and Validation Policy

Establishes controls related to the management of information technology (IT) projects within the executive branch of the Commonwealth. The controls provide guidance in decision-making and practices that optimize resources, mitigate project risk, and maximize return on investments.

CIO-104 Configuration Management Policy

Provides guidance in decision-making and practices that optimize resources, mitigate risk, and maximize return on investment while also addressing purpose, scope, and compliance.

CIO-105 System and Information Integrity Policy

Establishes the COT Enterprise System and Information Integrity Policy for managing risks from system flaws, vulnerabilities, malicious code, unauthorized code changes, and inadequate error handling through the implementation of an effective system and information integrity program.

CIO-106 Enterprise Privacy Policy

Provides a structured set of principles for protecting privacy and serves as a roadmap for agencies to use in identifying and implementing privacy principles for the entire life cycle of Personal Information (PI), whether in paper or electronic form.

CIO-107 Enterprise Managed Print Services Policy

Provides a structured set of principles for Enterprise Managed Print Services (MPS). The policy provides guidance in decision-making and practices that optimize resources, mitigate risk, and maximize return on investments.

CIO-108 Proof of Concept and Pilot Project Policy

Establishes controls related to Commonwealth Office of Technology (COT) Enterprise requirements for Proof of Concept (POC) and Pilot Projects.

CIO-110 Enterprise Data Management Policy

Establishes controls related to Enterprise Data Management. The policy provides guidance in decision-making and practices that optimize resources, mitigate risk, and maximize return on investment.

CIO-111 Software Development Life Cycle Policy

Establishes controls addressing the approach to software development. The controls provide guidance in decision-making and practices that optimize resources, mitigate risk and maximize return on investments.

CIO-112 Security Planning Policy

Establishes controls related to security planning. The policy provides guidance in decision-making and practices that optimize resources, mitigate risk, and maximize return on investment.

CIO-113 Contingency Planning Policy

Establishes controls related to Contingency Planning. The policy provides guidance in decision-making and practices that optimize resources, mitigate risk, and maximize return on investment.

CIO-114 System Maintenance Policy

Establishes controls related to maintenance of the Commonwealth of Kentucky’s information systems. The policy provides guidance in decision-making and practices that optimize resources, mitigate risk, and maximize return on investment.

CIO-115 Physical and Environmental Protection

Establishes controls related to Physical and Environmental Protection. The policy provides guidance in decision-making and practices that optimize resources, mitigate risk, and maximize return on investment.

CIO-116 Personnel Security Policy

Establishes controls related to Personnel Security. The policy provides guidance in decision-making and practices that optimize resources, mitigate risk, and maximize return on investment.

CIO-117 System and Services Acquisition Policy

Establishes controls related to System and Services Acquisition. The policy provides guidance in decision-making and practices that optimize resources, mitigate risk, and maximize return on investment.

CIO-118 System and Communications Protection

Establishes controls related to system and communications protection. The policy provides guidance in decision-making and practices that optimize resources, mitigate risk, and maximize return on investment.

CIO-119 Audit and Accountability Policy

Establishes controls related to audit and accountability. The policy provides guidance in decision-making and practices that optimize resources, mitigate risk, and maximize return on investment.

CIO-120 Security Assessment and Authorization Policy

Establishes controls related to security assessment and authorization. The policy provides guidance in decision-making and practices that optimize resources, mitigate risk, and maximize return on investment.

CIO-121 Security Awareness and Training Policy

Establishes controls related to security awareness and training. The policy provides guidance in decision-making and practices that optimize resources, mitigate risk, and maximize return on investment.

CIO-122 Enterprise Document Management Policy

Establishes controls related to enterprise document management, including associated standards and supporting guidelines. The policy's chief focus is the creation of executive branch agency-specific Document Management Plans.

CIO-123 Identification and Authentication Policy

Establishes controls related to identification and authentication. The policy provides guidance in decision-making and practices that optimize resources, mitigate risk, and maximize return on investment.

CIO-124 Commonwealth Asset Warehouse Physical Access Policy

Establishes controls related to physical access to the Commonwealth Asset Warehouse. This policy provides guidance in decision-making and practices that optimize resources, mitigate risk, and maximize return on investment. Specifically, the policy ensures physical access is reviewed and implemented in a rational and predictable manner to increase efficiency and minimize the impact of change-related incidents upon service quality.

CIO-125 Supply Chain Risk Management Policy

Establishes controls related to supply chain risk management. The policy provides guidance in decision-making and practices that optimize resources, mitigate risk, and maximize return on investment.

ENT-101 Enterprise Data Classification Standard

Defines the classification scheme for public records and outlines data handling requirements throughout the lifecycle of data. It also provides recommended sample disclaimers for use when storing and transferring data of various classifications.

ENT-102 Enterprise Data Classification Process

Defines how data is identified, classified, labeled, and properly handled and protected in accordance with its importance and potential impact to the Commonwealth.

ENT-103 Enterprise Digitization Standards

These standards apply to all executive branch agency digitization (scanning) efforts; i.e., converting physical documents into a digital format.

ENT-201 Enterprise Security Controls and Best Practices

Details the security controls that COT’s Office of the CISO requires for information systems and activities for the Commonwealth of Kentucky. COT established this security framework using the moderate-level controls outlined in NIST Special Publication 800-53 Rev 5.

ENT-301 Acceptable Use and Social Media Guidelines

Supports the CIO-060 Acceptable Use Policy and the CIO-061 Social Media Policy, and requires the same compliance as the policies.

ENT-302 Enterprise Digitization Guidelines and Best Practices

These guidelines and best practices provide specific guidance regarding agency digitization (scanning) efforts, addressing each element of an agency's Digitization Plan.

ENT-303 Enterprise Document Storage Guidelines and Best Practices

These guidelines and best practices provide guidance regarding appropriate use of storage platforms, as part of proper document handling on the Commonwealth’s IT systems.
