Policies


CIO-050 Enterprise Procurement of Information Technology Assets

Describes responsibilities and processes regarding the procurement, ownership and tracking of information technology (IT) assets.

CIO-051 IT Information Technology Standards Policy

Establishes the standards for the development and maintenance of Kentucky Information Technology Standards (KITS). This policy provides guidance in decision-making and practices that optimize resources, mitigate risk, and maximize return on investment.

CIO-058 Commonwealth Data Center IT Equipment Room Physical Access (CIO-058)

Describes the responsibilities and procedures to be followed when requesting access to IT equipment room areas at the Commonwealth Data Center.

CIO-059 Equipment Installation and Removal at Commonwealth Data Centers

Outlines the responsibilities and procedures to be followed when equipment is installed in or removed from the Commonwealth Data Centers.

CIO-060 Acceptable Use Policy

Defines and outlines acceptable use of Commonwealth enterprise IT resources.

CIO-061 Social Media Policy

Defines and outlines acceptable use of social media.

CIO-071 Wireless Voice and Data Services Policy

Defines deployment and acceptable use of wireless devices within the Executive Branch of state government.

CIO-072 IT Access Control and User Access Management Policy

Provides guidance in decision-making and practices to mitigate risk, protect the privacy, security, confidentiality, and integrity of the Commonwealth of Kentucky resources and data, and prevent unauthorized access to such resources.

CIO-073 Anti-Virus Policy

Helps protect computing devices (servers, desktops, laptops and tablets) from malware (viruses, Trojans, worms, hoaxes, etc.).

CIO-074 Enterprise Network Security Architecture Policy

In order to better protect and secure the resources of the state computing environment, it is necessary to enhance the Enterprise Network Security Architecture and segregate resources and types of activities.

CIO-076 Firewall and, VPN Administration Policy

The administration of firewalls and virtual private networks (VPN) is a primary component in securing the infrastructure and must conform to this policy.

CIO-078 Wireless LAN Policy

Outlines security and data integrity measures required for secure wireless LAN installations within the state's intranet zone.

CIO-084 E-mail Review Request

Provides procedures for cabinets/agencies to follow when requesting e-mail review documentation.

CIO-085 Authorized Agency Contacts

Ensure the establishment of a formal communications link between COT and the organizational entities that use COT services.

CIO-090 Information Security Incident Response Policy

Identifies the necessity and procedures for agencies and COT to identify and notify appropriate personnel when a security incident occurs.

CIO-091 Enterprise Information Security Program

This policy has been created to align the Commonwealth's Enterprise Information Security Program with the security framework of the current National Institute of Security Standards (NIST) Special Publication 800-53.

CIO-092 Media Protection Policy

Ensures proper provisions are in place to protect information stored on media, both digital and non-digital, throughout the media's useful life until its sanitization or destruction.

CIO-093 Risk Assessment Policy

Ensures proper application of risk management principles through proactive risk identification, management and acceptance pertaining to information technology activities. It also identifies the family of controls for Risk Assessment as defined in NIST Special Publication 800-53.

CIO-101 Enterprise IT Change Management Policy

Establishes controls for the effective management of changes to IT systems.

CIO-102 Technology Sunset Policy

Establishes the responsibilities for addressing technology in sunset status. Due to high support costs and increased security risks incurred through continuing use of out-of-support or "sunset" software that is non-compliant with the Commonwealth's Information Technology Standards, this policy is to establish appropriate cost recovery charges, in addition to normal services charges, when agencies continue to employ such software.

CIO-103 Independent Verification and Validation Policy

Establishes controls related to the management of information technology (IT) projects within the executive branch of the Commonwealth. The controls provides guidance in decision-making and practices that optimize resources, mitigate project risk, and maximize return on investments.

CIO-104 Configuration Management Policy

Provides guidance in decision-making and practices that optimize resources, mitigate risk, and maximize return on investment while also addressing purpose, scope, and compliance.

CIO-105 System and Information Integrity Policy

Establishes a COT Enterprise System and Information Integrity for managing risks from system flaws, vulnerabilities, malicious code, unauthorized code changes, and inadequate error handling through the implementation of an effective system and information integrity program.

CIO-106 Enterprise Privacy Policy

Provides a structured set of principles for protecting privacy and serves as a roadmap for agencies to use in identifying and implementing privacy principles for the entire life cycle of Personal Information (PI), whether in paper or electronic form.

CIO-107 Enterprise Managed Print Services Policy

Provides a structured set of principles for Enterprise Managed Print Services (MPS). The policy provides guidance in decision-making and practices that optimize resources, mitigate risk, and maximize return on investments.

CIO-108 Proofs of Concept and Pilot Projects Policy

Establishes controls related to Commonwealth Office of Technology (COT) Enterprise requirements for Proof of Concept (POC) and Pilot Projects.

CIO-110 Enterprise Data Management Policy

Establishes controls related to Enterprise Data Management. The policy provides guidance in decision-making and practices that optimize resources, mitigate risk, and maximize return on investment.​

CIO-111 Software Development Life Cycle Policy

Establishes controls addressing the approach to software development. The controls provide guidance in decision-making and practices that optimize resources, mitigate risk and maximize return on investments.

CIO-112 Security Planning Policy

Establishes controls related to security planning. The policy provides guidance in decision-making and practices that optimize resources, mitigate risk, and maximize return on investment.

CIO-113 Contingency Planning Policy

Establishes controls related to Contingency Planning. The policy provides guidance in decision-making and practices that optimize resources, mitigate risk, and maximize return on investment.

CIO-114 System Maintenance Policy

Establishes controls related to maintenance of the Commonwealth of Kentucky’s information systems. The policy provides guidance in decision-making and practices that optimize resources, mitigate risk, and maximize return on investment.

CIO-115 Physical and Environmental Protection

Establishes controls related to Physical and Environmental Protection. The policy provides guidance in decision-making and practices that optimize resources, mitigate risk, and maximize return on investment.

CIO-116 Personnel Security Policy

Establishes controls related to Personnel Security. The policy provides guidance in decision-making and practices that optimize resources, mitigate risk, and maximize return on investment.

CIO-117 System and Services Acquisition Policy

Establishes controls related to System and Services Acquisition. The policy provides guidance in decision-making and practices that optimize resources, mitigate risk, and maximize return on investment.

CIO-118 System and Communications Protection

Establishes controls related to system and communications protection. The policy provides guidance in decision-making and practices that optimize resources, mitigate risk, and maximize return on investment.

CIO-119 Audit and Accountability Policy

Establishes controls related to audit and accountability. The policy provides guidance in decision-making and practices that optimize resources, mitigate risk, and maximize return on investment.

CIO-120 Security Assessment and Authorization Policy

Establishes controls related to security assessment and authorization. The policy provides guidance in decision-making and practices that optimize resources, mitigate risk, and maximize return on investment.

CIO-121 Security Awareness and Training Policy

Establishes controls related to security awareness and training. The policy provides guidance in decision-making and practices that optimize resources, mitigate risk, and maximize return on investment.

CIO-122 Enterprise Document Management Policy

Establishes controls related to enterprise document management, including associated standards and supporting guidelines. The policy's chief focus is the creation of executive branch agency-specific Document Management Plans.

CIO-123 Identification and Authentication Policy

Establishes controls related to identification and authentication. The policy provides guidance in decision-making and practices that optimize resources, mitigate risk, and maximize return on investment.

CIO–124 Commonwealth Asset Warehouse Physical Access Policy

Establishes controls related to physical access to the Commonwealth Asset Warehouse. This policy provides guidance in decision-making and practices that optimize resources, mitigate risk, and maximize return on investment. Specifically, the policy ensures physical access is reviewed and implemented in a rational and predictable manner to increase efficiency and minimize the impact of change-related incidents upon service quality.

ENT-101 Enterprise Data Classification Standard

Defines the classification scheme for public records and outli​nes data handling requirements throughout the lifecycle of data. It also provides recommended sample disclaimers for use when storing and transferring data of various classifications.

ENT-102 Enterprise Data Classification Process

Defines how data is identified, classified, labeled, and properly handled and protected in accordance with its importance and potential impact to the Commonwealth.

ENT-103 Enterprise Digitization Standards

These standards apply to all executive branch agency digitization (scanning) efforts; i.e., converting physical documents into a digital format.

ENT-201 Enterprise Security Controls and Best Practices

Details the security controls that COT’s Office of the CISO requires for information systems and activities for the Commonwealth of Kentucky. COT established this security framework using the moderate-level controls outlined in NIST Special Publication 800-53 Rev 4.

ENT-301 Acceptable Use and Social Media Guidelines

Supports the CIO-060 Acceptable Use Policy and the CIO-061 Social Media Policy, and requires the same compliance as the policies.

ENT-302 Enterprise Digitization Guidelines and Best Practices

These guidelines and best practices provide specific guidance regarding agency digitization (scanning) efforts, addressing each element of an agency's Digitization Plan.

ENT-303 Enterprise Document Storage Guidelines and Best Practices

These guidelines and best practices provide guidance regarding appropriate use of storage platforms, as part of proper document handling on the Commonwealth’s IT systems.

​​​​​​​​​​​​​​​​​​​