CIO-085 Authorized Agency Contacts

Office of the Chief Information Officer Enterprise Policy
 
CIO-085: Authorized Agency Contacts
Effective Date: 08/01/2005
Reviewed Date: 11/10/2016
Revision Date: 2/28/2019
 
Policy Statement: This policy establishes controls related to Authorized Agency Contacts.  The policy provides guidance in decision-making and practices that optimize resources, mitigate risk, and maximize return on investment.
 
Definition:
 
Agency - Within the Executive Branch, with the exception of the General Government Cabinet, "Agency" shall refer to the Cabinet as a whole, rather than any distinct divisions within the Cabinet.  Within the General Government Cabinet, "Agency" refers to each unique Board or constitutional office within the Cabinet.
 
Policy:
This policy establishes formal communications links between the Commonwealth Office of Technology (COT) and the agencies that use COT services by maintaining four functional contact lists: Agency Human Resources Contacts, Agency IT Services Contacts, Agency Compliance Contacts, and Agency Security Contacts.
 
Each agency shall designate at least one contact for each contact list and will provide their contact names to the Commonwealth Service Desk.  Agencies may designate the same staff member for multiple functional contact lists.  COT shall maintain an up-to-date Agency Contact List. The agency contacts shall have the authority to act on behalf of their agency.  COT shall process requests only from properly authorized contacts and only through proper channels.

Agency Human Resources Contact
Each agency shall establish at least one Human Resources Contact. Agencies and COT shall authorize these contacts to submit requests for the establishment, modification, and deletion of end user identities and access. The contact shall have spending authority for core, user-based services such as e-mail, endpoint device support (i.e. desktop, laptop, tablet), VPN, etc. for their agency’s personnel. Agencies shall ensure that their human resources contacts understand basic identity protection and privacy practices and are knowledgeable regarding the process for requesting services.
 
Agency IT Services Contact
Each agency shall establish at least one IT Services Contact.  Agencies and COT shall authorize these contacts to request rated and non-rated services from COT (e.g., hardware, software, voice/data services, and disk space). Agencies shall ensure that these contacts are knowledgeable about COT rated services and the processes for requesting services. Agency IT Services Contacts shall be responsible for distributing communications from COT, such as Agency Contact Memos or Awareness Notifications, to the appropriate authorities and affected parties within their agency.
 
Agency Compliance Contact
Each agency shall establish at least one Compliance Contact. Agencies and COT shall authorize these contacts to serve as the central coordinator for the various business units within the agency for matters of state, local, or federal regulatory compliance, such as audits.  This role shall be responsible for distributing communications pertaining to compliance to the appropriate authorities and affected parties within the agency.
 
Agency Privacy Contact
Each agency shall establish at least one Privacy Contact.  Agencies shall authorize the Privacy Contact to serve as the contact for privacy-related issues.  This contact shall be authorized to act on and respond to communications from COT and provide information to COT concerning the agencies’ privacy principles as required by CIO-106, Enterprise Privacy Policy.
 
Agency Security Contact
Each agency shall establish at least one Security Contact.  Agencies and COT shall authorize these contacts to serve as the focal point for communications with the Office of the Chief Information Security Officer for security-related issues specifically affecting the agency, such as the protection of the agency’s data and computing resources. These contacts shall act and respond in a timely manner to security-related information based on COT and agency policies and procedures and in accordance with federal, state, and local laws. The security contacts shall be responsible for distributing security-related information to the appropriate authorities and affected parties within the agency.
 
Authority:  KRS 42.726 authorizes the Commonwealth Office of Technology (COT) to develop policies and compliance processes to support and promote the effective applications of information technology within the executive branch of state government.
 
Applicability:  All executive branch agencies and non-executive branch agencies using COT-managed infrastructure or services must adhere to this policy.  This includes employees, contractors, consultants, temporaries, volunteers, and other workers within state government.
 
Responsibility for Compliance:  Each agency must ensure that staff within their organizational authority are made aware of and comply with this policy. The agency is responsible for enforcing it.  Unauthorized and/or neglectful actions regarding this policy may result in disciplinary action up to and including dismissal.  COT may require additional service charges for remediation efforts due to non-compliance with this policy.
 
Maintenance:  COT is responsible for maintaining this policy.  Organizations may modify this policy to fulfill their responsibilities, but must obtain approval through an exception request.  Staff should refer to their internal policy, which may have additional information or clarification.
 
Review Cycle:  COT will review this policy at least every two years.
 
This page was last modified 3/1/2019 3:03 PM
 
References:
 
· COT rated services listing
 
· Agency Contact Listing: https://gotsource.ky.gov/docushare/dsweb/Get/Document-391539