Office of the Chief Information Officer Enterprise Policy
CIO-085: Authorized Agency Contacts
Effective Date: 08/01/2005
Reviewed Date: 11/10/2016
Revision Date: 2/28/2019
Policy Statement: This policy establishes controls related to Authorized Agency Contacts. The policy provides guidance in
decision-making and practices that optimize resources, mitigate risk, and maximize
return on investment.
Agency - Within the Executive Branch, with the
exception of the General Government Cabinet, "Agency" shall refer to
the Cabinet as a whole, rather than any distinct divisions
within the cabinet. Within the General Government Cabinet, "Agency"
refers to each unique Board or constitutional office within the Cabinet.
This policy establishes formal communications
links between the Commonwealth Office of Technology (COT) and the agencies that
use COT services by maintaining four functional contact lists: Agency Human
Resources Contacts, Agency IT Services Contacts, Agency Compliance Contacts, and
Agency Security Contacts.
Each agency shall designate at least one contact for
each contact list and will provide their contact names to the Commonwealth Service
Desk. Agencies may designate the same staff member for multiple
functional contact lists. COT shall maintain an up-to-date Agency
Contact List. The agency contacts shall have the authority to act on behalf of
their agency. COT shall process requests only from properly authorized
contacts and only through proper channels.
Agency Human Resources Contact
Each agency shall establish at least one Human Resources Contact.
Agencies and COT shall authorize these contacts to submit requests for the establishment,
modification, and deletion of end user identities and access. The contact shall
have spending authority for core, user-based services such as e-mail, endpoint
device support (i.e. desktop, laptop, tablet), VPN, etc. for their agency’s
personnel. Agencies shall ensure that their human resources contacts understand
basic identity protection and privacy practices and are knowledgeable regarding
the process for requesting services.
Agency IT Services Contact
Each agency shall establish at least one IT Services Contact. Agencies and COT shall authorize these
contacts to request rated and non-rated services from COT (e.g., hardware,
software, voice/data services, and disk space). Agencies shall ensure that
these contacts are knowledgeable about COT rated services and the processes for
requesting services. Agency IT Services Contacts shall be responsible for
distributing communications from COT, such as Agency Contact Memos or Awareness
Notifications, to the appropriate authorities and affected parties within their
Agency Compliance Contact
Each agency shall establish at least one Compliance Contact.
Agencies and COT shall authorize these contacts to serve as the central coordinator for
the various business units within the agency for matters of state, local, or
federal regulatory compliance, such as audits. This role shall be
responsible for distributing communications pertaining to compliance to the
appropriate authorities and affected parties within the agency.
Agency Privacy Contact
Each agency shall establish at least one Privacy Contact. Agencies shall authorize the Privacy Contact
to serve as the contact for privacy-related issues. This contact shall be authorized to act and
respond to communications from COT and provide information to COT concerning
the agencies’ privacy principles as required by CIO-106, Enterprise Privacy
Agency Security Contact
Each agency shall establish at least one Security Contact. Agencies and COT shall authorize these contacts to
serve as the focal point for communications with the Office of the Chief
Information Security Officer for security-related issues specifically affecting
the agency, such as the protection of the agency’s data and computing
resources. These contacts shall act and respond in a timely manner to security-related
information based on COT and agency policies and procedures and in accordance
with federal, state, and local laws. The security contacts shall be responsible
for distributing security-related information to the appropriate authorities
and affected parties within the agency.
42.726 authorizes the Commonwealth Office of Technology (COT) to
develop policies and compliance processes to support and promote the effective
applications of information technology within the executive branch of state
Applicability: All executive branch agencies and
non-executive branch agencies using COT-managed infrastructure or services must
adhere to this policy. This includes
employees, contractors, consultants, temporaries, volunteers, and other workers
within state government.
Responsibility for Compliance: Each agency must
ensure that staff within their organizational authority are made aware of and
comply with this policy. The agency is responsible for enforcing it. Unauthorized and/or neglectful actions
regarding this policy may result in disciplinary action up to and including
dismissal. COT may require additional
service charges for remediation efforts due to non-compliance with this policy.
Maintenance: COT is responsible for maintaining this
policy. Organizations may modify this
policy to fulfill their responsibilities, but must obtain approval through an
exception request. Staff should refer to
their internal policy, which may have additional information or clarification.
Review Cycle: COT will review this policy at least every