Policy Statement:
This policy establishes the Commonwealth’s Enterprise Information Security Program.
Policy:
The Commonwealth Office of Technology (COT), Office of the Chief Information Security Officer (CISO) shall establish and maintain an Information Security Program with concomitant policies to adopt security controls and standards to protect the Commonwealth’s IT infrastructure, systems, and data.
The Office of the CISO will align the Commonwealth’s security program with 18 specific control families of the security framework described in the National Institute of Standards and Technology (NIST) Special Publication 800-53 Revision 4,
Security and Privacy Controls for Federal Information Systems and Organizations
. The program shall establish policies and standards, using NIST’s
moderate
impact controls, to address the following families of the NIST framework:
AC Access
Control
AT Awareness
and Training
AU Audit
and Accountability
CA Security
Assessment and Authorization
CM Configuration
Management
CP Contingency
Planning
IA Identification
and Authentication
IR Incident
Response
MA Maintenance
MP Media
Protection
PE Physical
and Environmental Protection
PL Planning
PM Program
Management
PS Personnel
Security
RA Risk
Assessment
SA System
and Services Acquisition
SC System
and Communications Protection
SI System
and Information Integrity
Authority:
KRS 42.726 authorizes the Commonwealth Office of Technology (COT) to develop policies and compliance processes to support and promote the effective applications of information technology within the executive branch of state government.
Applicability
:
All executive branch agencies and non-executive branch agencies using COT-managed infrastructure or services must adhere to this policy. This includes employees, contractors, consultants, temporaries, volunteers, and other workers within state government.
Responsibility for Compliance:
Each agency must ensure that staff within their organizational authority are made aware of and comply with this policy. The agency is responsible for enforcing it. Unauthorized and/or neglectful actions regarding this policy may result in disciplinary action up to and including dismissal. COT may require additional service charges for remediation efforts due to non-compliance with this policy.
Maintenance:
COT’s Office of the CISO is responsible for maintaining this policy. Organizations may modify this policy to fulfill their responsibilities, but must obtain approval through an exception request. Staff should refer to their internal policy, which may have additional information or clarification.
Review Cycle:
COT’s Office of the CISO will review this policy at least every two years.