Enterprise Policies articulate the rules and regulations of state government regarding information technology. These policies determine the type of activities that are approved for both agencies and employees. The Enterprise Architecture framework is constructed of several interrelated components, including policies that support the business process and functions.
COT administers the Enterprise Policy development, review and approval process. COT policies have a biennial life cycle and are reassessed based upon their last review period. Enterprise IT policies are presented to the Technology Advisory Council (TAC) for compliance by all appropriate agencies.
Enterprise IT Policies
CIO-050 - Enterprise Procurement of Information Technology Assets Policy
This policy describes the responsibilities and procedures surrounding the procurement, ownership and tracking of information technology (IT) assets.
CIO-051 - Information Technology Standards Policy
policy establishes the standards for the development and maintenance of
Kentucky Information Technology Standards (KITS). This policy
provides guidance in decision-making and practices that optimize
resources, mitigate risk, and maximize return on investment.
This policy describes the responsibilities and procedures to be followed when requesting access to IT equipment room areas at the Commonwealth Data Center.
CIO-060 - Internet and Electronic Mail Acceptable Use Policy
This policy is to define and outline acceptable use of Internet and Electronic mail (E-mail) resources in state government.
CIO-061 - Social Media Policy
This policy is to define and outline acceptable use of Social Media resources in state government.
CIO-071 - Wireless Voice and Data Services Policy
This policy defines deployment and acceptable use of wireless devices within the Executive Branch of state government.
CIO-072 - IT Access Control and
User Access Management Policy
This policy provides
guidance in decision-making and practices to mitigate risk, protect the
privacy, security, confidentiality, and integrity of the Commonwealth of
Kentucky resources and data, and prevent unauthorized access to such resources
CIO-073 - Anti-Virus Policy
The purpose of this policy is to help protect computing devices (servers, desktops, laptops and tablets) from malware (viruses, Trojans, worms, hoaxes, etc.).
CIO-074 - Enterprise Network Security Architecture Policy
In order to better protect and secure the resources of the state computing environment, it is necessary to enhance the Enterprise Network Security Architecture and segregate resources and types of activities.
CIO-076 - Firewall and Virtual Private Network Administration Policy
The administration of firewalls and virtual private networks (VPN) is a primary component in securing the infrastructure and must conform to this policy.
CIO-078 - Wireless LAN Policy
The purpose of this policy is to outline security and data integrity measures required for secure wireless LAN installations within the state's intranet zone.
CIO-082 - Critical Systems Vulnerability Assessments
The purpose of this policy is to establish procedures for network vulnerability assessments of the servers and operational environments of critical systems by state agencies utilizing the Kentucky Information Highway (KIH), hereinafter referred to as "Agency".
CIO-084 - Email Review Request
The purpose of this policy is to provide procedures for cabinets/agencies to follow when requesting e-mail review documentation.
CIO-085 - Authorized Agency Contacts
The intent of this policy is to ensure the establishment of a formal communications link between COT and the organizational entities that use COT services.
CIO-087 - Internet Usage Review Request Policy
The purpose of this policy is to provide procedures for cabinets/agencies to follow when requesting internet usage documentation.
CIO-090 - Information Security Incident Response Policy
This policy identifies the necessity and procedures for agencies and COT to identify and notify appropriate personnel when a security incident occurs.
CIO-091 - Enterprise Information Security Program
This policy has been created to align the Commonwealth's Enterprise Information Security Program with the security framework of the current National Institute of Security Standards (NIST) Special Publication 800-53.
CIO-092 - Media Protection Policy
This policy ensures proper provisions are in place to protect information stored on media, both digital and non-digital, throughout the media's useful life until its sanitization or destruction.
CIO-093 - Risk Assessment Policy
This policy ensures proper application of risk management principles through proactive risk identification, management and acceptance pertaining to information technology activities. It also identifies the family of controls for Risk Assessment as defined in NIST Special Publication 800-53.
CIO-101 - Enterprise Software Change Management Policy
This policy describes the responsibilities and procedures to be followed when making modifications to the Commonwealth of Kentucky's production software application.
Due to high support costs and increased security risks incurred through continuing use of out-of-support or "sunset" software that is non-compliant with the Commonwealth's Information Technology Standards, this policy is to establish appropriate cost recovery charges, in addition to normal services charges, when agencies continue to employ such software.
CIO-103 - Independent Verification and Validation PolicyEstablishes controls related to the management
of information technology
(IT) projects within the executive branch of the Commonwealth. The controls provides guidance in decision-making and
practices that optimize resources, mitigate project risk, and maximize return
CIO-104 - Configuration Management Policy
Provides guidance in decision-making and
practices that optimize resources, mitigate risk, and maximize return on
investment while also addressing purpose, scope, and compliance.
CIO-105 - System and Information Integrity
Establishes a COT Enterprise System
and Information Integrity for managing risks from system flaws, vulnerabilities,
malicious code, unauthorized code changes, and inadequate error handling
through the implementation of an effective system and information integrity
Provides a structured set of principles for protecting
privacy and serves as a roadmap for agencies to use in identifying and
implementing privacy principles for the entire life cycle of Personal
Information (PI), whether in paper or electronic form.
CIO-107 - Enterprise Managed Print Services Policy
This policy provides a structured set of principles for Enterprise Managed Print Services
(MPS). The policy provides guidance in
decision-making and practices that optimize resources, mitigate risk, and maximize
return on investments.
CIO-108 - Proof of Concept (POC) and Pilot Projects
This policy establishes controls related to Commonwealth Office of
Technology (COT) Enterprise requirements for Proof of Concept (POC) and Pilot Projects.
CIO-110 Enterprise Data Management Policy - This policy establishes controls related to Enterprise Data Management. The policy provides guidance in decision-making and practices that optimize resources, mitigate risk, and maximize return on investment.
CIO-111 Software Development Life Cycle Policy - This policy establishes controls addressing the approach to software development. The controls provide guidance in decision-making and practices that optimize resources, mitigate risk and maximize return on investments.