Enterprise Policies articulate the rules and regulations of state government regarding information technology. These policies determine the type of activities that are approved for both agencies and employees. The Enterprise Architecture framework is constructed of several interrelated components, including policies that support the business process and functions.
COT administers the Enterprise Policy development, review and approval process. COT policies have a biennial life cycle and are reassessed based upon their last review period. Enterprise IT policies are presented to the Technology Advisory Council (TAC) for compliance by all appropriate agencies.
Enterprise IT Policies
CIO-050 - Enterprise Procurement of Information Technology Assets Policy
This policy describes the responsibilities and procedures surrounding the procurement, ownership and tracking of information technology (IT) assets.
CIO-051 - Information Technology Standards Policy
This policy defines the Information Technology Standards Committee (ITSC) as the body responsible for the development of approved Kentucky Information Technology Standards (KITS).
This policy describes the responsibilities and procedures to be followed when requesting access to IT equipment room areas at the Commonwealth Data Center.
CIO-060 - Internet and Electronic Mail Acceptable Use Policy
This policy is to define and outline acceptable use of Internet and Electronic mail (E-mail) resources in state government.
CIO-061 - Social Media Policy
This policy is to define and outline acceptable use of Social Media resources in state government.
CIO-071 - Wireless Voice and Data Services Policy
This policy defines deployment and acceptable use of wireless devices within the Executive Branch of state government.
CIO-072 - Identity and Access Management Policy
The purpose of this policy is to define access control measures for Commonwealth systems to protect the privacy, security, confidentiality, and integrity of the Commonwealth of Kentucky resources and data.
CIO-073 - Anti-Virus Policy
The purpose of this policy is to help protect computing devices (servers, desktops, laptops and tablets) from malware (viruses, Trojans, worms, hoaxes, etc.).
CIO-074 - Enterprise Network Security Architecture Policy
In order to better protect and secure the resources of the state computing environment, it is necessary to enhance the Enterprise Network Security Architecture and segregate resources and types of activities.
CIO-076 - Firewall and Virtual Private Network Administration Policy
The administration of firewalls and virtual private networks (VPN) is a primary component in securing the infrastructure and must conform to this policy.
CIO-078 - Wireless LAN Policy
The purpose of this policy is to outline security and data integrity measures required for secure wireless LAN installations within the state's intranet zone.
CIO-082 - Critical Systems Vulnerability Assessments
The purpose of this policy is to establish procedures for network vulnerability assessments of the servers and operational environments of critical systems by state agencies utilizing the Kentucky Information Highway (KIH), hereinafter referred to as "Agency".
CIO-084 - Email Review Request
The purpose of this policy is to provide procedures for cabinets/agencies to follow when requesting e-mail review documentation.
CIO-085 - Authorized Agency Contacts
The intent of this policy is to ensure the establishment of a formal communications link between COT and the organizational entities that use COT services.
CIO-086 - State Agency Local Print Policy
Where it does not impede the ability of state workers to conduct agency business, this policy directs agency staff to make conscious decisions to print only where there are tangible benefits for printed output, and, when printing is necessary, to print in black and white and in duplex.
CIO-087 - Internet Usage Review Request Policy
The purpose of this policy is to provide procedures for cabinets/agencies to follow when requesting internet usage documentation.
CIO-090 - Information Security Incident Response Policy
This policy identifies the necessity and procedures for agencies and COT to identify and notify appropriate personnel when a security incident occurs.
CIO-091 - Enterprise Information Security Program
This policy has been created to align the Commonwealth's Enterprise Information Security Program with the security framework of the current National Institute of Security Standards (NIST) Special Publication 800-53.
CIO-092 - Media Protection Policy
This policy ensures proper provisions are in place to protect information stored on media, both digital and non-digital, throughout the media's useful life until its sanitization or destruction.
CIO-093 - Risk Assessment Policy
This policy ensures proper application of risk management principles through proactive risk identification, management and acceptance pertaining to information technology activities. It also identifies the family of controls for Risk Assessment as defined in NIST Special Publication 800-53.
CIO-101 - Enterprise Release Management Policy
This policy describes the responsibilities and procedures to be followed when making modifications to the Commonwealth of Kentucky's production software application.
Due to high support costs and increased security risks incurred through continuing use of out-of-support or "sunset" software that is non-compliant with the Commonwealth's Information Technology Standards, this policy is to establish appropriate cost recovery charges, in addition to normal services charges, when agencies continue to employ such software.
CIO-103 - Independent Verification and Validation PolicyEstablishes controls related to the management
of information technology
(IT) projects within the executive branch of the Commonwealth. The controls provides guidance in decision-making and
practices that optimize resources, mitigate project risk, and maximize return