Security

IT Security is a high-profile issue for agencies. OET takes the lead in providing directives, resources, and applications to aid agencies in protecting their information assets.

Policies


Enterprise Security Program Policy

June 2009 - The Office of Enterprise Technology, Enterprise Security Office, and the Information Security Council announce the publication of the Enterprise Security Program Policy.  Download the PDF


Enterprise Security Control Policies

The following management control policies represent the overarching policy direction for managing security risks to the State's information. The process of information security risk management is fundamental to enabling agency leadership to make more informed, risk-based decisions for addressing security risks across their environment and the Executive branch as a whole.

Enterprise Security Management Control Policies

Download the PDF

Enterprise Security Operational Control Policies

This document addresses security risks to the State's information assets at the process level. These policies provide direction on how to improve security around the processes that represent the daily activities of conducting State business; actions taken by people, not technology.  Download the PDF

Enterprise Security Technical Control Policy

December 2009 - This document identifies the core security technology policies that will support and enable the business processes of the State. This will guide the direction of the technologies that will be used for information security purposes. Download the PDF


Enterprise Security Policy on Electronic Mail

Download the PDF

Standards


Enterprise Information Security Sanitization and Destruction Standard

June 2009 - This standard defines the requirements that applicable Executive branch agencies must comply with for the proper destruction or sanitization of information. These requirements are necessary to ensure that not-public data is properly removed from, or destroyed along with, storage media of various forms at the end of the media's useful life, at the end of its lease, as part of normal records purging, and in similar circumstances. This will help ensure that not-public data is not accessible to unauthorized individuals. Download the PDF


Enterprise Physical Security and Environmental Protection Standard

March 2010 - This standard is designed to help agencies identify their physical and environmental control requirements for protecting the entity's information. It includes the requirements for identifying controls, having processes to help enforce and manage the controls, and ensuring the appropriate environmental protections are available for government entities' information systems. Download the PDF


Enterprise Information Security Incident Management Standard

December 2009 - This standard outlines the requirements for the identification and reporting of information security related incidents and events, which is one of the Operational Control Policy areas. Quickly responding to and coordinating the management of these events is vital to mitigating the effect these incidents could have on the State's information assets. Download the PDF


Enterprise Vulnerability Management Security Standard

December 2009 - This standard represents one of the technology control areas under the Technical Control Policies. It outlines the requirements for identification and remediation of security vulnerabilities within the State's information systems and related technology.  Download the PDF


Enterprise Security Program Applicability Standard

April 2011 - This, along with the Enterprise Security Program Policy, represents the scope, framework, and governance authority of the Enterprise Security Program.  Download the PDF


Enterprise Security Continuity of Operations Standard

April 2011 - Continuity of operations planning is the process of identifying, mitigating and responding to an interruption of services. The purpose of this standard is to establish "when" continuity of operations planning is required, "what" is required and "why". Download the PDF


Enterprise Security Portable Computing Devices Standard

April 2011 - State agencies shall implement controls to reduce theft and loss of portable computing devices and data stored on them.  Download the PDF


Enterprise Security Training and Awareness Standard

April 2011 - In order to create a security conscious workforce, ensure appropriately trained personnel for organizational security roles, and to comply with the Enterprise Security Operational Control Policy, OC05 – Awareness and Training, this standard identifies the requirements for security awareness training.  These requirements are designed to help ensure individuals possess the required knowledge and competence for their role related to the security of information and information systems. Download the PDF


Enterprise Security Configuration Management Standard

April 2011 - Baseline, secure configurations provide defined and documented specifications to which an information system is built.  Since a majority of security breaches occur because of system misconfigurations or unauthorized configuration changes, these baselines are critical to ensure systems operate as intended. This standard specifies the requirements for the implementation of information security configuration management process control for information systems and assets. Download the PDF


Enterprise Security Patch Management Standard

April 2011 - Patch management supports a number of security practices, in addition to other operational activities, that help mitigate the exploitation of known security vulnerabilities. Well-defined patch management processes help prevent the introduction of problems into an environment and prepare the organization for when things go wrong due to changes. This standard specifies the requirements for the implementation of information security patch management process controls for information systems and assets. Download the PDF