LEGACY IT POLICIES AND STANDARDS

With the passage of Senate Bill 117 in May 2013 (Act 2013-68) and the creation of the position of the Secretary of Information Technology and the Office of Information Technology (OIT), the responsibilities of Information Technology (IT) Governance, to include Planning and Policy, were transferred from the Information Services Division (ISD), Department of Finance, to OIT.

Until such time that OIT can fully assimilate ISD IT policies, existing ISD IT policies shall be considered statewide OIT policies, and are promulgated under the authority of OIT.

The following ISD legacy policies (previously published on the cybersecurity.alabama.gov website) shall remain in effect until they are reissued or rescinded by OIT.

Information Technology (General)

Released    Reviewed  Title
05/31/2013  03/2017   Policy 100: Information Technology Policies
07/01/2013  03/2017   Reference: Information Technology Dictionary

IT Planning, Budgeting and Procurement

Released    Reviewed  Title
04/26/2011  03/2017   Policy 200: Information Technology Planning
04/26/2011  03/2017   Policy 220: Information Technology Budgeting
04/26/2011  03/2017   Policy 230: Information Technology Procurement
04/26/2011  03/2017   * Standard 230S1: IT Procurement

IT Architecture

Released    Reviewed  Title
09/01/2011  03/2017   Policy 500: Statewide Information Systems Architecture
09/12/2012  03/2017   * Standard 500S1: Network Architecture Standard
10/14/2014  03/2017   * Standard 500S2: Security Categorization
09/01/2011  03/2017   Policy 520: Domain Naming & Registration
09/01/2011  03/2017   Policy 530: Web Development
09/01/2011  03/2017   * Standard 530S1: Online Privacy and Data Collection
09/01/2011  03/2017   * Standard 530S2: Universal Accessibility
09/01/2011  03/2017   * Standard 530S3: Online Security Statement
09/01/2011  03/2017   * Standard 530S4: Hypertext Linking

Cybersecurity Management

Released    Reviewed  Title
05/16/2011  03/2017   Policy 600: Information Security
05/31/2011  03/2017   Policy 602: Info Security for Service Providers
07/19/2012  03/2017   Policy 604: Cyber Security Incident Response
06/06/2011  03/2017   * Procedure 604P1: Incident Reporting
08/09/2012  03/2017   * Procedure 604P2: Incident Handling
06/16/2011  03/2017   Policy 605: Configuration Management
06/16/2011  03/2017   * Guideline 605G1: CM Process
09/01/2011  03/2017   Policy 606: Risk Management
09/01/2011  03/2017   * Guideline 606G1: Risk Assessment
01/18/2012  03/2017   * Guideline 606G2: Personnel Security

Cybersecurity Awareness Training

Released    Reviewed  Title
09/01/2011  03/2017   Policy 610: Security Awareness

Access Controls

Released    Reviewed  Title
11/23/2011  03/2017   Policy 621: Network & System Access
09/01/2011  03/2017   Policy 622: Remote Access
09/01/2011  03/2017   * Standard 622S1: Virtual Private Networks
09/01/2011  03/2017   * Standard 622S2: Dial-In Access
07/01/2013  03/2017   Policy 623: Authentication

System Use

Released    Reviewed  Title
08/28/2012  03/2017   Policy 630: System Use

Connections

Released    Reviewed  Title
09/01/2011  03/2017   Policy 641: External Connections
09/01/2011  03/2017   * Standard 641S1: Interconnecting IT Systems
09/01/2011  03/2017   Policy 643: Wireless Security
09/01/2011  03/2017   * Standard 643S1: Wireless Networks
09/01/2011  03/2017   * Standard 643S2: Wireless Clients
09/01/2011  03/2017   * Standard 643S3: Bluetooth Security
09/01/2011  03/2017   Policy 644: Voice over Internet Protocol
09/01/2011  03/2017   * Standard 644S1: VoIP Security

Physical Security

Released    Reviewed  Title
02/28/2012  03/2017   Policy 651: Physical Security
10/23/2014  03/2017   Policy 652: Card Key Access Control

System / Application Security

Released    Reviewed  Title
09/01/2011  03/2017   Policy 661: Application Security
12/01/2011  03/2017   * Guideline 661G1: Application Security
01/26/2012  03/2017   * Guideline 661G2: Security Engineering Principles
09/01/2011  03/2017   Policy 662: Systems Security
06/24/2013  03/2017   * Standard 662S1: Server Security
08/01/2013  03/2017   * Standard 662S2: Client Systems Security
09/01/2011  03/2017   * Standard 662S3: POS Systems Security
09/01/2011  03/2017   * Guideline 662G1: Systems Security
12/14/2011  03/2017   * Guideline 662G2: BIOS Protection

Security Administration

Released    Reviewed  Title
04/15/2013  03/2017   Policy 672: Vulnerability Scanning
09/01/2011  03/2017   Policy 673: Backup and Recovery
03/03/2017  03/2017   Policy 674: Virus Protection
09/01/2011  03/2017   * Standard 674S1: Virus Protection
09/01/2011  03/2017   Policy 675: Vulnerability Management
09/01/2011  03/2017   Policy 676: Monitoring and Reporting
09/01/2011  03/2017   Policy 677: Log Management
01/18/2012  03/2017   * Standard 677S1: Log Management
09/01/2011  03/2017   Policy 678: System Maintenance

Information / Data Management

Released    Reviewed  Title
09/01/2011  03/2017   Policy 681: Information Protection
09/01/2011  03/2017   * Standard 681S1: Information Protection
09/01/2011  03/2017   * Standard 681S2: Protecting PII
09/01/2011  03/2017   * Standard 681S3: Media Sanitization
02/28/2012  03/2017   * Procedure 681P1: Equipment Disposal
02/28/2012  03/2017   * Form: Electronic Media Sanitization Declaration
09/01/2011  03/2017   Policy 682: Information Release
09/01/2011  03/2017   Policy 683: Encryption
01/18/2012  03/2017   Policy 685: Data Breach Notification

Disaster Recovery

Released    Reviewed  Title
04/26/2011  03/2017   Policy 690: Disaster Recovery