With the passage of Senate Bill 117 in May 2013 (Act 2013-68) and the creation of the position of the Secretary of Information Technology and the Office of Information Technology (OIT), the responsibilities of Information Technology (IT) Governance, to include planning and policy, were transferred from the Information Services Division (ISD), Department of Finance, to OIT.
Until such time that OIT can fully assimilate ISD IT policies, existing ISD IT policies shall be considered statewide policies promulgated under the authority of OIT.
The following ISD legacy policies (previously published on the cybersecurity.alabama.gov website) shall remain in effect until they are reissued or rescinded by OIT.
IT Planning, Budgeting and Procurement
| Released | Reviewed | Title |
|---|---|---|
| 04/26/2011 | 03/2017 | Policy 200: Information Technology Planning |
| 04/26/2011 | 03/2017 | Policy 220: Information Technology Budgeting |
| 04/26/2011 | 03/2017 | Policy 230: Information Technology Procurement |
| 04/26/2011 | 03/2017 | * Standard 230S1: IT Procurement |
IT Architecture
| Released | Reviewed | Title |
|---|---|---|
| 09/01/2011 | 03/2017 | Policy 500: Statewide Information Systems Architecture |
| 09/12/2012 | 03/2017 | * Standard 500S1: Network Architecture Standard |
| 10/14/2014 | 03/2017 | * Standard 500S2: Security Categorization |
| 09/01/2011 | 03/2017 | Policy 520: Domain Naming & Registration |
| 09/01/2011 | 03/2017 | Policy 530: Web Development |
| 09/01/2011 | 03/2017 | * Standard 530S1: Online Privacy and Data Collection |
| 09/01/2011 | 03/2017 | * Standard 530S2: Universal Accessibility |
| 09/01/2011 | 03/2017 | * Standard 530S3: Online Security Statement |
| 09/01/2011 | 03/2017 | * Standard 530S4: Hypertext Linking |
Cybersecurity Management
| Released | Reviewed | Title |
|---|---|---|
| 05/16/2011 | 03/2017 | Policy 600: Information Security |
| 05/31/2011 | 03/2017 | Policy 602: Info Security for Service Providers |
| 07/19/2012 | 03/2017 | Policy 604: Cyber Security Incident Response |
| 06/06/2011 | 03/2017 | * Procedure 604P1: Incident Reporting |
| 08/09/2012 | 03/2017 | * Procedure 604P2: Incident Handling |
| 06/16/2011 | 03/2017 | Policy 605: Configuration Management |
| 06/16/2011 | 03/2017 | * Guideline 605G1: CM Process |
| 09/01/2011 | 03/2017 | Policy 611: Risk Management |
| 09/01/2011 | 03/2017 | * Guideline 611G1: Risk Assessment |
Access Controls
| Released | Reviewed | Title |
|---|---|---|
| 11/23/2011 | 03/2017 | Policy 621: Network & System Access |
| 09/01/2011 | 03/2017 | Policy 622: Remote Access |
| 09/01/2011 | 03/2017 | * Standard 622S1: Virtual Private Networks |
| 09/01/2011 | 03/2017 | * Standard 622S2: Dial-In Access |
Connections
| Released | Reviewed | Title |
|---|---|---|
| 09/01/2011 | 03/2017 | Policy 641: External Connections |
| 09/01/2011 | 03/2017 | * Standard 641S1: Interconnecting IT Systems |
| 09/01/2011 | 03/2017 | Policy 643: Wireless Security |
| 09/01/2011 | 03/2017 | * Standard 643S1: Wireless Networks |
| 09/01/2011 | 03/2017 | * Standard 643S2: Wireless Clients |
| 09/01/2011 | 03/2017 | * Standard 643S3: Bluetooth Security |
Physical Security
| Released | Reviewed | Title |
|---|---|---|
| 02/28/2012 | 03/2017 | Policy 651: Physical Security |
| 10/23/2014 | 03/2017 | Policy 652: Card Key Access Control |
System / Application Security
| Released | Reviewed | Title |
|---|---|---|
| 09/01/2011 | 03/2017 | Policy 661: Application Security |
| 12/01/2011 | 03/2017 | * Guideline 661G1: Application Security |
| 01/26/2012 | 03/2017 | * Guideline 661G2: Security Engineering Principles |
| 09/01/2011 | 03/2017 | Policy 662: Systems Security |
| 06/24/2013 | 03/2017 | * Standard 662S1: Server Security |
| 08/01/2013 | 03/2017 | * Standard 662S2: Client Systems Security |
| 09/01/2011 | 03/2017 | * Standard 662S3: POS Systems Security |
| 09/01/2011 | 03/2017 | * Guideline 662G1: Systems Security |
| 12/14/2011 | 03/2017 | *Guideline 662G2: BIOS Protection |
Security Administration
| Released | Reviewed | Title |
|---|---|---|
| 04/15/2013 | 03/2017 | Policy 672: Vulnerability Scanning |
| 09/01/2011 | 03/2017 | Policy 673: Backup and Recovery |
| 03/03/2017 | 03/2017 | Policy 674: Virus Protection |
| 09/01/2011 | 03/2017 | * Standard 674S1: Virus Protection |
| 09/01/2011 | 03/2017 | Policy 675: Vulnerability Management |
| 09/01/2011 | 03/2017 | Policy 676: Monitoring and Reporting |
| 09/01/2011 | 03/2017 | Policy 677: Log Management |
| 01/18/2012 | 03/2017 | * Standard 677S1: Log Management |
| 09/01/2011 | 03/2017 | Policy 678: System Maintenance |
Information / Data Management
| Released | Reviewed | Title |
|---|---|---|
| 09/01/2011 | 03/2017 | Policy 681: Information Protection |
| 09/01/2011 | 03/2017 | * Standard 681S1: Information Protection |
| 09/01/2011 | 03/2017 | * Standard 681S2: Protecting PII |
| 09/01/2011 | 03/2017 | * Standard 681S3: Media Sanitization |
| 02/28/2012 | 03/2017 | * Procedure 681P1: Equipment Disposal |
| 02/28/2012 | 03/2017 | *Form: Electronic Media Sanitization Declaration |
| 09/01/2011 | 03/2017 | Policy 682: Information Release |
| 09/01/2011 | 03/2017 | Policy 683: Encryption |
Disaster Recovery
| Reviewed | Released | Title |
|---|---|---|
| 04/26/2011 | 03/2017 | Policy 690: Disaster Recovery |