With the passage of Senate Bill 117 in May 2013 (Act 2013-68) and the creation of the position of the Secretary of Information Technology and the Office of Information Technology (OIT), the responsibilities of Information Technology (IT) Governance, to include planning and policy, were transferred from the Information Services Division (ISD), Department of Finance, to OIT.

Until such time that OIT can fully assimilate ISD IT policies, existing ISD IT policies shall be considered statewide policies promulgated under the authority of OIT.

The following ISD legacy policies (previously published on the cybersecurity.alabama.gov website) shall remain in effect until they are reissued or rescinded by OIT.


IT Planning, Budgeting and Procurement

04/26/2011 09/13/2017 Policy 200: Information Technology Planning
04/26/2011 09/13/2017 Policy 220: Information Technology Budgeting
04/26/2011 09/13/2017 Policy 230: Information Technology Procurement
04/26/2011 09/13/2017 * Standard 230S1: IT Procurement


IT Architecture

09/01/2011 09/18/2017 Policy 500: Statewide Information Systems Architecture
09/12/2012 09/20/2017 * Standard 500S1: Network Architecture Standard
10/14/2014 09/20/2017 * Standard 500S2: Security Categorization
09/01/2011 09/18/2017 Policy 520: Domain Naming & Registration
09/01/2011 09/18/2017 Policy 530: Web Development
09/01/2011 09/18/2017 * Standard 530S1: Online Privacy and Data Collection
09/01/2011 09/18/2017 * Standard 530S2: Universal Accessibility
09/01/2011 09/18/2017 * Standard 530S3: Online Security Statement
09/01/2011 09/18/2017 * Standard 530S4: Hypertext Linking


Cybersecurity Management

05/16/2011 09/18/2017 Policy 600: Information Security
05/31/2011 09/18/2017 Policy 602: Info Security for Service Providers
07/19/2012 09/18/2017 Policy 604: Cyber Security Incident Response
06/06/2011 09/18/2017 * Procedure 604P1: Incident Reporting
08/09/2012 09/18/2017 * Procedure 604P2: Incident Handling
06/16/2011 09/18/2017 Policy 605: Configuration Management
06/16/2011 09/18/2017 * Guideline 605G1: CM Process
09/01/2011 10/05/2018 Policy 611: Risk Management
09/01/2011 10/05/2018 * Guideline 611G1: Risk Assessment


Access Controls

11/23/2011 09/18/2017 Policy 621: Network & System Access
09/01/2011 09/18/2017 Policy 622: Remote Access
09/01/2011 09/18/2017 * Standard 622S1: Virtual Private Networks
09/01/2011 09/18/2017 * Standard 622S2: Dial-In Access



09/01/2011 09/18/2017 Policy 641: External Connections
09/01/2011 09/18/2017 * Standard 641S1: Interconnecting IT Systems
09/01/2011 09/18/2017 Policy 643: Wireless Security
09/01/2011 09/18/2017 * Standard 643S1: Wireless Networks
09/01/2011 09/18/2017 * Standard 643S2: Wireless Clients
09/01/2011 09/18/2017 * Standard 643S3: Bluetooth Security


Physical Security

02/28/2012 09/18/2017 Policy 651: Physical Security
10/23/2014 09/18/2017 Policy 652: Card Key Access Control


System / Application Security

09/01/2011 09/18/2017 Policy 661: Application Security
12/01/2011 09/13/2017 * Guideline 661G1: Application Security
01/26/2012 09/13/2017 * Guideline 661G2: Security Engineering Principles
09/01/2011 09/18/2017 Policy 662: Systems Security
06/24/2013 09/18/2017 * Standard 662S1: Server Security
08/01/2013 09/15/2017 * Standard 662S2: Client Systems Security
09/01/2011 09/18/2017 * Standard 662S3: POS Systems Security
09/01/2011 09/14/2017 * Guideline 662G1: Systems Security
12/14/2011 09/14/2017 * Guideline 662G2: BIOS Protection


Security Administration

04/15/2013 09/18/2017 Policy 672: Vulnerability Scanning
09/01/2011 09/18/2017 Policy 673: Backup and Recovery
03/03/2017 09/18/2017 Policy 674: Virus Protection
09/01/2011 09/18/2017 * Standard 674S1: Virus Protection
09/01/2011 09/18/2017 Policy 675: Vulnerability Management
09/01/2011 09/18/2017 Policy 676: Monitoring and Reporting
09/01/2011 09/18/2017 Policy 677: Log Management
01/18/2012 09/18/2017 * Standard 677S1: Log Management
09/01/2011 09/18/2017 Policy 678: System Maintenance


Information / Data Management

09/01/2011 09/18/2017 Policy 681: Information Protection
09/01/2011 09/18/2017 * Standard 681S1: Information Protection
09/01/2011 09/15/2017 * Standard 681S2: Protecting PII
09/01/2011 09/13/2017 * Standard 681S3: Media Sanitization
09/01/2011 09/18/2017 Policy 682: Information Release
09/01/2011 09/18/2017 Policy 683: Encryption


Disaster Recovery

04/26/2011 08/28/2017 Policy 690: Disaster Recovery