  • User Guide: Creating an EO504 ISP-ESP (Word document, 2MB)

    A document to assist Executive Department agencies in preparing and submitting an ISP-ESP, as mandated by Executive Order 504.
  • User Guide: Preparing and Submitting a Self-Audit Questionnaire (SAQ) (Word document, 1MB)

    A guide to assist Executive Department agencies in preparing and submitting the annual Self-Audit Questionnaire (SAQ), as mandated by Executive Order 504.
  • Information Security Policy

    This policy articulates the requirements that assist management in defining a framework for a secure environment in which Commonwealth agencies, authorities, and business partners provide services.

  • Enterprise Information Security Standards: Data Classification

    This document identifies the minimum standards that agencies must adopt for the appropriate classification of data and the ongoing management of that classification. Classifying data is a critical part of data management, which includes planning and implementing comprehensive and responsible information security practices. The document describes a standard data classification scheme, the required considerations for classification, risk assessment, security control requirements, and data management and lifecycle requirements.

  • Enterprise IT Security Incident Response Policy

    This policy articulates the requirements for responding to Security Incidents and Attack Intrusions.
  • Required elements for executive department website privacy policies

    Lists the baseline standards to assist agencies in developing a website privacy policy. These standards were developed to help Executive Departments comply with Secretary Crosby's April 27, 2001 memo which requires website privacy policies. In addition, any new Executive Department websites created after June 8, 2001, must also abide by these minimum requirements.
  • Enterprise Access Control Policy

    This policy articulates the access controls required to meet the security objectives of the Enterprise Information Security Policy. Access control management is paramount to protecting Commonwealth Information Technology (IT) Resources and requires the implementation of controls, and continuous oversight, to restrict access.