Organization: | Cybersecurity and Enterprise Risk Management |
---|---|
Date published: | January 1, 2025 |
Last updated: | March 24, 2025 |
Overview
The EOTSS Enterprise Risk Management Office is responsible for writing, publishing, and updating all Enterprise Information Security Policies that apply to all Executive Department offices and agencies. This is a compilation of those policies.
EOTSS Standards may be located at:
EOTSS Technology Standards and Guidelines
While the EOTSS Standards were historically located on the ERM Information Security webpage, they are currently undergoing revisions by EOTSS’ Operations, Security (SOC) and Technology teams. In 2025 the ownership of these Standards will transfer from ERM to our Operations, SOC and Technology teams. The ownership of the Enterprise Information Security Policies will remain with the Commonwealth CISO and the ERM team. Please check back for updates.
Table of Contents
- ISP.001 Information Security Governance Policy
- ISP.002 Acceptable Use Policy
- ISP.003 Access Management Policy
- ISP.004 Asset Management Policy
- ISP.005 Incident Response Policy
- ISP.006 Change and Configuration Management Policy
- ISP.007 Physical and Environmental Security Policy
- ISP.008 Software and Application Management Policy
- ISP.009 Third Party Risk Management Policy
- ISP.010 Vulnerability and Risk Management Policy
Downloads
- Enterprise Information Security Policies and Standards Glossary of Terms (English, PDF 268.97 KB)