
EBR, Office of Information Technology Policy ADM-000


Name: EBR OIT Policy and Procedure Development, Review, and Approval
Effective Date: August 2018
Category: Administration Domain

1. Purpose

This policy provides requirements for the development, review, and approval of Employment Banking and Revenue (EBR) Office of Information Technology (OIT) policies and procedures.

This policy documents the implementation of the National Institute of Standards and Technology (NIST) Security Controls: PL-1, per SP 800-53 R4.

2. Background

This policy is published under the general authority of the Governor’s Office of Administration / Office of Information Technology (OA/OIT).

EBR OIT policies are statements issued by EBR OIT management to define the organization’s mission, provide guidance, and detail actions. Each statement establishes boundaries for actions by EBR staff and may necessitate the creation of additional supporting policies or procedures to specify further direction. EBR OIT procedures deconstruct EBR OIT policies into specific workflows in order to establish methods for executing policy. Procedures assign responsibility and workflow, indicating what must be completed and how it should be accomplished.

This policy ensures a consistent review and approval process, allowing for resources to review for specific agency impact.

3. Scope

This policy applies to all employees within all agencies, bureaus, divisions, boards, commissions, and councils within the EBR delivery center. This includes any contracted employees in the service of EBR (hereinafter referred to collectively as “EBR Users”).

4. Policy

EBR OIT shall create and publish policies under the authority of the delivery center (DC) Chief Information Officer (CIO) that reflect the official position of EBR OIT in support of EBR business functions.

EBR OIT division chiefs have the responsibility for creating and initiating changes in EBR OIT policy and procedure. The EBR Information Security Office (ISO) shall serve as the policy administrator for EBR OIT policies and will ensure EBR OIT policies and procedures are initiated, refined, and approved for implementation.

All EBR OIT policies shall be approved by the EBR OIT division chiefs, bureau directors, the agency IT directors and CIO, the chief technology officer (CTO), and the Chief Information Security Officer (CISO) (hereinafter referred to collectively as “EBR OIT Management”), as well as Employee Relations (ER) from the DC.

All policies will be further reviewed by the Office of Chief Counsel (OCC) and the Communications and Press Office (CPO) from each agency within the DC. Additionally, policies initiated by EBR deputy secretaries or executive management shall be approved by the initiating Deputy Secretary or executive management.

EBR OIT Management shall draft proposed policies and submit them to ISO with a statement describing the business need and impact, scope, and details of each proposed policy. The ISO shall review and format any new or updated policy prior to it being submitted for review and approval. ISO shall align the policies with the National Institute of Standards and Technology (NIST) Security Controls, per NIST SP 800-53 R4.

The ISO shall align policy statements with other publications, such as IRS Publication 1075 or Social Security Administration Technical Systems Security Requirements (TSSR).

The ISO shall allow five (5) business days for EBR OIT Management to review and agree to a policy draft. Following EBR OIT Management approval, ISO shall distribute the draft to OCC and ER for review and approval, allowing five (5) business days for response. Following approval by OCC and ER, ISO shall deliver the updated draft to CPOs for a five (5) business day review. The ISO shall allow for additional time if requested by any reviewer.

All EBR OIT policies require written approval from the CIO or CTO, OCC, ER, and CPO prior to publication.

EBR OIT shall document an outline of steps in separate procedure documents to comply with specific policies when deemed necessary by the ISO. EBR OIT procedures shall be referenced within EBR OIT policies.

Any EBR User may initiate a procedure document. The ISO and the EBR User who initiates the procedure shall identify the necessary review and approval for a procedure prior to publication.

All EBR OIT procedures require written approval from the initiator and CPO prior to publication.

All EBR OIT policies shall be compliant with documented IT Infrastructure Library (ITIL) and Information Technology Service Management (ITSM) processes.

All EBR OIT staff shall follow all implemented ITIL processes. Deviation from documented ITIL processes or EBR OIT policies may result in disciplinary action up to and including termination of employment or contractor sanctions (including loss of e-mail, Internet, or computer access privileges).

All EBR OIT policies shall be reviewed by the ISO annually and shall be re-published at least every three (3) years.

5. Responsibilities

  1. EBR User responsibilities:

    • Comply with all EBR policies, OA ITPS, management directives, executive orders and laws; and

    • Report any violations of policies promptly to the Information Security Officer at LI, OIT-EBRCISO.

  2. EBR management responsibilities:

    • Comply with all EBR policies, OA ITPS, management directives, executive orders and laws;

    • Ensure EBR users comply with the policies; and

    • Adhere to this policy and any published procedures regarding policy publication.

6. References

EBR OIT Policy Definitions
EBR OIT Policy and Procedure Development, Review, and Approval Procedure

7. Version Control

Version  Date     Description
1.0      09/2009  Base Document
1.1      08/2018  Format and Content Revision