A. Cyber Security Planning: It is the policy of the State of Colorado to prohibit unauthorized access, disclosure, duplication, modification, diversion, destruction, loss, misuse or theft of sensitive electronic information assets.

1. Each public agency in the State of Colorado shall maintain a Cyber Security Plan to control risks associated with access, use, storage and sharing of sensitive citizen and State electronic information, and document the program details in an Agency Cyber Security Plan (ACSP) for non-consolidated agencies or an Enterprise Cyber Security Plan (ECSP) for consolidated agencies. An Agency Cyber Security Plan or an Enterprise Cyber Security Plan shall include the following sections, at a minimum:
a. Public Agency Mission Objectives
(1) Mission Statement: Summarize or insert the Public Agency/Agencies Mission Statement(s).
(2) Concept of Operations: Describe the operational goals of the Cyber Security Program, and the conceptual functions that are implemented to achieve these goals.
(3) Roles and Responsibilities: Identify responsibilities for implementing, monitoring, and managing the Cyber Security Program, specifically including the responsibilities of the Executive Director, Agency ISO, Agency CIO, State Chief Information Officer, State Chief Information Security Officer (CISO), Security Staff, Agency IT staff, Agency Human Resources staff, and Agency staff.
b. Information Technology Environment
(1) Network Environment, Enclaves, and Perimeters: Describe the current network environment in detail, including the characterization of network segments into Security Enclaves, and identify the perimeter of each Security Enclave.
(2) Critical Systems: List Agency critical systems by name, function, and the network segments they reside on.
(3) General Support Systems: Define general support systems as they pertain to the environment (e.g., Active Directory Domains/Forests, NIS+ domains, or Email systems).
c. Risk Management
(1) Risk Assessment Methodology: Describe the methodologies used for formal and informal System-level and Agency-wide Risk Assessments, and the process for initiating a Risk Assessment, mitigating unacceptable risk, approving residual risk, and updating existing Risk Acceptances. Include the identification of the individual responsible for accepting residual risk.
(2) Risk Assessment Responsibilities: Identify any responsibilities in the Risk Management function that are outside the scope of the Roles and Responsibilities section of the ACSP/ECSP.
(3) Risk Assessment Frequency: Identify the maximum length of time between System-level and Agency-wide Risk Assessments.
(4) Project Lifecycle: Describe how the Risk Management strategy is integrated into System, Network, and Application engineering project lifecycles, specifically identifying the control points that trigger Risk Management activities.
(5) Vendor Management: Describe the role of Risk Management in the assessment, selection, and management of IT service providers or vendors.
d. Security Program
(1) Network Operations: Describe standards for Network Operations as they pertain to Network Access Controls, Perimeter Security, Network Administration, Monitoring and Reporting, and Network Device Inventory.
(2) System and Application Security: Describe standards for System and Application Security as they pertain to Access Controls, System Administration and Engineering, Change Control and Configuration Management, Patch Management, Malicious Code, Monitoring and Reporting, and System Backups.
(3) Access Controls: Describe standards for Hiring, Termination, and Transfer of staff and how they relate to user account administration. Include a description of the process used to approve system access requests based on need-to-know, and describe how "least privilege" is achieved in the environment.
(4) Change Control and Configuration Management: Describe the components of Change Control and describe the integration of the Cyber Security Program as it relates to Change Control. Describe the minimum standards for configuration management as they relate to System, Network and Application engineering.
(5) Physical Security: Describe the requirements for physically securing the Agency's Sensitive Areas.
(6) Data Handling and Disposal: Describe the procedures used to achieve the goals of the CCSP Data Handling and Disposal Policy.
(7) Personnel Security: Describe the process for, and frequency of, performing background checks on IT and Security staff.
(8) Acceptable Use: Identify the required elements of the Agency's Acceptable Use Policy and the responsibilities for ensuring all users have received and acknowledged it.
e. Incident Warning, Advisory, and Response
(1) Cyber Security Warnings and Advisories: Describe the process for evaluating both Vendor-issued and ISOC-issued Cyber Security Warnings, Patch Announcements, and Security Advisories, and describe the standard for recording the response, including the time frame for response, acceptable responses, and the responsibilities for evaluating the Warning or Advisory.
(2) Cyber Security Incident Response Plan Summary: Provide a summary of the Agency's Incident Response Plan, including naming the individual(s) who lead the team.
f. Training and Awareness
(1) Methodology: Describe the methods for delivering Initial and Refresher Training to staff. Describe any differing levels of Cyber Security Training that are provided to individuals holding specific job responsibilities (end user, system administrator, security administrator, and manager), if applicable. Describe the methods of providing periodic security awareness notices to Agency staff, and the responsibilities for issuing these notices.
(2) Frequency: Identify the required frequency for Refresher Training and Security Awareness Notices.
(3) Content Updates: Identify the role or individual responsible for providing updated training content and awareness notices.
g. Self-Assessment: Describe the required elements of the Cyber Security Self-Assessment Process, the roles and responsibilities in carrying out the Self-Assessment, and the integration of the Self-Assessment results into a program improvement process.
h. Metrics and Reporting: Describe the types of metrics that are being collected by the Agency Cyber Security Program and how they are being used to evaluate the effectiveness of the Program.
i. Plan Approval and Maintenance: Identify the frequency of ACSP/ECSP updates and the roles that are responsible for making and approving the updates. The Agency Executive Director and the Agency CIO are the required approval authorities for the ACSP. The State Chief Information Officer and the State Chief Information Security Officer are the required approval authorities for the ECSP.
2. To carry out the ACSP, the public agency shall designate as its Information Security Officer an agency staff member or contractor who has appropriate Cyber Security experience and knowledge of the public agency IT environment. The Chief Information Security Officer shall be responsible for carrying out the ECSP.

3. Annually, on or before July 15th of each year, each public agency shall submit its ACSP to the State CISO for his or her review. The State CISO shall review and approve, conditionally approve, or disapprove each ACSP based on an evaluation of the Plan and its supporting documentation. Annually, on or before July 15th of each year, the State Chief Information Security Officer shall submit the ECSP to the State Chief Information Officer for review and approval.
a. Each non-consolidated agency shall submit an approval package to the CISO, consisting of:
(1) Cover letter requesting ACSP approval
(2) Agency Cyber Security Plan (ACSP)
(3) Agency-wide Risk Assessment
(4) Agency Disaster Recovery Plan Summary
(5) Agency Disaster Recovery Plan test results
(6) Agency Self-Assessment results
(7) Agency Cyber Security Plan of Action and Milestones (POA&M)
Documents numbered 2 through 7, above, are not public records pursuant to Sections 24-72-202(6)(b)(X) CRS and 24-72-202(6)(b)(XII) CRS. Each such document and any supporting materials shall be labeled "Confidential" and "Not a Public Record."
b. The cover letter is an assertion to be signed by the Executive Director that either states that the public agency is compliant with the Colorado Cyber Security Program or that the Agency Cyber Security Plan of Action and Milestones contains active initiatives that will bring the public agency into compliance.
c. For the ECSP, the CISO shall submit the following to the CIO:
(1) Cover letter requesting ECSP approval
(2) Enterprise Cyber Security Plan (ECSP)
(3) Enterprise-wide Risk Assessment
(4) Enterprise Disaster Recovery Plan Summary
(5) Enterprise Disaster Recovery Plan test results
(6) Enterprise Self-Assessment results
(7) Enterprise Cyber Security Plan of Action and Milestones (POA&M)
Documents numbered 2 through 7, above, are not public records pursuant to Sections 24-72-202(6)(b)(X) CRS and 24-72-202(6)(b)(XII) CRS. Each such document and any supporting materials shall be labeled "Confidential" and "Not a Public Record."
The cover letter for the ECSP is an assertion to be signed by the State CISO that either states that the enterprise is compliant with the Colorado Cyber Security Program or that the Enterprise Cyber Security Plan of Action and Milestones contains active initiatives that will bring the enterprise into compliance.