The Office of Information Security

Our Mission

The mission of the Office of Information Security (OIS) is to provide leadership in the development, delivery, and maintenance of an information security program by safeguarding the state's information assets against unauthorized use, disclosure, modification, damage, or loss to support Colorado’s mission to provide secure and sustainable services.

OIS is directly aligned with the goals and objectives of the National Strategy to Secure Cyberspace. Working closely with federal, state, local, and private sector partners, the Office of Information Security actively gathers and analyzes information on cyber threats and vulnerabilities that present risk to the state's information systems or the critical information managed within.


Core Services

Security Architecture

The Security Architecture team produces and adopts security technology standards, Application Security architecture and best practices, IT Infrastructure architecture, and design.

What We Do

  • Architecture and design validation and consultation 
  • Secure Application architecture design and consultation
  • Web Application security (Owasp Foundation) architecture design and consultation
  • Secure Infrastructure architecture design and validation (CIS Controls and system hardening, CIS Center for Internet Security)
  • Firewall Change Requests 
  • Project and Operational Security Risk Assessment

Contact the Security Architecture Team: Mohamed Malki at mohamed.malki@state.co.us


Identity and Access Management

We provide and manage access to systems and data on behalf of the consolidated state agencies that the OIT provides service to. 

What We Do

  • Grant/revoke access to systems and applications according to agency customer business requirements and industry standards 
  • Manage the lifecycle of digital identities
  • Password Management and Password Self-Service 
  • Directory Services and Email security services

Contact the Identity and Access Management Team: Yvette Florez at yvette.florez@state.co.us


Security Risk and Compliance

We assist consolidated state agencies to identify, manage, and reduce risk to the state. We also help agencies and OIT internal teams to understand their compliance requirements for systems and data and work with outside auditors.

What We Do

  • Metrics and Reporting
  • Audit Support - Educate agency customers on compliance requirements and provide guidance on what to expect during audits
  • Risk Assessment and Management - Perform risk assessments against critical and essential systems for agency customers  
  • Compliance services
  • Security Risk Management Framework

Contact the Security Risk and Compliance Team: Dr. Greg Williams at greg.williams@state.co.us


Security Governance

The Security Governance team advocates for and communicates security policy on behalf of the Chief Information Security Officer. We also ensure cybersecurity awareness training including workshopping incident response tabletop exercises, and security program strategic planning.

What We Do

  • Colorado Information Security Policies - Glossary of Terms (PDF)
  • Enterprise Cyber Security Planning 
  • Security consultation and alignment of resources
  • Process Documentation 
  • Security Awareness Training for State Employees (SOC Learns) and for Vendor Partners (Colorado Cyber Training)
  • Incident Response Planning/training - Table Top and technical IR exercise mentoring and proctoring - Incident Response Template (PDF)

Contact the Security Governance Team: Trace Ridpath at trace.ridpath@state.co.us


Our Leadership

William Chumley

Chief Customer Officer & Interim Chief Information Security Officer

William Chumley, who joined OIT in 2011, is a veteran of technology team management with numerous customer relationship accomplishments in both public and private sectors. As CCO, William has transformed the role of the IT director into a true strategic partnership with our customer agencies to advance strategy through collaboration, balance business priorities and enterprise technology goals, secure funding, and ensure operational consistency. He started his role as Interim CISO in August 2021.

William's full bio

LinkedIn Profile