Information Security Office

Our Mission

The mission of the Information Security Office (ISO) is to provide leadership in the development, delivery, and maintenance of an information security program by safeguarding the state's information assets against unauthorized use, disclosure, modification, damage, or loss to support Colorado’s mission to provide secure and sustainable services.

The ISO is directly aligned with the goals and objectives of the National Strategy to Secure Cyberspace. Working closely with federal, state, local, and private sector partners, the ISO actively gathers and analyzes information on cyber threats and vulnerabilities that present risk to the state's information systems or the critical information managed within.

Core Services

Security Architecture

The Security Architecture team produces and adopts security technology standards, Application Security architecture and best practices, IT Infrastructure architecture, and design.

What We Do

  • Architecture and design validation and consultation 
  • Secure Application architecture design and consultation
  • Web Application security (Owasp Foundation) architecture design and consultation
  • Secure Infrastructure architecture design and validation (CIS Controls and system hardening, CIS Center for Internet Security)
  • Firewall Change Requests 
  • Project and Operational Security Risk Assessment

Contact the Security Architecture Team: Mohamed Malki at

Identity and Access Management

We provide and manage access to systems and data on behalf of the consolidated state agencies that the OIT provides service to. 

What We Do

  • Grant/revoke access to systems and applications according to agency customer business requirements and industry standards 
  • Manage the lifecycle of digital identities
  • Password Management and Password Self-Service 
  • Directory Services and Email security services

Contact the Identity and Access Management Team: Yvette Florez at

Security Risk and Compliance

We assist consolidated state agencies to identify, manage, and reduce risk to the state. We also help agencies and OIT internal teams to understand their compliance requirements for systems and data and work with outside auditors.

What We Do

  • Metrics and Reporting
  • Audit Support - Educate agency customers on compliance requirements and provide guidance on what to expect during audits
  • Risk Assessment and Management - Perform risk assessments against critical and essential systems for agency customers  
  • Compliance services
  • Security Risk Management Framework

Contact the Security Risk and Compliance Team: Jane Rosenthal at

Security Governance

The Security Governance team advocates for and communicates security policy on behalf of the Chief Information Security Officer. We also ensure cybersecurity awareness training including workshopping incident response tabletop exercises, and security program strategic planning.

What We Do

  • Colorado Information Security Policies - Glossary of Terms (PDF)
  • Enterprise Cyber Security Planning 
  • Security consultation and alignment of resources
  • Process Documentation 
  • Security Awareness Training for State Employees (SOC Learns) and for Vendor Partners (Colorado Cyber Training)
  • Incident Response Planning/training - Table Top and technical IR exercise mentoring and proctoring - Incident Response Template (PDF)

Contact the Security Governance Team: Trace Ridpath at

Our Leadership

Ray Yepes

Chief Information Security Officer

Ray Yepes is an experienced cybersecurity practitioner with strong business acumen, technical knowledge and proven leadership skills in information security and IT privacy, risk and compliance. Before joining OIT in April 2022, Ray served as the Chief Information Security Officer (CISO) for the Texas Department of Family and Protective Services. Prior to that work, Yepes co-founded and was the director of a full-service cybersecurity company whose clients included Fortune 500, 200, 100 and 50 companies. A strategic thinker, Ray has focused on building strong business relationships while delivering customer-centric solutions throughout his career.

Ray's full bio