Technical Standards & Policies

Acceptable Use Policy (AUP)

Acceptable Use of State Data & IT Resources, P-CISP-018 (AUP), (PDF)


Accessibility

TS-OEA-001: Technology Accessibility for Persons with Disabilities, (PDF)

TS-OEA-002: Technology Accessibility for Web Content and Applications, (PDF)

Digital Accessibility Guide


eSignature

eSignature Recommended Policy Guidelines for State Agencies, (PDF)


Financial Services

IT Expense Approval Request, (PDF)

Vendor Selection Standard for Major IT Projects, OIT-FinSvc-100, (PDF)

Acquisition of IT Goods (Products) and/or Services 
The formal processes to purchase or acquire information technology products and/or services are described here.

Buying from State Price Agreements 
State Price Agreements may exist that do not meet mandatory OIT standards applicable to state agencies as defined in C.R.S. 24-37.5-102(4) or that require OIT approval prior to use. State agencies are therefore cautioned to ensure that any price agreement for communication and IT (C.R.S. 24-37.5-102(2)), hardware, software, radios, communication systems/towers meets OIT standards and that necessary OIT approvals have been obtained prior to use of the Price Agreement.

Digital Products and Services Accessibility Pre-Purchase Checklist


Governance

Policy to Create the Colorado Architecture Review Board (CARB) (OEA Policy GOV 100-01), (PDF)


Information Security

The Office of Information Security has issued the following policies, rules and standards under the authority of C.R.S. 24-37.5-401 et seq.   

Rules
CCR 1501-5: Rules in support of the Colorado Information Security Act (State Agency Cyber Security Planning), (PDF)

Colorado Information Security Policies (CISPs) 
These policies are reviewed and updated annually but are subject to change more often as necessary. Unless otherwise noted, the policies below are effective as of Oct. 2021. 

Glossary of Terms for the Colorado Information Security Policies (CISPs), (PDF)

CISP-001: Access Control, (PDF)

CISP-002: Security Awareness and Training, (PDF)

CISP-003: Audit and Accountability, (PDF)

CISP-004: Security Assessment and Authorization, (PDF)

CISP-005: Configuration Management, (PDF)

CISP-006: Contingency Planning, (PDF)

CISP-007: Identification and Authentication, (PDF)

CISP-008: Incident Response, (PDF)

CISP-009: System Maintenance, (PDF)

CISP-010: Media Protection, (PDF)

CISP-011: Physical and Environmental Protection, (PDF)

CISP-012: Personnel Security, (PDF)

CISP-013: Risk Assessment, (PDF)

CISP-014: System and Services Acquisition, (PDF)

CISP-015: System and Communications Protection, (PDF)

CISP-016: System and Information Integrity, (PDF)

CISP-017: Security Planning, (PDF)

CISP-018: Acceptable Use of State Data & IT Resources (AUP), (PDF)


Project Management

The Portfolio and Project Management Center of Excellence (PPMCoE) is responsible for setting policies and procedures related to project, program and portfolio management within the Office of Information Technology (OIT) and for executive branch agencies that embark on projects that include an IT component.

The following documents are accessible to state employees only. If you are not a state employee and need access to one of the project management policies, please email oit@state.co.us.

Major Projects Boards Policy (POL 200-02), (PDF)
Independent Verification and Validation Policy (POL 200-03), (PDF)
Project Lifecycle Methodology & Governance - POL 200-01 (formerly Standard for Project Management Methodology), (PDF)


Technical Standards

These technology standards support the State of Colorado's information security policies.

The Office of Enterprise Architecture has issued the following technical standards, superseding any standards posted prior. Each standard has been approved by the OIT Architecture Review Board (ARB), effective as of the "Effective Date" established in each document, and remains in effect until removed or revised by a decision of the ARB.

TS-APP-001: Application Portfolio Management System (APMS), (PDF)

TS-APP-002: Secure File Transfer, (PDF)

TS-APP-003: Development Frameworks (Custom Applications), (PDF)

TS-APP-004: Programming Languages (Custom Applications) - Coming Soon

TS-APP-005: Application Software Configuration Management - Coming Soon

TS-APP-006: Functional Application Test Automation Tool - Coming Soon

TS-APP-007: Salesforce “Lightning First” Design Framework, (PDF)

TS-APP-009: Continuous Integration Servers, (PDF)

TS-APP-010: Code Repositories (Repository Manager), (PDF)

TS-APP-011: Front End Website & Web Application Framework, (PDF) - Up for Review

TS-CISO-001: Data Security Categorization, (PDF)

TS-CISO-002: OIT Wireless (Wi-Fi) Standard, (PDF)

TS-CISO-003: Electronic Media Reuse and Disposal, (PDF)

TS-CISO-004: OIT Firewall Design Standard, (PDF)

TS-CISO-005: Enterprise Two-Factor Authentication (2FA), (PDF)

TS-CISO-006: Secure Applications Coding Standard, (PDF)

TS-CISO-007: Electronic Signatures (eSign), (PDF)

TS-CISO-008: Remote Administration, (PDF)

TS-CISO-009: Server Virtualization Security, (PDF)

TS-CISO-010: PCI Solution Implementation, (PDF)

TS-CISO-011: Vendor Contract Standard, (PDF)

TS-DAT-001: Enterprise Data Access and Integration Services, (PDF)

TS-INF-001: End User Computer Equipment, (PDF)

TS-INF-002: End User Enterprise Software, (PDF)

TS-INF-003: Identity and Access Administration, (PDF)

TS-INF-004: Kiosk Equipment, (PDF)

TS-INF-005: Structured Cabling, (PDF)

TS-INF-006: Enterprise Load Balancing, (PDF)

TS-INF-007: Wireless Site Survey, (PDF)

TS-INF-008: Network Monitoring, (PDF)

TS-OEA-001: Technology Accessibility for Persons with Disabilities, (PDF)

TS-OEA-002: Technology Accessibility for Web Content and Applications, (PDF)