Acceptable Use Policy (AUP)
Acceptable Use of State Data & IT Resources, CISP-018 (AUP), (PDF)
Accessibility
TS-OEA-001: Technology Accessibility for Persons with Disabilities
eSignature
eSignature Recommended Policy Guidelines for State Agencies, (PDF)
Financial Services
Vendor Selection Standard for Major IT Projects, OIT-FinSvc-100, (PDF)
Acquisition of IT Goods (Products) and/or Services
The formal processes to purchase or acquire information technology products and/or services are described here.
Buying from State Price Agreements
State Price Agreements may exist that do not meet mandatory OIT standards applicable to state agencies as defined in C.R.S. 24-37.5-102(4) or that require OIT approval prior to use. State agencies are therefore cautioned to ensure that any price agreement for communication and IT (C.R.S. 24-37.5-102(2)), hardware, software, radios, communication systems/towers meets OIT standards and that necessary OIT approvals have been obtained prior to use of the Price Agreement.
Digital Products and Services Accessibility Pre-Purchase Checklist
Governance
OIT Authority & Governance Operations Memorandum, (PDF)
IT Governance Guidebook - FY 2023-24, (PDF)
Information Security
The Office of Information Security has issued the following policies, rules and standards under the authority of C.R.S. 24-37.5-401 et seq., which align with NIST 800-53 rev. 5. All public agencies and all third-party IT Services Providers are required to adhere to these policies, rules and standards.
Colorado Information Security Policies (CISPs)
These policies are reviewed and updated annually but are subject to change more often as necessary. The policies below are effective as of December 2024.
Colorado Information Security Policy (CISP) Overview One Sheet, (PDF)
CISP Information Security Glossary, (PDF)
Supplemental Guidance for the Colorado Information Security Policies (CISPs), (PDF)
CISP-001: IT Access Control Management & User Security, (PDF)
CISP-002: IT Security Awareness Training, (PDF)
CISP-003: IT Audit Log Management & Accountability, (PDF)
CISP-004: IT Security Assessment & Authorization, (PDF)
CISP-005: Secure Configuration of IT Assets & Software, (PDF)
CISP-006: IT Contingency (Continuity of Operations) Planning, (PDF)
CISP-007: IT Account Management (Identification & Authentication) - RESCINDED
CISP-008: IT Incident Response Management, (PDF)
CISP-009: Information System Maintenance, (PDF)
CISP-010: Data Protection, Recovery & Sanitization, (PDF)
CISP-011: IT Environmental Protection & Physical Security, (PDF)
CISP-012: PS-Personnel Security - RESCINDED - See CISP-001
CISP-013: IT Risk Management, (PDF)
CISP-014: IT Service Provider Management (Systems & Services Acquisition), (PDF)
CISP-015: IT System & Communications Protection, (PDF)
CISP-016: IT System & Information Integrity, (PDF)
CISP-017: IT Security Planning, (PDF)
CISP-018: Acceptable Use of State Data & IT Resources (AUP), (2025) (PDF)
CISP-019: Continuous IT Vulnerability Management & Patching - RESCINDED
Project Management
The Enterprise Project Management Office (EPMO) is responsible for setting policies and procedures related to project, program and portfolio management within the Office of Information Technology (OIT) and for executive branch agencies that embark on projects that include an IT component.
The following documents are accessible to state employees only. If you are not a state employee and need access to one of the project management policies, please email oit@state.co.us.
Major Projects Boards Policy (POL 200-02), (PDF)
Project Lifecycle Methodology & Governance - POL 200-01 (formerly Standard for Project Management Methodology), (PDF)
Technical Standards
These technology standards support the State of Colorado's information security policies.
The Office of Enterprise Architecture has issued the following technical standards, superseding any standards posted prior. Each standard has been approved by the OIT Architecture Review Board (ARB), effective as of the "Effective Date" established in each document, and remains in effect until removed or revised by a decision of the ARB.
TS-APMS-001: Application Portfolio Management System (APMS)
TS-APP-003: Development Frameworks
TS-APP-004: Programming Languages
TS-APP-005: Application Software Configuration Management
TS-APP-006: Functional Application Test Automation Tool
TS-APP-009: Continuous Integration Servers
TS-APP-010: Code Repositories (Repository Manager)
TS-APP-011: Front End Website & Web Application Framework
TS-CISO-003: Electronic Media Reuse and Disposal
TS-CISO-004: OIT Firewall Design Standard
TS-CISO-005: Enterprise Two-Factor Authentication (2FA)
TS-CISO-006: Secure Applications Coding Standard
TS-CISO-007: Electronic Signatures (eSign)
TS-CISO-008: Remote Administration
TS-CISO-009: Server Virtualization Security
TS-CISO-010: PCI Solution Implementation
TS-CISO-011: Vendor Contract Standard
TS-DAT-001: Enterprise Data Access and Integration Services
TS-DAT-002: Secure File Transfer
TS-DBS-001: Supported Databases and Versions
TS-DBS-003: Oracle Database Patch Management
TS-DBS-005: Oracle Database Backup and Recovery
TS-DBS-007: Database Software Management
TS-DBS-008: Database User Administration
TS-DBS-009: Database Decommissioning and Data Archiving
TS-DBS-013: SQL DBMS Server Inventory
TS-DBS-014: Database Support in Cloud Services
TS-DBS-016: Database Developer Service
TS-DBS-017: SQL Server DBMS Installation
TS-INF-001: End User Computer Equipment
TS-INF-002: End User Enterprise Software
TS-INF-003: Identity and Access Administration
TS-INF-005: Structured Cabling
TS-INF-006: Enterprise Load Balancing
TS-INF-007: Wireless Site Survey
TS-INF-008: Network Monitoring
TS-INF-009: Infrastructure as Code Standard
TS-INF-010: Enterprise Wireless
TS-INF-011: Infrastructure Operations Technology Standards
TS-INF-012: Multifunction Device/Printer Configuration
TS-OEA-001: Technology Accessibility for Persons with Disabilities