Office of Information Security (OIS)


The Office of Information Security (OIS) is the single state source for cyber security readiness and awareness.

The mission of the Office of Information Security (OIS) is to provide leadership in the development, delivery and maintenance of an information security program by safeguarding the state's information assets against unauthorized use, disclosure, modification, damage or loss to support Colorado’s mission to provide secure and sustainable services.

OIS is directly aligned with the goals and objectives of the National Strategy to Secure Cyberspace. Working closely with federal, state, local and private sector partners, the Office of Information Security actively gathers and analyzes information on cyber threats and vulnerabilities that present risk to the state's information systems or the critical information managed within.

The Chief Information Security Officer (CISO) is responsible for the enterprise-wide Colorado Information Security Program (CISP), which includes governance, risk, compliance and risk management.

Security Management
OIS Security Management is responsible for security risk management across state departments. This group manages State Information Security Policies and Security Standards, consults with agencies on technical matters, and manages enterprise projects to meet security requirements.

Compliance Program
The OIS Compliance Program oversees applicable regulatory compliance, including compliance with federal and state laws, regulations, and Colorado Information Security Policy.

Application Security Program
The OIS Application Security Program is responsible for the creation of secure coding best practices to protect Colorado's information systems and mission-critical applications.

Vision and Guiding Security Principles

The vision of OIS is to be a leader in preserving the confidentiality, integrity, and availability of state and citizen data while maintaining efficient and effective IT operations for the State of Colorado. At all times, this effort will embrace the following security principles:

  • Confidentiality: Assurance that information is shared only among authorized persons or organizations.
  • Integrity: Assurance that the information is authentic and complete and can be relied upon to be sufficiently accurate for its purpose.
  • Availability: Assurance that the systems responsible for delivering, storing and processing information are accessible when needed, by those who need them.