Information Security Policies

The Office of Information Security has issued the following rules and policies under the authority of 24-37.5-401 through 406, C.R.S. These policies apply to public agencies as defined in section 402 of that part. They are rules in support of the Colorado Information Security Act.

Note: These Colorado Information Security Policies are updated as of Feb. 11, 2015 and supersede any policies posted prior to this date.


Policy Number  Description                            Download
CISP-001       Access Control                         PDF
CISP-002       Security Awareness and Training        PDF
CISP-003       Audit and Accountability               PDF
CISP-004       Security Assessment and Authorization  PDF
CISP-005       Configuration Management               PDF
CISP-006       Contingency Planning                   PDF
CISP-007       Identification and Authentication      PDF
CISP-008       Incident Response                      PDF
CISP-009       System Maintenance                     PDF
CISP-010       Media Protection                       PDF
CISP-011       Physical and Environmental Protection  PDF
CISP-012       Personnel Security                     PDF
CISP-013       Risk Assessment                        PDF
CISP-014       System and Services Acquisition        PDF
CISP-015       System and Communications Protection   PDF
CISP-016       System and Information Integrity       PDF
CISP-017       Security Planning                      PDF