Administrative Guide to State Government
POLICY 1340.00 Information Technology Information Security
CONTACT AGENCY
Department of Technology, Management and Budget (DTMB)
Cybersecurity & Infrastructure Protection (CIP)
Telephone: 517-241-4090
SUMMARY
Security controls must be implemented to protect SOM information from
unauthorized access, use, disclosure, modification, destruction, or denial and to
ensure confidentiality, integrity and availability of SOM information. All SOM
employees, trusted partners, or entities authorized to access, store, or transmit SOM
information shall protect the confidentiality, integrity and availability of the
information as set forth in this and all SOM enterprise IT policies, standards, and
procedures (PSP). Information is not limited to data in computer systems and is
included wherever it resides in an agency, whatever form it takes (electronic,
printed, etc.), whatever technology is used to handle it, or whatever purposes it
serves. Any data that is originated, entered, processed, transmitted, stored or
disposed of for the SOM is considered SOM information.
Policies, standards and procedures addressed in this document and corresponding
sub-level documents include management, operational, and technical controls. The
corresponding standards and procedures are available to SOM employees at: Inside
Michigan.gov - IT Technical Policies, Standards & Procedures.
SOM or environmental changes may require changes to this security policy. Any
efforts to request, approve, implement, or communicate changes to policies,
standards, or procedures that this policy regulates or governs must be made under
SOM 1305.00.01 IT Policy Administration Standard.
Policy exceptions could occur for many reasons. Examples include an overriding
business need, a delay in vendor deliverables, new regulatory or statutory
requirements, and temporary configuration issues. The exception process must
ensure these circumstances are addressed while making all stakeholders aware of
the event, risks, and timetable to eliminate the exception. If an exception to this
policy or a related standard is necessary, agencies, in conjunction with their DTMB
representatives, must comply with the approved DTMB process outlined in SOM
1305.00.02 Technical Policy and Product Exception Standard and SOM
1305.00.02.01 Technical Review Board (TRB) and Executive Technical Review
Board (ETRB) Exception Procedure.
CIP will duly implement and enforce security policies, standards, and procedures to
ensure their effective dissemination and availability. CIP may enforce compliance
through continuous monitoring, the security accreditation process, vulnerability
scanning, and other validation methods to ensure an adequate level of security is
maintained.
STANDARDS
General
The following SOM standards are established in accordance with corresponding
NIST controls. This policy establishes these standards and related standards and