Dept of Information Technology Policies

Policies and guidelines allow State agencies to operate under a common framework aligned with the strategic objectives of the State Information Technology Master Plan.

The framework fosters efficient and appropriate planning, procurement, development and use of State information technology and telecommunications systems.


Acceptable Use Policy
Maryland DOIT Acceptable Use Policy v1.0.pdf    
Effective: 1/31/2017

Effective security is a team effort involving the participation and support of every information system user who deals with information and Information Technology (IT) assets. Defining acceptable use sets boundaries and guidance on how these IT resources are to be used. Appropriate use of Information Technology (IT) resources and effective security are integral to protecting the confidentiality, integrity, and availability of IT systems and assets.


Account Management Policy
Maryland DOIT Account Management Policy v1.0.pdf    
Effective: 1/31/2017

This document establishes the DoIT account management policy and requires all agencies not under the direct management of DoIT to develop a process for documenting, managing, and maintaining all user and system accounts authenticating to the IT infrastructure.


Asset Management Policy
Maryland DOIT Asset Management Policy v1.0.pdf    
Effective: 1/31/2017

Compiling and maintaining inventory and accountability of assets is an important aspect of risk management. According to the Security Assessment Policy, each asset must be assigned a security category based on its perceived level of confidentiality, integrity, and availability, and it is the role of asset management to inventory, account for, and track these assets.


Authority to Operate Policy
Maryland DOIT Authority to Operate Policy v1.0.pdf    
Effective: 1/31/2017

The State of Maryland Department of Information Technology (DoIT) is responsible for, and committed to managing the confidentiality, integrity, and availability of State government information technology (IT) networks, systems, and applications within the scope of its authority. This includes ensuring that all devices and networks comply with security policies and configuration standards before they are approved to operate in agency IT environments. This policy defines the requirements for granting an Authority to Operate (ATO) or Interim Authority to Operate (IATO) certification to an information system.


Boundary Protection and Internet Access Policy
Maryland DOIT Boundary Protection and Internet Access Policy v1.0.pdf    
Effective: 1/31/2017

The establishment of perimeter defense mechanisms is an important part of minimizing exposure to security threats. The Maryland Department of Information Technology (DoIT) is committed to managing the confidentiality, integrity, and availability of State information technology networks, systems and applications (IT Systems). This includes establishing security controls for the boundaries between the DoIT Enterprise and subordinate agency networks, or between the DoIT Enterprise and 3rd party networks including the Internet.


Configuration Management Policy
Maryland DOIT Configuration Management Policy v1.0.pdf    
Effective: 1/31/2017

Configuration management is critical to establishing an initial baseline of hardware, software, and firmware components of Enterprise information systems and subsequently controlling and maintaining an accurate inventory of any changes to those systems. The Maryland Department of Information Technology (DoIT) is committed to managing the confidentiality, integrity, and availability of their information technology (IT) networks, systems, and applications (IT Systems) by establishing and enforcing standard baselines within the Enterprise. This allows DoIT to document, authorize, manage, and control system changes and prevent deviation from the established accepted risk.


Continuous Monitoring Policy
Maryland DOIT Continuous Monitoring Policy v1.0.pdf    
Effective: 1/31/2017

The Maryland Department of Information Technology (DoIT) is responsible for, and committed to, managing the confidentiality, integrity, and availability of the executive branch of Maryland State government Information Technology (IT) networks, systems, applications, and data. To provide this level of security within the DoIT Cybersecurity Program, a key component protecting systems and data is the implementation of a continuous monitoring capability.


Cybersecurity Program Policy
cybersecurity-program-policy-v1.0 (Updated with Sigs).pdf    
Effective: 1/31/2017

The Maryland Department of Information Technology (DoIT) is responsible for, and committed to, managing the confidentiality, integrity, and availability of Information Technology (IT) networks, systems, and applications for the Executive Branch of Maryland State Government. This document establishes the DoIT Cybersecurity Program by implementing information security policy initiatives across all IT Systems supported by, or under the policy authority of, DoIT as directed within the scope of its authority under the 2013 Maryland Code §§ 3A-303 and 3A-305. Pursuant to its authority, DoIT will ensure the information security of State IT resources by enacting this policy, which serves as the foundation for this program by establishing the minimum requirements to be observed by all reporting agencies.


Email Security Policy
Email-Security-Policy-v1.1.pdf    
Effective: 1/31/2017

Official correspondence must be exchanged securely to ensure that all confidential data, such as PII and other sensitive or protected data, is safeguarded. This policy defines acceptable guidelines for the secure configuration and use of State-issued email services and helps to ensure that correspondence is exchanged securely and that confidential data is protected.


Endpoint Protection Policy
Maryland DOIT Endpoint Protection Policy v1.0.pdf    
Effective: 1/31/2017

Endpoint security management is an approach to network security that requires, and ensures, that endpoint devices comply with specific criteria before being granted access to the network. Endpoint protection is an important aspect of maintaining the confidentiality, integrity, and availability of information. The increasing ease and prevalence of a mobile-enabled workforce makes it more important than ever to protect endpoint devices and the security posture of IT systems.


HIPAA Security Rule Policy
Maryland DOIT HIPAA Security Rule Policy v1.0.pdf    
Effective: 1/31/2017

The Maryland Department of Information Technology is committed to managing the confidentiality, integrity, and availability of electronic protected health information (ePHI) created, stored, processed, and transmitted electronically via State government Information Technology (IT) networks, systems, and applications (IT Systems). Agencies considered covered entities (CE) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) must comply with the requirements of HIPAA.


Incident Response Policy
Maryland DOIT Incident Response Policy v1.0.pdf    
Effective: 1/31/2017

The Maryland Department of Information Technology (DoIT) is committed to managing the confidentiality, integrity, and availability of information technology (IT) networks, systems, applications (IT systems), and data owned and/or operated by the Executive Branch of the State of Maryland, including vendors, contractors, and/or other affiliated entities providing services to the Executive Branch of the State of Maryland. This includes providing timely, efficient, and effective response to cybersecurity incidents.


Network Documentation and Access Policy
Maryland DOIT Network Documentation and Access Policy v1.0.pdf    
Effective: 1/31/2017

Network documentation is critical to efficient troubleshooting, onboarding personnel, and recovery in the event of a data loss or an integrity-impacting event. Network documentation should be created and updated regularly to ensure accuracy. Additionally, the establishment of network access controls protects both the network and data when a policy is not met by a user or device. The Maryland Department of Information Technology (DoIT) is responsible for, and committed to, managing the confidentiality, integrity, and availability of State government information technology (IT) networks, systems, and applications within the scope of its authority. This includes ensuring that networks are properly documented, configured, and accessed by Maryland agencies and users.


Patch Management Policy
Maryland DOIT Patch Management Policy v1.0.pdf    
Effective: 1/31/2017

Patch Management is a proactive practice designed to prevent exploitation of known vulnerabilities within an organization’s IT infrastructure. An effective patch management process helps mitigate the costs of time and effort expended defending against vulnerabilities known to the information security field at large. Timely patching of known security issues is recognized as a best practice critical to maintaining the confidentiality, availability, and integrity of information systems. The time immediately after the release of a patch is a particularly vulnerable moment for organizations because the window of time between obtaining, testing, and deploying a patch to the vulnerable IT Systems is sufficient for malicious entities to attempt various exploitation strategies.


PCI DSS Compliance Policy
Maryland DOIT PCI DSS Compliance Policy v1.0.pdf    
Effective: 1/31/2017

The Maryland Department of Information Technology (DoIT) is committed to managing the confidentiality, integrity, and availability of payment card account data that is stored, processed, and transmitted electronically via State government Information Technology (IT) networks, systems, and applications (IT Systems).


Public and Confidential Information Policy
Maryland DOIT Public and Confidential Information Policy v1.0.pdf    
Effective: 1/31/2017

The establishment of data classification levels is an important part of ensuring the protection and dissemination of potentially confidential data. The Maryland Department of Information Technology (DoIT) is committed to managing the confidentiality, integrity, and availability of information processed, stored, or transmitted by its information technology (IT) networks, systems, and applications (IT Systems).


Remote Access Policy
Remote-Access-v1.1.pdf    
Effective: 1/31/2017

The use of technology to work from remote locations, such as employees in the field or on-call staff accessing the network from home, is becoming more common. Remote access increases the risk of compromise or data loss; therefore, effective security implementation is necessary. This policy ensures that security procedures are integrated into remote connections to protect the information systems and the data that resides on them.


Security Assessment Policy
Maryland DOIT Security Assessment Policy v1.0.pdf    
Effective: 1/31/2017

The Maryland Department of Information Technology (DoIT) is responsible for, and committed to, managing the confidentiality, integrity, and availability of State government information technology (IT) networks, systems, and applications within the scope of its authority. This policy sets standards for Risk Assessment, Vulnerability Assessment, and Penetration Testing as an overall approach to mitigating exploitation and data compromise posed by cyber attackers and vulnerabilities.


Social Media Policy
Maryland DOIT Official Use of Social Media Policy v1.0.pdf    
Effective: 1/31/2017

The Maryland Department of Information Technology (DoIT) is responsible for, and committed to, managing the confidentiality, integrity, and availability of the Executive Branch of Maryland State government Information Technology (IT) networks, systems, and applications.


Third Party Interconnection Policy
Maryland DOIT Third Party Interconnection Policy v1.0.pdf    
Effective: 1/31/2017

The Maryland Department of Information Technology (DoIT) is responsible for, and committed to, managing the confidentiality, integrity, and availability of State government information technology (IT) networks, systems, and applications within the scope of its authority. This includes ensuring that acceptable security measures are in place, and that acceptable risk levels are maintained, when new network connections are made between Maryland agencies and third party entities.


Wireless Access Policy
Wireless-Access-v1.1.pdf    
Effective: 1/31/2017

Implementation of wireless technologies offers new challenges in balancing access to information and ensuring security is properly designed and integrated into the devices and connections that support it. This policy establishes the use of wireless technologies and the baseline requirements for proper implementation within Executive Agencies.