|
MD-POL-100
|
Cybersecurity & Privacy Governance Policy
|
The Cybersecurity & Privacy Governance Policy establishes the policy framework through which the State of Maryland defines, implements, and oversees cybersecurity and privacy practices aligned with regulatory requirements, industry standards, and strategic objectives.
|
|
MD-POL-201
|
Cybersecurity Risk Management Policy
|
The Cybersecurity Risk Management Policy establishes the requirements for managing information security risk to the State by assessing risk, responding to risk once determined, and monitoring risk over time.
|
|
MD-POL-202
|
Asset Management Policy
|
The Asset Management Policy establishes the requirements for identification and management of all information technology (IT) assets consistent with their relative importance to the State.
|
|
MD-POL-203
|
Acceptable Use Policy
|
The Acceptable Use Policy establishes allowances and conditions for the acceptable use of State-owned or State-managed IT assets.
|
|
MD-POL-204
|
Access Control Policy
|
The Access Control Policy establishes a framework for managing and safeguarding access to State information systems and resources.
|
|
MD-POL-205
|
Data Protection & Privacy Policy
|
The Data Protection & Privacy Policy establishes requirements for safeguarding State data throughout its lifecycle and managing privacy risks in alignment with State and regulatory expectations.
|
|
MD-POL-206
|
Awareness & Training Policy
|
The Awareness & Training Policy establishes the requirements for developing and maintaining an awareness and training program for cybersecurity and privacy.
|
|
MD-POL-207
|
System and Network Security Policy
|
The System and Network Security Policy establishes the requirements for managing the hardware, software, and services of physical and virtual platforms to protect their confidentiality, integrity, and availability.
|
|
MD-POL-208
|
Continuous Monitoring Policy
|
The Continuous Monitoring Policy establishes the requirements for maintaining ongoing awareness of information security risks, vulnerabilities, and threats to enable timely and effective threat response within the State of Maryland.
|
|
MD-POL-209
|
Incident Response Policy
|
The Incident Response Policy establishes a structured and effective approach for identifying, managing, and mitigating the risk of cybersecurity and privacy incidents that threaten the confidentiality, integrity, or availability of information and State assets.
|
|
MD-POL-210
|
Continuity of Operations Policy
|
The Continuity of Operations Policy establishes the requirements for building and maintaining restoration capabilities that support recovery to normal State operations after an incident or disruption.
|
|
MD-STD-301-AC
|
Access Control Standard
|
The Access Control Standard provides the technical and operational specifications needed
to manage access to systems, applications, and data.
|
|
MD-STD-302-AT
|
Awareness & Training Standard
|
The Awareness & Training Standard reduces risk by creating an understanding of the security, privacy, and data management risks associated with individual roles that handle information defined by the State as confidential or restricted and how to properly protect this data.
|
|
MD-STD-303-AU
|
Audit & Accountability Standard
|
The Audit & Accountability Standard requires systems to generate, protect, and retain audit records to support the detection, investigation, and response to unauthorized or suspicious activity.
|
|
MD-STD-304-CA
|
Control Assessments Standard
|
The Control Assessments Standard establishes a process for each agency to systematically evaluate the security posture, authorize systems before deployment, and continually monitor for risk.
|
|
MD-STD-305-CM
|
Configuration Management Standard
|
The Configuration Management Standard provides the technical and operational specifications needed to manage and maintain system configurations across the State’s hardware, software, and network environments.
|
|
MD-STD-306-CP
|
Contingency Planning Standard
|
The Contingency Planning Standard provides the technical and operational specifications needed to establish, prepare, respond to, and recover from disruptive events that may impact State operations.
|
|
MD-STD-307-IA
|
Identification & Authentication Standard
|
The Identification & Authentication Standard provides the technical and operational specifications needed to verify the identities of users, devices, and systems before granting access to State systems.
|
|
MD-STD-308-IR
|
Incident Response Standard
|
The Incident Response Standard provides the technical and operational specifications needed to detect, respond to, and recover from security incidents.
|
|
MD-STD-309-MA
|
Maintenance Standard
|
The Maintenance Standard provides the technical and operational specifications needed to maintain effective security controls over time.
|
|
MD-STD-310-MP
|
Media Protection Standard
|
The Media Protection Standard provides the technical and operational specifications needed to protect the confidentiality, integrity, and availability of State Data stored on various media formats.
|
|
MD-STD-311-PE
|
Physical & Environmental Protection Standard
|
The Physical & Environmental Protection Standard provides the technical and operational specifications needed to mitigate risks associated with unauthorized access, environmental hazards, natural disasters, and infrastructure vulnerabilities.
|
|
MD-STD-312-PL
|
Planning Standard
|
The Planning Standard provides the technical and operational specifications needed to establish a structured approach to strategic planning.
|
|
MD-STD-313-PM
|
Program Management Standard
|
The Program Management Standard provides the technical and operational specifications needed to oversee and coordinate cybersecurity programs.
|
|
MD-STD-314-PS
|
Personnel Security Standard
|
The Personnel Security Standard provides the technical and operational specifications needed to manage personnel security measures that protect organizational assets, operations, and information.
|
|
MD-STD-315-PT
|
PII and Transparency Standard
|
The PII and Transparency Standard provides the technical and operational specifications needed to process PII responsibly, maintain transparency, and comply with privacy regulations.
|
|
MD-STD-316-RA
|
Risk Assessment Standard
|
The Risk Assessment Standard provides the technical and operational specifications needed for security threats and vulnerabilities to be systematically evaluated and addressed.
|
|
MD-STD-317-SA
|
System & Services Acquisition Standard
|
The System & Services Acquisition Standard provides the technical and operational specifications needed to effectively procure, develop, and maintain technology solutions that align with security, operational, and business objectives in a secure manner.
|
|
MD-STD-318-SC
|
System & Communication Protection Standard
|
The System & Communication Protection Standard provides the technical and operational specifications needed to prevent unauthorized access, detect threats and secure State data.
|
|
MD-STD-319-SI
|
System & Information Integrity Standard
|
The System & Information Integrity Standard provides the technical and operational specifications needed for data to remain accurate, unaltered, and protected from unauthorized modifications.
|
|
MD-STD-320-SR
|
Supply Chain & Risk Management Standard
|
The Supply Chain & Risk Management Standard provides the technical and operational specifications needed for procurement, development, and integration of secure systems and services.
|
|
Cybersecurity & Privacy Glossary
|
Cybersecurity & Privacy Glossary
|
The Cybersecurity & Privacy Glossary provides a comprehensive, standardized set of definitions and terminology used throughout the State's Policy Suite to ensure clarity and consistent interpretation of security and privacy requirements.
|