20-07 IT Security Policy

Purpose: This document establishes the requirement that units within the Executive Branch must comply with the Information Technology Security manuals, standards, processes/procedures, and guidelines.

Policy Statement: The Governor created the Office of Security Management (OSM) with Executive Order 01.01.2019.07, establishing the role of State Chief Information Security Officer (SCISO) as the head of the OSM. The SCISO is responsible for the direction, coordination, and implementation of the overall cybersecurity strategy and policy for the Executive Branch of State government. Additionally, this authorization includes managing the Security Awareness and Training program to ensure that all Units either utilize the OSM-managed solution or operate an internal program consistent with the requirements and guidance prescribed by the SCISO. The Department of Information Technology maintains a manual of information security standards, as well as standalone guidance documents and standards that shall apply to covered units of state government.

Applicable Law & Other Policy:

  • MD State Finance and Procurement Code Ann. § 3A-301-309

  • Governor’s Executive Order 01.01.2019.07

  • MD State Government Code § 10-1301-1308

  • Maryland IT Security Manual, version 1.2, 28 June, 2019

Scope and Responsibilities: All units of the Executive Branch of the State Government are required to comply with this Policy. Agency executives and applicable staff covered by this Policy shall ensure adherence.

Key Terms:

Department of Information Technology (DoIT): An executive branch unit of Maryland state government, organized according to Maryland Code, State Finance and Procurement Article, § 3A.

Policy: A statement of jurisdiction and methods to guide agencies in the management of IT resources and services.

Units: All executive branch units of state government, except those identified in Maryland Code, SF&P § 3A-302.

Technical Specifications: State of Maryland Information Technology Security Manual v1.2.

Policy Review: By the DoIT IT Policy Review Board annually or as needed.

Contact Information: Chair, IT Policy Review Board, doit-oea@maryland.gov 410-697-9724. The policy steward is the State Chief Information Security Officer.