| Access Control Policy |
ETSS_Policy_300.1_Access_Control__AC_.pdf |
DoIT |
2026-06-22 |
This policy ensures that only authorized users, devices, and processes gain access commensurate with business need; that privileged actions are tightly governed and auditable; and that accountability for user actions is maintained. |
| Assessment, Authorization, and Monitoring Policy |
ETSS_Policy_10-23_Assessment__Authorization__and_Monitoring__CA_.pdf |
DoIT |
2022-11-08 |
To establish policy for the effective implementation of security controls to safeguard State of Rhode Island IT system resources, infrastructure, and data. |
| Audit and Accountability Policy |
ETSS_Policy_300.3_Audit_and_Accountability__AU_.pdf |
DoIT |
2026-06-22 |
Establish policy for effectively managing and monitoring audit and accountability controls to ensure there are sufficient information system logs of actions performed to determine accountability. |
| Awareness and Training Policy |
ETSS_Policy_10-26_Awareness_and_Training__AT_.pdf |
DoIT |
2022-11-08 |
To establish policy that ensures information system users are aware of current threats to information security and are adequately trained to perform their assigned roles and responsibilities in a manner that maintains system security. |
| Bring Your Own Device Security Policy |
DOIT_Bring_Your_Own_Device_Security_Policy_4-1-16.pdf |
DoIT |
2016-04-01 |
To establish a Bring Your Own Device Security Policy for the effective management of personally owned mobile devices used to access State networks, applications and/or data and to ensure the confidentiality, integrity, and availability of State networks, applications and data. |
| Configuration Management Policy |
ETSS_Policy_10-14_Configuration_Management__CM_.pdf |
DoIT |
2022-11-08 |
To establish a Configuration Management Policy for effectively managing risk associated with changes to, and that have an impact on, system configurations, baseline configuration settings and overall information system security. |
| Contingency Planning Policy |
ETSS_Policy_100.6_Contingency_Planning__CP_.pdf |
DoIT |
2026-06-22 |
This policy establishes the requirements for contingency planning across State of Rhode Island information systems. Contingency planning enables the restoration and continuity of operations of mission-critical assets and business functions following a disruption, compromise, or failure. This policy defines requirements for contingency plan development, testing, and training, system backup and recovery, and the establishment of alternate storage, processing, and telecommunications capabilities. |
| Federal Tax Information Access Policy |
ETSS_Policy_10-11_Federal_Tax_Information_Access__FTI_.pdf |
DoIT |
2022-11-08 |
To establish policy that adequately protects and ensures the confidentiality of federal tax information (FTI) in accordance with Internal Revenue Service (IRS) Publication 1075, entitled “Tax Information Security Guidelines for Federal, State, and Local Agencies” (IRS Publication 1075). |
| Identification and Authorization Policy |
ETSS_Policy_300.7_Identification_and_Authentication__IA_.pdf |
DoIT |
2026-06-22 |
This policy ensures that user access is authorized prior to system access, classified data is protected through strong authentication mechanisms, and accountability is maintained through unique identification and centralized identity services. |
| Incident Handling and Response Policy |
ETSS_Policy_10-12_Incident_Handling_and_Response__IR_.pdf |
DoIT |
2022-11-08 |
To establish policy for the effective and timely management of IT security related incidents to safeguard State of Rhode Island IT resources, infrastructure, and data. |
| Information Technology Project Approval Policy |
IT-07-02_Information_Technology_Project_Approval_Policy_2022.pdf |
DoIT |
2022-03-22 |
Prior to the expenditure of State resources, the State CDO/CIO will ensure that all major information technology (IT) efforts are consistent with the State of Rhode Island's strategic direction and will be delivered within the DoIT Project Management Framework. |
| IT Systems and Services Acquisition Policy |
ETSS_Policy_10-17_System_and_Services_Acquisition__SA_.pdf |
DoIT |
2022-11-08 |
This policy provides requirements for the IT system and service acquisition process required to assure that information systems are acquired using controls sufficient to safeguard the State’s information systems. |
| Media Protection Policy |
ETSS_Policy_300.10_Media_Protection__MP__2026.pdf |
DoIT |
2026-06-22 |
This policy establishes enterprise requirements for the protection of information stored on digital and non-digital media throughout its lifecycle. It defines controls for media access, marking, storage, transport, sanitization, and use to protect the confidentiality, integrity, and availability of State information. |
| Mobile Devices Service and Support Policy 09-01 |
ETSS_Policy_09-01_Mobile_Devices_Service_and_Support_Policy.pdf |
DoIT |
2025-04-21 |
Identify the process and procedures for the procurement and support of cellular telephones and mobile broadband devices (commonly referred to as air cards or hotspots). |
| Personnel Security Policy |
ETSS_Policy_300.14_Personnel_Security__PS_.pdf |
DoIT |
2026-06-22 |
To establish a personnel security policy that provides effective governance of personnel to ensure the security of sensitive information systems and data. |
| Physical and Environmental Security Policy |
ETSS_Policy_100.11_Physical_and_Environmental_Security.pdf |
DoIT |
2026-06-22 |
This policy establishes the requirements for physical and environmental security controls at facilities that house State of Rhode Island information systems and support infrastructure. It provides a framework for protecting information systems and their components from physical threats, environmental hazards, and unauthorized physical access. |
| Risk Assessment Policy |
ETSS_Policy_10-25_Risk_Assessment__RA__.pdf |
DoIT |
2022-11-08 |
To establish policy that effectively manages inherent risk, vulnerabilities, threats, and countermeasures based on the criticality of the information system and data to ensure its confidentiality, integrity, and availability, and achieve an acceptable level of enterprise risk. |
| Security and Risk Program Management |
ETSS_PM-1_Security_and_Risk_Program_Management_Rev1.2.pdf |
DoIT |
2023-05-11 |
The Security and Risk Management Program defines the foundation for information technology security in Rhode Island. It establishes the Statewide information security standards, providing direction for the Chief Information Security Officer (CISO) to establish a set of standards for information technology security to maximize the functionality, security, and interoperability of the State’s distributed information technology assets, including, but not limited to, data classification and management, communications, and encryption technologies. These standards apply to all executive branch agencies. |
| Security Planning Policy |
ETSS_Policy_300.12_Security_Planning.pdf |
DoIT |
2026-06-22 |
This policy establishes the requirements for security planning across State of Rhode Island information systems. Security planning ensures that information systems are designed, implemented, operated, and maintained with appropriate security and privacy controls, and that the security posture of each system is documented, reviewed, and authorized. This policy defines the requirements for developing and maintaining System Security Plans (SSPs), establishing rules of behavior, managing security and privacy architectures, and selecting and tailoring control baselines. |
| Social Networking Policy |
IT-10-09_Policy_on_Social_Networking.pdf |
DoIT |
2018-02-28 |
This policy is aimed at allowing state agencies and departments the benefit of using social networking for the performance of state business, to communicate with the public, protect the infrastructure and legal interests of the State of Rhode Island and assure that adequate bandwidth is available to conduct State business without interruption.