The Information Security Control Policy PS-17-001 became effective January 15, 2017:

The purpose of the Information Security Control Policy is to improve how security controls are managed within the State’s shared-service environment. Security operations remains a top priority and is necessary to continue to advance security practices and processes. The definition of “ownership” within a shared-services environment has different dimensions. As it pertains to security, controls are often established by agency business owners but are typically executed by multiple parties. Often times the delineation of duties between multiple parties are not clearly understood resulting in inconsistencies in the execution of responsibilities. The Security Control Policy addresses this business challenge by establishing clearer lines of delineation between security controls, ownership and the overall responsibility of execution.