IT Policies
Statewide IT Policies
Statewide IT policies are set by the Information Technology Executive Council.
OITS Policies
OITS Policy 5230 - IP Phone Background Images
Effective Date 12/31/2012
Review Date 07/2019
1.0 SUBJECT: IP Phone Background Images
2.0 DISTRIBUTION: All branches of State Government
3.0 PURPOSE: To establish and define a policy in regard to the availability of background images for IP phones on the State's Cisco phone system.
4.0 BACKGROUND: The Cisco Phone system contains a feature allowing background images, much like on a workstation, to be displayed on the menu screen. This feature allows the phone to be personalized by an organization. At least one agency from each branch of government has requested a customized background image for their branch of government. Maintaining an unlimited number of images will create system management and storage issues, therefore the number of images available on the system will be restricted.
5.0 POLICY: To address the management issue, each branch of government will be allowed to have two customized phone background images. Individual agencies within each branch of government will not be allowed to have custom images specific to the agency. However, each end user in each agency will have the option to choose the appropriate image for their branch of government from the available images on the State's Cisco phone system.
6.0 CONTACT PERSON: Director, OITS Telecommunications 785-296-4999.
OITS Policy 8200 - Generative Artificial Intelligence Policy
Effective Date 07/31/2023
Approval Date 07/25/2023
1.0 Subject: Generative Artificial Intelligence Policy
2.0 Distribution: Executive Branch Cabinet and Non-Cabinet Agencies
3.0 From: Jeff Maxon, Interim Chief Information Technology Officer
4.0 Purpose: The purpose of this policy is to outline the acceptable use of generative artificial intelligence (AI). The policy is created to protect the safety, privacy, and intellectual property rights of the State of Kansas.
5.0 Background: As generative AI technology progresses, chatbots, virtual assistants, and other systems based on it are becoming more prevalent. These can include standalone systems, be integrated as features within search engines, or be overtly or transparently embedded in all manner of other software tools. Examples include ChatGPT and DALL-E from OpenAI, Microsoft Bing’s chat, Microsoft 365 Copilot, and Bard from Google.
Generative AI tools have the potential to enhance productivity by assisting with tasks like drafting documents, editing text, generating ideas, and software coding. However, these technologies also come with potential risks that include inaccuracies, bias and unauthorized use of intellectual property in the content generated. In addition, content created by AI, and the public availability of information submitted to the AI, could pose security or privacy concerns.
6.0 Organizations Affected: Executive Branch Cabinet and Non-Cabinet Agencies
7.0 REFERENCES:
7.2 State of Kansas Social Media Policy
8.0 Definitions:
8.1 Generative artificial intelligence (AI) uses advanced technologies such as predictive algorithms, machine learning, and large language models to process natural language and produce content in the form of text, images, or other types of media. Generated content is typically remarkably similar to what a human creator might produce, such as text consisting of entire narratives of naturally reading sentences.
8.2 Restricted Use Information as defined in ITEC 7230A.
8.3 Entity is defined as agencies, boards, commissions under the direction of the Governor or agents and contractors acting on behalf of those agencies, boards or commissions.
9.0 Policy: This policy shall serve as the primary governing document for usage of generative artificial intelligence technology as a user or related activities by the entities. While any entity may impose additional restrictions through their own policy, such policies must not conflict with the provisions outlined in this policy.
9.1 This policy applies to all business use cases involving the State of Kansas, including but not limited to:
9.1.1 development of software code,
9.1.2 written documentation (i.e., policy, legislation, or regulations) and correspondence (such as memorandums, letters, text messages, and emails),
9.1.3 research,
9.1.4 summarizing and proofreading documents,
9.1.5 making business decisions that impact short-term or long-term activities or policies and procedures.
9.2 Responsibilities
9.2.1 Responses generated from generative AI outputs shall be reviewed by knowledgeable human operators for accuracy, appropriateness, privacy and security before being acted upon or disseminated.
9.2.2 Responses generated from generative AI shall not:
9.2.2.1 be used verbatim,
9.2.2.2 be assumed to be truthful, credible, or accurate,
9.2.2.3 be treated as the sole source of reference,
9.2.2.4 be used to issue official statements (i.e. policy, legislation, or regulations),
9.2.2.5 be solely relied upon for making final decisions,
9.2.2.6 be used to impersonate individuals or organizations.
9.2.3 Restricted Use Information (RUI) shall not be provided when interacting with generative AI. Refer to ITEC Policy 7230A Section 9.16 Account Management - RUI.
9.2.4 Material that is inappropriate for public release shall not be entered as input to generative AI. All information that is provided shall be subjected to the same standard as referenced in the State Social Media Policy and shall be treated as publicly available.
9.2.5 Material that is copyrighted or the property of another, shall not be entered as input to generative AI.
9.2.6 Generative AI shall not be used for any activities that are harmful, illegal, or in violation of state policy or agency acceptable use policy.
9.2.7 Agencies shall ensure contractors disclose in their contracts the utilization of generative AI or integrations with generative AI platforms.
9.2.8 Agency contracts shall prohibit contractors from using State of Kansas RUI or other confidential data in generative AI queries or for building or training proprietary generative AI programs unless explicitly approved by the agency head with consultation from the Chief Information Security Officer.
9.2.9 Contractors utilizing Generative AI to build software explicitly for the State of Kansas must demonstrate positive control over all data input into the system.
9.3 Software Code development
9.3.1 Software code generated by generative AI shall only be implemented after the entity has identified and mitigated all business and security risks related to its use.
9.3.2 All usage of software code generated by generative AI shall be annotated.
10.0 Responsibilities:
10.1 Heads of entities are responsible for establishing procedures for their organization’s compliance with the requirements of this policy.
10.2 OITS is responsible for the maintenance of this policy.
11.0 History: This PPM was originally issued as #8200.00, dated 19 May 2023.
12.0 Contact: Chief Information Technology Architect
OITS Policy 9206 - OITS Central Office Visitor Policy
Effective Date 07/09/2014
Review Date 07/2019
1.0 SUBJECT: OITS Central Office Visitor Policy
2.0 PURPOSE: The purpose of this document is to provide guidance for Visitors to the Office of Information Technology Services Central Office (OITS CO) premises, as well as for employees sponsoring visitors to OITS CO.
3.0 BACKGROUND: The State of Kansas requires the use of access controls to restrict physical access to facilities that house information systems. Without physical access controls, the potential exists that information systems could be illegitimately accessed and the confidentiality, integrity and availability of the information they house compromised.
4.0 PROCEDURE:
4.1 Check-In
4.1.1 All visitors must arrive in the main reception area. All visitors must check in and affix a visitor badge to their person at a location above their waist and easily visible.
4.1.2 All visitors must present government-issue photo identification to their employee sponsor.
4.1.3 All visitors will remain at the check-in station until their employee sponsor arrives.
4.1.4 Visitors may not sponsor other visitors.
4.1.5 Pets are not permitted; however, service animals such as Seeing Eye Dogs are permitted.
4.1.6 Visitor logs shall also be maintained in each data center.
4.1.7 Visitor access shall be recorded in a log that includes, at a minimum:
4.1.7.1 Name and organization of the visitor
4.1.7.2 Name and organization of the person and/or system visited
4.1.7.3 Purpose of the visit
4.1.7.4 Date and time of arrival and departure
4.1.7.5 The form of identification used for identity verification
4.1.7.6 Visitor’s signature
4.1.7.7 Visitor's badge number
4.2 Visitor logs will be reviewed for completeness on at least a monthly basis and maintained for seven years.
4.3 Check-Out:
4.3.1 Visitors will check out at the same station where they arrived.
4.4 Visitor Badges
4.4.1 Visitor badges shall be easily recognizable.
4.4.2 Visitor badges must be worn at all times. Employees are instructed to immediately report any visitor not wearing a visitor badge. Visitor badges are solely used for recognition and shall not open any door.
4.5 Photographs
4.5.1 Visitors shall not take photographs unless discussed specifically with sponsoring employees. For example, photographs are sometimes required for documentation purposes. If employees have any questions about the suitability of photographs, they should consult Administrative Services or the Kansas Information Security Office (KISO). Notwithstanding other requirements of this section, cell phones and laptops equipped with cameras are permitted.
4.6 Information Disclosure
4.6.1 Visitors should not request information that does not pertain to their visit or the work being performed. Confidential or otherwise inappropriate requests for organization information, documentation, comments or statements on any matter currently under litigation (as might be requested by a reporter or a lawyer) will be reported to the KISO.
4.7 Sanitizing Controlled Areas
4.7.1 Any area containing sensitive information shall be sanitized prior to any visitation.
4.8 Emergency Evacuation
4.8.1 In the event of an emergency, it is the sponsoring employee’s responsibility to encourage the visitor to remain in the evacuation marshaling area. Emergency coordinators will include visitors in their accountability procedures using the visitors log from the check-in station.
4.9 Multiple Day or Extended Period Visits
4.9.1 For multiple day or extended period visits, visitors may be issued a Consultant ID badge under the following conditions:
4.9.1.1 Administrative Services has received authorization from the department head to issue a visitor a Consultant ID badge.
4.9.1.2 The visitor has a sponsor.
4.9.1.3 The visit will be for a period longer than 4 consecutive hours.
4.9.1.4 The visitor’s sponsor will ensure the Consultant ID badge is returned upon completion of the visit.
4.10 Unaccompanied visitor access to controlled areas such as datacenters, storage areas, frame rooms, Telecom Equipment Rooms (TER), etc. is prohibited.
4.11 Groups Requesting Tours of Facilities
4.11.1 All requests for group tours of facilities will be referred to Administrative Services and/or Office of the CISO for handling as an exception. A reason for the tour, areas of interest, and a list of participants must be provided.
4.11.2 Administrative Services will coordinate for an employee to be the designated sponsor of the group; the employee must have appropriate access to the tour's intended areas of interest.
4.11.3 The group sponsor will provide a summary of the Emergency Evacuation Procedure and restrictions on photographs prior to the start of the tour.
4.11.4 Visitor badges for groups with more than three participants are not required; instead, Administrative Services will provide the group sponsor with a roster of the group's participants, and the group sponsor must remain with the group at all times until the tour is completed.
4.12 Network or System Access
4.12.1 Visitors that need internet access may use the state wireless network.
4.12.2 Visitors who require temporary access to production networks require prior permission from the head of the department they are visiting, and their employee sponsor will arrange for temporary credentials. Prerequisites for this access include:
4.12.2.1 The visitor shall review the Information Security User Guide.
4.12.2.2 The visitor shall agree to abide by the policies set forth in the user guide by signing the user agreement located in the user guide.
4.12.2.3 The visitor’s sponsor shall provide the signed user agreement to Administrative Services where it will be maintained for two years.
No visitor may have unaccompanied access to any network or information system that would disclose Restricted Use Information (RUI) (see ITEC Security Policy 7230a for the RUI definition) without first having completed a fingerprint-based background investigation that has been adjudicated by the KISO.
4.13 Penalties
4.13.1 Violations of any of the requirements in this policy by any employee may result in disciplinary action, up to and including prosecution and/or termination.
4.13.2 Violations of any of the requirements in this policy by any visitor may also result in similar disciplinary action against the sponsoring employee, and may also result in termination of services with any associated consulting organization or prosecution in the case of criminal activity.
5.0 CONTACT PERSON: COO, Office of Information Technology Services, 785-296-4999
OITS Policy 9207 - ID Badges/Electronic Card Key Management
Effective Date 06/12/2013
Review Date 07/2019
1.0 SUBJECT: ID Badges/Electronic Card Key Management
2.0 DISTRIBUTION: OITS
3.0 PURPOSE: The purpose of this document is to provide guidance for issuance of Electronic Card Keys for access to OITS Central Office controlled areas.
4.0 BACKGROUND: The State of Kansas requires the use of access controls to restrict physical access to facilities that house information systems. Without physical access control, the potential exists that information systems could be illegitimately accessed and the information within compromised. Unaccompanied access to these controlled areas will be limited to authorized personnel only, and that authorization shall be demonstrated through the use of authorization credentials (badges, identity cards, etc.) that have been issued by the State.
5.0 PROCEDURE:
5.1 ID Badge/Electronic Card Key
5.1.1 ID badges shall be issued by Administrative Services.
5.1.2 Three types of ID badges shall be available:
5.1.2.1 State Employee ID Badge: This badge is issued by the Kansas Highway Patrol and is only issued to State employees. Access to areas using this badge will be determined by the employee’s supervisor. Access provided by the badge may be changed as duties change.
5.1.2.2 Visitor ID Badge: Visitor ID badges are used only for identifying visitors; they shall not provide access to any area.
5.1.2.3 Consultant ID Badge: Managed by Administrative Services, this badge is issued by the Kansas Highway Patrol and shall only open office area doors. This badge shall only be issued to authorized consultants, contractors, or vendors. As a standing exception, this badge may also be temporarily issued to an employee that has lost or forgotten their State Employee ID Badge.
5.1.3 ID Badges and Electronic Card Keys: Except for State Employee ID badges, and for the purpose of this Policy and Procedures Memorandum (PPM), all other ID badges and electronic card keys shall be used to identify electronic keys that provide access to controlled areas. These electronic keys shall be used and treated as an ordinary key and managed by local key control procedures.
6.0 Visitors
6.1 Must sign in and out at the reception desk; visitors must have a sponsor; the sponsor will be responsible for ensuring the visitor logs in and out.
6.2 All visitors shall be issued a visitor's badge, which must be worn at all times.
6.3 No visitor shall have unaccompanied access to any area.
6.4 For further information on visitors refer to the visitor’s policy.
7.0 Consultants, Contractors and Vendors
7.1 Consultant ID badges may be requested for consultants performing services that require more than four consecutive hours to complete. Consultant ID badges only open doors to office areas and no others (data centers, storage areas, frame rooms, etc.).
7.2 For consultants, contractors and vendors that do not maintain a clearance with administrative services, escorts are required for access to any controlled area such as data centers, storage areas, frame rooms, etc.
7.3 For unaccompanied access to controlled areas the following applies:
7.3.1 Must be working on behalf of a local active where access to a controlled area is required.
7.3.2 Must possess an equivalent OITS security clearance that has been verified by the Office of the CISO, and proof of this clearance is on file with Administrative Services.
7.3.3 Must be on the unaccompanied access roster maintained by Administrative Services.
7.4 Non-state employees that have been authorized unaccompanied access to controlled areas shall sign for (card) keys to specific areas from the appropriate key control custodians such as the Network Operations Center (NOC).
8.0 Employees
8.1 Employees shall not share use of their State Employee ID badge.
8.2 Employees who forget their State Employee ID badge may temporarily sign for a Consultant ID Badge from Administrative Services.
9.0 Facilities Maintenance Personnel.
9.1 State personnel performing maintenance in controlled areas are also required to possess a security clearance for unaccompanied access. This clearance must be maintained on file with Administrative Services.
10.0 Administrative Services
10.1 Shall be responsible for requesting all badges and card keys.
10.2 Shall be responsible for issuing Consultant ID badges. The following are requirements before a Consultant ID badge is issued:
10.2.1 Issuing a consultant badge to employees requires that employment is verified, and the employee has either lost or forgotten their State issued ID badge.
10.2.2 Issuing a Consultant ID badge to non-state employees requires that an office head has approved a request, for an individual whose services require more than four consecutive hours.
10.3 Shall be responsible for issuing electronic card keys to controlled areas to the NOC.
10.4 Shall be responsible for conducting monthly reconciliation reviews of those authorized unaccompanied access to controlled areas. Records of these reviews shall be maintained on file for six years.
10.5 Shall be responsible for providing the NOC with an “access roster” of those authorized unaccompanied access that may be issued keys to controlled areas.
10.6 Shall conduct quarterly inventories of all electronic card keys issued. Records of these audits shall be maintained for six years.
10.7 Shall be responsible for discontinuing access of any electronic card key or ID badge if lost, missing or stolen.
11.0 Network Operations Center (NOC)
11.1 Shall manage electronic card keys in accordance with local key control policy.
11.2 Shall be responsible for issuing electronic card keys to all controlled areas.
11.3 Shall only issue electronic card keys to authorized persons whose names are present on the access roster provided by Administrative Services.
12.0 CONTACT PERSON: COO, Office of Information Technology Services, 785-296-4999
CISO Policy
CISO Policy 1100 - Prohibition of Designated Digital Platforms
Effective Date 03/25/2025
1.0 Title: Prohibition of Designated Digital Platforms
2.0 Purpose: The purpose of this policy is to safeguard the State of Kansas’ information systems by prohibiting the use of Prohibited Digital Platforms on all state‑owned or managed devices, including mobile devices, and by blocking network and Internet access to these applications. This measure mitigates national and state security risks, protects sensitive state data, and ensures the integrity of our digital infrastructure.
3.0 Scope: This policy applies to all state‑owned or managed information systems, networks, and devices that process, transmit, or store state data. It also applies to all third parties that process, transmit, or store state data when engaged in such activities on behalf of the State of Kansas.
4.0 Organizations Affected: This policy applies to all State of Kansas Executive branch boards, commissions, departments, divisions, Entities, and third parties involved in processing, transmitting, or providing business capabilities on behalf of Kansas state government, hereafter referred to as Entities.
5.0 References:
5.1 K.S.A. 75-7238
5.2 K.S.A. 75-7239
5.3 K.S.A. 75-7240
6.0 Definitions:
6.1 Blocked Digital Platforms List: The following platforms are designated as Prohibited Digital Platforms under this policy: DeepSeek, RedNote, and Lemon8. Additional platforms may be classified as prohibited and included in an appendix to this policy. Any platforms listed in the appendix, even if not explicitly named in this policy, are incorporated by reference and considered an integral part of this policy.
6.2 Prohibited Digital Platforms: Digital platforms, including applications, social media services, artificial intelligence tools, websites, and associated services, that the Kansas Information Security Office (KISO), in consultation with the Executive Branch Chief Information Security Officer (CISO), determines to pose a security risk due to factors such as country of origin, data handling practices, or potential links to adversarial foreign entities.
6.3 State Devices: Devices owned, leased, or managed by the State of Kansas, including mobile devices and endpoints used to access state networks.
7.0 Policy: This policy serves as the principal governing authority for the prohibition of Prohibited Digital Platforms on all state‑owned or managed devices and networks. Individual Entities may impose supplemental restrictions through their own policies; however, such measures must not contradict this policy.
Entities must:
Prohibition of Usage and Installation
7.1 Not install, use, or permit the installation or use of any Prohibited Digital Platforms on state-owned or managed devices.
7.2 Enforce, when possible, Mobile Device Management (MDM) policies that prevent the installation and execution of Prohibited Digital Platforms on mobile devices. MDM systems must automatically detect and block any attempt to install or execute these platforms.
Network Blocking Requirements
7.3 Configure all state networks – including Internet, intranet, and extranet systems – to block all inbound and outbound traffic to domains, IP addresses, and associated services related to Prohibited Digital Platforms.
7.4 Employ all available technical controls, including firewalls, intrusion detection systems, DNS filtering, and endpoint management tools, to continuously enforce this policy.
7.5 Ensure all access attempts to Prohibited Digital Platforms are logged.
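The DNS-filtering control named in 7.4 and the logging requirement in 7.5 are easy to get subtly wrong: a naive substring match blocks unrelated domains, and a plain equality match misses subdomains and trailing-dot or mixed-case query names. The script below is an added example written for this page, not code from the State of Kansas or KISO. It assumes constructed placeholder domains on the `.example` TLD in place of the real Blocked Digital Platforms List, a simplified one-line-per-query resolver log format that is also constructed, and BIND's Response Policy Zone (RPZ) syntax for the generated block records.

```python
"""Blocklist enforcement helpers for a DNS-filtering control (added example).

Assumptions (all constructed for this example):
  - BLOCKLIST holds placeholder domains on the .example TLD, standing in for
    the policy's Blocked Digital Platforms List.
  - Query-log lines have the simplified form "<timestamp> <client-ip> <qname> <qtype>".
  - RPZ output follows BIND Response Policy Zone syntax, where "CNAME ." means
    "answer NXDOMAIN" for the matched name.
"""
from __future__ import annotations

import re
from typing import Iterable

# Constructed placeholders; a real deployment loads the list from the policy appendix.
BLOCKLIST = {"deepseek.example", "rednote.example", "lemon8.example"}


def normalize(name: str) -> str:
    """Lower-case the name and drop the trailing root dot so that
    'API.DeepSeek.example.' compares equal to 'api.deepseek.example'."""
    return name.strip().rstrip(".").lower()


def is_blocked(qname: str, blocklist: Iterable[str] = BLOCKLIST) -> bool:
    """Return True if qname is a listed domain or any subdomain of one.

    Matching is done on label boundaries ("." + domain), so a lookalike such as
    'notdeepseek.example' is NOT blocked, while 'cdn.deepseek.example' is.
    """
    name = normalize(qname)
    for entry in blocklist:
        blocked = normalize(entry)
        if name == blocked or name.endswith("." + blocked):
            return True
    return False


def rpz_records(blocklist: Iterable[str] = BLOCKLIST) -> list[str]:
    """Render RPZ records that return NXDOMAIN for each listed domain and its
    subdomains. Two records per domain: the apex and a wildcard."""
    lines: list[str] = []
    for blocked in sorted(normalize(x) for x in blocklist):
        lines.append(f"{blocked} CNAME .")
        lines.append(f"*.{blocked} CNAME .")
    return lines


# Constructed log format: "<timestamp> <client-ip> <qname> <qtype>".
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)$")


def audit_queries(lines: Iterable[str], blocklist: Iterable[str] = BLOCKLIST) -> list[dict]:
    """Return one record per access attempt to a blocked platform (policy 7.5).
    Unparseable lines are skipped rather than allowed to crash the audit."""
    attempts: list[dict] = []
    for line in lines:
        match = LOG_RE.match(line.strip())
        if not match:
            continue
        if is_blocked(match["qname"], blocklist):
            attempts.append(
                {"ts": match["ts"], "client": match["client"], "qname": normalize(match["qname"])}
            )
    return attempts


# Constructed sample query-log lines (not real traffic).
SAMPLE_LOG = [
    "2025-03-26T09:14:02Z 10.20.30.40 api.deepseek.example A",
    "2025-03-26T09:14:05Z 10.20.30.40 intranet.example A",
    "2025-03-26T09:15:11Z 10.20.30.41 notdeepseek.example A",
    "2025-03-26T09:16:00Z 10.20.30.42 cdn.Lemon8.example. AAAA",
    "this line is malformed",
]

if __name__ == "__main__":
    for record in rpz_records():
        print(record)
    for attempt in audit_queries(SAMPLE_LOG):
        print(f"BLOCKED-ATTEMPT ts={attempt['ts']} client={attempt['client']} qname={attempt['qname']}")
```

Running the script prints the RPZ records a resolver operator would load into a policy zone and two blocked-attempt records from the constructed sample log: the `api.deepseek.example` query and the mixed-case, trailing-dot `cdn.Lemon8.example.` query. The lookalike `notdeepseek.example` and the unrelated intranet name are not reported, which is the behaviour that distinguishes label-boundary matching from a substring check.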
Removal and Compliance
7.6 Remove any instance of Prohibited Digital Platforms from state devices or systems within 30 days following the publication of this policy and any updated Blocked Digital Platforms List.
7.6.1 Report to the CISO any failures to remediate within this timeframe and must provide a plan for immediate corrective action.
7.7 Submit written confirmation of the removal of Prohibited Digital Platforms and compliance with this policy to the Kansas Information Security Office (KISO) within 15 days after the removal deadline.
Procurement and Vendor Certification Restrictions
7.8 Not award any new procurement, contract, license, task order, prior authorization, or similar instrument for digital platforms, applications, services, or components that incorporate or support technology related to Prohibited Digital Platforms.
7.9 Require vendors, suppliers, and other third-party providers to certify that their products are free from technology or components related to Prohibited Digital Platforms.
8.0 Responsibilities:
8.1 Heads of Entities must establish procedures to ensure compliance with this policy.
8.2 The Chief Information Security Officer (CISO), Executive Branch, is responsible for maintaining this policy.
9.0 Enforcement:
9.1 Non-compliance with this policy may result in disciplinary action, up to and including termination of employment.
9.2 Written approval from the Kansas Information Security Office (KISO) is required for any exception to this policy.
10.0 Cancellation: This policy cancels and supersedes all previous versions.