Strategies, Governance, Policies, Standards and Resources

Strategies and Governance

Governance

• IT Shared Services Overview
• IT Shared Services Governance Overview
• IT Governance
• Enterprise Architecture Framework and Principles
• Enterprise Technology Architecture

Strategies

Statewide IT strategies developed for agency consumption can be viewed by clicking on the corresponding link below.

• State Cloud Computing Strategy
• Statewide Strategic Information Technology Plan (Current)
• Statewide Strategic Information Technology Plan (2018-2020)
• Statewide Strategic Information Technology Plan (2016-2018)

Policies

Information Privacy

• Data Protection and Privacy

Information Security

These policies, designed to improve the state's security and privacy posture, will align information management with the missions, goals and objectives of state agencies.

• Master Policy
• Access Control Policy
• Asset Management Policy
• Business Continuity Management Policy
• Human Resources and Security Awareness Policy
• Information Systems Acquisitions Development and Maintenance Policy
• Information Technology Compliance Policy
• Information Technology Risk Strategy Policy
• Mobile Security Policy  
• Physical and Environmental Security Policy
• Risk Management Policy
• Threat Vulnerability Management Policy

Learn more about the adoption and implementation of Information Security Policies in the SC Information Security Policy Handbook:

• SC Information Security Policy Handbook
• SC Information Security Policy Handbook — Appendices

The development of enterprise policies, procedures and standards is a critical step in setting the direction and framework for information security and privacy programs. These policies, designed to improve the state's security and privacy posture, will align information management with the missions, goals and objectives of state agencies.

Information Technology

• In accordance with the FY 2018-19 Appropriations Act, Proviso 117.148. (GP: Mobile Device Protection Plan), the Mobile Device Protection Policy describes the assignment, use and management of state issued mobile communication devices.

Procedures

Information Security

The following procedures establish minimum baseline processes to be followed by state agencies to comply with the policies above.

• SCDIS—501 Information Media Disposal Procedure
  • By law (S.C. Code Ann. § 30—2—310), all state agencies are to follow SCDIS—501 to securely transfer or dispose of information technology hardware or storage media.

Standards

Information Security

The following standards establish requirements for compliance with the above policies:

• SCDIS—200 Information Security and Privacy Standards
• SCDIS—210 InfoSec Technology Coverage Standards

Information Technology

The state of South Carolina has established a series of statewide information technology (IT) standards as part of the development and implementation of the IT shared services model. These standards are helping redefine how agencies approach the design, procurement, implementation and use of technology.

Statewide IT standards approved for agency consumption include those listed below. To view the standard, click on the corresponding link.

• End-User Computing Device Standard
• Hyper Converged Infrastructure System Standard
• Email Standard​

Each of the standards developed for this initiative originate, progress and are ultimately recommended through the defined governance structure. This structure – comprised of members representing a wide variety of agencies diverse in both size and scope – helps to provide a solid collaborative approach while ensuring agencies have a constant voice and input in such key decisions.

• Exception Process – An exception process has been established for instances when an agency feels that circumstances necessitate the need to depart from a given standard. Please note, exception requests are not guaranteed to be approved, and are considered and processed through the governance process.
• Questions or Concerns – If you have any questions regarding the development of IT standards or the IT shared services governance process, please contact Admin’s Program Management Office (pmo@admin.sc.gov).

Guidance and Guidelines

Information Privacy

• Data Classification
  • Data Classification Schema and Guidelines
  • Template Data Inventory Tool
  • Data Inventory Analysis and Reporting Template
  • Data Classification Auditing and Monitoring Plan Template
• Privacy Impact Assessment (PIA) 
  • Privacy Threshold Analysis (PTA) / Privacy Impact Assessment (PIA) Guidance and Template
  • Training Presentation for use with PTA/PIA Guidance and Template
• Information Security and Privacy Data Handling Guidelines

Information Security

• Asset Management Guidelines
• State of South Carolina IT Asset Management Tool

Other Resources

Information Privacy

• Sample Language and Clauses for Acceptable Use Acknowledgements

Information Security

• State of South Carolina Security Self—Assessment Tool
• Gap Analysis — Asset Management Policy (Template) 
• Gap Analysis — Access Control Policy (Template) 
• Gap Analysis — Business Continuity Management Policy (Template) 
• Gap Analysis — Data Protection and Privacy Policy (Template) 
• Gap Analysis — HR and Security Awareness Policy (Template) 
• Gap Analysis — IS Acquisition, Development and Maintenance Policy (Template) 
• Gap Analysis — IT Compliance Policy (Template) 
• Gap Analysis — IT Risk Strategy (Template) 
• Gap Analysis — Master Policy (Template) 
• Gap Analysis — Mobile Security Policy (Template) 
• Gap Analysis — Physical Environmental Security Policy (Template) 
• Gap Analysis — Risk Management Policy (Template) 
• Gap Analysis — Threat and Vulnerability Management Policy (Template) 
• Policy Implementation Plan of Action (Template) 
• Roles and Responsibilities Chart (Template)
• Information Security Plan (ISP) (Template)
• Interconnection Security Agreement (ISA) (Template)