To define the terms, “policy,” “standard,” and “guideline” and to describe how the Kansas Information Technology Executive Council (ITEC) will issue these in discharging its statutory responsibilities to include establishing technology architecture for the state technology infrastructure.
To promote efficient use of resources and to promote the delivery of public services by an IT enabled system of governance that works better, costs less and is capable of serving the citizens’ needs with ease.
To establish and enforce specifications which shall apply to all technology and technology resource related supplies, materials, and equipment purchased or to be purchased for the use of the state government or any of its entities. These specifications shall be based to the extent practicable on industry accepted open network architecture and interoperability standards.
All Branches, Boards, Commissions, Departments, Divisions and Agencies of state government, hereafter referred to as entities.
K.S.A. 75-7203 authorizes ITEC to: Adopt information resource policies and procedures and provide direction and coordination for the application of the state's information technology resources for all state agencies.
K.S.A. 75-7205 Duties of the Chief Information Technology Officer (CITO).
ITEC shall establish information technology policies, standards, and enterprise architecture for the state technology infrastructure to promote efficient use of resources and to promote economic development.
K.S.A. 75-7203 authorizes the ITEC to set technology policy for all state entities. This statute also authorizes ITEC to:
Adopt an information technology architecture, including telecommunications systems, networks, and equipment, that covers all state agencies.
Adopt standards for data management for all state agencies.
Adopt a strategic information technology management plan for the state.
Provide direction and coordination for the application of the state's information technology resources.
Designate the ownership of information resource processes and the lead agency for implementation of new technologies and networks shared by multiple agencies in different branches of state government.
Perform such other functions and duties as necessary to carry out the provisions of K.S.A. 75-7203.
ITEC shall adopt a standard that provides specifications for how “policies”, “standards”, and “guidelines” shall be formatted, organized, and maintained.
ITEC may revoke policies, standards, and guidelines which are no longer applicable for such reason as the provisions have been superseded by law or legal instrument, or the technology referenced by such policy has become obsolete.
ITEC will provide a web-based site for the dissemination of policies, standards, and guidelines. This web-based site should include clearly marked revoked policies that include the date the policy was active for auditing purposes.
ITEC shall have the authority to establish technology standards and architecture and issue technology guidelines. Guidelines will be issued from time-to-time by ITEC, either directly or in conjunction with the establishment of policies and standards.
In the context of information technology, the words policy, standard, and guideline are often used interchangeably. The intent of this document is to 1) provide working definitions for each of these terms as used by ITEC and all state entities. 2) identify which state entities are affected by these terms; and, 3) how they are affected. A thumbnail definition of each term:
Policy – A general or high-level statement of a direction, purpose, principle, process, method, or procedure for managing technology and technology resources.
Standard – A prescribed or proscribed specification, approach, directive, procedure, solution, methodology, product, or protocol which must be followed.
Guideline – A guideline is similar to either a standard or a policy, in that it outlines a specific principle, direction, directive, specification, or procedure but is not binding. Rather, a guideline is a recommended course of action.
A Policy is a general or high-level statement of a direction, purpose, principle, process, method, or procedure for managing technology and technology resources.
A specific example of a technology policy might be:
“Entities shall implement an Information Technology Security Policy for their organization. All Information Technology Security Policies adopted by the Entity must be at least as stringent as this policy.”
When ITEC adopts a technology policy, it is binding upon all state entities. State entities may adopt additional policies so long as they are not less restrictive or conflict with existing ITEC policies.
A Standard is a prescribed or proscribed specification, approach, directive, procedure, solution, methodology, product, or protocol which must be followed. An example of a technology standard might be:
“Entities must document a security plan that specifies security controls based upon a risk assessment for Information Systems that process, store or transmit Restricted-Use Information."
When ITEC establishes a standard, it is binding upon all state entities. State entities may adopt additional standards so long as they are not less restrictive or conflict with existing ITEC standards.
A Guideline is similar to either a Standard or a Policy, in that it outlines a specific principle, direction, directive, specification, or procedure, but it is advisory in nature. The intent of a Guideline is to promote a “best practice”, while recognizing that there may be several ways of accomplishing the same task or that further analysis is necessary before adoption of a binding uniform approach. It is possible for Guidelines to evolve into Policies or Standards. An example of a technology Guideline might be:
“Each user should organize email to aid in the filing and retrieval of messages. This should be done through a system of folders and subfolders.”
When ITEC issues a Guideline, all entities are encouraged to follow the Guideline, but ultimately it is the agency’s decision whether to use or ignore the Guideline.
Heads of entities are responsible for compliance with the requirements of this policy.
The Chief Information Technology Officer, Executive Branch is responsible for the maintenance of this policy.