Department of Innovation & Technology
Overarching Enterprise Information Security Policy
1. OVERVIEW
It is the policy of the State of Illinois Department of Innovation & Technology (DoIT) to (i) support the business
missions, goals, and objectives of the Governor and DoIT’s client agencies, boards, and commissions, (ii)
reduce the risk posed to the State of Illinois due to the loss, disruption, or corruption of information and
Information Systems, and (iii) comply with applicable state, federal, and industry laws, rules, and regulations
related to information security. Unless otherwise specified, capitalized terms contained herein shall have the
meaning assigned to them in the Terminology Glossary. Any reference to “Agency” herein shall include both
DoIT and Client Agencies.
2. PURPOSE
The Secretary of DoIT is committed to securing State of Illinois information, Information Systems, and
technology assets. The Secretary has issued this State of Illinois Enterprise Information Security Policy and its
corresponding policies, standards, procedures, and guidelines to prevent or limit the adverse effects of a
failure, interruption, or security breach of State of Illinois Information Systems. This Policy is intended to focus
on the core concepts of confidentiality, integrity, availability, and system resiliency.
This Policy and its subordinate policies and standards define the minimum security controls that must be
implemented for State of Illinois Information Systems. This Policy further establishes parameters and
boundaries regarding the acceptable use of information and information technology assets.
Those who use, acquire, implement, and manage State of Illinois Information Systems must comply with this
Policy. Individuals responsible for the implementation of Information Systems, including third parties, must
address the security controls of this Policy and corresponding standards and procedures.
Executive Order 2016-01 created DoIT in recognition that thousands of state systems are redundant,
outdated, and vulnerable to cyberattacks that place the private information of Illinois employees, residents,
consumers, and businesses at risk. Public Act 100-0611, which codifies Executive Order 2016-01 and
establishes DoIT by law, directs DoIT to (i) develop and implement data security policies and procedures that
ensure the security of data that is confidential, sensitive, or protected from disclosure by privacy or other
laws, and (ii) ensure compliance with applicable federal and state laws pertaining to information technology,
data, and records of DoIT and the State of Illinois agencies, boards, and commissions that DoIT serves and that
have been identified as client agencies of DoIT through executive order, legislation, or inter-governmental
agreement (Client Agencies).
The Secretary of DoIT has established an information security program to address the requirements of
Executive Order 2016-01 and Public Act 100-0611, to ensure a continued and deliberate effort to reduce the
risk posed to the State by external cyberattacks, insider threats, and other incidents, and to ensure compliance
with applicable state, federal, and industry laws, rules, and regulations. Focusing on the core information
security concepts of confidentiality, integrity, availability, and system resiliency, the State of Illinois
Overarching Enterprise Information Security Policy is established to help ensure that the risk posed to the
State of Illinois due to the loss, disruption, or corruption of information is managed within acceptable limits.