An IT Plan and Standards Assessment is performed annually by Group 2 state agencies, boards and commissions to determine the versatility and privacy/security practices of the target technologies identified by statewide IT policies and standards.
The purpose of IT Plans and the Technology Infrastructure Standards Assessment (TISA) is as follows:
- To assess overall compliance of Group 2 agencies with statewide IT policies and standards;
- To create awareness among state agencies of statewide IT policies and standards with emphasis on privacy/security practices for confidential and sensitive information of the state;
- To identify privacy and IT security vulnerabilities of the state so that further risks to the agency can be mitigated;
- To help agencies prepare for technical compliance reviews with ADOA-ASET.
Each Group 2 agency, board and commission shall evaluate its IT environment through TISA on or before September 2nd of the current year. If there have been significant changes to infrastructure or technologies that may reveal new vulnerabilities and risks, a mid-year update to TISA is recommended.
The TISA assessment consists of twenty (one general and nineteen specific) “Yes” or “No” compliance questions pertaining to technology risks for Group 2 agencies. The questions address the following areas:
- Password Protection
- File Maintenance & Backup
- Sensitive Data and Documentation
- Anti-Virus Software
- Firewall Protection
- Destruction of Sensitive Data/Media
- Destruction of Sensitive Documentation
- HIPAA Compliance
- Breach Notification
- Business Continuity Plans (aka Continuity of Operations Plans, COOP)
Once the TISA application has been accessed, an agency can change its responses as often as needed as long as the status at the top remains “Work in Progress”. Once the agency changes the status to “SUBMITTED”, the TISA results can no longer be updated. If the status is changed accidentally, a phone call to ADOA-ASET at (602) 364-4790 can restore it to “Work in Progress”. When a plan has been changed to “SUBMITTED”, ADOA-ASET will review the submitted TISA questionnaire for completeness and, within one week of submission, change the status to either “modification requested” or “APPROVED”. When an agency completes its TISA and it is approved, the State CIO will send a letter to that agency’s CEO noting either approval or disapproval, usually around the beginning of the calendar year.
Please note that any “No” response may be interpreted as either non-compliance or not applicable to the organization. A detailed explanation for every “No” response is required in the COMMENTS section of TISA.
Special attention should be paid to these areas, as they apply to your agency, board or commission:
- Enforcement of Email Policies
- Development of an annual IT Security Awareness program
- Patch Management
- Regular disaster recovery planning and documentation for mission-essential functions
For access to the TISA application, or questions on TISA or IT security policy and standards compliance, contact the Enterprise Architecture Team.