FAQs

Investment and Governance Division

Enterprise Architecture and Standards

Q.  Who do I contact if I have questions about statewide IT standards or a suggestion for a new statewide IT standard?

A.  Contact the State IT Standards Manager:

Email: State.ITStandards.Manager@oit.ohio.gov

Telephone: 614.995.9928

Facsimile: 614.644.9152

Enterprise Architecture and Standards

Investment & Governance Division

Ohio Office of Information Technology

30 East Broad Street, 39th Floor Columbus, Ohio 43215

 

Q.  What state agencies must comply with statewide IT standards?

A.  Pursuant to Ohio IT Policy ITP-A.1, “Authority of the State Chief Information Officer to Establish Policy Regarding the Acquisition and Use of Computer and Telecommunications Products and Services,” state IT standards are applicable to every organized body, office, or agency established by the laws of the state for the exercise of any function of state government except for those specifically exempted.  Statewide IT Standards are optional for any state-supported institution of higher education, the office of the auditor of state, treasurer of state, secretary of state, or attorney general, the public employees retirement system, the Ohio police and fire pension fund, the state teachers retirement system, the school employees retirement system, the state highway patrol retirement system, the general assembly or any legislative agency, the courts or any judicial agency, the military department, the bureau of workers’ compensation, the industrial commission, the Ohio housing finance agency, the Ohio tuition trust authority, or the eTech Ohio commission.

 

Q.  Are exceptions to statewide IT standards permitted?

A.  Exceptions to a statewide IT standard, if permitted, are described within the published standard. In general, exceptions are allowed when an agency can present a business justification for an alternative to using the standard that achieves the intent of the standard, or saves the agency substantial money.

 

Q.  Where can I find the current statewide IT standards and related projects on the Web?

A.  Current statewide IT standards can be found at http://oit.ohio.gov/IGD/policy/OhioITPolicies.aspx. Current projects related to statewide IT standards can be found at http://www.oit.ohio.gov/IGD/policy/StandardsManagement.aspx.

If you have any questions related to these projects or a suggestion for a new statewide IT standard, contact the State IT Standards Manager at State.ITStandards.Manager@oit.ohio.gov.

 

Q.  My agency wants to reference the Data Encryption and Cryptography standard to provide additional information helpful to our implementation plan.  How do we do that?  We also need information on how to classify data elements. Where can we find it?

A.  The state IT Data Encryption and Cryptography standard can be incorporated by reference into state or agency security policies. This standard should be invoked by reference when cryptographically strong security functions are required or mandated for the protection of critical or sensitive data.  It can also be used in application and system specification documents as well as procurement documents, or in circumstances with less critical security requirements.  This standard and its specifications are invoked by incorporating a reference similar to one of the following:

  • “… in conformance with Ohio State IT Standard ITS-SEC-01, ‘Data Encryption and Cryptography.’”
  • “… as described in section 4.1.1, ‘Symmetric Key Ciphers for Data Encryption,’ of Ohio State IT Standard ITS-SEC-01, ‘Data Encryption and Cryptography.’”
  • “… as specified in Table 4-1, ‘Symmetric Key Cipher Specifications,’ of Ohio State IT Standard ITS-SEC-01, ‘Data Encryption and Cryptography.’”

IT Bulletin No. ITB-2007.02 (http://oit.ohio.gov/IGD/policy/pdfs_bulletins/ITB-2007.02.pdf) is released in conjunction with the data encryption standard and provides guidance to agencies as they take steps to further protect sensitive data and information they have classified per Ohio IT Policy ITP-B.11, “Data Classification.”  Executive Order 2007-013S calls for agencies to produce a data encryption implementation plan within 75 days of the release of the encryption standard and bulletin. The plan shall show how the agency will work to implement this bulletin and Ohio IT Standard ITS-SEC-01, “Data Encryption and Cryptography.” OIT recognizes that data-level encryption will take time to implement, but strongly urges agencies to begin device-level encryption on portable computing devices and back-up devices using the recently published encryption standard.