Office of the Chief Technology Officer

DC Agency Top Menu

-A +A
Bookmark and Share

Information Security Program

This policy establishes responsibilities and custodial roles for the protection of District of Columbia government information.

Policy Number: OCTO0003
Creation Date/Revisions: 08.01.01 Rev 1.1
Effective Date: July 31, 2001


To establish responsibilities and custodial roles for the protection of District of Columbia government information.

Policy Details

It is the policy of the Government of the District of Columbia that all government employees and contractors are responsible for maintaining the confidentiality, integrity and availability of government information, including information held in trust, or on behalf of, residents, clients, contractors, or personnel.

Protection of District of Columbia government information requires a risk-management approach based on a balanced, cost-effective mix of procedural, administrative, and technical security measures. These measures are detailed in the Office of the Chief Technology Officer (OCTO) Security Standards and Procedures Manual.

The goal of the Information Security Policy is to protect information assets to an extent and for a period commensurate with the value of the information and degree of damage that could result from the unauthorized disclosure or modification, misuse, destruction, or non-availability of the information.

The following security objectives must be maintained for all District of Columbia government information; confidentiality, integrity, and availability, as described below:

  • Confidentiality. Sensitive information, including intellectual capital or proprietary data, classified and unclassified but sensitive information belonging to the District of Columbia government, information concerning the private lives of individuals, information subject to attorney-client or physician-patient privileges, or information subject to other legislative or regulatory protections, must be protected from unauthorized disclosure. See Data Sensitivity Classification for more information on documents and systems affected by the policy.
  • Integrity. Information must be protected from intentional or unintentional destruction or modification. Implicit in the concept of information integrity is the notion that, upon receipt of information transmitted electronically: the recipient must be able to be certain from whom the information came; the sender is assured that the information has been received; both parties can be assured that the information has not been modified in transit.
  • Availability. Information must be accessible when needed to support analytic and decision-making processes enabling the District of Columbia government to function efficiently and to serve its citizens and clients effectively.

These goals apply to all information, including information being maintained in databases, processed by application systems, or transmitted via the District LAN, WAN, email system, or other standalone connection. The level to which each of the three security objectives is achieved is subject to independent verification.

Employees and contractors will be granted only the level of access to information and automated systems they need to do their jobs. Additional access to sensitive information and systems shall not be provided until such access is needed and is formally authorized in accordance with District of Columbia government standards.

Standards, procedures, and guidelines for implementing this policy and maintaining information confidentiality, availability, and integrity are contained in the OCTO Security Standards and Procedures Manual. The standards, procedures, and guidelines will be a basis for compliance monitoring and review.

The OCTO IT Security Department has the right to access and review any and all information stored, processed, or communicated on computers, systems, or networks belonging to the District of Columbia government.

No one using District of Columbia government systems has a right to personal privacy of any information thereon, whatever its source.

A violation of standards, procedures, or guidelines established in support of the Information Security Policy shall be brought to the attention of agency directors for appropriate action and could result in termination of employment.

Statutory Authority

  • DC Law 5-168, Section 4, 32 DCR 721.
  • DC Law 11-259, Section 305(a), 44 DCR 1423.
  • DC Code Section 1-1135, b, (6).
  • DC Law 12-175. Act 12-239.


This policy applies to all DC government agencies and the following users:

  1. full or part-time employees;
  2. contractors who are authorized to use DC government-owned equipment or facilities;
  3. volunteers who are authorized to use DC government resources and who have been provided with a user account.


None. OCTO will consider granting exceptions on a case-by-case basis if requested in writing by the head of an agency.

Roles & Responsibilities

The Office of the Chief Technology Officer (OCTO) is responsible for establishing, implementing and maintaining an Information Technology (IT) security program to help managers protect their assigned assets.

The OCTO IT security program shall issue standards, procedures and guidelines to assure adequate security in all areas within the scope of this policy. The OCTO IT security program is responsible for conducting surveillance of computer user activities through the use of monitoring tools. Users are not to conduct or attempt to conduct unauthorized security vulnerability tests or scans involving or using District of Columbia computers or network resources. Unauthorized security scanning tools must not be installed or executed on District computer systems without explicit consent from the OCTO IT security program.

All employees and contractors of the District of Columbia government are responsible for protecting information assets. Agency directors must ensure the appropriate personnel within their organizations classify the sensitivity of the information within their purview; identify, define, and grant access to information assets; and adequately protect the information within their assigned area of management control. Agency directors are also responsible for protecting access to information by non-employees with whom they are conducting business. Agency directors are expected to implement this policy in a manner consistent with sound business practice and any standards and procedures set forth.

Related Policies and Supporting Documentation

  • GAO Executive Guide, Information Security Management, May 1998.
  • NIST Special Publication 800-12.