Fraudulent court appearance text messages targeting Colorado residents
Kit Carson Courthouse building closures announced for 7/30/26 and 7/31/26
Colorado Judicial Branch

Security Policies

Colorado Judicial Information Security Policy Overview

The Colorado Judicial Information Security Policies (CJISPs) should be viewed as a set of minimum security requirements that must be adhered to establish a consistent baseline of security.
 

The following is a key summary of each policy:
 

CJISP-000 Definitions

Purpose: This Definitions page defines a number of technical terms and relevant acryonyms which appear throughout these Security Policies.
 

CJISP-001-Access Control

Purpose: The Access Control Policy outlines the procedures for managing authorization credentials and privileges for user accounts, including administrator and service accounts. It aims to identify and mitigate security risks by ensuring that account actions comply with organizational policies and procedures. The policy includes guidelines for account creation, modification, and removal, as well as monitoring account usage and reporting anomalies.
 

CJISP-002 Training and Awareness

Purpose: The IT Security Awareness and Training Policy aims to reduce security risks by establishing and maintaining an information technology security awareness program. This program is designed to influence workforce behavior to be security conscious and properly skilled, thereby reducing cybersecurity risks to public agencies. The policy mandates regular training sessions and awareness campaigns to keep employees informed about the latest security threats and best practices.
 

CJISP-005 IT Security Baseline Configuration

Purpose: The IT Security Baseline Configuration Policy defines the minimum baseline requirements for Department hardware, software, and data. It ensures that all systems and information within the Department meet a consistent level of security. The policy includes guidelines for the configuration, management, and monitoring of IT assets to maintain their security and integrity.
 

CJISP-006 Contingency Planning

Purpose: The Contingency Planning Policy ensures that essential and critical systems and technologies are in place during any downtime, whether planned or unplanned. It helps key players and stakeholders plan for emergency situations, establish secondary data centers and systems, and document steps required to recover those systems to ensure timely recovery. The policy aims to minimize the impact of disruptions on the Department's operations.
 

CJISP-009 Maintenance

Purpose: The Maintenance Policy clarifies the difference between preventive and predictive support to Colorado Judicial systems and devices. It identifies the maximum range of time needed to recover and fix Department IT assets and software to ensure minimal downtime for essential services. The policy includes guidelines for regular maintenance activities, monitoring, and reporting to ensure the continued functionality and security of IT assets.
 

CJISP-010 Media Protection Policy

Purpose: The Media Protection Policy establishes the requirements for the access, handling, transport, storage, sanitization, and disposal of digital and non-digital system media within the Department. It aims to protect the confidentiality, integrity, and availability of organizational information by ensuring that media is managed securely throughout its lifecycle. The policy includes procedures for media labeling, encryption, and secure disposal.
 

CJISP-011 Physical and Environmental Protection Policy

Purpose: The Physical and Environmental Protection Policy establishes the requirements for the physical and environmental protection of information systems, system components, and the facilities in which they reside within the Colorado Judicial Department. The goal is to safeguard personnel and prevent loss, damage, or compromise of assets and interruption of system services due to physical and environmental threats. The policy includes guidelines for physical access controls, environmental monitoring, and emergency response.
 

CJISP-012 Planning

Purpose: The Planning Policy establishes the guidelines for developing, documenting, and maintaining security plans that outline the security requirements and controls for information systems. The policy also emphasizes the importance of communication and coordination among relevant parties to ensure that security measures are effectively implemented and maintained.
 

CJISP-013 IT Security Program Management

Purpose: The IT Security Program Management Policy supports the Colorado Judicial Department in achieving the requirements of the Colorado Information Security Act. It provides a framework for managing the Department's information security program, including the development, implementation, and maintenance of security policies, procedures, and controls. The policy includes guidelines for risk management and continuous monitoring.
 

CJISP-016 Risk Assessment

Purpose: The Risk Assessment Policy establishes the requirements and procedures for conducting risk assessments within the Department to ensure the security and privacy of information systems and the information they process, store, or transmit. It includes guidelines for identifying, analyzing, and mitigating risks to the Department's information assets. The policy aims to provide a systematic approach to risk management and ensure that security risks are identified and addressed in a timely manner.
 

CJISP-017 System and Services Acquisition

Purpose: The System and Services Acquisition Policy establishes the requirements for the acquisition of IT systems and services within the Department. It aims to ensure that all acquired systems and services meet the Department's security requirements and are integrated into the existing security framework. The policy includes guidelines for procurement, vendor management, and security assessments of third-party services.
 

CJISP-018 Systems and Communication Protection

Purpose: The IT Systems and Communications Protection Policy aims to define how to secure data at rest and in transit using secure cryptography. It includes guidelines for implementing encryption, access controls, and secure communication protocols to protect the confidentiality, integrity, and availability of information. The policy also addresses the protection of system boundaries and the monitoring of communication channels for security threats.
 

CJISP-020 Supply Chain Risk Management

Purpose: The Supply Chain Risk Management Policy establishes an ITS Supply Chain Risk Management (SCRM) program. It aims to identify and mitigate risks associated with the supply chain, including the procurement, delivery, and maintenance of IT systems and services. The policy includes guidelines for vendor risk assessments, supply chain security controls, and continuous monitoring of supply chain activities.