Security concern or incident to report?
We are here to help with network security vulnerabilities and threats in Colorado: 303.764.7760

Security, Risk & Compliance (SRC)

If you have any regulatory compliance questions, risk assessments needs, or general security concerns, please contact Security, Risk, and Compliance Team at

Authority to Operate (ATO)

An Authority to Operate (ATO) is an accreditation decision that proves that a system has undergone a security risk assessment, using a recognized process. This assertion by a senior official associated with your agency ensures that the system meets the minimum specified security requirements for storing of sensitive data types, as set forth in the Colorado Information Security Policies (CISP). Be aware that the document is an official declaration which satisfies a legal requirement by your agency. It asserts that a recognized risk assessment process has been successfully completed and approved by your senior official.

Risk Assessments (RA)

Risk assessment is the determination of quantitative or qualitative estimate of risk related to a well-defined situation and a recognized threat. Risk assessment requires calculations of two components of risk (R): the magnitude of the potential loss (L), and the probability (p) that the loss will occur.

This Risk Assessment Tool is intended to be a starting point for identifying cybersecurity risks to your organization. Some risk assessments are mandated by regulatory bodies requiring periodic RA's. However a major change in the computing environment also dictates re-accomplishment of a risk assessment to gauge impact of the additional infrastructure or application component. Additionally, there are subsets of risk assessments for specific data types i.e. (HIPAA, FTI) that focuses on performing assessments in regards to the regulatory compliance requirements.

Risk Exception


The purpose of this process is to guide OIT personnel in how to request an IT security risk exception to comply with a published security standard.


State Cybersecurity Policies require that all servers, workstations, network devices, applications and security systems are hardened or configured, at a minimum, to conform to the benchmarks established by the Center for Internet Security (CIS). Occasions may arise when systems cannot be configured according to CIS benchmarks and still meet their intended business purpose. These will be considered the exception and not the rule. When such occasions arise, the System Owner will be required to submit a Secure Configuration Exception Request to the Office of Information Security (OIS) for consideration. OIS will review the request and take one of three actions:
  1. Approve
  2. Deny
  3. Approve Based Upon the Implementation of Additional Controls
OIS will keep copies of the OIS decision on file for periodic review and reassessment. A minimum, exception request must be resubmitted and approved on an annual basis.

Approval of a configuration exception does not automatically extend to similar configurations. A separate exception request is required for each system as there may be unique considerations that affect the security of the system. Risk exceptions may be revoked at any time in the event of an incident or changes in policy or regulation standards.

Please refer to the Exception Request/Waiver to access the exception request form.

Internal Assessments

Internal assessments are required by the IRS every 18 months, the security, risk, and compliance office will perform these inspections annually from January-March of the calendar year, but NLT March.

Classification of Assets based on risk evaluation (CARE)

Applies to: Risk assessment Analysts
Objective: Perform risk assessments to identify, quantify, and prioritize risks against established criteria
Policy or Handbook Reference: CISP-013 Risk Assessment states that ITSP shall assess risk, including the likelihood and magnitude of harm, from an event that could compromise the confidentiality, integrity, and availability of the Information System, with input from Business Owner and prior to placing the Information System into a production state.

Pre-Requisites: Kickoff Meeting: Identify key players; the assessment approach; steps to be taken; level-set about high-level milestones for the HIPAA assessment; and just have a general meet and greet.

For supplemental guidance, please see the Risk Assessment Policy

Governance Risk and Compliance Tool (ZenGRC)

ZenGRC serves as a single source of record for state agencies audit findings, responses, and artifacts -– incorporating workflows, logging communications and changes. ZenGRC is a repository hosting numerous compliance frameworks i.e. (NIST, HIPAA, CJIS) for cross referencing and performing hybrid audits and is the primary tool for coordinating and remediating audit findings throughout the enterprise. In addition, ZenGRC hosts CISPs for updating policies and revision control and its modularity provides the flexibility to perform assessments of all types, including vendor and contract assessments -– making it a very valuable tool.