The University System of Georgia (USG) comprises thirty-one institutions of higher learning, a marine research institute, and a system central office, as well as the Georgia Public Library System (GPLS) and the State Archives. These participant organizations represent the rich diversity of a state system spanning the spectrum of educational and research offerings. This handbook respects the value of the diversity of participant organizations while providing guidance with regard to information technology (IT) operations within the USG.
Information, in all forms, is a strategic asset to a participant organization and to the USG as a system. Under Board of Regents’ (BoR) policy, it is the responsibility of the Vice Chancellor and Chief Information Officer (VC/CIO) to establish “the procedures and guidelines under which the acquisition, development, planning, design, construction/renovation, management, and operation of USG technology facilities and systems shall be accomplished.” Part of this responsibility is to prepare a handbook of Information Technology (IT) standards and best practices to be followed by each USG institution.
The hierarchy of USG IT policies and procedures is as follows:
- BoR Policy Manual is the top-level set of Board-approved policies from which all lower-level USG documents flow. Section 11.0, Information Technology, covers all aspects of USG information technology including general policy, IT project authorization, and information security.
- USG IT Handbook contains the IT requirements and recommendations that establish acceptable IT practices for all USG participant organizations.
- Participant Organization Policies and Procedures establish the detailed practices and tools used by each USG participant organization to meet the standards set forth in the USG IT Handbook.
- Program/Project Policies and Procedures establish the detailed practices and tools used within each program/project to implement the standards and best practices set forth in the USG IT Handbook and/or the participant organization policies and procedures.
This USG IT Handbook serves several purposes. Primarily, it sets forth the essential procedural components that each USG participant organization must follow to meet Board of Regents policy mandates, the statutory or regulatory requirements of the state of Georgia and the federal government, and best IT practices. Secondly, it is also designed to provide new IT professionals within the USG with the necessary information and tools to perform effectively. Finally, it serves as a useful reference document for seasoned professionals at USG participant organizations who need to remain current with changes in Board of Regents policy and federal and state law.
As a web-based document, the Handbook provides direct links to reference information – Board of Regents policies, Georgia statutes, and other federal and state resources – to assist the reader in identifying the underlying source of some procedures and to provide broader understanding of the basis for others.
Thus, the Handbook, while focusing on USG procedures, also offers ready access to important policies, statutes, and regulations that will aid the IT officer in his/her daily performance of duties.
The following definitions of shall, will, must, may, may not, and should are used throughout this Handbook.
- Shall, Will, and Must indicate a legal, regulatory, standard, or policy requirement. Shall and Will are used for persons and organizations, and Must for inanimate objects.
- May indicates an option.
- May Not indicates a prohibition.
- Should indicates a recommendation that, in the absence of an alternative providing equal or better protection from risk, is an acceptable approach to achieve a requirement. The focus of “should” statements generally is more outcome-based; i.e., an alternate method to achieve the requirement may be developed assuming it is documented as effectively managing risk.
Exceptions to any policy, standard, process, procedure, or guideline set forth in this Handbook shall be at the discretion of, and approved in writing by, the USG VC/CIO and/or the USG Chief Information Security Officer (CISO). In each case, the USG participant organization or vendor must complete and submit an Information Security Policy Exception Request Form, which will include such items as the need for the exception, the scope and extent of the exception, the safeguards to be implemented to mitigate risks, specific timeframe for the exception, organization requesting the exception, and the management approval. Denials of requests for exceptions may be appealed to the USG VC/CIO and/or CISO.
Table of Contents
Section 1.0: Information Technology (IT) Governance
Section 2.0: Project and Service Administration
Section 3.0: IT Management
Section 4.0: Financial and Human Resource Management
Section 5.0: Information Security (IS)
Section 6.0: ePrivacy
Section 7.0: Facilities
Section 8.0: Bring Your Own Device (BYOD) Standard
Section 9.0: Learning Management System (LMS)
Section 10.0: Data Governance and Management Structure