Knowledge Management provides information technology systems, tools, governance, and support to facilitate the creation and management of data and the use of information and knowledge for effective analysis and decision making both at the System and institution levels. IT Management establishes and advances an environment and a set of practices that support agile and accessible collection, transformation, warehousing, retrieval, analysis, and exchange of vital enterprise data and decision-support information.
The following definitions of shall, will, must, may, may not, and should are used throughout this Handbook.
- Shall, Will, and Must indicate a legal, regulatory, or policy requirement. Shall and Will are used for persons and organizations, and Must for inanimate objects.
- May indicates an option.
- May Not indicates a prohibition.
- Should indicates a recommendation that, in the absence of an alternative providing equal or better protection from risk, is an acceptable approach to achieve a requirement. The focus of “should” statements generally is more outcome-based; i.e., an alternate method to achieve the requirement may be developed assuming it is documented as effectively managing risk.
The following definitions of Critical System, Principle of Least Privilege (PoLP), Sensitive Information, System Owner, and Users are used throughout this section.
- A Critical System is a system whose failure or malfunction will result in not achieving organization goals and objectives.
- The Principle of Least Privilege (PoLP) describes minimal user profile or access privileges to information resources based on allowing access to only what is necessary for the users to successfully perform their job requirements.
- Sensitive Information is information maintained by USG institutions, the USO, and the GPLS that requires special precautions, as determined by institution standards and risk management decisions, to ensure its accuracy and integrity by using integrity, verification, and access controls to protect it from unauthorized modification or deletions.
- A System Owner is the manager or agent responsible for the function that is supported by the resource or the individual upon whom responsibility rests for carrying out the program that uses the resources. The system owner is responsible for establishing the controls that provide the security. The system owner of a collection of information is the person responsible for the business results of that system or the business use of the information.
- Users are individuals who use the information processed by an information system.
|Section Number|Section Name|Compilation Date|Published Date|Compliance Date|Revision Date(s)|
|---|---|---|---|---|---|
| |User Account Management|November 2012|March 2013|July 2013|May 2014|
Controlling access to information systems and managing user accounts are critical business processes that support effective use of information resources. Effective use of information resources is a shared responsibility among functional owners. For example, the registrar would likely be the functional owner of at least part of Banner, while information technology (IT) operations (to include core IT support and information technology) and management/support functions (e.g., front-line managers and human resources) both play key roles in ensuring that personnel changes are communicated to concerned parties.
At its core, information system user account management refers to the process by which an individual’s access and permissions within information systems are initially activated, periodically reviewed, and deactivated in a timely manner, consistent with that individual’s roles and responsibilities as an employee. To be effective, an account provisioning process should ensure that the creation of accounts and the access to applications and data are consistent while maintaining required privacy and protecting information systems. Information system user account management must be addressed in order to lower the risks and threats facing users, hosts, networks, and business operations.
3.1.1 Information System User Account Management Procedures
The University System of Georgia (USG) recognizes the system’s information resources/systems are strategic and vital assets belonging to the people of Georgia. These assets require a degree of protection commensurate with their value.
Information systems must be protected from unauthorized access, loss, contamination, or destruction. Proper management and protection of information systems is characterized by ensuring the confidentiality, integrity, and availability of the system.
User account access is a continual process and vital to the proper management and security of information systems. Chief information officers (CIOs), chief information security officers (CISOs), system owners, and Human Resources management will work together to create institutional procedures focused on good communication, accuracy of user account data, and protection of confidential/sensitive data.
Establish procedures to address user account management for information systems including granting, reviewing, inactivation, updating, and/or terminating account access for all USG administrators, executives, faculty, staff, researchers, clinical care providers, and students, along with the University System Office (USO) [which includes the Shared Services Center (SSC)], the Georgia Public Library System (GPLS), and the Georgia Archives. These procedures also apply to all individuals or representatives of entities in relationship with the USG through formal, informal, contract, or other types of agreements who interact with USG information systems.
3.1.2 Scope, Authority, Enforcement, Exceptions
- Institutions shall identify and categorize information systems that process or store confidential or sensitive information, or are critical systems. The suggested responsible parties are the CIO and the CISO.
- Institutions will identify the owner for each critical system or systems containing confidential or sensitive information. The list of designated systems and the associated owners will be made available upon request. The suggested responsible parties are the CIO and the CISO.
- Institutions will maintain an up-to-date mapping of users to information system(s). The CIO will provide the system owner with user ID information. The suggested responsible party is the system owner, with support from the CIO.
- Only authorized users should be allowed physical, electronic, or other access to information systems.
- The institution will define both procedural and technical access controls. The suggested responsible parties are the system owner, Human Resources, the CIO, and the CISO. Access controls must include, but may not be limited to:
- Documented procedures to grant, review, deactivate, update, and/or terminate account access;
- Ensure appropriate resources are available and maintained to adequately authenticate and verify authorized access; and,
- Ensure appropriate resources are available and maintained to prevent and detect unauthorized use.
- The system owner and the user share the responsibility of preventing unauthorized access to USG information systems.
- The system owner will analyze user roles and determine level of access required to perform a job function. The level of authorized access must be based on the principle of least privilege (PoLP).
- Managers and Human Resources will notify the CIO of personnel status changes in job function, status, transfers, referral privileges, and/or affiliation. User authorization shall be reviewed and revised by the system owner. The suggested responsible parties are the system owner, Human Resources, and the CIO.
- Access to an information system must be reviewed regularly. At a minimum, the information system owner must review user access to the information system every four (4) months and document findings with the CIO and CISO.
- The system owner will update information system access no more than five (5) business days after terminations and no more than thirty (30) days after other personnel status changes.
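The timing rules above (update access within five business days of a termination, within thirty days of other status changes, and review each system's access at least every four months) are the kind of thing an institution can check mechanically against its HR feed and account inventory. The following script is an added example, not part of the handbook; the record layouts, user IDs and dates are constructed for illustration, and business days are counted as Monday to Friday with holidays ignored.

```python
"""Account-management timeliness check (added example, constructed data).

Flags the three cases the handbook's timing rules call out:
  * access not updated within 5 business days of a termination,
  * access not updated within 30 calendar days of another status change,
  * a system whose last access review is more than 4 months old.
"""
from dataclasses import dataclass
from datetime import date, timedelta

TERMINATION_BUSINESS_DAYS = 5
STATUS_CHANGE_DAYS = 30
REVIEW_INTERVAL_MONTHS = 4


@dataclass
class HrEvent:
    user_id: str
    kind: str          # "termination" or "status_change" (transfer, role change, ...)
    effective: date    # date the personnel change took effect


@dataclass
class Account:
    user_id: str
    last_access_update: date   # when the system owner last changed this user's access
    active: bool


def add_business_days(start: date, n: int) -> date:
    """Date n business days (Mon-Fri) after start; holidays are ignored (assumption)."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:
            n -= 1
    return d


def add_months(start: date, n: int) -> date:
    """Calendar-month arithmetic, clamping the day to the target month's length."""
    month = start.month - 1 + n
    year, month = start.year + month // 12, month % 12 + 1
    last_day = (date(year + month // 12, month % 12 + 1, 1) - timedelta(days=1)).day
    return date(year, month, min(start.day, last_day))


def deadline_for(event: HrEvent) -> date:
    if event.kind == "termination":
        return add_business_days(event.effective, TERMINATION_BUSINESS_DAYS)
    return event.effective + timedelta(days=STATUS_CHANGE_DAYS)


def overdue_accounts(events, accounts, today):
    """(user_id, kind, deadline) for each event whose account was not updated in time.

    Users with no account on the system are skipped: there is nothing to update.
    A termination counts as handled only if the account is also inactive."""
    by_user = {a.user_id: a for a in accounts}
    findings = []
    for ev in events:
        acct = by_user.get(ev.user_id)
        if acct is None:
            continue
        deadline = deadline_for(ev)
        updated = acct.last_access_update >= ev.effective
        if ev.kind == "termination":
            updated = updated and not acct.active
        if not updated and today > deadline:
            findings.append((ev.user_id, ev.kind, deadline))
    return findings


def review_overdue(last_review: date, today: date) -> bool:
    """True when the system's last access review is older than four months."""
    return today > add_months(last_review, REVIEW_INTERVAL_MONTHS)


def sample_run(today: date = date(2014, 6, 30)):
    """Constructed HR events and account inventory for one system."""
    events = [
        HrEvent("jdoe", "termination", date(2014, 6, 2)),     # deadline 2014-06-09, still active
        HrEvent("asmith", "status_change", date(2014, 6, 10)),  # deadline 2014-07-10, not yet due
        HrEvent("bwong", "termination", date(2014, 6, 16)),    # deactivated on 2014-06-17, in time
        HrEvent("clee", "status_change", date(2014, 5, 1)),    # deadline 2014-05-31, never updated
    ]
    accounts = [
        Account("jdoe", date(2014, 5, 1), True),
        Account("asmith", date(2014, 5, 20), True),
        Account("bwong", date(2014, 6, 17), False),
        Account("clee", date(2014, 4, 1), True),
    ]
    return overdue_accounts(events, accounts, today)


if __name__ == "__main__":
    for user, kind, deadline in sample_run():
        print(f"OVERDUE: {user} ({kind}) should have been updated by {deadline}")
```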
3.1.3 Recommended Process Flow Chart
Logs contain information related to many different types of events occurring within systems, networks, and applications. Logs serve functions such as optimizing system and network performance, recording the actions of users, and providing data useful for investigating security events. Logs containing records related to computer security may include audit logs that track user authentication attempts and security device logs that record possible attacks. These requirements address security-related logs and log entries.
A fundamental problem with log management in many organizations is effectively balancing a limited quantity of log management resources with a continuous supply of log data. Log generation and storage can be complicated by several factors, including a high number of log sources; inconsistent log content, formats, and timestamps among sources; and increasingly large volumes of log data. Log management also involves protecting the confidentiality, integrity, and availability of logs. The dominant problem with log management is ensuring that security, system, and network administrators regularly perform effective analysis of log data.
Establish the requirements for computer and network resource log management for the USG organizations’ computing and network environment. The goals of log management are:
- Proactive maintenance of information system resources.
- Awareness of “normal” vs. “abnormal” network traffic or system performance.
- Support after-the-fact investigations of security incidents.
USG resources that store, access, or transmit data categorized as “HIGH” shall be electronically logged. Logging shall include system, application, database, and file activity whenever available or deemed necessary.
- USG organizations must formalize log management by:
- Creating and maintaining a secure log management infrastructure by balancing system performance, storage resources and legal requirements.
- Committing resources to perform timely log review and analysis about access, change monitoring, malfunction, resource utilization, security events and user activity.
- Identifying roles and responsibilities of staff associated with this process.
- Developing standards, procedures and guidelines as needed to support this program.
- Reviewing audit logs minimally every 30 days during system reviews.
- Prioritizing log management.
The following table provides recommended logging configuration values by system impact level. USG organizations should not adopt these values as-is; instead, use them as a starting point for determining what values are appropriate for their needs.

|Category|Low Impact Systems|Moderate Impact Systems|High Impact Systems|
|---|---|---|---|
|Log retention|1 to 2 weeks|1 to 3 months|3 to 12 months|
|How often log data needs to be analyzed (through automated or manual means)|Every 1 to 7 days|Every 1 to 3 days|Once a day|
As components of the log management standard become enforceable, the USG Office of Information Security & ePrivacy will add appropriate questions to Information Security Program Review (ISPR) for institutional self-assessment and USG managerial review. If a USG organization is not compliant with the log management standard as indicated by the ISPR, the organization will reply by endorsement (RBE) detailing their plans for mitigating risk until compliance as well as their plan and schedule to move to compliance. The RBE will be from the organizational CIO routed to the USG CIO/CISO for managerial review. A courtesy copy will be provided to the organizations’ chief executive and USG Audit and Compliance Information Technology audit director for information purposes. The RBE must be submitted within 30 days of the due date of the ISPR.
3.2.5 References and Resources
- NIST SP800-92 Guide to Computer Security Log Management
- IT Handbook Section 5.6 USG Information System Categorization Standard
- USG Records Retention Schedule
3.3.1 USG Continuity of Operations Planning Standard
Continuity of Operations Planning (COOP) ensures the continuity of business and essential functions through a wide range of emergencies and disasters, including localized acts of nature, accidents, and technological or attack-related emergencies. COOP is an effort to ensure that, at a minimum, the general support system (GSS) continues to operate and be available.
3.3.2 Scope, Enforcement, Authority
- BOR Policy Manual, Section 11.0
- USG Office of Information Security Program Policy
- USG IT/IS Risk Management Standard
- USG Information Security Program Reporting Policy
3.3.3 Guiding Principles
- The USG Continuity of Operations Plan shall be developed following existing standards, industry best practices, Federal Information Security Management Act (FISMA), Federal Information Processing Standards (FIPS), National Institute of Standards and Technology (NIST) guidelines, USG Information Security & ePrivacy (InfoSec) tools, and templates.
- The USG Continuity of Operations Plan will require the involvement of all USG organizations to ensure an effective University System response to contingencies and disasters.
- The USG Continuity of Operations Plan must incorporate the physical and logistical limitations of the USG operating locations.
- The USG Continuity of Operations Plan will be aligned with and operationalize the USG Emergency Operations Plan and the Enterprise Risk Management Program.
Recovery strategies must be developed for information technology (IT) systems. This includes network connectivity, servers, data and support systems. Priorities for IT recovery must be consistent with the priorities for recovery of network connectivity and other critical processes that were developed during the operational impact analysis.
All USG IT organizations must:
- Create, implement, maintain, and test a continuity of operations plan (COOP) that will allow an appropriate response to a wide range of contingencies and disasters that may occur at all USG organizations.
- Describe the actions to be taken before, during, and after events that disrupt critical information system operations.
- Test all plans every 24 months; evidence of testing must be available upon request and be part of the continuity of operations plan documentation.
The formal COOP and processes must at minimum include:
- The backup and recovery processes and plan for critical general support systems
- A cyber incident response process and plan
- A disaster recovery plan for critical general support systems
Each USG organization must keep its COOP up-to-date and provide a COOP status report annually via the Information Security Program Report (ISPR).
It is important to adapt the detailed content of each plan section to suit the needs of the individual USG organization, with the understanding that Disaster Recovery Plans (DRP) are based upon available information so they can be adjusted to changing circumstances.
3.3.4 General Support System
A general support system (GSS) is an interconnected set of information resources under the same direct management control that shares common functionality. A general support system normally includes hardware, software, information, data, applications, communications, facilities, and people and provides support for a variety of users and/or applications. A general support system, for example, can be a:
- Backbone (e.g., network core)
- Communications network
- USG organization data processing center, including its operating system and utilities, or
- Shared information processing service facility (data center)
A general support system should have a Federal Information Processing Standard Publication (FIPS) 199 impact level of low, moderate, or high in its security categorization, depending on the criticality or sensitivity of the system and of any major applications the general support system is supporting. A general support system is considered a major information system when special management attention is required, there are high development, operating, or maintenance costs, and the system/information has a significant role in the administration of the USG organization’s programs. When the general support system is a major information system, the system’s FIPS 199 impact level is either moderate or high. A major application can be hosted on a general support system.
3.3.5 Minimum Continuity of Operations Plan Content (can be separate processes and plans)
Backup and retention schedules and procedures are critical to the recovery of USG organization’s systems, applications and data. The detailed procedures for such a recovery should include hardware, software (including version), data file backup and retention schedules, off-site storage details, and appropriate contact and authority designation for personnel to retrieve media.
Backup media will be stored off-site wherever possible, at a suitable off-site location. For locations where off-site storage is not practical or cost effective, COOP leadership will designate an appropriate facility to serve as the off-site storage for backup media. A suitable facility is one within reasonable distance of the main campus or facility, but not likely to be immediately threatened by the same contingency or disaster.
The USG organization will establish a Cyber Security Incident Response capability program to respond to and manage adverse activities or actions that threaten the successful conduct of teaching, instruction, research and operations in the USG. The cyber security incident response plan will follow existing USG policies, standards, USG InfoSec tools, industry best practices, and Information Services Office (ISO) or NIST guidelines.
The USG organization’s management must promptly investigate incidents involving loss, exposure, damage, misuse of information assets, or improper dissemination of information. All USG organizations are required to report information security incidents consistent with the security reporting requirements in the cyber incident management standard.
Proper incident management includes the formulation and adoption of a written incident management plan that provides for the timely assembly of appropriate staff that are capable of developing a response to, appropriate reporting about, and successful recovery from a variety of incidents.
In addition, incident management includes the application of lessons learned from incidents, together with the development and implementation of appropriate corrective actions directed to preventing or mitigating the risk of similar occurrences in the future.
Each USG organization must establish a disaster recovery plan for information systems categorized as critical, that provides processes supported by executive management and resources to ensure the appropriate steps are taken to identify the impact of potential losses, maintain viable recovery strategies and plans, and ensure the USG organization has the ability to continue its essential functions during a business disruption or major catastrophic event. The program controls ensure that information is protected by providing for regular backup of automated files and databases, identifies and reduces risks, limits the consequences of the incident, and ensures the availability of information assets for continued business.
Disaster recovery planning provides for continuity of computing operations that support critical business functions, minimizes decision-making during an incident, produces the greatest benefit from the remaining limited resources, and achieves a systematic and orderly migration toward the resumption of all computing services within a USG organization following a business disruption. It is essential that critical IT services and critical applications be restored as soon as possible.
It is important to recognize that no disaster recovery program is ever complete. All disaster recovery planning is based upon available knowledge and assumptions, and must be adapted to changing circumstances and business needs, as appropriate. Strategies, procedures, and resources must be adapted as often as necessary in order to recover critical applications. Recovery strategies must be developed and updated routinely to anticipate risks including loss of utility (e.g., hardware, software, power, and telecommunications), loss of access to the facility, and loss of the facility. Also, avoid the typical scenario-planning approach that calls for a separate plan for each “what-if” scenario. Instead, develop one plan that can be adapted to different scenarios, which also reduces the effort to maintain the Disaster Recovery Plan/Business Recovery Plan.
The disaster recovery planning process supports necessary preparation to identify and document procedures to recover critical operations in the event of an outage. USG organizations should consider the results of their risk analysis process and their business impact analysis when developing their DRP. Each USG organization’s processes should culminate in a viable, fully documented, and tested DRP.
To improve the likelihood for the full recovery of key business processes, DRPs should be developed as part of a complete business continuity (BC) program, which includes emergency response and business resumption plans.
3.3.6 Applicability and Compliance
This standard applies to all USG information resources, systems and technology, and to all users of these resources, systems and technology within the USG information infrastructure. Compliance with this standard is mandatory.
As components of the continuity of operations planning standard as detailed in Section 5 become enforceable, the USG Office of Information Security & ePrivacy will add appropriate questions to the ISPR for institutional self-assessment and USG managerial review. If a USG institution is not compliant with the continuity of operations standard as indicated by the ISPR, the institution will reply by endorsement (RBE) detailing its plans for mitigating risk until compliance, as well as its plan and schedule to move to compliance. The RBE will be from the institutional CISO routed to the USG CISO for managerial review. A courtesy copy will be provided to the institutional president and the USG Audit and Compliance Information Technology audit director for information purposes. The RBE must be submitted within 30 days of the ISPR due date.
- FIPS Publication 199 (Security Categorization)
- FIPS Publication 200 (Minimum Security Requirements)
- ISO 27005 Information Security Risk Management (ISRM)
- NIST Special Publication 800-30 (Risk Management)
- NIST SP 800-34, Revision 1 – Contingency Planning Guide for Federal Information Systems
- USG Continuity of Operations Planning Template and Guide
3.4.1 Network Services Standard
PeachNet®, the University System of Georgia’s (USG) statewide network, is the foundation that enables efficient, robust access to mission-critical online learning resources, business applications and transactions, and academic research. The transformation to the “Information Age” continues to be revolutionary in its impact on higher education. Students, researchers and administrators have come to view the network as a tool to enhance their learning experience.
PeachNet services are governed by the Board of Regents of the University System of Georgia’s PeachNet Acceptable Use Policy. In addition, the following outlines the roles and responsibilities of ITS and USG Organizations:
A. ITS Network Services
- Regional Wide Area Networks (WANs)
- ITS will facilitate the construction and management of Regional WANs to provide managed telecommunications services to the physical addresses of USG locations.
- The bandwidth delivered to each location, unless explicitly defined, will be provisioned based on utilization and trend-analysis data.
- ITS will maintain the fiber infrastructure to support USG Regional WANs.
- ITS will provide each location with public IP address ranges based on site needs and requirements.
- Internet and Internet 2
- ITS will provide Internet and Internet 2 access to all USG locations.
- ITS will require and establish appropriate Service Level Agreements (SLA) from Service Providers for any contracted network services. These SLAs will be established in accordance with normal industry standards for network-based performance measurements. ITS will also perform continuous network monitoring and service management to capture availability, performance and utilization statistics.
B. USG Institutional Responsibilities
- USG organizations will provide Co-Location (CoLo) facilities allowing ITS to create a PeachNet Point of Presence to support interconnections for Regional USG WANs, the Internet, and Internet 2.
- USG organizations will provide necessary power to support USG Regional WANs equipment within the PeachNet POP facilities.
- USG organizations shall have the ability to accept and utilize the physical interface specified and delivered by ITS.
- USG organizations are responsible for the oversight and distribution of the public Internet Protocol address ranges assigned to each institution by ITS.
- USG organizations will be responsible for providing ITS with local administrative and technical contacts. Firewall services at a statewide, regional or district level are excluded from this section.
- USG organizations are responsible for implementing and managing a campus security architecture, which may consist of devices such as firewalls, intrusion detection/prevention systems, content filters, etc.