5.1 USG Information Security Program
Section 11.3 of the BoR Policy Manual charges USG Information Security & ePrivacy within Information Technology Services (ITS) with the responsibility and authority to:
- Create, issue, and maintain standards and guidelines;
- Direct USG institutions, the USO, the GPLS, and the Georgia Archives to effectively manage security, privacy and risk;
- Advise and consult with USG institutions, the USO, the GPLS, and the Georgia Archives on security issues; and,
- Ensure that USG institutions, the USO, the GPLS, and the Georgia Archives are in compliance with the requirements specified in the BoR Policy Manual, and local, state, and federal laws, codes, and/or regulations.
Based on this direction, the USG chief information security officer (CISO) shall develop and maintain an information security organization and architecture for support of information security across the USG and support of activities between participant organizations. He/she shall maintain information security implementation standards and guidelines that the USO, all USG institutions, the GPLS, and the Georgia Archives should consider in the development of their individual information security plans.
The USG CISO will:
- Assess performance (returning value while managing risk);
- Assume and accept responsibility for the charge given and resources received;
- Align the interests of different entities;
- Lead USG information security and privacy efforts;
- Measure results; and,
- Implement continuous improvement.
Specific guidelines for interpretation and administration of this policy are given in the USG Appropriate Use Policy (AUP) and the USG AUP Interpretation and Administration Guidelines. These guidelines contain more specific examples of offenses, and procedures for dealing with incidents.
5.1.1 Institution, USO, GPLS, and Georgia Archive Responsibilities
Each USG institution, the USO, the GPLS, and the Georgia Archives must provide for the proper use and protection of its information assets. Accordingly, each USG institution, the USO, the GPLS, and the Georgia Archives must:
- Build an information security program;
- Assign management responsibilities for information security program, including the appointment of an information security officer (ISO), as noted in Section 5.2 of this Handbook;
- Develop and maintain a computer/data incident management component as noted in Section 5.3 of this Handbook;
- Develop and maintain a program to manage and protect information assets, as noted in Section 5.4 of this Handbook;
- Establish and maintain an information technology and information security risk management program, including a risk assessment, analysis, planning mitigation, and monitoring process as noted in Section 5.5 of this Handbook;
- Categorize information systems, as noted in Section 5.6 of this Handbook;
- Classify information records (data), as noted in Section 5.7 of this Handbook;
- Implement the minimum endpoint security standard requirements/capabilities, as noted in Section 5.8 of this Handbook;
- Maintain an annual information security awareness, and training component for all employees and contractors, as noted in Section 5.9 of this Handbook;
- Backup and Recovery Plan
- Incident Management Plan
- Note: It is our future intention to require that the C.O.O.P. include a Disaster Recovery Plan and a Business Continuity Plan.
- Implement minimum security standards for networked devices, as noted in Section 5.11 of this Handbook;
- Implement password security controls, as noted in Section 5.12 of this Handbook;
- Implement and administer domain name security, as noted in Section 5.13 of this Handbook;
- Follow the USG policy and guide on the distribution of copyrighted material, as noted in Section 5.14 of this Handbook; and,
- Make reasonable efforts to detect, prevent, and mitigate identity theft, as noted in Section 5.15 of this Handbook.
- Implement the standard for the appropriate use and protection of USG email systems, as noted in Section 5.16 of this Handbook.
5.1.2 Policy, Standards, Processes, and Procedure Management Standard
The purpose of IS policy, standards, processes and procedures are to establish and maintain a standard of due care to prevent misuse or loss of USG information assets. Policy provides management direction for IS to conform to business requirements, laws, and administrative policies. Standards are the specifications that contain measurable, mandatory rules to be applied to a process, technology, and/or action in support of a policy. Procedures are the specific series of actions that are taken in order to comply with policies and standards.
Each USG institution, the USO, the GPLS, and the Georgia Archives must provide for the integrity and security of its information assets by creating appropriate internal policies, processes, standards, and procedures for preserving the integrity and security of each automated, paper file, or database. Each USG institution, the USO, the GPLS, and the Georgia Archives must:
- Establish and maintain management and staff accountability for protection of USG information assets.
- Establish and maintain processes for the assessment and analysis of risks associated with USG information assets.
- Establish and maintain cost-effective risk management practices intended to preserve the ability to meet USG program objectives in the event of the unavailability, loss, or misuse of information assets.
- Establish appropriate academic and administrative policies, processes, and procedures to protect and secure IT infrastructure, including:
- Technology upgrades, which include, but are not limited to, operating system upgrades on servers, routers, and firewalls. Appropriate planning and testing of upgrades must be addressed, in addition to departmental criteria for deciding which upgrades to apply.
- Security patches and security upgrades, which include, but are not limited to, servers, routers, desktop computers, mobile devices, and firewalls. Application and testing of the patches and/or security upgrades must be addressed, in addition to departmental criteria for deciding which patches and security upgrades must be applied and how quickly.
- Intrusion Prevent System (IPS)/firewall configurations, which must require creation and documentation of a baseline configuration for each ISP/firewall, updates of the documentation for all authorized changes, and periodic verification of the configuration to ensure that it has not changed during software modifications or rebooting of the equipment.
- Server configurations, which must clearly address all servers that have any interaction with Internet, extranet, or intranet traffic. Creation and documentation of a baseline configuration for each server, updates of the documentation for all authorized changes, and periodic checking of the configuration to ensure that it has not changed during software modifications or rebooting of the equipment must be required.
- Server hardening, which must cover all servers throughout the organization, not only those that fall within the jurisdiction of the organization’s IT area. The process for making changes based on newly published vulnerability information as it becomes available must be included. Further, this must address, and be consistent with, the organization’s policy for making security upgrades and security patches.
- Software management and software licensing, which must address acquisition from reliable and safe sources, and must clearly state the organization’s policy about not using pirated or unlicensed software.
- Ensuring that the use of peer-to-peer technology for any non-business purpose is prohibited. This includes, but is not limited to, transfer of music, movies, software, and other intellectual property. Business use of peer-to-peer technologies must be approved by the organization’s CIO and ISO.
- Require that if a data file is downloaded to a mobile device or desktop computer from another computer system, the specifications for information integrity and security, which have been established for the original data file, must be applied in the new environment.
- Establish policy requiring encryption, or equally effective measures, for all personal, sensitive, or confidential information that is stored on portable electronic storage media (including, but not limited to, CDs, DVDs, and thumb drives) and on portable computing devices (including, but not limited to, state assets: mobile devices, tablets, and laptop and notebook computers).
- Note: This policy does not apply to mainframe and server tapes.
5.1.3 USG Appropriate Use Policy (AUP)
This section establishes a USG-wide policy regarding appropriate use of USG information technology (IT) resources.
22.214.171.124 Policy Statement
It is USG policy to provide an environment that encourages the free exchange of ideas and sharing of information. Access to this environment and the USG’s IT resources is a privilege and must be treated with the highest standard of ethics.
The USG expects all participant organizations and their users to use IT resources in a responsible manner, respecting the public trust through which these resources have been provided, the rights and privacy of others, the integrity of facilities and controls, state and federal laws, and USG policies and standards. USG institutions, the USO, the GPLS, and the Georgia Archives may develop policies, standards, and guidelines based on their specific needs that supplement, but do not lessen, the intent of this policy.
This policy outlines the standards for appropriate use of USG IT resources, which include, but are not limited to, equipment, software, networks, data, and telephones whether owned, leased, or otherwise provided by USG participant organizations. This policy applies to all users of USG IT resources including faculty, staff, students, guests, external organizations and individuals accessing network services, such as the Internet via USG resources.
Preserving the access to information resources is a system-wide effort that requires each institution to act responsibly and guard against abuses. Therefore, the USG as a whole, each individual participant organization, and its users have an obligation to abide by the following standards of appropriate and ethical use:
- Use only those IT resources for which you have authorization
- Protect the access and integrity of IT resources
- Abide by applicable local, state, federal laws, university policies and respect the copyrights and intellectual property rights of others, including the legal use of copyrighted material
- Use IT resources only for their intended purpose
- Respect the privacy and personal rights of others
- Do no harm
Failure to comply with the appropriate use of these resources threatens the atmosphere for the sharing of information, the free exchange of ideas, and the secure environment for creating and maintaining information property, and subjects one to discipline. Any user of any USG system found using IT resources for unethical and/or inappropriate practices has violated this policy and is subject to disciplinary proceedings including suspension of system privileges, expulsion from school, termination of employment and/or legal action as may be appropriate. Although all members of the USG have an expectation of privacy, if a user is suspected of violating this policy, his or her right to privacy may be superseded by the USG’s requirement to protect the integrity of IT resources, the rights of all users, and the property of the USG and the state. The USG thus reserves the right to examine material stored on or transmitted through its resources if there is cause to believe that the standards for appropriate use are being violated by a participant organization, user, or a trespasser onto its systems or networks.
Specific guidelines for interpretation and administration of this policy are given in the USG AUP Interpretation and Administration Guidelines below. These guidelines contain more specific examples of offenses, and procedures for dealing with incidents.
5.1.4 USG AUP Interpretation and Administration Guidelines
126.96.36.199 Guidelines for Interpretation & Administration of the USG Appropriate Use Policy for Information Technology (IT) Resources
These guidelines are meant to assist the USG institutions, the USO, the GPLS, and the Georgia Archives in the interpretation and administration of the USG Appropriate Use Policy (AUP). The guidelines outline the responsibilities each participant organization and its users accept when using USG’s computing and IT resources. This is put forth as a minimum set of standards for all areas of the USG and may be supplemented with specific organization-level guidelines. However, such additional guidelines must be consistent with this document and cannot supersede this document. These guidelines include the use of information systems and resources, computers, telephones, Internet access, electronic mail (email), voice mail, reproduction equipment, facsimile systems, and other forms of electronic communications.
188.8.131.52 User Responsibilities
Use of USG IT resources is granted based on acceptance of the following specific responsibilities:
Use only those computing and IT resources for which you have authorization.
For example, it is a violation:
- To use resources you have not been specifically authorized to use
- To use someone else’s account and password or share your account and password with someone else
- To access files, data, or processes without authorization
- To purposely look for or exploit security flaws to gain system or data access
Protect the access and integrity of computing and IT resources.
For example, it is a violation:
- To use excessive bandwidth
- To release a virus or a worm that damages or harms a system or network
- To prevent others from accessing an authorized service
- To send email that may cause problems and disrupt service for other users
- To attempt to deliberately degrade performance or deny service
- To corrupt or misuse information
- To alter or destroy information without authorization
Abide by applicable laws and USG policies and respect the copyrights and intellectual property rights of others, including the legal use of copyrighted software.
For example, it is a violation:
- To download, use or distribute copyrighted materials, including pirated software or music or videos or games
- To make more copies of licensed software than the license allows
- To operate and participate in pyramid schemes
- To upload, download, distribute, or possess pornography
- To upload, download, distribute, or possess child pornography
Use computing and IT resources only for the intended purposes.
For example, it is a violation:
- To use computing or network resources for advertising or other commercial purposes
- To distribute copyrighted materials without express permission of the copyright holder
- To send forged email
- To misuse Internet Relay Chat (IRC) software to allow users to hide their identity, or to interfere with other systems or users
- To send terrorist threats or “hoax messages”
- To send chain letters
- To intercept or monitor any network communications not intended for you
- To attempt to circumvent security mechanisms
- To use privileged access for other than official duties
- To use former privileges after graduation, transfer or termination, except as stipulated by the USG Institution
Respect the privacy and personal rights of others.
For example, it is a violation:
- To use electronic resources for harassment or stalking other individuals
- To tap a phone line or run a network sniffer or vulnerability scanner without authorization
- To access or attempt to access other individual’s password or data without explicit authorization
- To access or copy another user’s electronic mail, data, programs, or other files without permission
- To disclose information about students in violation of USG Guidelines
184.108.40.206 System and Network Administrator Responsibilities
System Administrators and providers of USG computing and IT resources have the additional responsibility of ensuring the confidentiality, integrity, and availability of the resources they are managing. Persons in these positions are granted significant trust to use their privileges appropriately for their intended purpose and only when required to maintain the system. Any private information seen in carrying out these duties must be treated in the strictest confidence, unless it relates to a violation or the security of the system.
220.127.116.11 Security Caveat
Be aware that although computing and IT providers throughout the USG are charged with preserving the integrity and security of resources, security sometimes can be breached through actions beyond their control. Users are therefore urged to take appropriate precautions such as:
- Safeguarding their account and password
- Taking full advantage of file security mechanisms
- Backing up critical data on a regular basis
- Promptly reporting any misuse or violations of the policy
- Using virus scanning software with current updates
- Using personal firewall protection
- Installing security patches in a timely manner
Every user of USG IT resources has an obligation to report suspected violations of the above guidelines or of the Appropriate Use Policy for Computing and IT Resources. Reports should be directed to the institution, unit, center, office, division, department, school, or administrative area responsible for the particular system involved.
Return to Top