5.2 Information Security Organization and Administration
This standard establishes the guidelines for organizing and administering information security at USG institutions, the USO, and the GPLS.
5.2.1 Information Security Organization
Each USG institution, the USO, and the GPLS must create an information security organization and program that ensures the confidentiality, integrity, and availability of all USG information assets. The program will oversee the administration of information security standards, processes, and procedures, and will consider the effects of security requirements on the entire enterprise. Every security requirement will be tied to an operational need, a state or federal regulation, or an industry-standard practice.
Furthermore, this organization will interpret state and federal regulations and apply their requirements to USG information resources, administer programs and execute projects to meet information security objectives, and act as liaison between the institution, the USO, or the GPLS and the USG on matters of information security and privacy.
Required administrative activities include, but are not limited to, the following:
- Develop information security policies, processes, standards, and procedures;
- Determine roles and responsibilities for information security within the institution, the USO, or the GPLS;
- Develop and implement information security plans for applications, systems, and remote locations as required by local, federal, state, and USG directives;
- Evaluate local infrastructure compliance with information security policies, processes, standards, and procedures;
- Establish processes and procedures for access to sensitive systems and information;
- Establish processes and procedures to minimize the likelihood of disruptions, to recover from disasters, and to respond to security incidents; and,
- Develop programs to increase user awareness of information security issues and responsibilities.
5.2.2 Institution, USO, and GPLS Information Security Officer (ISO) Designees
Each USG institution, the USO, and the GPLS must identify an information security officer (ISO) who will be responsible for establishing, maintaining, and reporting on information security roles, responsibilities, policies, standards, and procedures. The name of this designee and the appropriate contact information must be reported annually to USG Information Security & ePrivacy, as noted in Section 5.7 of this Handbook.