
Information Technology Handbook

Definitions

The following definitions of shall, will, must, may, may not, and should are used throughout this Handbook.

  1. Shall, Will, and Must indicate a legal, regulatory, standard, or policy requirement. Shall and Will are used for persons and organizations, and Must for inanimate objects.
  2. May indicates an option.
  3. May Not indicates a prohibition.
  4. Should indicates a recommendation that, in the absence of an alternative providing equal or better protection from risk, is an acceptable approach to achieve a requirement. The focus of should statements generally is more outcome-based; i.e., an alternate method to achieve the requirement may be developed assuming it is documented as effectively managing risk.

The following definitions of Authentication, Availability, Confidentiality, Computer Security Incident, DNS, DNS Spoofing, Domain, Endpoints, Endpoint Security, Endpoint Security Management, Endpoint Security Management System, Event of Interest, Guideline, Incident Management, Incident Response Management, Integrity, Metric, Monitoring, Performance Goal, Performance Measures, Policy, Split DNS, and Standard are used throughout this section.

  1. Authentication is the process of attempting to verify the digital identity of a system user or process.
  2. Availability: Ensuring timely and reliable access to and use of information.
  3. Confidentiality: Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.
  4. Computer Security Incident is a violation (breach) or imminent threat of violation of computer security policies, acceptable use policies, or standard computer security practices, which may include, but are not limited to:
    • Widespread infections from virus, worms, Trojan horse or other malicious code;
    • Unauthorized use of computer accounts and computer systems;
    • Unauthorized, intentional or inadvertent disclosure or modification of sensitive/critical data or infrastructure;
    • Intentional disruption of critical system functionality;
    • Intentional or inadvertent penetration of firewall;
    • Compromise of any server, including Web server defacement or database server;
    • Exploitation of other weaknesses, known or unknown;
    • Child pornography;
    • Attempts to obtain information to commit fraud or otherwise prevent critical operations or cause danger to state or system or national security;
    • Violations of state or USG security policies or standards that threaten or compromise the security objectives of state or USG data, technology, or communications systems; and,
    • Any violation of the “Appropriate Use Policy.”
  5. DNS refers to the domain name system, which represents a powerful Internet technology for converting domain names to their corresponding IP addresses.
  6. DNS Spoofing refers to confusing a DNS server into giving out bad information. The way it works is that an attacker sends a recursive query to the victim’s server, using the victim’s server to resolve the query. The answer to the query is in a zone the attacker controls. The answer given by the attacker’s name server includes an authoritative record for a domain name controlled by a third party. That authoritative record is FALSE. The victim’s server caches the bogus record. Once spoofed, the victim’s resolver will continue to use the false record it has in its cache, potentially misdirecting email or any other Internet service. This is a potentially major security leak for credit card information, trade secrets, and other highly sensitive information.
    • Note: Most modern servers will not cache a fake record because it does not fall in the same parent zone as the record that was requested.
  7. Domain is most often used to refer to a domain zone; it is also used to describe a zone or a domain name.
  8. Endpoints can include, but are not limited to, PCs, laptops, smart phones, tablets and specialized equipment such as bar code readers or point of sale (POS) terminals.
  9. Endpoint Security is an approach to network protection that requires each computing device on a corporate network to comply with certain standards before network access is granted. Simple forms of endpoint security include personal firewalls or anti-virus software that is distributed and then monitored and updated from a server.
  10. Endpoint Security Management is a policy-based approach to network security that requires endpoint devices to comply with specific criteria before they are granted access to network resources.
  11. Endpoint Security Management Systems, which can be purchased as software or as a dedicated appliance, discover, manage, and control computing devices that request access to the corporate network. Endpoints that do not comply with policy can be controlled by the system to varying degrees. For example, the system may remove local administrative rights or restrict Internet browsing capabilities.
  12. Event of Interest is a questionable or suspicious activity that could threaten the security objectives for critical or sensitive data or infrastructure. They may or may not have criminal implications.
  13. Guideline: A guideline is a document that suggests a path or guidance on how to achieve or reach compliance with a policy.
  14. Incident Management is the process of detecting, mitigating, and analyzing threats or violations of security policies and controls and limiting their effect.
  15. Incident Response Management is the process of detecting, mitigating, and analyzing threats or violations of security policies and limiting their effect.
  16. Integrity: Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity.
  17. Metric is a numeric indicator used to gauge system-wide program performance and monitor progress toward accomplishing system-wide goals and objectives. It monitors and measures accomplishment of goals by quantifying the level of implementation and effectiveness.
  18. Monitoring is observing and checking for a set standard or configuration.
  19. Performance Goal is the desired result(s) of implementing the security objective or technique that are measured by the metric.
  20. Performance Measures are the actions required to accomplish the performance goal validated through the completion and analysis of the institution report.
  21. Policy: A policy is typically a concise document that outlines specific requirements, business rules, or company stance that must be met. The policy is the organization’s stance on an issue, program, or system. It is a rule that everyone must meet.
  22. Split DNS is when internal hosts are directed to an internal domain name server for name resolution, while external hosts are directed to an external domain name server for name resolution.
  23. Standard: A standard is a requirement that supports a policy.
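The note under the DNS Spoofing definition (item 6) states the check that keeps a modern resolver from caching the bogus record: a record is accepted only if its owner name falls inside the zone the query was about (the "bailiwick" rule). The following Python is an added illustration of that rule and is not part of the Handbook or of any resolver's code; the RR type, the zone and record names (reserved .test/.example names and 192.0.2.0/24 documentation addresses) and the filter function are all constructed for this example.

```python
from __future__ import annotations
from dataclasses import dataclass


# Hypothetical minimal resource-record type for this example; a real resolver
# would parse wire-format DNS messages instead.
@dataclass(frozen=True)
class RR:
    name: str    # owner name, e.g. "www.example.test."
    rtype: str   # record type: "A", "NS", "MX", ...
    rdata: str   # record data as text


def normalize(name: str) -> str:
    """Lowercase the name and make it fully qualified (trailing dot)."""
    n = name.strip().lower()
    return n if n.endswith(".") else n + "."


def in_bailiwick(owner: str, zone: str) -> bool:
    """True when owner is the zone apex or any name below it."""
    owner, zone = normalize(owner), normalize(zone)
    if zone == ".":          # the root zone contains every name
        return True
    # The leading dot prevents "badexample.test." matching zone "example.test."
    return owner == zone or owner.endswith("." + zone)


def filter_response(zone_queried: str, records: list[RR]) -> tuple[list[RR], list[RR]]:
    """Split a response into records safe to cache and records to discard.

    A record is cacheable only if its owner name lies inside the zone the
    query was sent about. An "authoritative" record for an unrelated
    third-party domain is exactly what the spoofing definition describes,
    so it is rejected instead of cached.
    """
    accepted: list[RR] = []
    rejected: list[RR] = []
    for rr in records:
        if in_bailiwick(rr.name, zone_queried):
            accepted.append(rr)
        else:
            rejected.append(rr)
    return accepted, rejected


# Constructed sample: the zone a query was sent about, and the records that
# came back. Names use the reserved .test / .example TLDs (RFC 2606) and the
# 192.0.2.0/24 documentation range (RFC 5737); none are real hosts.
RESPONDING_ZONE = "attacker-zone.test"
SAMPLE_RESPONSE = [
    RR("www.attacker-zone.test.", "A", "192.0.2.10"),    # legitimate answer
    RR("ns1.attacker-zone.test.", "A", "192.0.2.11"),    # glue for the zone's NS
    RR("www.third-party.example.", "A", "192.0.2.99"),   # out of bailiwick: drop
]


def demo() -> int:
    """Run the filter over the sample and print the decision; returns the count rejected."""
    accepted, rejected = filter_response(RESPONDING_ZONE, SAMPLE_RESPONSE)
    for rr in accepted:
        print(f"cache   {rr.name:28} {rr.rtype:4} {rr.rdata}")
    for rr in rejected:
        print(f"REJECT  {rr.name:28} {rr.rtype:4} {rr.rdata}  (outside {RESPONDING_ZONE})")
    return len(rejected)


if __name__ == "__main__":
    demo()
```

The comparison is done on normalized, fully qualified names so that case differences or a missing trailing dot cannot be used to slip a record past the check; the root zone is handled as a special case because every name is below it.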

Implementation and Compliance

| Section Number | Section Name | Compilation Date | Published Date | Compliance Date | Revision Date(s) |
|---|---|---|---|---|---|
| 5.1 | USG Information Security Program | February 2009 | February 2009 to InfoSec; February 2013 to IT Handbook | February 2009 | May 2014 |
| 5.2 | Information Security Organization and Administration | February 2009 | February 2009 to InfoSec; February 2013 to IT Handbook | February 2009 | May 2014 |
| 5.3 | Incident Management | December 2008 | December 2008 to InfoSec; February 2013 to IT Handbook | February 2009 | May 2014 |
| 5.4 | USG Information Asset Management and Protection Standard | July 2013 | May 2014 | TBD | |
| 5.5 | IT/IS Risk Management | April 2010 | April 2010 to InfoSec; February 2013 to IT Handbook | April 2010 | May 2014 |
| 5.6 | USG Information System Categorization and Data Classification Standard | June 2013 | May 2014 | July 2014 | |
| 5.7 | USG Classification of Information Standard | June 2013 | May 2014 | July 2015 | |
| 5.8 | USG Endpoint Security Standard | June 2013 | May 2014 | July 2015 | |
| 5.9 | Security Awareness, Training, and Education | April 2009 | April 2009 to InfoSec; February 2013 to IT Handbook | April 2009 | May 2014 |
| 5.10 | Required Reporting | April 2009 | April 2009 to InfoSec; February 2013 to IT Handbook | April 2009 | May 2014 |
| 5.11 | Minimum Security Standards for USG Networked Devices | October 2008 | October 2008 to InfoSec; May 2014 to IT Handbook | October 2008 | May 2014 |
| 5.12 | Password Security | July 2010 | July 2010 to InfoSec; February 2013 to IT Handbook | July 2010 | May 2014 |
| 5.13 | Domain Name Service | February 2011 | February 2011 to InfoSec; February 2013 to IT Handbook | February 2011 | May 2014 |
| 5.14 | Copyright Violation Guideline | April 2010 | April 2010 to InfoSec; May 2014 to IT Handbook | April 2010 | May 2014 |
| 5.15 | Identity Theft Prevention Standard – Red Flags Rule | January 2011 | January 2011 to InfoSec; May 2014 to IT Handbook | January 2011 | May 2014 |
| 5.16 | Email Use and Protection Standard | January 2009 | January 2009 to InfoSec; May 2014 to IT Handbook | May 2014 | |

Print friendly Version date May 15, 2014

Introduction

Information and information systems are strategic assets to all University System of Georgia (USG) entities. The Board of Regents (BoR) recognizes that information created, collected, or distributed using technology by a USG institution, the University System Office (USO) [which includes the Shared Services Center (SSC)], the Georgia Public Library System (GPLS), and the Georgia Archives is a valuable asset and must be protected from unauthorized disclosure, modification, or destruction. The degree of protection needed is based on the nature of the resource and its intended use. Each USG institution, the USO, the GPLS, and the Georgia Archives have the responsibility to employ prudent information security standards and best practices to minimize the risk and threats to the integrity, confidentiality, and availability of USG information and information systems.

Information security means the protection of information and information systems, equipment, and people from a wide spectrum of risks and threats. Implementing appropriate security measures and controls to provide for the confidentiality, integrity, and availability of information, regardless of its form (electronic, print, or other media) is critical to ensure business continuity and protection against unauthorized access, use, disclosure, disruption, modification, or destruction.

It is USG policy to provide an environment that encourages the free exchange of ideas and sharing of information. Access to this environment and the USG’s information technology (IT) resources is a privilege and must be treated with the highest of ethical standards.

Applicability

All USG institutions, the USO, the GPLS, and the Georgia Archives must comply with the information security and privacy policies, standards, and procedures issued by USG Information Security & ePrivacy, and report and file the appropriate compliance documents as identified in this policy. All USG institutions, the USO, the GPLS, and the Georgia Archives must adhere to the Information Security Reporting Requirements, as noted in Section 5.10 of this Handbook.

The scope of this section is to have broad application, particularly with respect to information and information systems, which impact the operational levels of the USG institutions, the USO, the GPLS, and the Georgia Archives. In a similar manner, all contractual agreements with 3rd party vendors must adhere to the guidance provided. An appropriate Service Level Agreement (SLA) and Non-Disclosure Agreement (NDA) should be constructed to ensure roles and requirements are acknowledged and followed.


Section 11.3 of the BoR Policy Manual charges USG Information Security & ePrivacy within Information Technology Services (ITS) with the responsibility and authority to:

  1. Create, issue, and maintain standards and guidelines;
  2. Direct USG institutions, the USO, the GPLS, and the Georgia Archives to effectively manage security, privacy and risk;
  3. Advise and consult with USG institutions, the USO, the GPLS, and the Georgia Archives on security issues; and,
  4. Ensure that USG institutions, the USO, the GPLS, and the Georgia Archives are in compliance with the requirements specified in the BoR Policy Manual, and local, state, and federal laws, codes, and/or regulations.

Based on this direction, the USG chief information security officer (CISO) shall develop and maintain an information security organization and architecture for support of information security across the USG and support of activities between participant organizations. He/she shall maintain information security implementation standards and guidelines that the USO, all USG institutions, the GPLS, and the Georgia Archives should consider in the development of their individual information security plans.

The USG CISO will:

  1. Assess performance (returning value while managing risk);
  2. Assume and accept responsibility for the charge given and resources received;
  3. Align the interests of different entities;
  4. Lead USG information security and privacy efforts;
  5. Measure results; and,
  6. Implement continuous improvement.

Specific guidelines for interpretation and administration of this policy are given in the USG Appropriate Use Policy (AUP) and the USG AUP Interpretation and Administration Guidelines. These guidelines contain more specific examples of offenses, and procedures for dealing with incidents.

5.1.1 Institution, USO, GPLS, and Georgia Archive Responsibilities

Each USG institution, the USO, the GPLS, and the Georgia Archives must provide for the proper use and protection of its information assets. Accordingly, each USG institution, the USO, the GPLS, and the Georgia Archives must:

  1. Build an information security program;
  2. Assign management responsibilities for information security program, including the appointment of an information security officer (ISO), as noted in Section 5.2 of this Handbook;
  3. Develop and maintain a computer/data incident management component as noted in Section 5.3 of this Handbook;
  4. Develop and maintain a program to manage and protect information assets, as noted in Section 5.4 of this Handbook;
  5. Establish and maintain an information technology and information security risk management program, including a risk assessment, analysis, planning mitigation, and monitoring process as noted in Section 5.5 of this Handbook;
  6. Categorize information systems, as noted in Section 5.6 of this Handbook;
  7. Classify information records (data), as noted in Section 5.7 of this Handbook;
  8. Implement the minimum endpoint security standard requirements/capabilities, as noted in Section 5.8 of this Handbook;
  9. Maintain an annual information security awareness, and training component for all employees and contractors, as noted in Section 5.9 of this Handbook;
  10. Comply with USG reporting requirements, as noted in Section 5.10 of this Handbook, including developing and maintaining an information security and privacy policy and compliance management process, and building, testing, and maintaining a Continuity of Operations Plan (C.O.O.P.) including a:
    • Backup and Recovery Plan
    • Incident Management Plan
      • Note: It is our future intention to require that the C.O.O.P. include a Disaster Recovery Plan and a Business Continuity Plan.
  11. Implement minimum security standards for networked devices, as noted in Section 5.11 of this Handbook;
  12. Implement password security controls, as noted in Section 5.12 of this Handbook;
  13. Implement and administer domain name security, as noted in Section 5.13 of this Handbook;
  14. Follow the USG policy and guide on the distribution of copyrighted material, as noted in Section 5.14 of this Handbook; and,
  15. Make reasonable efforts to detect, prevent, and mitigate identity theft, as noted in Section 5.15 of this Handbook.
  16. Implement the standard for the appropriate use and protection of USG email systems, as noted in Section 5.16 of this Handbook.

5.1.2 Policy, Standards, Processes, and Procedure Management Standard

The purpose of IS policy, standards, processes, and procedures is to establish and maintain a standard of due care to prevent misuse or loss of USG information assets. Policy provides management direction for IS to conform to business requirements, laws, and administrative policies. Standards are the specifications that contain measurable, mandatory rules to be applied to a process, technology, and/or action in support of a policy. Procedures are the specific series of actions that are taken in order to comply with policies and standards.

Each USG institution, the USO, the GPLS, and the Georgia Archives must provide for the integrity and security of its information assets by creating appropriate internal policies, processes, standards, and procedures for preserving the integrity and security of each automated, paper file, or database. Each USG institution, the USO, the GPLS, and the Georgia Archives must:

  1. Establish and maintain management and staff accountability for protection of USG information assets.
  2. Establish and maintain processes for the assessment and analysis of risks associated with USG information assets.
  3. Establish and maintain cost-effective risk management practices intended to preserve the ability to meet USG program objectives in the event of the unavailability, loss, or misuse of information assets.
  4. Establish appropriate academic and administrative policies, processes, and procedures to protect and secure IT infrastructure, including:
    • Technology upgrades, which include, but are not limited to, operating system upgrades on servers, routers, and firewalls. Appropriate planning and testing of upgrades must be addressed, in addition to departmental criteria for deciding which upgrades to apply.
    • Security patches and security upgrades, which include, but are not limited to, servers, routers, desktop computers, mobile devices, and firewalls. Application and testing of the patches and/or security upgrades must be addressed, in addition to departmental criteria for deciding which patches and security upgrades must be applied and how quickly.
    • Intrusion Prevention System (IPS)/firewall configurations, which must require creation and documentation of a baseline configuration for each IPS/firewall, updates of the documentation for all authorized changes, and periodic verification of the configuration to ensure that it has not changed during software modifications or rebooting of the equipment.
    • Server configurations, which must clearly address all servers that have any interaction with Internet, extranet, or intranet traffic. Creation and documentation of a baseline configuration for each server, updates of the documentation for all authorized changes, and periodic checking of the configuration to ensure that it has not changed during software modifications or rebooting of the equipment must be required.
    • Server hardening, which must cover all servers throughout the organization, not only those that fall within the jurisdiction of the organization’s IT area. The process for making changes based on newly published vulnerability information as it becomes available must be included. Further, this must address, and be consistent with, the organization’s policy for making security upgrades and security patches.
    • Software management and software licensing, which must address acquisition from reliable and safe sources, and must clearly state the organization’s policy about not using pirated or unlicensed software.
    • Ensuring that the use of peer-to-peer technology for any non-business purpose is prohibited. This includes, but is not limited to, transfer of music, movies, software, and other intellectual property. Business use of peer-to-peer technologies must be approved by the organization’s CIO and ISO.
  5. Require that if a data file is downloaded to a mobile device or desktop computer from another computer system, the specifications for information integrity and security, which have been established for the original data file, must be applied in the new environment.
  6. Establish policy requiring encryption, or equally effective measures, for all personal, sensitive, or confidential information that is stored on portable electronic storage media (including, but not limited to, CDs, DVDs, and thumb drives) and on portable computing devices (including, but not limited to, state assets: mobile devices, tablets, and laptop and notebook computers).
    • Note: This policy does not apply to mainframe and server tapes.

5.1.3 USG Appropriate Use Policy (AUP)

This section establishes a USG-wide policy regarding appropriate use of USG information technology (IT) resources.

5.1.3.1 Policy Statement

It is USG policy to provide an environment that encourages the free exchange of ideas and sharing of information. Access to this environment and the USG’s IT resources is a privilege and must be treated with the highest standard of ethics.

The USG expects all participant organizations and their users to use IT resources in a responsible manner, respecting the public trust through which these resources have been provided, the rights and privacy of others, the integrity of facilities and controls, state and federal laws, and USG policies and standards. USG institutions, the USO, the GPLS, and the Georgia Archives may develop policies, standards, and guidelines based on their specific needs that supplement, but do not lessen, the intent of this policy.

This policy outlines the standards for appropriate use of USG IT resources, which include, but are not limited to, equipment, software, networks, data, and telephones whether owned, leased, or otherwise provided by USG participant organizations. This policy applies to all users of USG IT resources including faculty, staff, students, guests, external organizations and individuals accessing network services, such as the Internet via USG resources.

5.1.3.2 Standard

Preserving the access to information resources is a system-wide effort that requires each institution to act responsibly and guard against abuses. Therefore, the USG as a whole, each individual participant organization, and its users have an obligation to abide by the following standards of appropriate and ethical use:

  • Use only those IT resources for which you have authorization
  • Protect the access and integrity of IT resources
  • Abide by applicable local, state, federal laws, university policies and respect the copyrights and intellectual property rights of others, including the legal use of copyrighted material
  • Use IT resources only for their intended purpose
  • Respect the privacy and personal rights of others
  • Do no harm

Failure to comply with the appropriate use of these resources threatens the atmosphere for the sharing of information, the free exchange of ideas, and the secure environment for creating and maintaining information property, and subjects one to discipline. Any user of any USG system found using IT resources for unethical and/or inappropriate practices has violated this policy and is subject to disciplinary proceedings including suspension of system privileges, expulsion from school, termination of employment and/or legal action as may be appropriate. Although all members of the USG have an expectation of privacy, if a user is suspected of violating this policy, his or her right to privacy may be superseded by the USG’s requirement to protect the integrity of IT resources, the rights of all users, and the property of the USG and the state. The USG thus reserves the right to examine material stored on or transmitted through its resources if there is cause to believe that the standards for appropriate use are being violated by a participant organization, user, or a trespasser onto its systems or networks.

Specific guidelines for interpretation and administration of this policy are given in the USG AUP Interpretation and Administration Guidelines below. These guidelines contain more specific examples of offenses, and procedures for dealing with incidents.


5.1.4 USG AUP Interpretation and Administration Guidelines

5.1.4.1 Guidelines for Interpretation & Administration of the USG Appropriate Use Policy for Information Technology (IT) Resources

These guidelines are meant to assist the USG institutions, the USO, the GPLS, and the Georgia Archives in the interpretation and administration of the USG Appropriate Use Policy (AUP). The guidelines outline the responsibilities each participant organization and its users accept when using USG’s computing and IT resources. This is put forth as a minimum set of standards for all areas of the USG and may be supplemented with specific organization-level guidelines. However, such additional guidelines must be consistent with this document and cannot supersede this document. These guidelines include the use of information systems and resources, computers, telephones, Internet access, electronic mail (email), voice mail, reproduction equipment, facsimile systems, and other forms of electronic communications.

5.1.4.2 User Responsibilities

Use of USG IT resources is granted based on acceptance of the following specific responsibilities:

Use only those computing and IT resources for which you have authorization.
For example, it is a violation:

  • To use resources you have not been specifically authorized to use
  • To use someone else’s account and password or share your account and password with someone else
  • To access files, data, or processes without authorization
  • To purposely look for or exploit security flaws to gain system or data access

Protect the access and integrity of computing and IT resources.
For example, it is a violation:

  • To use excessive bandwidth
  • To release a virus or a worm that damages or harms a system or network
  • To prevent others from accessing an authorized service
  • To send email that may cause problems and disrupt service for other users
  • To attempt to deliberately degrade performance or deny service
  • To corrupt or misuse information
  • To alter or destroy information without authorization

Abide by applicable laws and USG policies and respect the copyrights and intellectual property rights of others, including the legal use of copyrighted software.
For example, it is a violation:

  • To download, use or distribute copyrighted materials, including pirated software or music or videos or games
  • To make more copies of licensed software than the license allows
  • To operate and participate in pyramid schemes
  • To upload, download, distribute, or possess pornography
  • To upload, download, distribute, or possess child pornography

Use computing and IT resources only for the intended purposes.
For example, it is a violation:

  • To use computing or network resources for advertising or other commercial purposes
  • To distribute copyrighted materials without express permission of the copyright holder
  • To send forged email
  • To misuse Internet Relay Chat (IRC) software to allow users to hide their identity, or to interfere with other systems or users
  • To send terrorist threats or “hoax messages”
  • To send chain letters
  • To intercept or monitor any network communications not intended for you
  • To attempt to circumvent security mechanisms
  • To use privileged access for other than official duties
  • To use former privileges after graduation, transfer or termination, except as stipulated by the USG Institution

Respect the privacy and personal rights of others.
For example, it is a violation:

  • To use electronic resources for harassment or stalking other individuals
  • To tap a phone line or run a network sniffer or vulnerability scanner without authorization
  • To access or attempt to access other individual’s password or data without explicit authorization
  • To access or copy another user’s electronic mail, data, programs, or other files without permission
  • To disclose information about students in violation of USG Guidelines

5.1.4.3 System and Network Administrator Responsibilities

System Administrators and providers of USG computing and IT resources have the additional responsibility of ensuring the confidentiality, integrity, and availability of the resources they are managing. Persons in these positions are granted significant trust to use their privileges appropriately for their intended purpose and only when required to maintain the system. Any private information seen in carrying out these duties must be treated in the strictest confidence, unless it relates to a violation or the security of the system.

5.1.4.4 Security Caveat

Be aware that although computing and IT providers throughout the USG are charged with preserving the integrity and security of resources, security sometimes can be breached through actions beyond their control. Users are therefore urged to take appropriate precautions such as:

  • Safeguarding their account and password
  • Taking full advantage of file security mechanisms
  • Backing up critical data on a regular basis
  • Promptly reporting any misuse or violations of the policy
  • Using virus scanning software with current updates
  • Using personal firewall protection
  • Installing security patches in a timely manner

5.1.4.5 Violations

Every user of USG IT resources has an obligation to report suspected violations of the above guidelines or of the Appropriate Use Policy for Computing and IT Resources. Reports should be directed to the institution, unit, center, office, division, department, school, or administrative area responsible for the particular system involved.



Given the USG and the state government’s increased use of IT and Internet-based services, the USG has a compelling need to ensure the confidentiality, integrity and availability of those systems and services are adequately protected from known and anticipated threats. As noted in Section 5.2.2 of this Handbook, USG institutions, the USO, the GPLS, and the Georgia Archives are responsible for the designation of officials within their organization to fulfill key security functions and report on its status of compliance with security policy, standards and procedures. While reporting and self-certification activities alone do not ensure the security of USG and state information assets, they do demonstrate an organization’s acknowledgement of the requirements and provide a measure of accountability.

5.10.1 Schedule of Required Reporting Activities

The following provides a summary list and schedule of required security reporting activities with corresponding due dates. Unless otherwise noted, all reports must be submitted in electronic PDF format with original signature(s) to USG Information Security & ePrivacy.

5.10.1.1 Information Security Officer (ISO) Designee Letter

As noted in Section 5.2.2 of this Handbook, the name and the appropriate contact information for this designee must be sent annually by January 31, or within ten (10) business days of any change in the designee.

5.10.1.2 Computer Security Incident Response Plan

As noted in Section 5.3.1 of this Handbook, a Computer and Data Security Incident Response (CDSIR) Plan must be formally documented and electronically sent and filed with USG Information Security & ePrivacy. If the plan is changed, the latest version of the plan must be sent within ten (10) business days of the change.

5.10.1.3 Information Security Incident Report

As noted in Section 5.3.2 of this Handbook, information security incidents consistent with the security reporting requirements of USG information security policy must be reported within five (5) business days of the computer or data incident.

5.10.1.4 Information Security Incident Follow-up Report

As noted in Section 5.3.3 of this Handbook, the incident follow-up report must be submitted to USG Information Security & ePrivacy within thirty (30) business days after entering the “recovery” step/phase of incident response.

5.10.1.5 Annual Information Security Program Report

The governor’s Executive Order of March 19, 2008 requires development of a composite report on the status of Information Security for all state agencies. The USG has chosen to align itself with this order by producing its own USG Information Security Program Report (ISPR). The report shall consolidate the security program reports of all USG institutions, the USO, the GPLS, and the Georgia Archives into one USG information security program report. The report shall be the aggregate of data compiled from the annual ISPR questionnaire. No specific institution, USO, GPLS, or Georgia Archives information shall be reported.


5.10.2 USG Information Security Program Reporting Standard

This section establishes the standard for USG institutions, the USO, the GPLS, and the Georgia Archives to report the status of their information security program annually to USG Information Security & ePrivacy.

5.10.2.1 Purpose

On March 19, 2008 the Governor of the State of Georgia issued an Executive Order taking the lead on issues of information security. This order directs each state agency to issue an information security plan report (ISPR) annually.

Information technology and information security risk management is a broad area requiring top-level management attention and system-wide participation. USG information security policies and standards are intended to strengthen information security throughout the system. The policies, standards and directives provide participant organizations with the necessary direction to cost-effectively document and reduce security risks to a level acceptable to the organization and the USG.

The continuous and efficient operation of data systems is both vital and necessary to the USG mission. USG participant organizations have the responsibility of providing critically important, coordinated, robust, and effective information security in order to protect the system’s data, its students, and employees and to ensure the efficient operation of the USG.

To ensure the adequacy and effectiveness of information security throughout the system, this standard requires institutions to conduct annual reviews of their information security programs and report the results to USG Information Security & ePrivacy. These data will be used to prepare the consolidated annual report for the Georgia Governor’s Office. The annual report will facilitate state decision makers’ understanding of the current state of information risk management within the state and of how each agency is performing year to year. It will also provide data for making appropriate decisions regarding proposed improvements.

The new ISPR requirement builds on previous efforts by the USG CIO Advisory Council Security Advisory Group (SAG), in which institutions were instructed to gather information on institution-level information security programs/plans and report to USG Information Security & ePrivacy.

While information security plans and measures are specifically exempted from public disclosure under the Georgia Open Records Act, USG participant organizations are required to strategically plan their initiatives and make these plans and corresponding performance measures or metrics available to the public upon request.

Performance metrics are especially important because they:

  • Demonstrate quantifiable progress in accomplishing strategic goals and objectives;
  • Satisfy federal and state legislative requirements;
  • Improve accountability for delivering services;
  • Play a key role in initiating improvement actions based on performance trends;
  • Provide objective information to USG leadership on the achievement of objectives and on the relative effectiveness and efficiency of institutional programs and spending.

5.10.2.2 Scope, Enforcement, Authority, and Exceptions

5.10.2.3 Standard

To ensure the adequacy, effectiveness, and continuous improvement of information security controls throughout the USG, each participant organization shall conduct an annual review of its information security program and report its status as of March 31st of each year. These reports shall be called the “Institution Information Security Plan Report (ISPR).”

USG Information Security & ePrivacy shall collect and analyze the institutions’ ISPRs and compile an annual State of the University System of Georgia Information Security Program Report. The ISPR shall be delivered to the Georgia Technology Authority (GTA) on or before October 31st of the same year.

The report shall provide a summary of system-wide performance in information security management and implementation, analysis of system-wide areas for improvement in information security practices, and a plan of action to improve information security throughout the USG.

Each year, USG Information Security & ePrivacy and the CIO Advisory Council SAG shall establish information security performance goals and requirements and shall gather metrics based on specific compliance, implementation and effectiveness objectives, such as, but not limited to, implementation of and compliance with security policies and standards, security services delivery, and the mission impact of security events. The performance goals shall state the desired result of implementing a system security program requirement and the actions required to accomplish it.

The metrics shall attempt to measure the accomplishments of each participant organization by quantifying (percentages, averages, numbers etc.) the level of implementation, effectiveness and efficiency of the security objectives. They shall demonstrate progress against established objectives as the security program matures, and shall facilitate the development of corrective actions and/or improvement plans.

Performance measures shall examine the implementation and effectiveness of each institution’s information security program consisting of demonstrated progress in establishing a functioning baseline in the areas of: Strategic Security Planning, Policy Management, Risk Management, Continuity of Operations Management, Incident Response and Reporting Management, and Security Awareness and Training.

5.10.2.4 Related USG Policies, Standards, and Guidelines

5.10.2.5 References

  • Federal Information Security Management Act (FISMA) of 2002
  • Federal Information Processing Standards (FIPS) 199/200
  • NIST SP 800-30 Risk Management Guide for Information Technology Systems
  • NIST SP 800-53 Recommended Security Controls for Federal Information Systems
  • NIST SP 800-55 Performance Measurement Guide for Information Security
  • NIST SP 800-80 Guide for Developing Performance Metrics for Information Security

5.10.2.6 Appendix 1

Strategic Security Planning: A comprehensive information security program combines people, processes and technologies. Information security’s goal and objective is to provide a “secure environment” whereby each student, faculty and staff member can reach their goals and objectives. The information security goals and objectives must map to the business goals and objectives of the institution; that is, one must be able to articulate quantitatively that the business goals and objectives of the institution are at risk if the security objectives are not met.

Goal(s): Develop an “information security strategy or strategies.” Each strategy is supported by one or more initiatives. An initiative is the implementation of an operational plan that over time realizes part or all of the security strategies and objectives. The overall objective is to implement a set of interrelated initiatives that collectively achieve all of the security objectives.

Each organization shall answer the following questions:

  1. Does your organization have a strategic business goal or objective?
  2. Does your information security program map to the institution’s strategic business goal or objective?
  3. What is or are the strategic goals or objectives of the information security program?
  4. What are the initiatives that support that strategic security goal or objective?
  5. What is the “plan of action & milestones” in achieving/reaching the strategic security goal or objective?

5.10.2.7 Appendix 2

IT/IS Policy Management: The purpose of an IT or IS policy is to establish and maintain a standard of due care to prevent misuse or loss of USG information assets. Policy provides management direction for information security to conform to business requirements, laws, and administrative policies. Each USG participant organization must provide for the integrity and security of its information assets by establishing appropriate internal policies and procedures for preserving the integrity and security of each automated file, paper file, or database.

Goal(s): Develop a full-lifecycle policy methodology, covering policy development, refresh, and retirement, based on current best practices.

Each organization shall answer the following questions:

  1. Has the organization adopted an IT/IS “policy management” standard?
  2. Which policy development process standard is employed?
  3. Does the IT/IS policy development process include:
    • Policy awareness and compliance?
  4. Is the organization’s IT/IS policy development process simple and repeatable?
  5. Have you developed IT/IS policies and standards that are in compliance with all legal and contractual requirements in terms of privacy and information security?

5.10.2.8 Appendix 3

Risk Management: Risk management is the process of taking actions to avoid or reduce risk to acceptable levels. This process includes both the identification and assessment of risk through risk analysis and the initiation and monitoring of appropriate practices in response to that analysis through the organization’s risk management program.

Goal: Establish risk management planning processes for identifying, assessing, and responding to the risks associated with its information assets. Verify that all IT and/or business processes owners have appropriately documented information security characteristics of their systems. Support the USG Enterprise Risk Management program.

Each organization shall answer the following questions:

  1. Does the organization maintain a current documented inventory of operational systems?
  2. Have all operational systems been assigned a classification/categorization?
  3. Does the list of systems and their appropriate level classification/categorization include the following information?
    • The system’s business or IT owner.
    • The name of the sensitive or critical business function(s) the system supports.
    • The system’s name and purpose.
    • Are any of the system’s operations outsourced? If so, to whom?
    • Does the system have a complete information security plan? If so, what is the security plan date (the date it was last reviewed, updated, or approved)?
    • The date of the last assessment conducted by a trusted 3rd party.
    • Provide a copy upon request.
    • Does the system have a disaster recovery plan and a business continuity plan?
    • Date of the last test of the disaster recovery plan and a business continuity plan.

5.10.2.9 Appendix 4

Computer Security Incident Response and Reporting: In 2009 the USG issued a policy and a security standard for incident response and reporting. Institutions are required to create and gain approval for a documented plan for managing information security incidents including when to escalate to USG and law enforcement.

Goal: To quantify the number of organizations that have a formal incident management capability, and to measure the extent of the impact on institutions’ operations and critical systems, the escalations required to the USG or the GBI, and the notifications made to affected parties.

Each organization shall answer the following questions:

  1. Does your organization have a documented Computer Security Incident Response and Reporting Plan?
  2. Does the plan include:
    • Preparation
    • Detection & Analysis
    • Escalation, Decision-making processes and Notification
    • Communications Plan
    • Containment, Eradication and Recovery
    • Post-incident Activity
    • Testing and Measurement Plan
    • Review and Revision Processes

5.10.2.10 Appendix 5

Continuity of Operations Planning: Continuity of Operations Planning (C.O.O.P.) ensures the continuity of essential functions through a wide range of emergencies and disasters. Today’s changing threat environment and recent natural and man-made emergencies demonstrate the need for C.O.O.P. capabilities and plans.

In 2009 USG issued a new policy and security standards to support institutions in the development of C.O.O.P.

Goal: To determine whether all organizations are aware of the need for a Continuity of Operations Planning - C.O.O.P. program. Determine if the organization’s IT/IS C.O.O.P. includes collaboration/communications with organization emergency operations/planning strategies/initiatives.

Each organization shall answer the following questions:

  1. Do you have a comprehensive “Continuity of Operations Plan” that:
    • Identifies the critical business processes and applications, along with the hardware, software, business and IT support staff that run them, and the local and wide area networks that connect them to the end users?
    • Includes a backup and recovery plan, on disk, tape or a network storage device, for:
      • The operating system with current patch levels
      • The critical applications that run on the operating system, with current patches
      • Critical data
    • Backup and Recovery Test Plan
    • Incident Response and Reporting Plan (IR)
    • Incident Response and Reporting Test Plan
    • Disaster Recovery Plan (DR) & Business Continuity Plan (BC)
    • A hardware replacement plan
    • Documented step-by-step procedures on how to recover the OS, applications and data
    • A testing plan and results of the last test
    • Offsite storage of the critical data (30+ miles away)
    • An alternate site/location identified
    • Contract or arrangement for an alternate sustainable power generation (Consider multi-fuel electric power generators)
    • Disaster Recovery Plan (DR) & Business Continuity Plan (BC) Test Plan, through scenarios and tests.
    • Documented and tested total business resumption plan

5.10.2.11 Appendix 6

Security Education and Awareness: In 2009, USG issued a policy and a security standard requiring that all USG employees and contractors (defined as full- and part-time employees and contractors) complete comprehensive annual security awareness training. USG Information Security & ePrivacy has made available an information security awareness training video and materials for this purpose.

Goal: To determine the number of employees who have completed annual security awareness training using the video/presentation materials provided by the USG or an external/internal equivalent.

Each institution shall answer the following questions:

  1. How many employees and/or contractors (full and part-time) does the USG organization employ?
  2. Were your employees required to complete the USG security awareness training video or other presentations?
    • If yes, how many successfully completed the training?
    • If no, describe any alternate training that was provided and how many employees successfully completed the training.

Print friendly Version date May 15, 2014

The following minimum information security standards are required for devices connected to the USG PeachNet™ network.

5.11.1 Software Patch Updates

Networked devices must run software for which security patches are made available in a timely fashion. They must have all currently available security patches installed. Exceptions may be granted for patches that compromise the usability of critical applications.


5.11.2 Anti-Virus, Anti-Spam, and Anti-Phishing Software

Anti-virus, anti-spam and anti-phishing software must be running and up-to-date on every class of networked device, including clients, file servers, mail servers, and other types of networked devices.


5.11.3 Host-Based Firewall or Host-Based Intrusion Prevention Software

Host-based firewall or host-based intrusion prevention software appropriate to the device type must be running and configured on every class of networked device, including clients, file servers, mail servers, and other types of networked devices. While the use of hardware (network) firewalls is encouraged, they do not necessarily obviate the need for host-based firewalls or host-based intrusion prevention: a firewall at the segment or perimeter boundary does not protect a host from other hosts on the same segment or from traffic the boundary already permits.


5.11.4 Passwords

USG electronic communications systems or services must identify users and authenticate and authorize access by means of user ID, passwords, or other secure authentication processes (e.g. biometrics or Smart Cards). Password length and strength must meet the USG Password Security and Composition Standard. In addition, shared-access systems must enforce these standards whenever possible and appropriate and require that users change any pre-assigned passwords immediately upon initial access to the account. All default passwords for access to network accessible devices must be modified. Passwords used by system administrators for their personal access to a service or device must not be the same as those used for privileged access to any service or device.


5.11.5 Encrypted Authentication

Unencrypted device authentication mechanisms are only as secure as the network upon which they are used. Traffic across the USG network may be surreptitiously monitored, rendering these authentication mechanisms vulnerable to compromise. Therefore, all networked devices must use only encrypted authentication mechanisms unless otherwise authorized by USG Information Security & ePrivacy. In particular, historically insecure services such as Telnet, FTP, SNMP, POP, and IMAP must be replaced by their encrypted equivalents (for example, SSH in place of Telnet, SFTP or FTPS in place of FTP, SNMPv3 with authentication and privacy in place of SNMPv1/v2c, and POP3S/IMAPS or mandatory STARTTLS in place of cleartext POP and IMAP).
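One practical check for the requirement above is to audit what a device is actually listening on. The following is an added example, not USG code or a USG-supplied tool: it parses the text output of `ss -tulnp` (Linux) and flags listeners on the ports used by the cleartext services the standard names, suggesting the encrypted replacement. The port/replacement table and the sample listing are constructed by the editor, not taken from the page or from any USG host. Loopback-only listeners are reported separately because they are not exposed to the on-network monitoring the paragraph warns about, but they still merit review.

```python
"""Flag listening services that still use cleartext authentication (Handbook 5.11.5).

Added example, not USG code.  Reads the text output of `ss -tulnp` (or `ss -tlnp`
/ `ss -ulnp`) from a file given on the command line, or audits the constructed
sample below.  The port-to-replacement table is the editor's assumption, not the page's.
"""
import re
import sys
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Port -> (cleartext service, encrypted replacement).  Assumption based on the services the
# standard names; STARTTLS on 110/143 only counts if the server refuses cleartext logins.
CLEARTEXT_AUTH_PORTS = {
    21: ("FTP", "SFTP over SSH (tcp/22) or FTPS (tcp/990)"),
    23: ("Telnet", "SSH (tcp/22)"),
    110: ("POP3", "POP3S (tcp/995), or POP3 with STARTTLS enforced"),
    143: ("IMAP", "IMAPS (tcp/993), or IMAP with STARTTLS enforced"),
    161: ("SNMP v1/v2c", "SNMPv3 with authPriv (same udp/161, v1/v2c disabled)"),
}

LOOPBACK = {"127.0.0.1", "[::1]", "::1"}
ADDR_PORT = re.compile(r"^(.*):(\d+)$")     # "0.0.0.0:22", "[::]:993"; skips "0.0.0.0:*"
PROCESS = re.compile(r'\(\("([^"]+)"')       # the name inside users:(("sshd",pid=...))

# Constructed sample listing in `ss -tulnp` format; not a capture from a real host.
SAMPLE_SS_OUTPUT = """\
Netid  State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
udp    UNCONN  0       0       0.0.0.0:161         0.0.0.0:*          users:(("snmpd",pid=700,fd=8))
tcp    LISTEN  0       128     0.0.0.0:22          0.0.0.0:*          users:(("sshd",pid=812,fd=3))
tcp    LISTEN  0       128     0.0.0.0:23          0.0.0.0:*          users:(("in.telnetd",pid=901,fd=4))
tcp    LISTEN  0       5       0.0.0.0:21          0.0.0.0:*          users:(("vsftpd",pid=950,fd=3))
tcp    LISTEN  0       100     127.0.0.1:110       0.0.0.0:*          users:(("dovecot",pid=1201,fd=20))
tcp    LISTEN  0       100     [::]:993            [::]:*             users:(("dovecot",pid=1201,fd=22))
tcp    LISTEN  0       511     [::]:443            [::]:*             users:(("nginx",pid=1400,fd=6))
"""


@dataclass
class Finding:
    port: int
    service: str
    process: str
    bind: str
    exposure: str      # "loopback" or "network"
    replacement: str


def _local_socket(tokens: List[str]) -> Optional[Tuple[str, int]]:
    """First token shaped like addr:port with a numeric port: the Local Address column."""
    for tok in tokens:
        m = ADDR_PORT.match(tok)
        if m:
            return m.group(1), int(m.group(2))
    return None


def audit_listeners(ss_output: str) -> List[Finding]:
    """Return one Finding per listener on a cleartext-authentication port, sorted by port."""
    findings = []
    for line in ss_output.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] in ("Netid", "State"):   # header line
            continue
        sock = _local_socket(tokens)
        if sock is None:
            continue
        host, port = sock
        if port not in CLEARTEXT_AUTH_PORTS:
            continue
        service, replacement = CLEARTEXT_AUTH_PORTS[port]
        m = PROCESS.search(line)
        findings.append(Finding(
            port=port, service=service,
            process=m.group(1) if m else "?",
            bind=f"{host}:{port}",
            exposure="loopback" if host in LOOPBACK else "network",
            replacement=replacement))
    return sorted(findings, key=lambda f: f.port)


def report(findings: List[Finding]) -> str:
    """Human-readable summary of the findings."""
    if not findings:
        return "no cleartext authentication services listening"
    lines = [f"{len(findings)} cleartext authentication service(s) listening:"]
    for f in findings:
        lines.append(f"  {f.service:<12} {f.bind:<20} {f.process:<12} [{f.exposure}] -> {f.replacement}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: ss -tulnp > listeners.txt && python audit.py listeners.txt
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SS_OUTPUT
    print(report(audit_listeners(text)))
```

On the sample the audit flags FTP (21), Telnet (23), POP3 (110, loopback only) and SNMP (161) and leaves SSH, IMAPS and HTTPS alone. A port match is only a first pass: a listener on 110 or 143 that enforces STARTTLS before authentication is compliant, so each finding should be confirmed against the service configuration before it is reported as a violation.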

Encryption, or equally effective measures, is required for all personal, sensitive, or confidential information, as defined in Section 5.7, that is stored on portable electronic storage media (including, but not limited to, CDs/DVDs, external/mobile storage and USB drives) and on portable computing devices (including, but not limited to laptop and notebook computers). This policy does not apply to mainframe and server tapes.


5.11.6 Physical Security

Unauthorized physical access to an unattended device can result in harmful or fraudulent modification of data, fraudulent email use, or any number of other potentially dangerous situations. In light of this, where possible and appropriate, devices must be configured to lock and require a user to re-authenticate if left unattended for more than twenty (20) minutes.


5.11.7 Unnecessary Services

Services not necessary for the intended purpose or operation of the device must not be running.



5.12.1 User Access Controls

USG institutions, the USO, the GPLS, and the Georgia Archives must establish policies and procedures that ensure necessary user access controls are in place for controlling the actions, functions, applications, and operations of legitimate users. The aim is to protect the confidentiality, integrity, and availability of all USG information resources.

The guiding principles in developing these standards and procedures are:

  1. Users will have access to the resources needed to accomplish their duties.
  2. User access applies the principles of least privilege and resource categorization as necessary tools to achieve the desired purpose.
  3. User access controls will balance security and USG mission needs.

All users, whether internal, external, or temporary, and their activity on all IT systems should be uniquely identifiable. User identification should be enabled through appropriate authentication mechanisms. User access rights to all systems and data must be in line with defined and documented business needs, and job requirements must be attached to user identification. User access rights should be requested by user management, approved by system owners, and implemented by the appropriate local security administrator. User identification and access rights should be maintained in a central repository. Each USG participant organization should deploy cost-effective technical and procedural measures to establish user identification, implement authentication, and enforce access rights. These measures should be reviewed periodically and kept current.


5.12.2 USG Password Authentication Standard

5.12.2.1 Purpose

Passwords are an important aspect of information and information technology security. They are often the only means for authenticating users and the front line of protection for user accounts. Failure to use a strong password or using a poorly chosen password when accessing USG information assets may result in the compromise of those assets. It is the responsibility of every USG participant organization to implement authentication mechanisms such as passwords to access sensitive data, and the responsibility of the user to appropriately select and protect their passwords.

5.12.2.2 Scope

This security standard applies to all USG institutions, the USO, the GPLS, and the Georgia Archives. It also applies to all users (employees, contractors, vendors, and other parties) of USG and state information technology systems or data, who are expected to understand and abide by the standard.

5.12.2.3 Standard

Passwords shall be the minimum acceptable mechanism for authenticating users and controlling access to the USG and its participant organizations’ information systems, services and applications unless specifically designated as a public access resource.

All users (students, employees, contractors, and vendors) with access to USG information and information systems shall take the appropriate steps to select and secure their passwords.

5.12.2.4 Enforcement

Individual USG participant organizations are responsible for developing internal procedures to facilitate compliance with these USG security policies and standards. The standards are designed to comply with applicable laws and regulations. However, if there is a conflict, applicable laws and regulations will take precedence.

USG participant organizations may establish more stringent policies, standards and procedures consistent with this USG standard.

Violations of this standard could result in serious security incidents involving sensitive state, federal, or privacy data. Violators may be subject to disciplinary action, including termination and/or criminal prosecution.

The standards will guide periodic security reviews, as well as audits by USG Internal Audit & Compliance and the state Department of Audits and Accounts (DOAA).

5.12.2.5 Authority

5.12.2.6 Related Enterprise Policies, Standards, Guidelines


5.12.3 USG Password Security and Composition Standard

5.12.3.1 Purpose

This section establishes a standard for protecting passwords and the frequency of change for such passwords to mitigate compromise of sensitive information.

5.12.3.2 Scope

This security standard applies to all USG institutions, the USO, the GPLS, and the Georgia Archives. This standard also applies to all USG users, including employees, contractors, vendors, and other parties.

5.12.3.3 Standard

  1. All passwords shall be treated as sensitive, confidential information and shall not be shared with anyone including, but not limited to, administrative assistants, system administrators and helpdesk personnel.
  2. Passwords shall not be stored in clear text.
  3. Users shall not write passwords down or store them anywhere in their office or publicly. They shall not store passwords in a file on any computer system, including smart devices, without encryption.
  4. All system-level administrative passwords shall be changed every ninety (90) days. All user-level passwords shall be changed every one hundred and eighty (180) days.
  5. User accounts that have system-level privileges granted through group memberships or programs shall have a unique password from other accounts held by that user.
  6. Passwords shall not be inserted into email messages or other forms of electronic communication unless encrypted.
  7. If an account or password is suspected of being compromised, the incident must be reported to the appropriate authorities in accordance with local incident response procedures.
  8. Temporary or “first use” passwords (e.g., new accounts or guests) must be changed the first time the authorized user accesses the system, and have a limited life of inactivity before being disabled.
  9. Access to all USG information systems and applications used to process, store, or transfer data with a security categorization of MODERATE or higher, as defined in Section 5.6.3 of this Handbook, shall require the use of strong passwords or other strong authentication mechanisms. Strong passwords shall be constructed with the following characteristics:
    • Be at least ten characters in length
    • Must contain characters from at least two of the following four types of characters:
      • English upper case (A-Z)
      • English lower case (a-z)
      • Numbers (0-9)
      • Non-alphanumeric special characters ($, !, %, ^, …)
    • Must not contain the user’s name or part of the user’s name
    • Must not contain easily accessible or guessable personal information about the user or user’s family, such as birthdays, children’s names, addresses, etc.
    • Note 1: A six-character password is acceptable if “account lockout” is enabled and set to lock or disable the account after five unsuccessful or failed login attempts. Six-character passwords must adhere to all of the characteristics noted above.
    • Note 2: Participant organizations may mix different characteristics regarding length and mandatory characters to obtain the same password strength. For example, a password of 11 characters containing two upper case letters, two lower case letters, two numbers, and no special characters would be permissible.
  10. Password history must be enabled and configured so that a password cannot be reused until at least four (4) subsequent changes have taken place; users and administrators must not be allowed to reuse any of their previous four (4) passwords. A minimum password age must also be enforced: a user or administrator who has just changed a password must not be allowed to change it again immediately. Without a minimum age, a user could cycle through several passwords in succession to return to the old one.
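The composition rules in item 9 (with Note 1) and the history and minimum-age rules in item 10 can be enforced by a small policy checker. The following is an added example, not USG code or any USG-supplied tool: it validates a candidate password against the rules above and keeps a salted PBKDF2 history so that reuse can be detected without storing cleartext (item 2). The page sets no minimum password age value, so the one-day MIN_AGE, the PBKDF2 parameters, and the sample account “jsmith” are assumptions.

```python
"""Checks for the USG password composition and history rules (Handbook 5.12.3.3, items 9 and 10).

Added example, not USG code.  The page gives the rules but no minimum-age value;
MIN_AGE and the PBKDF2 parameters below are assumptions, and the accounts are constructed.
"""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Sequence, Tuple

MIN_LENGTH = 10                 # item 9: at least ten characters
MIN_LENGTH_WITH_LOCKOUT = 6     # Note 1: six is acceptable only when lockout is enforced
LOCKOUT_MAX_FAILURES = 5        # Note 1: lock after five failed attempts
MIN_CLASSES = 2                 # item 9: two of the four character classes
HISTORY_DEPTH = 4               # item 10: no reuse of the previous four passwords
MIN_AGE = timedelta(days=1)     # item 10 requires a minimum age; one day is an assumption
PBKDF2_ITERATIONS = 100_000     # assumption

CHARACTER_CLASSES = {
    "upper": re.compile(r"[A-Z]"),
    "lower": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "special": re.compile(r"[^A-Za-z0-9]"),
}


def _fragments(term: str, min_len: int = 3) -> List[str]:
    """Lower-cased pieces of a name or personal fact worth searching for inside a password.

    "John Smith" -> ["john", "johnsmith", "smith"]; "1985-03-14" -> ["1985", "19850314"]."""
    pieces = {t.lower() for t in re.split(r"[^A-Za-z0-9]+", term) if len(t) >= min_len}
    joined = re.sub(r"[^A-Za-z0-9]", "", term).lower()
    if len(joined) >= min_len:
        pieces.add(joined)
    return sorted(pieces)


def check_composition(password: str, user_names: Sequence[str],
                      personal_terms: Sequence[str] = (),
                      lockout_max_failures: Optional[int] = None) -> List[str]:
    """Return the item-9 rules the password violates (an empty list means acceptable).

    user_names: login name and display name(s) of the account holder (any part is forbidden).
    personal_terms: birthdays, children's names, address parts, etc.
    lockout_max_failures: the account-lockout threshold in force, or None if there is no lockout."""
    problems = []
    min_len = MIN_LENGTH
    if lockout_max_failures is not None and lockout_max_failures <= LOCKOUT_MAX_FAILURES:
        min_len = MIN_LENGTH_WITH_LOCKOUT          # Note 1
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    present = [name for name, rx in CHARACTER_CLASSES.items() if rx.search(password)]
    if len(present) < MIN_CLASSES:
        problems.append(f"uses only {len(present)} of 4 character classes")
    lowered = password.lower()
    for name in user_names:
        for frag in _fragments(name):
            if frag in lowered:
                problems.append(f"contains part of the user's name: {frag!r}")
    for term in personal_terms:
        for frag in _fragments(term):
            if frag in lowered:
                problems.append(f"contains personal information: {frag!r}")
    return problems


@dataclass
class PasswordRecord:
    """Per-account state.  History holds (salt, PBKDF2 digest) pairs, never cleartext (item 2)."""
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)
    last_changed: Optional[datetime] = None


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def check_history(record: PasswordRecord, candidate: str, now: datetime) -> List[str]:
    """Item 10: no immediate re-change, and no reuse of the previous HISTORY_DEPTH passwords."""
    problems = []
    if record.last_changed is not None and now - record.last_changed < MIN_AGE:
        problems.append("changed too recently (minimum password age not reached)")
    for salt, digest in record.history[-HISTORY_DEPTH:]:
        if hmac.compare_digest(_derive(candidate, salt), digest):
            problems.append(f"matches one of the previous {HISTORY_DEPTH} passwords")
            break
    return problems


def change_password(record: PasswordRecord, candidate: str, user_names: Sequence[str],
                    now: datetime, personal_terms: Sequence[str] = (),
                    lockout_max_failures: Optional[int] = None) -> List[str]:
    """Apply both rule sets; on success record a fresh salted digest and the change time."""
    problems = check_composition(candidate, user_names, personal_terms, lockout_max_failures)
    problems += check_history(record, candidate, now)
    if problems:
        return problems
    salt = os.urandom(16)
    record.history.append((salt, _derive(candidate, salt)))
    record.last_changed = now
    return []


def run_history_scenario() -> List[List[str]]:
    """Walk one constructed account through a change cycle; returns the violations per step."""
    names = ("jsmith", "John Smith")
    rec = PasswordRecord()
    t = datetime(2014, 5, 15, 9, 0)
    steps = [
        change_password(rec, "Correct-Horse-1", names, t),                          # accepted
        change_password(rec, "Correct-Horse-2", names, t + timedelta(minutes=5)),   # too soon
        change_password(rec, "Correct-Horse-1", names, t + timedelta(days=1)),      # reuse
    ]
    for i in range(2, 6):                                                           # four fresh passwords
        steps.append(change_password(rec, f"Correct-Horse-{i}", names, t + timedelta(days=2 * i)))
    steps.append(change_password(rec, "Correct-Horse-1", names, t + timedelta(days=12)))  # aged out
    return steps
```

check_composition takes the account’s login and display names because the standard forbids any part of the user’s name, and birthdays or family names go in personal_terms. The lockout_max_failures argument is how Note 1 is applied: the six-character floor is accepted only when the caller states that lockout after at most five failures is actually enforced. In run_history_scenario the first password is rejected when offered again one day later, and accepted again only after four other passwords have been used, which is the “past four changes” behaviour item 10 describes.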

5.12.3.4 Enforcement

Individual USG participant organizations are responsible for developing internal procedures to facilitate compliance with these USG security policies and standards. The standards are designed to comply with applicable laws and regulations; however, if there is a conflict, applicable laws and regulations will take precedence.

USG participant organizations may establish more stringent policies, standards and procedures consistent with this USG standard.

Violations of this standard could result in serious security incidents involving sensitive state, federal, or privacy data. Violators may be subject to disciplinary action, including termination and/or criminal prosecution.

The standards will guide periodic security reviews, as well as audits by USG Internal Audit & Compliance and the state Department of Audits and Accounts (DOAA).

5.12.3.5 Authority

5.12.3.6 Related Enterprise Policies, Standards, and Guidelines



Guidelines for interpretation and administration of domain name security are provided in the USG Domain Name System (DNS) Security Standard.

5.13.1 USG Domain Name System (DNS) Security Standard

5.13.1.1 Purpose

The purpose of this standard is to provide guidance in implementing Domain Name System (DNS) security on the DNS server(s).

5.13.1.2 Background

If DNS data is compromised, attackers can gain information about the network that can be used to compromise other services. For example, attackers can harm the organization in the following ways (not an exhaustive list):

  1. By using an unrestricted zone transfer, attackers can retrieve a list of all the hosts and their IP addresses in your network;
  2. By using denial-of-service attacks, attackers can prevent e-mail from being delivered to and from your network, and they can prevent your Web server from being visible; or,
  3. If attackers can change your zone data, they can set up fake Web servers, or cause email to be redirected to their servers.

5.13.1.3 Scope

This standard covers USG internal DNS system(s), and USG external DNS system(s).

5.13.1.4 Domain Name Server (DNS) System Security Policy

DNS Internal Security Standard

  1. Every USG institution, the USO, the GPLS, and the Georgia Archives must have at a minimum one (1) internal DNS system.
  2. DNS systems must be physically secured.
  3. Internal hosts must resolve names through an internal DNS server.
  4. All servers and network equipment must have a reserved IP address, and these reserved IP addresses must be registered in DNS.
  5. All internal applications should refer to other systems by DNS name, not by IP address.
  6. The DNS server must be located on a LAN segment separate from the one used by user workstations.
  7. Internal DNS servers must not query the Internet directly.
  8. Queries for Internet or other external names must be forwarded to an external DNS server.

DNS External Security Standard

  1. External DNS must be located in a demilitarized zone (DMZ) or similar architecture.
  2. External DNS must be protected with firewall equipment or IPS.
  3. DNS administration must follow best practices.

5.13.1.5 Domain Name Service (DNS) Guidelines



5.14.1 Overview

USG policies prohibit the distribution of materials owned by anyone other than the person engaged in such distribution, whether officially copyrighted or not, without the permission of the owner. The distribution of copyright protected files without the permission of the copyright holder is illegal.


5.14.2 Applicability and Availability

This guideline applies to all USG institutions, the USO, the GPLS, and the Georgia Archives. This includes students, faculty and staff members as well as guest account holders.


5.14.3 Purpose

The USG Appropriate Use Policy establishes a general policy for the use of computing, telephone and information resources. The purpose of this guideline is to establish acceptable practices that support the policy as it applies to copyright violations.

This guideline was established to ensure that the USG community has a clear understanding of proper procedure and usage. USG Information Security & ePrivacy reserves the right to modify this guideline as necessary.


5.14.4 Guideline Statement

For anyone accessing the Internet through the USG’s PeachNet℠ network using an institutionally-owned or personally-owned computer, the USG institution, the USO, the GPLS, or the Georgia Archives serves as the Internet Service Provider (ISP), and is therefore bound by laws and policies that apply to ISPs.

The USG requires that all users of its network learn and abide by relevant policies that apply to such use as outlined in the USG Appropriate Use Policy.

As an ISP, the USG institution, the USO, the GPLS, or the Georgia Archives is required to respond, and has responded, to complaints from copyright holders and organizations representing copyright holders, such as the Recording Industry Association of America (RIAA) and the Motion Picture Association of America (MPAA), regarding the illegal distribution of copyrighted materials. Most such complaints are associated with peer-to-peer music and video distribution. When receiving a “cease and desist order” from these and other organizations with credible evidence of the abuse and sufficient identification of the computers involved, USG Information Security & ePrivacy has the right to investigate the situation and inform the USG participant organization responsible for the computer(s) at issue of the complaint.

Recent developments suggest that if requested by representatives of copyright holders, the USG will be legally required to provide information about individual users who appear to be illegally distributing copyrighted materials on our network and/or to the Internet. These organizations, particularly the RIAA, have indicated or explicitly announced their intention to aggressively identify and bring suits against individual users for such distribution of copyrighted materials.

In such cases, it is the individual engaged in such distribution that will be legally liable and subject to possible fines, which according to the Digital Millennium Copyright Act can range from $750 to $150,000 per song if songs are the items being distributed illegally. The RIAA recently won a legal case requiring Verizon, an ISP, to turn over the names of subscribers who, according to the RIAA, were engaging in illegal file sharing using their network. Furthermore, the RIAA recently sued four college students who were allegedly engaged in extensive sharing of copyrighted music on their colleges’ networks. These suits were settled, with the students involved agreeing to pay between $12,000 and $17,000 in compensation.


5.14.5 Responsibilities and Procedures

Because of USG’s standing policy and because of the announced intention by the RIAA to pursue personal suits as well as issue cease and desist orders to ISPs, we urge all members of the USG community to strictly follow USG policy and this guideline on the distribution of copyrighted material.


Print friendly Version date May 15, 2014

Identity theft is defined as a fraud committed or attempted using the identifying information of another person without authority. The risk to USG institutions, the USO, the GPLS, and the Georgia Archives and their faculty, staff, students, and other applicable constituents from identity theft and accompanying data loss is of significant concern to the USG. USG participant organizations should make reasonable efforts to detect, prevent, and mitigate identity theft.

5.15.1 Purpose

The USG adopts this Identity Theft Prevention Standard and enacts this program in an effort to detect, prevent and mitigate identity theft, and to help protect USG participant organizations and their faculty, staff, students, and other applicable constituents from damages related to the loss or misuse of identifying information due to identity theft.

Personal identifying information, as defined in Section 5.7 of this Handbook, is any name or number that may be used, alone or in conjunction with any other information, to identify a specific person, including but not limited to: name, address, telephone number, Social Security number (SSN), date of birth, government-issued driver’s license or identification number, alien registration number, government passport number, employer or taxpayer identification number, student identification number, computer Internet Protocol address or routing code, and credit card number or other credit card information.

Under this standard, the program will:

  1. Identify patterns, practices or specific activities (red flags) that could indicate the existence of identity theft with regard to new or existing covered accounts. A covered account is defined as:
    • Any account that involves or is designated to permit multiple payments or transactions; or,
    • Any other account maintained by a USG participant organization for which there is a reasonably foreseeable risk of identity theft to students, faculty, staff, or other applicable constituents, or for which there is a reasonably foreseeable risk to the safety or soundness of the USG participant organization from identity theft, including financial, operational, compliance, reputation, or litigation risks.
  2. Detect red flags that are incorporated in the program. A red flag is a pattern, practice or specific activity that indicates the possible existence of identity theft.
  3. Respond appropriately to any red flags that are detected under this program to prevent and mitigate identity theft.
  4. Ensure periodic updating of the program, including reviewing the covered accounts and the identified red flags that are part of this program.
  5. Promote compliance with state and federal laws and regulations regarding identity theft protection.

The program shall, as appropriate, incorporate existing USG and institutional policies and guidelines such as anti-fraud programs and information security programs that control reasonably foreseeable risks.


5.15.2 Identifying Red Flags

The following examples of red flags are potential indicators of fraud or identity theft. The risk factors for identifying relevant red flags include the types of covered accounts offered or maintained, the methods provided to open or access covered accounts, and previous experience with identity theft. Any time a red flag or a situation closely resembling a red flag is apparent, it should be investigated for verification.

5.15.2.1 Alerts, Notifications, or Warnings from a Credit or Consumer Reporting Agency

Examples of these red flags include:

  1. A report of fraud or active duty alert in a credit or consumer report
  2. A notice of credit freeze from a credit or consumer reporting agency in response to a request for a credit or consumer report
  3. A notice of address discrepancy in response to a credit or consumer report request
  4. A credit or consumer report having a pattern of activity inconsistent with the history and usual pattern of activity of an applicant, such as:
    • A recent and significant increase in the volume of inquiries
    • An unusual number of recently established credit relationships
    • A material change in the use of credit, especially with respect to recently established credit relationships
    • An account that was closed for cause or identified for abuse of account privileges by a financial institution or creditor

5.15.2.2 Suspicious Documents

Examples of these red flags include:

  1. Documents provided for identification appear to have been altered or forged, or appear inauthentic.
  2. The photograph or physical description on the identification document is not consistent with the appearance of the individual presenting the identification.
  3. Other information on the identification is not consistent with information provided by the person opening a new covered account or individual presenting the identification.
  4. Other information on the identification is not consistent with readily accessible information that is on file with the USG participant organization, such as a signature card or a recent check.
  5. An application appears to have been altered or forged, or gives the appearance of having been destroyed and reassembled.

5.15.2.3 Suspicious Personal Identifying Information

Examples of these red flags include:

  1. Personal identifying information provided is inconsistent when compared against other sources of information used by the participant organization, such as:
    • The address does not match any address in the consumer report; or,
    • The SSN has not been issued or is listed on the Social Security Administration’s Death Master File.
  2. Personal identifying information provided by the individual is not consistent with other personal identifying information provided by that individual, such as a lack of correlation between the SSN range and date of birth.
  3. Personal identifying information provided is associated with known fraudulent activity, such as an address or telephone number on an application that is the same as one provided on a fraudulent application.
  4. Personal identifying information provided is of a type commonly associated with fraudulent activity, such as:
    • The address on an application is fictitious, a mail drop, or a prison; or,
    • The phone number is invalid or is associated with a pager or answering service.
  5. The Social Security number provided is the same as that submitted by another person opening an account.
  6. The address or telephone number provided is the same as or similar to the address or telephone number submitted by another person.
  7. The individual opening the covered account fails to provide all required personal identifying information on an application or in response to notification that the application is incomplete.
  8. Personal identifying information provided is not consistent with personal identifying information that is on file with the USG participant organization.
  9. When answering security questions (mother’s maiden name, pet’s name, etc.), the person opening that covered account cannot provide authenticating information beyond what would generally be available from a wallet or consumer report.

5.15.2.4 Unusual Use of, or Suspicious Activity Related to, a Covered Account

Examples of these red flags include:

  1. Shortly following the notice of a change of address for a covered account, a request is received for a new, additional, or replacement card, or for the addition of authorized users on the account.
  2. A covered account is used in a manner that is not consistent with established patterns of activity on the account, such as:
    • Nonpayment when there is no history of late or missed payments; or,
    • A material change in purchasing or usage patterns.
  3. A covered account that has been inactive for a reasonably lengthy period of time is used, taking into consideration the type of account, the expected pattern of usage and other relevant factors.
  4. Mail sent to the individual is returned repeatedly as undeliverable although transactions continue to be conducted in connection with the individual’s covered account.
  5. The USG participant organization is notified that the individual is not receiving paper account statements.
  6. The USG participant organization is notified of unauthorized charges or transactions in connection with an individual’s covered account.
  7. The USG participant organization receives notice from customers, victims of identity theft, law enforcement authorities, or other persons regarding possible identity theft in connection with its covered accounts.
  8. The USG participant organization is notified by an employee or student, a victim of identity theft, a law enforcement authority, or any other person that it has opened a fraudulent account for a person engaged in identity theft.
  9. There is a breach in the USG entity’s computer security system.

5.15.3 Detecting Red Flags

5.15.3.1 Student Enrollment

In order to detect red flags associated with the enrollment of a student, the USG participant organization will take the following steps to obtain and verify the identity of the individual opening the account:

  1. Require certain identifying information such as name, date of birth, academic records, home address, or other identification; and,
  2. Verify the student’s identity at the time of issuance of the student identification card through review of a driver’s license or other government-issued photo identification.

5.15.3.2 Existing Accounts

In order to detect red flags associated with an existing account, the USG participant organization will take the following steps to monitor transactions on an account:

  1. Verify the identification of students if they request information;
  2. Verify the validity of requests to change billing addresses by mail or email, and provide the student a reasonable means of promptly reporting incorrect billing address changes; and,
  3. Verify changes in banking information given for billing and payment purposes.

5.15.3.3 Consumer/Credit Report Requests

In order to detect red flags for an employment or volunteer position for which a credit or background report is sought, the USG participant organization will take the following steps to assist in identifying address discrepancies:

  1. Require written verification from any applicant that the address provided by the applicant is accurate at the time the request for the credit report is made to the consumer reporting agency; and,
  2. In the event that notice of an address discrepancy is received, verify that the credit report pertains to the applicant for whom the requested report was made and report to the consumer reporting agency an address for the applicant that has reasonably been confirmed is accurate.

5.15.4 Responding to Red Flags

Once a red flag or potential red flag is detected, the USG participant organization must act quickly with consideration of the risk posed by the red flag. The USG participant organization should quickly gather all related documentation, write a description of the situation, and present this information to the Program Administrator for determination. The Program Administrator will complete additional authentication to determine whether the attempted transaction was fraudulent or authentic. The USG participant organization may take any of the following steps deemed appropriate:

  1. Continue to monitor the covered account for evidence of identity theft.
  2. Contact the student or applicant for whom a credit report was run.
  3. Change any passwords or other security devices that permit access to covered accounts.
  4. Close and reopen the account.
  5. Determine not to open a new covered account.
  6. Provide the student with a new student identification number.
  7. Notify law enforcement.
  8. Determine that no response is warranted under the particular circumstances.
  9. Cancel the transaction.

5.15.5 Protecting Personal Information

In order to reduce the likelihood of identity theft occurring with respect to covered accounts, a USG participant organization may take the following steps with respect to its internal operating procedures:

  1. Lock file cabinets, desk drawers, overhead cabinets, and any other storage space containing documents with covered account information when not in use.
  2. Lock storage rooms containing documents with covered account information and record retention areas at the end of each workday or when unsupervised.
  3. Clear desks, workstations, work areas, printers and fax machines, and common shared work areas of all documents containing covered account information when not in use.
  4. Destroy documents or computer files containing covered account information in a secure manner.
    • Note: Records may only be destroyed in accordance with the state’s records retention guideline.
  5. Ensure that office computers with access to covered account information are password protected.
  6. Ensure that the endpoint is secure.
  7. Avoid the use of Social Security numbers.
  8. Use encryption devices when transmitting covered account information.

USG personnel are encouraged to use common sense judgment in securing covered account information to the proper extent. Furthermore, this section should be read in conjunction with the Family Educational Rights and Privacy Act (FERPA), the Georgia Open Records Act, and other applicable laws and policies. If an employee is uncertain of the sensitivity of a particular piece of information, he/she should contact his/her supervisor or USG Information Security & ePrivacy for advice.



5.16.1 Purpose

USG email is provided as a tool to assist and facilitate state business and communications with students, faculty, and USG representatives conducting official business on behalf of the USG. This section establishes a standard for the appropriate use and protection of USG email systems.


5.16.2 Scope, Authority, Enforcement, and Exceptions

Individual USG institutions, the USO, the GPLS, and the Georgia Archives will be responsible for developing detailed procedures to comply with this standard. This standard will guide periodic reviews, as well as audits by USG Internal Audit and Compliance. Violators of this standard may be subject to employee disciplinary procedures. USG participant organizations may impose sanctions upon their employees for violations of this standard.


5.16.3 Standard

  1. Access to email shall be governed by the USG participant organization’s authorization and access control and password protection policies and standards.
  2. Email passwords shall be encrypted and not be stored or passed in clear text.
  3. Email systems shall be protected from viruses, interception, and other malicious intentions.
  4. Use of USG email systems for the creation or distribution of any disruptive or offensive messages is prohibited.
  5. Mass mailings about viruses or other malware warnings shall not be distributed by general users, and shall be validated, approved, and distributed by the appropriate security administrator(s).
  6. All email monitoring must be reviewed and approved by USG Information Security & ePrivacy and/or USG Legal Affairs.
  7. Unauthorized email forwarding is prohibited. Email forwarding must be approved by the email account user or the USG participant organization’s executive management.

All electronic mail (email) transmitted to or from a USG email system shall comply with all applicable federal and state regulations, and shall be governed by the following USG security policies, standards, and/or guidelines:



This standard establishes the guidelines for organizing and administering information security at USG institutions, the USO, the GPLS, and the Georgia Archives.

5.2.1 Information Security Organization

Each USG institution, the USO, the GPLS, and the Georgia Archives must create an information security organization and program that ensures the confidentiality, integrity, and availability of all USG information assets. The program will have oversight for administration of information security standards, processes, and procedures, and will consider the effects of security requirements on the entire enterprise. Every security requirement will be tied to an operational need, a state or federal regulation, or an industry standard practice.

Furthermore, this organization will interpret state or federal regulations and apply their requirements to USG information resources, administer programs and execute projects to meet information security objectives, and perform liaison functions between the institution, the USO, the GPLS, or the Georgia Archives and the USG for matters regarding information security and privacy.

Required administrative activities include, but are not limited to, the following:

  1. Develop security policies, standards, processes, and procedures;
  2. Determine roles and responsibilities for information security within the institution, the USO, the GPLS, or the Georgia Archives;
  3. Develop and implement information security plans for applications, systems, and remote locations as required by local, federal, state, and USG directives;
  4. Evaluate local infrastructure compliance with information security policies, processes, standards, and procedures;
  5. Establish processes and procedures for access to sensitive systems and information;
  6. Establish processes and procedures to minimize the likelihood of disruptions, to recover from disasters, and to respond to security incidents; and,
  7. Develop programs to increase user awareness of information security issues and responsibilities.

5.2.2 Institution, USO, GPLS, and Georgia Archives Information Security Officer (ISO) Designees

Each USG institution, the USO, the GPLS, and the Georgia Archives must identify an information security officer (ISO) who will be responsible for establishing, maintaining, and reporting on information security roles, responsibilities, policies, standards, and procedures. This designee and the appropriate contact information must be sent annually to USG Information Security & ePrivacy, as noted in Section 5.10 of this Handbook.



USG institution, USO, GPLS, and Georgia Archives management must investigate incidents involving loss, damage, misuse of information assets, or improper dissemination of information. All USG institutions, the USO, the GPLS, and the Georgia Archives are required to report information security incidents consistent with the security reporting requirements as noted in Section 5.10 of this Handbook.

Proper incident management includes the formulation and adoption of a written incident management plan, which provides for the timely assembly of appropriate staff that is capable of developing a response to, appropriate reporting about, and successful recovery from a variety of incidents.

In addition, incident management includes the application of lessons learned from incidents, together with the development and implementation of appropriate corrective actions directed to preventing or mitigating the risk of similar occurrences in the future. All institution, USO, GPLS, and Georgia Archives incident management policies and plans must be on file at USG Information Security & ePrivacy. The USO and the USG CISO will file an electronic copy of the USG-USO Incident Response Plan with the State CISO and the Georgia Bureau of Investigation (GBI), per the State Incident Response Reporting Standard.

The process by which computer abuse cases are handled and escalated is shown in the Abuse Notification document posted on the Information Security website at: http://www.usg.edu/infosec/incident_management.

5.3.1 Information Security Incident Reporting Requirements

All USG institutions, the USO, the GPLS, and the Georgia Archives must establish a Computer Security Incident Response (CSIR) plan to respond to and manage adverse activities or actions that threaten the successful conduct of teaching, instruction, research and operations in the USG. This plan should follow existing USG policies and standards, industry best practices, and International Organization for Standardization (ISO) and National Institute of Standards and Technology (NIST) guidelines. This plan must be on file with USG Information Security & ePrivacy per the Reporting Requirements noted in Section 5.10 of this Handbook.


5.3.2 Criteria for Reporting Incidents

USG institution, USO, GPLS, and Georgia Archives management must promptly investigate incidents involving loss, damage, misuse of information assets, or improper dissemination of information. All USG institutions, the USO, the GPLS, and the Georgia Archives are required to report information security incidents consistent with the security reporting requirements of this policy. Reports must be submitted to USG Information Security & ePrivacy per the Reporting Requirements noted in Section 5.10 of this Handbook.


5.3.3 Incident Follow-up Report

In addition, an incident follow-up report must be submitted that includes the application of lessons learned from incidents, together with the development and implementation of appropriate corrective actions directed to preventing or mitigating the risk of similar occurrences in the future. Reports must be submitted to USG Information Security & ePrivacy per the Reporting Requirements noted in Section 5.10 of this Handbook.


5.3.4 Incidents Involving Personal Information

Every USG institution, the USO, the GPLS, and the Georgia Archives that collects, uses, or maintains records containing personal information shall establish and maintain, in its incident management plan, procedures for ensuring that any breach of security involving personal information, regardless of its medium (e.g., paper, electronic, verbal), immediately triggers the incident response procedures. Procedures must be documented and address, at a minimum, the following:

  1. Incident Response Team. Procedures shall identify the positions responsible for responding to a breach of personal information. A response team must include, at a minimum, an escalation manager, the program manager of the program or office experiencing the breach, the ISO, the Senior Official for Privacy, the Public Information or Communications Officer, Legal Counsel, and a representative from the institution, USO, GPLS, or Georgia Archives IS organization. Some incidents will require the involvement of others not mentioned above. For example, if the source of the compromised information was a computer system or database, the USG CIO should also be involved in the response activity. If the incident involves unauthorized access, misuse, or other inappropriate behavior by an employee, or the security breach involves an employee’s personal information, the institution, the USO, the GPLS, or the Georgia Archives Personnel Officer or Human Resource Manager should be involved.
  2. Protocol for Internal Reporting. Procedures shall outline the method, manner, and progression of internal reporting to ensure that executive management is informed about breaches involving personal information; the institution, USO, GPLS, or Georgia Archives Incident Response Team is assembled; and, the incident is addressed immediately.
  3. Decision Making Criteria and Protocol for Notifying Individuals. Procedures shall include documentation of the methods and manner for determining when and how a notification is to be made. The procedures shall be consistent with and comply with USG policies and applicable state and federal laws. At a minimum, these procedures will address the following elements:
    • Whether the notification is required by law;
    • Whether the notification is required by USG or state or federal policy;
    • Timeliness of notification;
    • Source of notice;
    • Content of notice;
    • Approval of notice prior to release;
    • Method(s) of notification;
    • Preparation for follow-on inquiries;
    • Other actions that can be taken to mitigate harm to individuals; and,
    • Other situations when notification should be considered.
  4. Notice to Affected Individuals. Procedures shall provide for notice to individuals when a breach of notice-triggering data elements occurs, regardless of the media involved (electronic or paper), and in accordance with the criteria set forth above.
  5. Breach Notification Trigger. The USG requires that a notification be made to individuals when the breach involves unencrypted “Notice Triggering” personal information as defined in this section. Technically, the law is applicable to a breach involving computerized data. However, the USG has taken the position that a notification should be made when a breach of this same “Notice Triggering” data involves paper or other types of media, as the breach would expose individuals to the same financial/identity theft risk and concerns. Safeguarding all personal, confidential, or sensitive information, no matter the format, is essential to maintaining trust in the USG. The objective is to make timely notification to individuals so that they may take appropriate steps to protect themselves.

For more information, refer to the USG Computer Security Incident Management Standard and the USG Incident Response and Reporting Standard below.


5.3.5 USG Computer Security Incident Management Standard

This section establishes a requirement that each USG institution, the USO, the GPLS, and the Georgia Archives establish a process for detecting and responding to security incidents.

5.3.5.1 Purpose

The number of computer security incidents and the resulting cost of business disruption and service restoration continue to escalate. Although implementing solid security policies, limiting access to networks and computers, improving user security awareness, and early detection and mitigation of security risks are some of the preventative actions that can be taken to reduce the risk, frequency, and cost of security incidents, not all incidents can be prevented. Therefore, an incident response capability is necessary for rapidly detecting incidents, minimizing loss and destruction, mitigating the weaknesses that were exploited, and restoring computing services.

This standard establishes the requirement for each USG institution, the USO, the GPLS, and the Georgia Archives to establish an internal capability for handling computer security incidents.

5.3.5.2 Scope, Authority, Enforcement, and Exceptions

5.3.5.3 Standard

Each USG institution, the USO, the GPLS, and the Georgia Archives shall establish and document an internal information security incident management capability that provides for prevention, monitoring, detection, containment, response, recovery, reporting and escalation appropriate to the level of risk and threats to the participant organization.

USG institution, USO, GPLS, and Georgia Archives management must promptly investigate incidents involving loss, damage, misuse of information assets, or improper dissemination of information. All USG institutions, the USO, the GPLS, and the Georgia Archives are required to report information security incidents according to the security reporting requirements in this standard.

5.3.5.4 Related Enterprise Policies, Standards, and Guidelines

5.3.5.5 References


5.3.6 USG Incident Response and Reporting Standard

This section sets minimum requirements for information security incident response and reporting.

5.3.6.1 Purpose

In support of the USG Computer Security Incident Management Standard, each institution, the USO, the GPLS, and the Georgia Archives must implement an information security incident handling capability. This standard establishes the minimum incident response and reporting requirements.

5.3.6.2 Scope, Authority, Enforcement, and Exceptions

5.3.6.3 Standard

  1. Each USG institution, the USO, the GPLS, and the Georgia Archives must implement an incident management capability including documented processes and procedures for monitoring, detection, data collection, analysis, containment, recovery, response, reporting and escalation.
  2. All incident response reporting and escalation procedures must be formally documented and approved by the USG CISO with review by the GBI as required by state law.
  3. Upon discovery of any incident that meets the defined criteria below:
    • The incident must be reported following the USG Information Security Incident Notification and Reporting Instructions found at the USG Information Security & ePrivacy web site: http://www.usg.edu/infosec.
    • The report must be submitted to USG Information Security & ePrivacy within five (5) days of the participant organization becoming aware of an incident involving the theft of such information, including information stolen in conjunction with the theft of a computer or data storage device.
    • Each participant organization must train its employees on how to recognize and report incidents in accordance with the reporting and escalation procedures.
  4. Participant organizations must have a designated and recorded incident management point of contact.
  5. USG institutions, the USO, the GPLS, and the Georgia Archives must report all security incidents or events of interest affecting systems or data categorized as moderate or high for any of the security objectives of confidentiality, integrity, or availability to USG Information Security & ePrivacy through the ITS Helpdesk (helpdesk@usg.edu) at 706-583-2001, or 1-888-875-3697 (Toll free within Georgia).

5.3.6.4 Incident Categories and Reporting Timeframes

The following table identifies all incident categories and their descriptions.

| CATEGORY | NAME | DESCRIPTION |
|---|---|---|
| CAT 0 | Exercise/Network Defense Testing | Used during state, federal, and USG exercises, and approved activity testing of internal/external network defenses or responses. |
| CAT 1 | Unauthorized Access* | A person gains logical or physical access without permission to a network, system, application, data, or other USG resource. |
| CAT 2 | Denial of Service* | An attack that prevents or impairs the authorized use of networks, systems, or applications by exhausting USG resources. |
| CAT 3 | Malicious Code* | A virus, worm, Trojan horse, or other code-based malicious entity that infects a host. |
| CAT 4 | Inappropriate Usage* | A person violates appropriate computing/network use policies. |
| CAT 5 | Probes and Reconnaissance Scans | This category includes any activity that seeks to access or identify a critical/high category system, open ports, protocols, service, or any combination for later exploit. This activity does not directly result in a compromise or denial of service. |
| CAT 6 | Investigation | Unconfirmed incidents that are potentially malicious or anomalous activity deemed by the reporting entity to warrant further review. |
| PII | Personally Identifiable Information (PII) Exposure | Any information about an individual including, but not limited to, education, financial transactions, medical history, and criminal or employment history, and information that can be used to distinguish or trace an individual’s identity, such as their name, social security number, date and place of birth, mother’s maiden name, biometric records, etc., including any other personal information that is linked or linkable to an individual. |
| PHI | Protected Health Information (PHI) | Any individually identifiable health information. Identifiable refers not only to the data that is explicitly linked to a particular individual (identified information), but also includes health information with data items that reasonably could be expected to allow individual identification. |

Note: Categories marked with an * are taken from NIST Special Publication 800-61.

The following table identifies the applicable reporting timeframe for each incident category described above.

CATEGORY | REPORTING TIMEFRAME
CAT 0 | Not applicable. This category is for USG Information Security & ePrivacy’s internal use during exercises. Do not report to USG Information Security & ePrivacy.
CAT 1 | Within one (1) hour of discovery/detection. Report to USG Information Security & ePrivacy.
CAT 2 | Within two (2) hours of discovery/detection if the successful attack is still ongoing and the USG participant organization is unable to successfully mitigate the activity. Report to USG Information Security & ePrivacy.
CAT 3 | Daily; within one (1) hour of discovery/detection if the infection is widespread across the USG participant organization.
CAT 4 | Weekly. Notify USG Information Security & ePrivacy via the aftermath meeting.
CAT 5 | Monthly; if the targeted system is classified, report within one (1) hour of discovery.
CAT 6 | Not applicable. This category is for the USG participant organization’s use to categorize a potential incident that is currently being investigated. Do not report to USG Information Security & ePrivacy.
PII | Within one (1) hour of discovery/detection. Report to USG Information Security & ePrivacy.

5.3.6.5 Related Enterprise Policies, Standards, and Guidelines

5.3.6.6 References


Print friendly Version date May 15, 2014

Information assets can be defined as:

  1. All categories of automated information, including, but not limited to, records, files, and databases; and,
  2. Information technology facilities, equipment (including endpoints, personal computer systems), and software owned or leased by a USG institution, the USO, the GPLS, or the Georgia Archives.

5.4.1 USG Information Asset Management Standard

5.4.1.1 Purpose

Asset inventory is required by State asset management procedures, and is the method by which the USG maintains accountability of the physical computing devices and software purchased with state funds.

5.4.1.2 Scope, Authorization, Enforcement, and Exceptions

5.4.1.3 Standard

Each USG participant organization shall maintain perpetual and up-to-date accountability of all hardware and software (including licenses) acquired with federal or state funds. Where a resource is shared among two or more USG participant organizations, the hosting organization shall be responsible for this accountability. All assets shall be recorded in compliance with all applicable state or USG asset management policies and the Official Code of Georgia Annotated section 50-16-160 et seq. Asset management shall include procedures for accountability throughout the asset’s life cycle, from acquisition through decommissioning, transfer of ownership, surplus, and/or equipment refresh/upgrades.

5.4.1.4 References

  • USG IT Handbook, Section 5.8, USG Endpoint Security Standard

5.4.2 USG Information Asset Protection Standard

USG institutions, the USO, the GPLS, and the Georgia Archives must provide for the integrity and security of their information assets by identifying all information systems, automated files, and databases for which the USG participant organization has ownership responsibility, and by ensuring that responsibility for each information system, automated file, or database is defined with respect to:

  1. Owners of the information system;
  2. Owners of the information within the USG institution, the USO, the GPLS, and the Georgia Archives;
  3. Trustees and stewards of the information;
  4. Users of the information; and,
  5. Classification of information to ensure that each automated file or database is identified as to its information class in accordance with policies and standards.

Note: The definitions of Owners, Stewards, Trustees, and Users are covered in Section 9, Data Governance and Management Structure, of this Handbook.



IT/IS Risk Management is formally defined as the total process of identifying, controlling, and managing the impact of uncertain harmful events, commensurate with the value of the protected assets, to avoid risk or reduce it to acceptable levels. This process includes both the identification and assessment of risk through risk assessment, analysis, and the initiation and monitoring of appropriate practices in response to that analysis through a risk management program.

The USG CISO shall develop and maintain an IT/IS risk management standard, processes and procedures for support of risk management across the USG and support of activities between participant organizations. He/she shall maintain IT/IS risk management implementation standards that the individual USG participant organizations must consider in the development of their individualized IT/IS risk management plans.

5.5.1 Institution, USO, GPLS, and Georgia Archives Responsibilities

All USG institutions, the USO, the GPLS, and the Georgia Archives must ensure the integrity of computerized information resources by protecting them from unauthorized access, modification, destruction, or disclosure, and must ensure the physical security of these resources. USG institutions, the USO, the GPLS, and the Georgia Archives shall also ensure that users, contractors, and third parties having access to state or USG computerized information resources are informed of and abide by this standard and the institution, USO, GPLS, and/or Georgia Archives security plan, and are informed of applicable local, state, and federal policies, laws, regulations, and/or codes related to computerized information resources.

USG institutions, the USO, the GPLS, and the Georgia Archives employing information technology must establish an IT/IS risk management process to identify, assess, and respond to the risks associated with their information assets. The unauthorized modification, deletion, or disclosure of information held in institution, USO, GPLS, and Georgia Archives files and databases can compromise the integrity of state and USG programs, violate an individual’s right to privacy, and constitute a criminal act.


5.5.2 Risk Assessment and Analysis

Once the level of sensitivity of the information resources has been identified through an impact analysis (in which IT-related assets, e.g., information, people, software, hardware, and facilities, are identified and those most critical to protect are determined), the threats to which they are subject must be identified and evaluated. This process is referred to as a risk assessment: the probability of each threat event occurring, and the resultant impact of that event on the information resources, should be assessed.

For a given IT asset, an estimate should be made of the largest potential business impact, based on failures of confidentiality, integrity, and availability. The relative business impact of each of these three types of failure event should then be estimated as high, medium, or low, and the asset’s overall rating is the highest of the three. For example, if a system is estimated as having a low requirement for confidentiality, a medium requirement for data integrity, and a high requirement for service availability, then that IT asset is treated as having a high requirement for attention.

The organization needs to decide if and when a residual level of risk is acceptable. Senior management then selects one of the following responses for each identified risk:

  1. Mitigate the risk by implementing controls, countermeasures, or safeguards;
  2. Accept the risk;
  3. Avoid the risk; or,
  4. Transfer the risk (pass it on to another party, e.g., through contract or insurance).

5.5.3 Institution, USO, GPLS, and Georgia Archives Risk Management Programs

The practice of IT/IS risk management within a USG institution, the USO, the GPLS, and the Georgia Archives must be based upon the results of the organization’s risk analysis process. Based on the impact analysis and the risk assessment, the organization should determine what types of safeguards are appropriate to address their defined risks. In this manner, the safeguards deployed reflect the true importance of the investment in the information resources used to accomplish the organization’s mission.

An IT/IS risk management plan must then be developed documenting the actions, safeguards, or countermeasures that can be taken to reduce the identified risks based on available resources. While it is not required that this plan be on file with USG Information Security & ePrivacy, it must be made available upon request.

A focus on the USG and organization missions is vital. The IT organization cannot, and is not expected to, mitigate every risk, but must prioritize based on the threat to the mission and available resources.

Obtaining resources for IT/IS risk management is subject to the same technical, programmatic, and budgetary justification and review processes required for any information technology program. The IT/IS risk management practices implemented by the USG participant organization will vary depending upon the nature of the organization’s information assets.


5.5.4 USG IT/IS Risk Management Standard

IT/IS risk management is the process of taking actions to avoid or reduce risk to acceptable levels.

5.5.4.1 Purpose

IT/IS risk management is an aggregation of three processes – risk assessment, risk mitigation, and controls evaluation and measurement – that help an organization ensure that information security management processes are integrated with that organization’s strategic and operational planning processes. Managing risk safeguards the organization’s mission and goals, and provides an on-going evaluation and assessment of IT- and IS- related mission risks.

USG institutions, the USO, the GPLS, and the Georgia Archives must ensure the confidentiality, integrity, and availability of information and information systems resources and assets by protecting them from unauthorized access, modification, destruction, or disclosure, and ensure the physical security of IT resources and assets.

5.5.4.2 Standard Statement

IT/IS risk management is the process of taking actions to avoid or reduce risk to acceptable levels. This process includes both the identification and assessment of risk through risk analysis, and the initiation and monitoring of appropriate practices in response to that analysis through the organization’s IT/IS risk management program.

USG institutions, the USO, the GPLS, and the Georgia Archives must ensure the integrity of computerized information resources by protecting them from unauthorized access, modification, destruction, or disclosure, and must ensure the physical security of these resources. USG institutions, the USO, the GPLS, and the Georgia Archives shall also ensure that users, contractors, and third parties having access to institution computerized information resources are informed of and abide by this standard and the organization’s security plan, and are informed of applicable federal laws and state statutes related to computerized information resources.

Each USG participant organization that employs information technology must establish IT/IS risk management and disaster recovery planning processes for identifying, assessing, and responding to the risks associated with its information assets. The USG’s information assets (its data processing capabilities, information technology infrastructure, and data) are an essential resource. For many organizations, program operations would effectively cease in the absence of key computer systems. In some cases, public health and safety would be immediately jeopardized by the failure or disruption of a system. Furthermore, the unauthorized modification, deletion, or disclosure of information held in institution files and databases can compromise the integrity of USG programs, violate an individual’s right to privacy, and constitute a criminal act.


5.5.5 USG IT/IS Risk Management Process

Federal and state information technology regulations require USG information resources to undergo an information security risk management process to identify the risks associated with their operation and to take steps to reduce that risk to, and maintain it at, an acceptable level. IT/IS risk management is integral to the development and operation of information resources.

5.5.5.1 Process

The practice of IT/IS risk management within a USG participant organization must be based upon the results of its risk analysis process. Obtaining resources for IT/IS risk management is subject to the same technical, programmatic, and budgetary justification and review processes required for any IT program.

The IT/IS risk management practices implemented will vary depending upon the nature of the participant organization’s information assets. Among the practices that must be included in each organization’s risk management program are:

  1. Discover endpoints and data (desktops, notebooks, servers, mobile devices, and other computer assets);
  2. Inventory endpoints and data (desktops, notebooks, servers, mobile devices, and other computer assets);
  3. Categorize the information system (impact/criticality/sensitivity);
  4. Select and tailor baseline (minimum) security controls;
  5. Supplement the security controls based on risk assessment;
  6. Document security controls in system security plan;
  7. Implement the security controls in the information system;
  8. Assess the security controls for effectiveness;
  9. Authorize information system operation based on mission risk; and,
  10. Monitor security controls on a continuous basis.

Senior management then selects one of the following responses for each identified risk:

  1. Mitigate the risk by implementing the recommended controls, countermeasures, or safeguards;
  2. Accept the risk;
  3. Avoid the risk; or,
  4. Transfer the risk (pass it on to another party, e.g., through contract or insurance).

5.5.5.2 Specific Guidelines for IT/IS Risk Management

  • FIPS Publication 199 (Security Categorization)
  • FIPS Publication 200 (Minimum Security Requirements)
  • ISO 27005 Information Security Risk Management (ISRM)
  • NIST Special Publication 800-18 (Security Planning)
  • NIST Special Publication 800-30 (Risk Management)
  • NIST Special Publication 800-37 (Certification & Accreditation)
  • NIST Special Publication 800-53 (Recommended Security Controls)
  • NIST Special Publication 800-53A (Security Control Assessment)
  • NIST Special Publication 800-59 (National Security Systems)
  • NIST Special Publication 800-60 (Security Category Mapping)


Data is a critical asset of the USG. All USG institutions, the USO, the GPLS, and the Georgia Archives have a responsibility to protect the confidentiality, integrity, and availability of the information and information systems assets utilized. However, to adequately protect the data, there must be an understanding of what to protect, why protect it, and how to protect it.

The Security Objective is to maintain the confidentiality, integrity, and availability of all information and information systems. Security Categorization is the characterization of information or an information system based on an assessment of the potential impact that a loss of confidentiality, integrity, or availability of such information or information system would have on organization operations, assets, or individuals, and the USG itself. Confidentiality, integrity, and availability are defined as:

  1. Confidentiality - “Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information…” [44 U.S.C., Sec. 3542] A loss of confidentiality is the unauthorized disclosure of information.
  2. Integrity - “Guarding against improper information modification or destruction, and includes ensuring information non - repudiation and authenticity…” [44 U.S.C., Sec. 3542] A loss of integrity is the unauthorized modification or destruction of information.
  3. Availability - “Ensuring timely and reliable access to and use of information…” [44 U.S.C., Sec. 3542] A loss of availability is the disruption of access to, or use of, information or an information system.

5.6.1 Security Categories

Security categories are based on the potential impact to an organization should certain events occur that jeopardize the information and information systems needed by the organization to accomplish its assigned mission, protect its assets, fulfill its legal responsibilities, maintain its day-to-day functions, and protect individuals.


5.6.2 Scope, Enforcement, Authority, and Exceptions

TBD


5.6.3 Standard

Data Owners shall inventory and assign a security category to the information systems for which they hold responsibility. The security category assigned shall conform to FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems, which categorizes information and information systems according to the potential impact on the organization should a breach of confidentiality, integrity, or availability (CIA) occur.

Note: The definition of Data Owners is covered in Section 9, Data Governance and Management Structure, of this Handbook.

Specifically:

  1. The potential impact is LOW if the loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
  2. The potential impact is MODERATE if the loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
  3. The potential impact is HIGH if the loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

The FIPS Publication 199 “Nine Box” below summarizes the potential impact level for each security objective. Every cell reads: the loss of that objective could be expected to have the stated effect on organizational operations, organizational assets, or individuals.

SECURITY OBJECTIVE | LOW | MODERATE | HIGH
Confidentiality | limited adverse effect | serious adverse effect | severe or catastrophic adverse effect
Integrity | limited adverse effect | serious adverse effect | severe or catastrophic adverse effect
Availability | limited adverse effect | serious adverse effect | severe or catastrophic adverse effect

The generalized format for expressing the security category (SC) of an information system is:

  • SC information system = {(confidentiality, impact), (integrity, impact), (availability, impact)}, where the acceptable values for potential impact are LOW, MODERATE, or HIGH.
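
As an added worked example (not from the Handbook, and not USG code), the following Python parses SC expressions written in the notation above, derives a system’s security category from its information types as FIPS 199 directs (per objective, the highest impact of any information type, with a confidentiality value of N/A raised to LOW at the system level), and then takes the high-water mark across the three objectives. That high-water mark is the rule behind the Section 5.5.2 illustration, where an asset rated low/medium/high is treated as high overall, and it also drives the Section 5.3.6 reporting trigger (any objective at moderate or high). The function names are the example’s own, and the system name and the two information types are constructed sample input.

```python
"""FIPS 199 security categorization in the Handbook's SC notation.

Added example; not part of the USG IT Handbook. The information types
below are constructed sample input, not real USG systems.
"""
import re

OBJECTIVES = ("confidentiality", "integrity", "availability")
IMPACT_RANK = {"LOW": 1, "MODERATE": 2, "HIGH": 3}
# FIPS 199 permits N/A only for the confidentiality of an information type
# (e.g., public information); a system is never categorized below LOW.
NOT_APPLICABLE = "N/A"

# Matches the Handbook's notation, e.g.
#   SC student records = {(confidentiality, MODERATE), (integrity, MODERATE), (availability, LOW)}
_SC_RE = re.compile(r"^\s*SC\s+(?P<name>.+?)\s*=\s*\{(?P<body>.*)\}\s*$")
_PAIR_RE = re.compile(r"\(\s*(\w+)\s*,\s*([A-Za-z/]+)\s*\)")


def parse_sc(text, information_type=False):
    """Parse one SC expression into (name, {objective: impact}).

    Raises ValueError if an objective is missing or duplicated, an impact
    value is not LOW/MODERATE/HIGH, or N/A appears where FIPS 199 forbids it.
    """
    m = _SC_RE.match(text)
    if not m:
        raise ValueError(f"not an SC expression: {text!r}")
    sc = {}
    for objective, impact in _PAIR_RE.findall(m.group("body")):
        objective, impact = objective.lower(), impact.upper()
        if objective not in OBJECTIVES:
            raise ValueError(f"unknown security objective {objective!r}")
        if objective in sc:
            raise ValueError(f"duplicate objective {objective!r}")
        if impact == NOT_APPLICABLE:
            if not (information_type and objective == "confidentiality"):
                raise ValueError("N/A is only valid for confidentiality of an information type")
        elif impact not in IMPACT_RANK:
            raise ValueError(f"invalid impact value {impact!r}")
        sc[objective] = impact
    missing = [o for o in OBJECTIVES if o not in sc]
    if missing:
        raise ValueError(f"missing objectives: {missing}")
    return m.group("name").strip(), sc


def _rank(impact):
    return 0 if impact == NOT_APPLICABLE else IMPACT_RANK[impact]


def categorize_system(info_type_scs):
    """System SC from its information types (FIPS 199 section 3.3): for each
    objective take the highest impact of any information type, and never let a
    system objective fall below LOW even if every type marked it N/A."""
    system = {}
    for objective in OBJECTIVES:
        best = max((sc[objective] for sc in info_type_scs), key=_rank, default=NOT_APPLICABLE)
        system[objective] = "LOW" if best == NOT_APPLICABLE else best
    return system


def high_water_mark(sc):
    """Overall impact level: the highest of the three objectives. This is the
    level that selects the FIPS 200 / SP 800-53 control baseline."""
    return max((sc[o] for o in OBJECTIVES), key=_rank)


def requires_usg_report(sc):
    """Section 5.3.6 trigger: incidents on systems categorized moderate or high
    for any objective must be reported to USG Information Security & ePrivacy."""
    return any(_rank(sc[o]) >= IMPACT_RANK["MODERATE"] for o in OBJECTIVES)


def format_sc(name, sc):
    """Render a category back into the Handbook's SC notation."""
    pairs = ", ".join(f"({o}, {sc[o]})" for o in OBJECTIVES)
    return f"SC {name} = {{{pairs}}}"


# Constructed sample input: two information types on one hypothetical system.
SAMPLE_INFORMATION_TYPES = [
    "SC public web content = {(confidentiality, N/A), (integrity, MODERATE), (availability, MODERATE)}",
    "SC student records = {(confidentiality, MODERATE), (integrity, MODERATE), (availability, LOW)}",
]


def categorize(information_type_expressions):
    """Parse the information-type SCs, aggregate them into the system SC, and
    return (system_sc, overall_level, must_report_to_usg)."""
    parsed = [parse_sc(t, information_type=True)[1] for t in information_type_expressions]
    system = categorize_system(parsed)
    return system, high_water_mark(system), requires_usg_report(system)


if __name__ == "__main__":
    system, overall, report = categorize(SAMPLE_INFORMATION_TYPES)
    print(format_sc("hypothetical student portal", system))
    print("overall (high-water mark):", overall, "| report incidents to USG:", report)
    # The Section 5.5.2 illustration: low C, medium I, high A -> HIGH overall.
    _, example = parse_sc("SC example asset = {(confidentiality, LOW), (integrity, MODERATE), (availability, HIGH)}")
    print("5.5.2 example overall:", high_water_mark(example))
```

The parser deliberately rejects N/A outside the one place FIPS 199 allows it, so a categorization that was copied from an information type into a system record without re-evaluation fails loudly rather than silently yielding a system with no confidentiality requirement.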

The security categorization process is carried out by the information system owner and information owner/steward in cooperation and collaboration with appropriate organizational officials (i.e., senior leaders with mission/business function and/or information security officer/risk management responsibilities).

Note: The definitions of Information System Owner and Information Owner/Steward are covered in Section 9, Data Governance and Management Structure, of this Handbook.

The security categorization process is conducted as an organization-wide activity taking into consideration the enterprise architecture and the information security architecture. This helps to ensure that individual information systems are categorized based on the mission and business objectives of the organization. The results of the security categorization process influence the selection of appropriate security controls for the information system and also, where applicable, the minimum assurance requirements for that system. Security categorization information must be documented in the system identification section of the security plan or included as an attachment to the plan.


5.6.4 References



The USG’s records (paper or electronic, including automated files and databases) are essential public resources that must be given appropriate protection from unauthorized use, access, disclosure, modification, loss, or deletion. Each USG institution, the USO, the GPLS, and the Georgia Archives must classify each record using the following classification structure:

  1. Unrestricted/Public Information is information maintained by a USG organization that is not exempt from disclosure under the provisions of the Open Records Act or other applicable state or federal laws.
  2. Sensitive Information is information maintained by a USG organization that requires special precautions to protect from unauthorized use, access, disclosure, modification, loss, or deletion. Sensitive information may be either public or confidential. It is information that requires a higher than normal assurance of accuracy and completeness. Thus, the key factor for sensitive information is that of integrity. Typically, sensitive information includes records of USG financial transactions and regulatory actions.
  3. Confidential Information is information maintained by a USG organization that is exempt from disclosure under the provisions of the Open Records Act or other applicable state or federal laws.

In addition, Personal Information may occur in unrestricted/public, sensitive, and/or confidential information. Personal information is information that identifies or describes an individual as defined in, but not limited by, the statutes listed below. This information must be protected from inappropriate access, use, or disclosure and must be made accessible to data subjects upon request. Personal information includes, but is not limited to:

  1. Notice-triggering personal information - specific items or personal information (name plus Social Security Number, driver’s license/Georgia identification card number, or financial account number) that may trigger a requirement to notify individuals if it is acquired by an unauthorized person.
  2. Protected Health Information - individually identifiable information created, received, or maintained by such organizations as health care payers, health care providers, health plans, and contractors to these entities, in electronic or physical form. Laws require special precautions to protect from unauthorized use, access, or disclosure.
  3. Electronic Health Information - individually identifiable health information transmitted by electronic media or maintained in electronic media. Federal regulations require state entities that are health plans, health care clearinghouses, or health care providers conducting electronic transactions ensure the privacy and security of electronic protected health information from unauthorized use, access, or disclosure.
  4. Personal Information for Research Purposes - personal information requested by researchers specifically for research purposes. Releases may only be made to the USG or other non-profit educational institutions in accordance with the provisions set forth in the law.
  5. Personally Identifiable Information (PII) - any information that permits the identity of an individual to be directly or indirectly inferred, including any information that is linked or linkable to that individual regardless of whether the individual is a U.S. citizen, lawful permanent resident, visitor to the U.S., or employee or contractor to the institution. Some PII is not sensitive, such as the PII on a business card, while other PII is considered Sensitive Personally Identifiable Information (Sensitive PII), as defined below.
  6. Sensitive Personally Identifiable Information (Sensitive PII) - personally identifiable information that if lost, compromised, or disclosed without authorization, could result in substantial harm, embarrassment, inconvenience, or unfairness to an individual, such as a Social Security number or alien number (A-number). Sensitive PII requires stricter handling guidelines because of the increased risk to an individual if compromised.

The designated owner of a record is responsible for making the determination as to whether that record should be classified as public or confidential, and whether it contains personal and/or sensitive information. The owner of the record is responsible for defining special security precautions that must be followed to ensure the integrity, security, and appropriate level of confidentiality of the information.

Note: The definition of Owner is covered in Section 9, Data Governance and Management Structure, of this Handbook.

Records containing sensitive and/or personal information require special precautions to prevent inappropriate disclosure. When confidential, sensitive, or personal information is contained in public records, procedures must be used to protect it from inappropriate disclosure. Such procedures include the removal, redaction, or otherwise masking of the confidential, sensitive, or personal portions of the information before a public record is released or disclosed.

While the need for the USG institutions, the USO, the GPLS, and the Georgia Archives to protect data from inappropriate disclosure is important, so is the need for the USG participant organization to take necessary action to preserve the integrity of the data. USG participant organizations must develop and implement procedures for access, handling, and maintenance of personal and sensitive information.

Information classification must be part of the IT/IS risk management program, as detailed in Section 5.5 of this Handbook, for each USG institution, the USO, the GPLS, and the Georgia Archives.


5.8.1 Purpose

The USG encourages the use of IT and the USG PeachNet™ network in support of business, learning, education, research, and public service. However, this resource is limited and vulnerable to attack. Therefore, the USG promulgates this standard in direct support of the Appropriate Use Policy (AUP) and the Minimum Security Standards for Networked Devices Policy.


5.8.2 Scope

This standard applies to all USG participant organizations’ devices that are connected (wired or wireless) to the USG network or that use a usg.edu Internet Protocol (IP) address to originate electronic communications. Such devices include computers, mobile and smart devices, printers, and other network appliances, as well as hardware connected to the USG network from behind firewalls or Network Address Translation (NAT) systems. This USG security standard mandates that all devices connected to the USG’s network or to a USG participant organization’s network comply with the following requirements, referred to collectively as the Endpoint Security Standard.


5.8.3 Authority


5.8.4 Enforcement

USG participant organizations are responsible for developing internal policies, standards, processes, and procedures to facilitate compliance with USG security policies and standards. The standards are designed to comply with applicable laws and regulations. However, if there is a conflict, applicable laws and regulations will take precedence.

USG participant organizations may establish more stringent policies, standards, and procedures consistent with this USG standard.

Violations of this standard could result in serious security incidents involving state, federal, sensitive, or privacy data. Violators may be subject to disciplinary actions including termination and/or criminal prosecution.


5.8.5 Standard

USG network services and assets are privileges accorded at USG discretion. Devices connected to the USG PeachNet™ network and to USG participant organizations’ network(s) must comply with this minimum endpoint security standard. The colleges, departments, offices, units, or service providers of any USG participant organization may develop stricter standards for themselves. Devices that do not meet the minimum endpoint security standard may be disconnected.

The following are the minimum endpoint security standard requirements/capabilities:

USG STANDARD REQUIREMENT | DESCRIPTION
Asset Discovery and Inventory | See and report all assets connecting, wired or wirelessly, to the network.
Anti-phishing, anti-spyware, anti-malware, and antivirus management | Protect all endpoints from malware.
Host Intrusion Prevention (HIPS) | Detect and stop suspicious behaviors typical of malicious attacks before they can execute.
Whitelisting/Blacklisting | Configure which programs are authorized to run, or not run, whether the device is connected to or disconnected from the network.
Firewalling | Configure trusted programs (applications), trusted network scopes, and connection rules to protect managed devices from unauthorized intrusions.
Encryption | Enforce the USG Encryption Standard governing encryption of all mobile endpoints, including laptops, desktops, handhelds, and other external media, with reporting to demonstrate compliance.
OS/App Patch Management | Evaluate systems with active vulnerability scanning, and remediate known vulnerabilities through automated targeting and patch distribution.
Dashboard and Reporting | Manage and monitor hardware and software assets.
Removable Media and Device Control | Secure IT resources from core and network servers to desktops, laptops, and portable storage media in order to prevent data leakage.
Inventory Management/Discovery | Discover any managed or unmanaged IP-enabled device on the organization’s network, track devices in the cloud, and inventory all applications; includes inventory tracking functionality.
Software Management and Reporting | Manage and report on software licensing, distribution, and installation across the network.
Mobility Management - Mobile Device Management (MDM) | Manage and secure any mobile device connected to the network, including tablets, smartphones, and other mobile devices.
Management Gateway (off-network devices) | Manage endpoints inside or outside the firewall, without requiring a VPN, using certificate-based authentication and SSL/TLS encryption.
Remote Management (managed and unmanaged devices) | Manage asset data, remote access, control features, and remote monitoring.
Cloud Security Management | Use certificate-based authentication and SSL/TLS encryption; send all data over SSL/TLS-encrypted connections; allow only authorized staff to access the core server so that the organization’s firewall remains secure; use an SSL/TLS session architecture; include firewall functionality; include monitoring and logging features.
Compliance Verification (FERPA, HIPAA, PCI, etc.) | Assess and enforce alignment with compliance standards and guidance: Payment Card Industry Data Security Standard (PCI DSS); SANS; National Institute of Standards and Technology (NIST); National Security Agency (NSA); Federal Information Security Management Act (FISMA).
Data Analytics (2016) | Aggregate and analyze IT data.


Version date May 15, 2014

This directive establishes the Information Security Awareness, Training and Education Program for information resources supporting the USG’s mission. All USG information security organizations must implement information technology regulations regarding security of information and information resources. The Information Security Awareness program will address the information security concerns that apply to USG mission needs. For more information, refer to the Security Awareness, Training and Education Standard and Security Awareness Program Policy.

USG Information Security & ePrivacy will provide an Annual Security Awareness presentation for USG institutions, the USO, the GPLS, and the Georgia Archives. Each participant organization is welcome to use the presentation in whole or in part, or to create its own in-house security awareness training for its environment. Also, the USG Information Security & ePrivacy team is ready, willing, and able to come to your location and present the Annual Security Awareness presentation to students, faculty, or staff. Please call or email infosec@usg.edu to schedule the annual presentation (first scheduled, first served).

5.9.1 Roles and Responsibilities

While it is important to understand the policies that drive USG institutions, the USO, the GPLS, and the Georgia Archives to develop and implement defense in depth, it is crucial that faculty and staff understand who has responsibility for information security defense in depth.

5.9.1.1 Organization Head

The USG Chancellor or his/her designee for the USO, the president of each USG institution, the GPLS state librarian, or the Georgia Archives leadership is responsible for:

  1. Leadership;
  2. Overall safety and security of the institution; and,
  3. Annual Security Plan, as noted in Section 5.1.2 of this Handbook.

5.9.1.2 Senior Leadership

Senior Leadership must ensure that high priority is given to effective security awareness and training for all students, faculty, and staff. This includes implementation of a viable IT security program with a strong awareness and training component. Senior Leadership should:

  1. Provide leadership;
  2. Assign responsibility for IT and IS (CISO or ISO for the institution, the USO, the GPLS, or the Georgia Archives);
  3. Ensure that an organization-wide IT and IS program is implemented, is well-supported by resources and budget, and is effective;
  4. Ensure there are sufficiently trained personnel to secure and protect critical and sensitive data through the use of secure processes, tools, and training;
  5. Assign responsibilities to management;
  6. Insist that management makes security investments and security improvements measurable, and monitors and reports on program effectiveness; and,
  7. Include security in job performance appraisals and apply appropriate rewards and disciplinary measures.

5.9.1.3 Information Security Officer (ISO)

The ISO is tasked to oversee security awareness and training through the application of secure processes, awareness, and technology. The ISO will work with the academic and administrative leadership and information technology management to:

  1. Provide leadership;
  2. Establish overall strategy for the IT and IS awareness and training program;
  3. Ensure that the senior leadership, senior managers, system and data owners, and others understand the concepts and strategy of the security awareness and training program, and are informed of the progress of the program’s implementation;
  4. Ensure that the institution, USO, GPLS, or Georgia Archives security awareness and training program is funded;
  5. Ensure the training of faculty and staff with significant security responsibilities;
  6. Ensure that all users are sufficiently trained in their security responsibilities; and,
  7. Ensure that effective tracking and reporting mechanisms are in place.

5.9.1.4 Users

Users are the largest audience and are the single most important group of people who can help to reduce unintentional errors and vulnerabilities. Users may include students, faculty, staff, contractors, foreign or domestic guest researchers, other institutional personnel, visitors, guests, and other collaborators or associates requiring access. Users must:

  1. Understand and comply with institutional security policies and procedures;
  2. Be appropriately trained in the acceptable use of the systems and applications to which they have access;
  3. Work with management to meet training needs;
  4. Keep software/applications updated with security patches; and,
  5. Be aware of actions they can take to better protect their institution’s information and information systems. These actions include, but are not limited to:
    • Proper password usage;
    • Data backup;
    • Proper antivirus protection;
    • Reporting any suspected incidents or violations of security policy; and,
    • Following established rules to avoid social engineering attacks and deter the spread of spam or viruses and worms.

5.9.2 Security Awareness, Training, and Education Standard

This section establishes the requirement for the employees and contractors of all USG institutions, the USO, the GPLS, and the Georgia Archives to attend annual security awareness training.

5.9.2.1 Purpose

One of the objectives/goals of the ITS Information Technology Strategic Plan 2010 is to increase the awareness of the workforce through a security awareness program. The USG cannot protect the confidentiality, integrity, and availability of information and information systems in today’s highly networked environment without ensuring that each person involved understands their roles and responsibilities and is adequately trained to perform them.

5.9.2.2 Scope, Authority, Enforcement, and Exceptions

5.9.2.3 Standard

All USG institutions, the USO, the GPLS, and the Georgia Archives shall provide information security awareness training to their employees and engagement contractors who have unescorted logical or physical access to state facilities and/or information resources not designated as public access resources.

The training shall be conducted annually, attendance shall be mandatory, and training completion shall be documented in personnel/contractor training records. Awareness training shall provide practical and simple guidance pertaining to employee and contractor roles and responsibilities for protecting the state’s information assets, incident reporting and contingency preparedness. It shall provide updates to and reinforce security policies and procedures and highlight overall awareness.

Additional role-based security training shall be provided to IT specialists, developers, the security management organization, and others that have unique or specific information security responsibilities.

5.9.2.4 Related Policies, Standards, and Guidelines

5.9.2.5 References

  • Public Law 100-235
  • NIST SP 800-16 IT Security Training Requirements
  • NIST SP 800-50 Building an IT Security Awareness and Training Program

5.9.3 Security Awareness Program Policy

This section addresses the need to increase user security awareness through an awareness and training program at all USG institutions, the USO, the GPLS, and the Georgia Archives.

5.9.3.1 Purpose

One of the objectives/goals of the ITS Information Technology Strategic Plan 2010 is to increase the awareness of the workforce through a security awareness program. The USG cannot protect the confidentiality, integrity, and availability of information and information systems in today’s highly networked environment without ensuring that each person involved understands their roles and responsibilities and is adequately trained to perform them.

5.9.3.2 Scope, Authority, Enforcement, and Exceptions

5.9.3.3 Policy

The USG’s employees (full/part-time employees and contractors) shall be made aware of their basic information security responsibilities through an awareness program. The USO (Atlanta and Athens) shall provide annual, information security awareness training. Attendance shall be mandatory and documented in personnel/contractor records for all USO employees and engagement contractors who have logical or physical access to USG or state information resources, not explicitly designated as public access resources.

5.9.3.4 Related Enterprise Policies, Standards, and Guidelines

5.9.3.5 References

