
Information Technology Handbook

5.7 Required Reporting

Version date: February 22, 2013

Given the USG’s and the state government’s increased use of IT and Internet-based services, the USG has a compelling need to ensure that the confidentiality, integrity and availability of those systems and services are adequately protected from known and anticipated threats. As noted in Section 5.2.2 of this Handbook, USG institutions, the USO, and the GPLS are responsible for designating officials within their organizations to fulfill key security functions and to report on their status of compliance with security policy, standards and procedures. While reporting and self-certification activities alone do not ensure the security of USG and state information assets, they do demonstrate an organization’s acknowledgement of the requirements and provide a measure of accountability.

5.7.1 Schedule of Required Reporting Activities

The following provides a summary list and schedule of required security reporting activities with corresponding due dates. Unless otherwise noted, all reports must be submitted in electronic PDF format with original signature(s) to USG Information Security & ePrivacy.

5.7.1.1 Information Security Officer (ISO) Designee Letter

As noted in Section 5.2.2 of this Handbook, the name and the appropriate contact information for this designee must be sent annually by January 31, or within ten (10) business days of any change in the designee.

5.7.1.2 Computer Security Incident Response Plan

As noted in Section 5.4.1 of this Handbook, a Computer and Data Security Incident Response (CDSIR) Plan must be formally documented and electronically sent and filed with USG Information Security & ePrivacy. If the plan is changed, the latest version of the plan must be sent within ten (10) business days of the change.

5.7.1.3 Information Security Incident Report

As noted in Section 5.4.2 of this Handbook, information security incidents consistent with the security reporting requirements of USG information security policy must be reported within ten (10) business days of the computer or data incident.

5.7.1.4 Information Security Incident Follow-up Report

As noted in Section 5.4.3 of this Handbook, the incident follow-up report must be submitted to USG Information Security & ePrivacy within forty-five (45) business days after entering the “recovery” step/phase of incident response.
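The two incident-reporting windows above (ten business days from the incident, forty-five business days from entering the recovery phase) are easy to miscount once they span weekends. The following is an added example, not part of the Handbook, that computes both due dates from an incident date and a recovery-phase entry date. It assumes that Saturdays and Sundays are not business days and lets the caller pass a set of observed holidays to skip as well; the Handbook itself does not define “business day”, so the holiday treatment is an assumption, and the sample dates are constructed.

```python
from datetime import date, timedelta
from typing import Optional

# Reporting windows from Handbook 5.7.1.3 and 5.7.1.4, in business days.
INCIDENT_REPORT_WINDOW = 10
FOLLOWUP_REPORT_WINDOW = 45
# The ISO designee-change notice in 5.7.1.1 uses the same ten-day window.
DESIGNEE_CHANGE_WINDOW = 10


def add_business_days(start: date, n: int, holidays: frozenset = frozenset()) -> date:
    """Return the date that falls n business days after `start`.

    The triggering day itself is day 0; counting begins on the next day.
    Saturdays and Sundays are skipped. Any date in `holidays` is skipped
    too. The Handbook does not define "business day", so treating observed
    holidays as non-business days is an assumption the caller controls.
    """
    if n < 0:
        raise ValueError("n must be non-negative")
    current = start
    remaining = n
    while remaining > 0:
        current += timedelta(days=1)
        # weekday(): Monday == 0 ... Sunday == 6
        if current.weekday() < 5 and current not in holidays:
            remaining -= 1
    return current


def reporting_deadlines(incident_date: date,
                        recovery_date: Optional[date] = None,
                        holidays: frozenset = frozenset()) -> dict:
    """Compute the 5.7.1.3 incident report deadline and, once the response
    has entered the recovery phase, the 5.7.1.4 follow-up report deadline."""
    if recovery_date is not None and recovery_date < incident_date:
        raise ValueError("recovery phase cannot precede the incident")
    deadlines = {
        "incident_report_due": add_business_days(
            incident_date, INCIDENT_REPORT_WINDOW, holidays),
    }
    if recovery_date is not None:
        deadlines["followup_report_due"] = add_business_days(
            recovery_date, FOLLOWUP_REPORT_WINDOW, holidays)
    return deadlines


def is_overdue(due: date, as_of: date) -> bool:
    """A report is overdue once the calendar day after its due date begins."""
    return as_of > due


if __name__ == "__main__":
    # Constructed sample: an incident on Friday 2013-02-22, with the response
    # entering the recovery phase on Monday 2013-03-04.
    incident = date(2013, 2, 22)
    recovery = date(2013, 3, 4)
    for name, due in reporting_deadlines(incident, recovery).items():
        print(f"{name}: {due.isoformat()} ({due.strftime('%A')})")
```

Because the count starts the day after the triggering event, an incident on a Friday gets its first business day on the following Monday; a holiday passed in `holidays` pushes the deadline out by one further business day.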

5.7.1.5 Annual Information Security Program Report

The governor’s Executive Order of March 19, 2008 requires development of a composite report on the status of Information Security for all state agencies. The USG has chosen to align itself with this order by producing its own USG Information Security Program Report (ISPR). The report shall consolidate the security program reports of all USG institutions, the USO, and the GPLS into one USG information security program report. The report shall be the aggregate of data compiled from the annual ISPR questionnaire. No specific institution, USO, or GPLS information shall be reported.



5.7.2 USG Information Security Program Reporting Standard

This section establishes the standard for USG institutions, the USO, and the GPLS to report the status of their information security program annually to USG Information Security & ePrivacy.

5.7.2.1 Purpose

On March 19, 2008 the Governor of the State of Georgia issued an Executive Order taking the lead on issues of information security. This order directs each state agency to issue an information security plan report (ISPR) annually.

Information technology and information security risk management is a broad area requiring top-level management attention and system-wide participation.

USG information security policies and standards are intended to strengthen information security throughout the system. The policies, standards and directives provide participant organizations with the necessary direction to cost-effectively document and reduce security risks to a level acceptable to the organization and the USG.

The continuous and efficient operation of data systems is both vital and necessary to the USG mission. USG participant organizations have the responsibility of providing critically important, coordinated, robust, and effective information security in order to protect the system’s data, its students, and employees and to ensure the efficient operation of the USG.

To ensure the adequacy and effectiveness of information security throughout the system, this standard requires institutions to conduct annual reviews of their information security programs and report the results to USG Information Security & ePrivacy. These data will be used to prepare the consolidated annual report for the Georgia Governor’s Office. The annual report will help state decision makers understand the current state of information risk management within the state and how each agency is performing year to year. It will also provide data for making appropriate decisions with regard to proposed improvements.

The new ISPR requirement builds on previous efforts by the USG CIO Advisory Council Security Advisory Group (SAG), where institutions were instructed to gather information on institution-level information security programs/plans and report to USG Information Security & ePrivacy.

While information security plans and measures are specifically exempted from public disclosure under the Georgia Open Records Act, USG participant organizations are still required to plan their initiatives strategically and to make those strategic plans and the corresponding performance measures or metrics available to the public upon request.

Performance metrics are especially important because they:

  • Demonstrate quantifiable progress in accomplishing strategic goals and objectives;
  • Satisfy federal and state legislative requirements;
  • Improve accountability for delivering services;
  • Play a key role in initiating improvement actions based on performance trends;
  • Provide objective information to USG leadership on progress toward objectives and on the relative effectiveness and efficiency of institutional programs and spending.

5.7.2.2 Scope, Enforcement, Authority, Exceptions

  • BoR Policy Manual, Section 11
  • USG Office of Information Security Program Policy
  • USG Information Strategic Security Plan
  • USG Information Security Program Reporting Policy

5.7.2.3 Supplemental Exception

Any exceptions to this standard shall be at the discretion of and approved in writing by the USG CIO or CISO.

5.7.2.4 Standard

To ensure the adequacy, effectiveness, and continuous improvement of information security controls throughout the USG, each participant organization shall conduct an annual review of its information security program and report its status as of March 31st of each year. These reports shall be called the “Institution Information Security Plan Report (ISPR).”

USG Information Security & ePrivacy shall collect and analyze the institutions’ ISPRs and compile an annual State of the University System of Georgia Information Security Program Report. This consolidated report shall be delivered to the Georgia Technology Authority (GTA) on or before October 31st of the same year.

The report shall provide a summary of system-wide performance in information security management and implementation, analysis of system-wide areas for improvement in information security practices, and a plan of action to improve information security throughout the USG.

Each year, USG Information Security & ePrivacy and the CIO Advisory Council SAG shall establish information security performance goals and requirements, and shall gather metrics based on specific compliance, implementation and effectiveness objectives, such as (but not limited to) compliance with security policies and standards, security services delivery, and the mission impact of security events. The performance goals shall state a desired result of implementing a system security program requirement and the actions required to accomplish the goals.

The metrics shall attempt to measure the accomplishments of each participant organization by quantifying (percentages, averages, numbers etc.) the level of implementation, effectiveness and efficiency of the security objectives. They shall demonstrate progress against established objectives as the security program matures, and shall facilitate the development of corrective actions and/or improvement plans.

Performance measures for 2009 shall examine the implementation and effectiveness of each institution’s information security program consisting of demonstrated progress in establishing a functioning baseline in the areas of: Strategic Security Planning, Policy Management, Risk Management, Continuity of Operations Management, Incident Response and Reporting Management, and Security Awareness and Training.

5.7.2.5 Related USG Policies, Standards, Guidelines

5.7.2.6 References

  • Federal Information Security Management Act (FISMA) of 2002
  • Federal Information Processing Standards (FIPS) 199/200
  • NIST SP 800-30 Risk Management Guide for Information Technology Systems
  • NIST SP 800-53 Recommended Security Controls for Federal Information Systems
  • NIST SP 800-55 Performance Measurement Guide for Information Security
  • NIST SP 800-80 Guide for Developing Performance Metrics for Information Security

5.7.2.7 Terms and Definitions

  • Performance Goal – The desired results of implementing the security objective or technique that are measured by the metric
  • Performance Measures – The actions required to accomplish the performance goal, validated through the completion and analysis of the institution report.
  • Metric – Numeric indicators used to gauge system-wide program performance and monitor progress toward accomplishing system-wide goals and objectives. Monitors and measures accomplishment of goals by quantifying the level of implementation and effectiveness.

5.7.2.8 Appendix 1

Strategic Security Planning: A comprehensive information security program combines people, processes and technologies. Information security’s goal and objective is to provide a “secure environment” whereby each student, faculty and staff member can reach their goals and objectives. The information security goals and objectives must map to the business goals and objectives of the institution; that is, one must be able to articulate quantitatively that the business goals and objectives of the institution are at risk if the security objectives are not met.

Goal(s): Develop an “information security strategy or strategies.” Each strategy is supported by one or more initiatives. An initiative is the implementation of an operational plan that, over time, realizes part or all of the security strategies and objectives. The overall objective is to implement a set of interrelated initiatives that collectively achieve all of the security objectives.

Each organization shall answer the following questions:

  1. Does your organization have a strategic business goal or objective?
  2. Does your information security program map to the institution’s strategic business goal or objective?
  3. What is or are the strategic goals or objectives of the information security program?
  4. What are the initiatives that support that strategic security goal or objective?
  5. What is the “plan of action & milestones” in achieving/reaching the strategic security goal or objective?

5.7.2.9 Appendix 2

IT/IS Policy Management: The purpose of an IT or IS policy is to establish and maintain a standard of due care to prevent misuse or loss of USG information assets. Policy provides management direction for information security to conform to business requirements, laws, and administrative policies. Each USG participant organization must provide for the integrity and security of its information assets by establishing appropriate internal policies and procedures for preserving the integrity and security of each automated file, paper file, or database.

Goal(s): Develop a full-lifecycle policy methodology, covering development, refresh, and retirement, based on current best practices.

Each organization shall answer the following questions:

  1. Has the organization adopted an IT/IS “policy management” standard?
  2. Which policy development process standard is employed?
  3. Does the IT/IS policy development process include:
    • Policy awareness and compliance?
  4. Is the organization’s IT/IS policy development process simple and repeatable?
  5. Have you developed IT/IS policies and standards that are in compliance with all legal and contractual requirements in terms of privacy and information security?

5.7.2.10 Appendix 3

Risk Management: Risk management is the process of taking actions to avoid or reduce risk to acceptable levels. This process includes both the identification and assessment of risk through risk analysis and the initiation and monitoring of appropriate practices in response to that analysis through the organization’s risk management program.

Goal: Establish risk management planning processes for identifying, assessing, and responding to the risks associated with its information assets. Verify that all IT and/or business processes owners have appropriately documented information security characteristics of their systems.

Each organization shall answer the following questions:

  1. Does the organization maintain a current documented inventory of operational systems?
  2. Have all operational systems been assigned a classification/categorization?
  3. Does the list of systems and their appropriate level classification/categorization include the following information?
    • The system’s business or IT owner.
    • The name of the sensitive or critical business function(s) the system supports.
    • The system’s name and purpose.
    • Are any of the system’s operations outsourced? If so, to whom?
    • Does the system have a complete information security plan? If so, what is the security plan date (this is the date it was last reviewed/updated/approved)
    • The date of the last assessment conducted by a trusted 3rd party.
    • Provide a copy upon request.
    • Does the system have a disaster recovery plan and a business continuity plan?
    • Date of the last test of the disaster recovery plan and a business continuity plan.

5.7.2.11 Appendix 4

Computer Security Incident Response and Reporting: In 2009 the USG issued a policy and a security standard for incident response and reporting. Institutions are required to create and gain approval for a documented plan for managing information security incidents including when to escalate to USG and law enforcement.

Goal: To quantify the number of organizations that have a formal incident management capability, and to measure the extent of the impacts on institutions’ operations and critical systems, required escalation to the USG or the GBI (Georgia Bureau of Investigation), and/or notification of affected individuals.

Each organization shall answer the following questions:

  1. Does your organization have a documented Computer Security Incident Response and Reporting Plan?
  2. Does the plan include:
    • Preparation
    • Detection & Analysis
    • Escalation, Decision-making processes and Notification
    • Communications Plan
    • Containment, Eradication and Recovery
    • Post-incident Activity
    • Testing and Measurement Plan
    • Review and Revision Processes

5.7.2.12 Appendix 5

Continuity of Operations Planning: Continuity of Operations Planning (C.O.O.P.) ensures the continuity of essential functions through a wide range of emergencies and disasters. Today’s changing threat environment and recent natural and man-made emergencies demonstrate the need for C.O.O.P. capabilities and plans.

In 2009 the USG issued new policy and security standards to support institutions in developing C.O.O.P. capabilities.

Goal: To determine whether all organizations are aware of the need for a Continuity of Operations Planning - C.O.O.P. program. Determine if the organization’s IT/IS C.O.O.P. includes collaboration/communications with organization emergency operations/planning strategies/initiatives.

Each organization shall answer the following questions:

  1. Do you have a comprehensive “Continuity of Operations Plan” that:
    • Identifies the critical business processes and applications; along with the hardware, software, business and IT support staff that run them, and the local and wide area networks that connect them to the end users?
    • Includes a backup and recovery plan:
      • On disk or tape or network storage device:
        • Operating system w/current patch levels
        • Critical applications that run on the operating system w/current patches
        • Critical data
      • Backup and Recovery Test Plan
    • Incident Response and Reporting Plan (IR)
      • Incident Response and Reporting Test Plan
    • Disaster Recovery Plan (DR) & Business Continuity Plan (BC)
      • A hardware replacement plan
      • Documented step-by-step procedures on how to recover the OS, applications and data
      • A testing plan and results of the last test
      • An offsite storage of the critical data (30+ miles)
      • An alternate site/location identified
      • Contract or arrangement for an alternate sustainable power generation (Consider multi-fuel electric power generators)
      • Disaster Recovery Plan (DR) & Business Continuity Plan (BC) Test Plan, through scenarios and tests.
    • Documented and tested total business resumption plan

5.7.2.13 Appendix 6

Security Education and Awareness: In 2009, the USG issued a policy and a security standard requiring that all USG employees and contractors (full-time and part-time) complete comprehensive security awareness training annually. USG Information Security & ePrivacy has made available an information security awareness training video and materials for this purpose.

Goal: To determine the number of employees who have completed annual security awareness training using the video/presentation materials provided by the USG or an external/internal equivalent.

Each institution shall answer the following questions:

  1. How many employees and/or contractors (full and part-time) does the USG organization employ?
  2. Were your employees required to complete the USG security awareness training video or other presentations?
    • If yes, how many successfully completed the training?
    • If no, describe any alternate training that was provided and how many employees successfully completed the training.
