Information Security Manual (USG-ISM)

The Information Security Manual (USG-ISM) is a reference source for system-wide policies, standards, guidelines, procedures, regulations, and information developed, authored, and issued by ACIT-SAG and the USG Office of Information Security. To provide a uniform approach to system-wide information security management, the contents have the approval of, and are published by the authority of, the BOR.

INTRODUCTION

Information security means the protection of information and information systems, equipment, and people from a wide spectrum of threats and risks. Implementing appropriate security measures and controls to provide for the confidentiality, integrity, and availability of information, regardless of its form (electronic, print, or other media) is critical to ensure business continuity and protection against unauthorized access, use, disclosure, disruption, modification, or destruction.

The BOR Policy Manual, Section 700, assigns responsibility and accountability to the Chief Information Technology Officer or designee, with the authority to create, issue, and maintain policies, standards, and procedures; direct USG institutions to effectively manage security and risk; advise and consult with USG institutions on security issues; and ensure USG institutions are in compliance with the requirements specified in BOR Policy Manual Section 700. These sections will continue to evolve as new policy is adopted.

STATUTORY PROVISIONS

Pursuant to the Policy Manual of the Board of Regents Section 700: Finance and Business, every USG institution, department, and office shall comply with the information security and privacy policies, standards, procedures and filing requirements issued by the USG Office of Information Security. Additionally, the Office may conduct, or require to be conducted, independent security assessments or audits of any USG institution, department, or office.

USG INSTITUTION RESPONSIBILITIES

Each USG institution must provide for the proper use and protection of its information assets. Accordingly, each USG institution must perform the following:

  • Assign management responsibilities for information technology risk management, including the appointment of an Information Security Role. See BOR Policy Manual, Section 700
  • Provide for the integrity and security of automated and paper information, produced or used in the course of USG institution business. See BOR Policy Manual, Section 700
  • Provide for the security of information technology facilities, software, and equipment utilized for automated information processing. See BOR Policy Manual, Section 700
  • Establish and maintain an information technology risk management program, including a risk analysis process. See USG Risk Management Policy
  • Prepare and maintain a USG institution Operational Recovery Plan. See USG Risk Management Policy.
  • Comply with USG information security program reporting requirements. See ISPR Standard.

RISK ANALYSIS

As an essential aspect of its information technology security and risk management program, each institution that employs information technology must establish a risk analysis process to identify and assess risks associated with its information assets and define a cost-effective approach to managing such risks.

Specific risks that must be addressed include, but are not limited to, those associated with accidental and deliberate acts on the part of institution employees and outsiders; fire, flooding, and electrical disturbances; and loss of data communications capabilities.

The institution risk analysis process must identify and prioritize critical applications of information technology. When establishing priorities, USG institutions should consider that applications may become more critical as the period of unavailability increases, and that processing cycles (e.g., monthly, quarterly, or yearly) may have an impact upon the prioritization of applications.

Institution risk management practices and disaster recovery planning must give priority to the establishment of policies and procedures to ensure the continued operation of these applications.

The risk analysis process must be carried out with sufficient regularity to ensure that the institution's approach to risk management is a realistic response to the current risks associated with its information assets. In general, the risk analysis process should be a cyclical process for most institutions. Institutions should complete the comprehensive risk analysis cycle at least every two years and whenever there has been a significant change in their use of information technology. This cycle ends with the preparation of a report documenting the risk assessment.

The risk analysis process should include the following:

  • Assignment of responsibilities for risk assessment, including appropriate participation of executive, technical, and program management.
  • Identification of the institution information assets that are at risk, with particular emphasis on the applications of information technology that are critical to institution program operations. A critical application, from a campus-wide perspective, is an application that is so important to the institution that the loss or unavailability of the application is unacceptable. With a critical application, even short-term unavailability of the information provided by the application would have a significant negative impact on the health and safety of students or institution employees; on the fiscal or legal integrity of institution operations; or on the continuation of essential institution programs.
  • Identification of the threats to which the information assets could be exposed.
  • Assessment of the vulnerabilities, i.e., the points where information assets lack sufficient protection from identified threats.
  • Determination of the probable loss or consequences, based upon quantitative and qualitative evaluation, of a realized threat for each vulnerability and estimation of the likelihood of such occurrence.
  • Identification and estimation of the cost of protective measures, which would eliminate or reduce the vulnerabilities to an acceptable level.
  • Selection of cost-effective security management measures to be implemented.
  • Preparation of a report, to be submitted to the institution President, Senior Leadership and the University System upon request. This report must be kept on file within the institution, documenting the risk assessment, the proposed security management measures, the resources necessary for security management, and the amount of remaining risk to be accepted by the institution.

USG INSTITUTION RISK MANAGEMENT PROGRAM

The practice of information technology (IT) & information security (IS) risk management (RM) within the University System of Georgia (USG) Institution must be based upon the results of the institution's risk analysis process.

Obtaining resources for risk management is subject to the same technical, programmatic, and budgetary justification and review processes required for any information technology program.

The risk management practices implemented by the USG Institution will vary depending upon the nature and size of the institution's information assets/resources. Among the practices that must be included in each institution's risk management program are:

  • Organizational and Management Practices,
  • IT & IS Tactical and Operational Practices,
  • Personnel Practices,
  • Physical Security Practices,
  • Information Integrity and Business Practices,
  • Personal & Mobile Computing Practices,
  • Software Integrity and Application Development Practices,
  • System Development Lifecycle Practices

POLICY MANAGEMENT

The purpose of information security policy is to establish and maintain a standard of due care to prevent misuse or loss of USG System Office and USG Institution information assets. Policy provides management direction for information security that conforms to business requirements, laws, and administrative policies. Each institution must provide for the integrity and security of its information assets by establishing appropriate internal policies and procedures for preserving the integrity and security of each automated file, paper file, or database, including:

  • Establishing and maintaining management and staff accountability for protection of USG institution information assets.
  • Establishing and maintaining processes for the analysis of risks associated with institution information assets.
  • Establishing and maintaining cost-effective risk management practices intended to preserve the institution's ability to meet USG program objectives in the event of the unavailability, loss, or misuse of information assets.
  • Establishing agreements with USG and non-USG entities that cover, at a minimum, the following:
    • Appropriate levels of confidentiality for the data based on data classification (see USG Business Procedures Manual).
    • Standards for transmission and storage of the data, if applicable.
    • Agreement to comply with all USG policy and federal/state law regarding use of information resources and data.
    • Agreement to apply security patches and upgrades, and to keep antivirus software up to date on all systems on which the data may be used.
    • Agreement to notify the data owners promptly if an information security incident involving the data occurs.
  • Establishing appropriate departmental/unit policies and procedures to protect and secure IT infrastructure, including:
    • A security patch and security upgrade policy covering, but not limited to, servers, routers, desktop computers, mobile devices, and firewalls. The policy must address application and testing of patches and/or security upgrades, in addition to departmental criteria for deciding which patches and security upgrades must be applied, and how quickly.
    • A server hardening policy covering all servers throughout the department/unit, not only those that fall within the jurisdiction of the department's/unit's IT area. The policy must include the process for making changes based on newly published vulnerability information as it becomes available. Further, the policy must address, and be consistent with, the department's/unit's policy for applying security upgrades and security patches.
    • A prohibition on the use of peer-to-peer technology for any non-business purpose, including, but not limited to, transfer of music, movies, software, and other intellectual property. Business use of peer-to-peer technologies must be approved by the CIO and CISO.
  • Establishing policy requiring encryption, or equally effective measures, for all personal, sensitive, or confidential information that is stored on portable electronic storage media (including, but not limited to, CDs and thumb drives) and on portable computing devices (including, but not limited to, laptop and notebook computers). This does not apply to mainframe and server tapes.

ORGANIZING INFORMATION SECURITY

USG Institution executive management must be visibly committed to information security and the practice of risk management. Risk management must be based upon an appropriate division of responsibility among management, technical, program staff and users, with written documentation of specific responsibilities. USG Institution security policies and procedures must be fully documented, and institution employees must be knowledgeable about those policies and procedures.

INSTITUTION MANAGEMENT RESPONSIBILITIES

Executive Management - The institution president has ultimate responsibility for information technology security, risk management, and privacy within the institution. Institution presidents are responsible for, and shall take reasonable measures toward, implementation of and compliance with the USG security policy, and are accountable for the computerized information resources held by their institutions. Institution presidents are responsible for the integrity of computerized information resources and the authorization of access to those resources. All institution employees share in this responsibility as well. On an annual basis, the president of each USG institution must submit an Institution Designation Letter designating critical personnel. Lastly, on an annual basis, the president of each institution must submit the Information Security Program Reporting (ISPR) to the USG Office of Information Security.

Information Security Officer or Security Designee - Oversight responsibility at the institution level for ensuring the integrity and security of automated and paper files, databases, and computer systems must be vested in the institution Information Security Officer (ISO) or Security Designee. The ISO/Designee is required to oversee institution compliance with policies and procedures regarding the security of information assets. The ISO/Designee must be directly responsible to the institution president for this purpose and be of a sufficiently high-level classification that he or she can execute the responsibilities of the office in an effective and independent manner. It is acceptable to create this reporting relationship on a functional basis rather than reorganize the organization. To avoid conflicts of interest, the ISO should not have direct responsibility for information processing, technology operations, or for institution programs that employ confidential information.

The establishment of positions to meet institution information security responsibilities must be justified in accordance with established personnel and budgetary requirements.

INSTITUTION DESIGNATIONS

Designation of Information Security Officer or Information Security Designee, and Information Security Backup, and Information Technology point-of-contact - Due by January 1 of each year, or as designee changes occur. Each USG Institution must designate and provide contact information for the institution's Information Security Officer (ISO) and backup, and Information Technology point-of-contact using the USG Information Security web site Designation Form. Upon the designation of a new ISO or IS-Backup, and/or Information Technology point-of-contact, the institution must submit an updated USG Institution Designation Form to the USG Office of Information Security (OIS) within ten (10) business days.

Please see the online USG Institution Designee Form (PDF).

ASSET PROTECTION

Each institution must provide for the integrity and security of its information assets by identifying all automated files and databases for which the institution has ownership responsibility, and by ensuring that responsibility for each automated file or database is defined with respect to the following:

  • Owners of the information within the institution.
  • Custodians of the information.
  • Users of the information.

Each institution must also classify its information to ensure that each automated file or database is identified as to its information class in accordance with law and administrative policy.

OWNERSHIP OF INFORMATION

USG Institution management must assign ownership of each automated file or database used by the institution. Normally, responsibility for automated information resides with the manager of the institution program that employs the information. When the information is used by more than one program, considerations for determining ownership responsibilities include the following:

  1. Which program collected the information.
  2. Which program is responsible for the accuracy and integrity of the information.
  3. Which program budgets the costs incurred in gathering, processing, storing, and distributing the information.
  4. Which program has the most knowledge of the useful value of the information.
  5. Which program would be most affected, and to what degree, if the information were lost, compromised, delayed, or disclosed to unauthorized parties.

RESPONSIBILITY OF OWNERS OF INFORMATION

The responsibilities of an institution academic or administrative unit that is the designated owner of an automated file or database consist of:

  1. Classifying each file or database for which it has ownership responsibility in accordance with the need for precautions in controlling access to and preserving the security and integrity of the file or database.
  2. Defining precautions for controlling access to and preserving the security and integrity of files and databases that have been classified as requiring such precautions.
  3. Authorizing access to the information in accordance with the classification of the information and the need for access to the information.
  4. Monitoring and ensuring compliance with institution and University System of Georgia security policies, standards and procedures affecting the information.
  5. Identifying for each file or database the level of acceptable risk.
  6. Filing Information Security Incident Reports with the Institution and the USG - Office of Information Security. See Incident Response Policy and Standard.

The ownership responsibilities must be performed throughout the life cycle of the file or database, until its proper disposal. Institutional program units (academic or administrative) that have been designated owners of automated files and databases must coordinate these responsibilities with the institution Information Security Officer or Security Designee.

CLASSIFICATION OF INFORMATION

Subject to executive management review, the institution academic or administrative unit that is the designated owner of a file or database is responsible for determining whether that file or database should be classified as public or confidential, and whether it contains personal, critical, and/or sensitive data. The owner of the file or data is responsible for defining the special security precautions that must be followed to ensure the integrity, security, and appropriate level of confidentiality of the information.

The University System of Georgia's (USG) automated files and databases are essential core resources and assets that must be given appropriate protection from unauthorized use, access, disclosure, modification, loss, or deletion. Each institution must classify each file and database using the following classification structure:

  1. Unrestricted Data or Public Data - information maintained by USG Institutions that is not exempt from disclosure under the USG Policies or other applicable state or federal laws.
  2. Sensitive Data - information maintained by USG Institutions that is exempt from disclosure under the provisions of USG Policies or other applicable state or federal laws.
  3. Confidential or Restricted Data - The highest levels of restriction should apply due to the risk or harm that may result from disclosure or misuse. Example: FERPA, HIPAA, GLB, PCI, and other legal or regulatory compliance-protected data.

NOTE: Sensitive Information (SI) and Personally Identifiable Information (PII) may occur in Unrestricted/Public Information. Files and databases containing SI and/or PII require special precautions to prevent inappropriate disclosure. When SI or PII is contained in public records, care must be taken to protect it from inappropriate disclosure. Categories of such information include:

  1. Breach Notification information - specific items or personal information (name plus Social Security Number, driver's license/Georgia identification card number, or financial account number) that may trigger a requirement to notify individuals if it is acquired by an unauthorized person.
  2. Protected Health Information (PHI) - individually identifiable information created, received, or maintained by such organizations as health care payers, health care providers, health plans, and contractors to these entities, in electronic or physical form. State laws require special precautions to protect from unauthorized use, access or disclosure.
  3. Electronic Health Information (EHI) - individually identifiable health information transmitted by electronic media or maintained in electronic media. Federal regulations require state entities that are health plans, health care clearinghouses, or health care providers that conduct electronic transactions to ensure the privacy and security of electronic protected health information from unauthorized use, access, or disclosure.
  4. Personal Information for Research Purposes - personal information requested by researchers specifically for research purposes. Releases may only be made to the University System of Georgia Institution or other non-profit educational institutions and in accordance with the provisions set forth in the law.

PERSONAL COMPUTER SECURITY

Information maintained in a personal computer system, including laptop computers and mobile devices, must be subjected to the same degree of management control and verification of accuracy that is provided for information that is maintained in other automated files. Files containing restricted or sensitive data should not be stored in personal computer systems unless the institution can demonstrate that doing so is in the best interest of the University System or USG Institution and that security measures have been implemented to provide adequate protection. Proposals to use desktop or laptop computers to maintain or access files containing confidential or sensitive data must be approved by the institution's Information Security Officer or Security Designee before implementation. The Information Security Officer will determine that the proposal complies with all applicable provisions of information security and risk management.

CRYPTOGRAPHY

Encryption, or equally effective measures, is required for all personal, sensitive, or confidential information that is stored on portable electronic storage media (including, but not limited to, CDs and thumb drives) and on portable computing devices (including, but not limited to, laptop and notebook computers). This policy does not apply to mainframe and server tapes. Alternatives to encryption must be reviewed on a case-by-case basis and approved in writing by the USG Institution Information Security Officer.

INCIDENT MANAGEMENT

USG Institution management must promptly investigate incidents involving loss, theft, damage, interception, misuse of information assets, or improper dissemination of information. All USG Institutions are required to report information security incidents according to the USG computer security incident reporting requirements.

INFORMATION SECURITY INCIDENT REPORTING REQUIREMENTS

Upon discovery of any incident that meets the criteria defined below, all USG Institutions must immediately report the incident following the USG Information Security Incident Notification and Reporting Instructions. The Security Incident Report is available via the USG Office of Information Security's website at http://www.usg.edu/infosec. The report must be submitted to the USG Office of Information Security within ten working days of the Institution becoming aware of an incident involving the theft of such information, including information stolen in conjunction with the theft of a computer or data storage device.

CRITERIA FOR REPORTING INCIDENTS

Incidents reported to the USG Office of Information Security include, but are not limited to, the following:

  1. USG Data (includes electronic, paper, or any other medium).
    1. Theft, loss, damage, unauthorized destruction, unauthorized modification, or unintentional or inappropriate release of any data classified as confidential, sensitive or personal. (See USG Business Procedures Manual).
    2. Possible acquisition of restricted or sensitive personal information by unauthorized persons.
    3. Deliberate or accidental distribution or release of personal information by an institution, its employee(s), or its contractor(s) in a manner not in accordance with law or policy.
    4. Intentional non-compliance by the custodian of information with his/her responsibilities.
  2. Inappropriate Use & Unauthorized Access - This includes actions of institution employees and/or non-USG individuals that involve tampering, interference, damage, or unauthorized access to USG computer data and computer systems. This includes, but is not limited to, successful virus attacks, web site defacements, server compromises, and denial of service attacks.
  3. Equipment - Theft, damage, destruction, or loss of state-owned/USG Information Technology (IT) equipment, including laptops, tablets, integrated phones, personal digital assistants (PDA), or any electronic devices containing or storing confidential, sensitive, or personal data.
  4. Computer Crime - Use of a state/USG information asset in commission of a crime.
  5. Any other incidents that violate USG Institution policy.

INCIDENT FOLLOW-UP REPORT

Each USG Institution having ownership responsibility for the asset must complete a USG Institution Information Security Incident Report for each incident. The report is signed by the institution's IT or Information Security Officer. Submit the report to the USG Office of Information Security within ten (10) business days from the date of notification.

Any incident involving personal identifying information or sensitive information may require the institution to notify the affected individuals, and additional reporting may be necessary for institutions that must adhere to Health Insurance Portability and Accountability Act (HIPAA) requirements.

The Office may require that the institution provide additional information in conjunction with its assessment of the incident.
