11.3 Information Security Policy
11.3.1 General Policy
The Board of Regents recognizes that information created, collected, or distributed using technology by the University System Office (USO), all USG institutions, and the Georgia Public Library Service (GPLS) is a valuable asset and must be protected from unauthorized disclosure, modification, or destruction. The degree of protection needed is based on the nature of the resource and its intended use. The USO, all USG institutions, and the GPLS have the responsibility to employ prudent information security policies, standards, and practices to minimize the risk to the confidentiality, integrity, and availability (CIA) of USG information.
Therefore, the USO, all USG institutions, and the GPLS shall create and maintain an internal information security technology infrastructure consisting of an information security organization and program that ensures the confidentiality, availability, and integrity of all USG information assets.
11.3.2 System-Level Activities
The USG chief information security officer shall develop and maintain an information security organization and architecture for support of information security across the USG and support of activities between institutions.
The USG chief information security officer shall maintain information security implementation guidelines that the USO, all USG institutions, and the GPLS should consider in the development of their individualized information security plans.
11.3.3 Institutional Responsibilities
The president of each institution and the GPLS state librarian shall be responsible for ensuring that appropriate and auditable information security controls are in place.
The USO, all USG institutions, and the GPLS shall each develop, implement, and maintain an individualized information security plan consisting of a set of information security policies, standards, and guidelines that is consistent with the guidelines provided by the USG Office of Information Security (OIS). This information security plan must be submitted to the OIS for periodic review.
The Board recognizes that user awareness, training, and education are a vital part of information security. Therefore, methods for ensuring that information regarding the applicable laws, regulations, guidelines, and policies is distributed and readily available to its user community shall be included in the individualized information security plan.
Clear procedures for reporting and handling of information security incidents shall be followed. These procedures shall include reporting of incidents to the USO in a timely manner, and shall be documented in the individualized information security plan.
Any other institutions or institutes added to the USG shall develop information security plans using the same guidelines as referred to above (BoR Minutes, January 2006).