11.2 Project Authorization
The Board of Regents shall rely on the Chancellor, the presidents of all USG institutions, and their chief information officers to develop, adapt, and administer the information technology methods and procedures for promoting efficiency of operations and the advancement of learning.
The term “technology” is defined in O.C.G.A. § 50-25-1 and includes, but is not limited to:
“hardware, software, and communications equipment, including, but not limited to, personal computers, mainframes, wide and local area networks, servers, mobile or portable computers, peripheral equipment, telephones, wireless communications, public safety radio services, facsimile machines, technology facilities including, but not limited to, data centers, dedicated training facilities, and switching facilities, and other relevant hardware and software items as well as personnel tasked with the planning, implementation, and support of technology.”
11.1.1 Board of Regents Procedures and Guidelines
The Board of Regents holds the USG chief information officer responsible for the establishment of the procedures and guidelines under which the acquisition, development, planning, design, construction/renovation, management, and operation of USG technology facilities and systems shall be accomplished. Documentation of Board of Regents’ procedures and guidelines shall be maintained and updated in electronic format and shall be readily available to institutions, consultants, vendors, and any other parties involved in work on USG IT-related initiatives. A complete list and current documents will be accessible on the USG web site.
The USG chief information officer shall periodically update the Board on the status of documents available for guidance on USG IT-related topics.
11.1.2 Delegation of Authority
For the purposes of this section of this Policy Manual, unless specifically designated otherwise, the Chancellor’s designee shall be the USG chief information officer or any other person designated by the Chancellor in writing from time to time.
Where the Board has authorized action or has previously delegated authority, the Chancellor, the Chancellor’s designee, and the USG chief information officer shall be authorized and empowered, in the name and on behalf of the Board of Regents of the University System of Georgia, to take or cause to be taken any and all such further action as, in the judgment of such officials, may be necessary, proper, convenient, or required in connection with the execution and delivery of such instruments, documents, or writings in order to carry out the intent of authority granted and authority delegated so as to comply with state and federal law.
All technology acquisitions, as well as upgrades and expansions to existing technology solutions and associated agreements, using funds from any source shall require authorization by the Board of Regents and shall be implemented in accord with established Board procedures under the direction of the USG chief information officer.
The USG chief information officer is authorized to act on behalf of the Board of Regents, without prior approval of the Board, in the authorization of IT projects in accordance with state law and existing BoR policy governing IT procurement.
11.3.1 General Policy
The Board of Regents recognizes that information created, collected, or distributed using technology by the University System Office (USO), all USG institutions, and the Georgia Public Library Service (GPLS) is a valuable asset and must be protected from unauthorized disclosure, modification, or destruction. The degree of protection needed is based on the nature of the resource and its intended use. The USO, all USG institutions, and the GPLS have the responsibility to employ prudent information security policies, standards, and practices to minimize the risk to the confidentiality, integrity, and availability (CIA) of USG information.
Therefore, the USO, all USG institutions, and the GPLS shall create and maintain an internal information security technology infrastructure consisting of an information security organization and program that ensures the confidentiality, availability, and integrity of all USG information assets.
11.2.1 Delegation of Authority
The USG chief information officer may delegate any or all of the above authority, to authorize projects, to individual USG institution presidents or their representatives based upon an evaluation by the Chancellor or USG chief information officer of the ability of an institution to properly administer the delegated authority. Such delegation of authority shall be administered in accordance with Board of Regents policies, procedures and guidelines. Delegated authority may be withdrawn at the discretion of the Chancellor or the USG chief information officer.
11.3.2 System-Level Activities
The USG chief information security officer shall develop and maintain an information security organization and architecture for support of information security across the USG and support of activities between institutions.
The USG chief information security officer shall maintain information security implementation guidelines that the USO, all USG institutions, and the GPLS should consider in the development of their individualized information security plans.
11.3.3 Institutional Responsibilities
The president of each institution and the GPLS state librarian shall be responsible for ensuring that appropriate and auditable information security controls are in place.
The USO, all USG institutions, and the GPLS shall each develop, implement, and maintain an individualized information security plan consisting of a set of information security policies, standards, and guidelines that is consistent with the guidelines provided by the USG Office of Information Security (OIS). This information security plan must be submitted to the OIS for periodic review.
The Board recognizes that user awareness, training, and education are a vital part of information security. Therefore, methods for ensuring that information regarding the applicable laws, regulations, guidelines, and policies is distributed and readily available to its user community shall be included in the individualized information security plan.
Clear procedures for reporting and handling of information security incidents shall be followed. These procedures shall include reporting of incidents to the USO in a timely manner, and shall be documented in the individualized information security plan.
Any other institutions or institutes added to the USG shall develop information security plans using the same guidelines as referred to above (BoR Minutes, January 2006).