Board of Regents Policy Manual

7.12 Information Security Policy

Regulations on information security will be published and distributed periodically to the various operating units in Section 12.0, Protection and Security of Records, of the Business Procedures Manual.

7.12.1 General Policy

The Board of Regents recognizes that information created, collected, or distributed using technology by the University System Office and USG institutions is a valuable asset and must be protected from unauthorized disclosure, modification, or destruction. The degree of protection needed is based on the nature of the resource and its intended use. The University System Office and all USG institutions have the responsibility to employ prudent information security policies, standards, and practices to minimize the risk to the integrity, confidentiality, and availability of USG information.

Therefore, the University System Office and all USG institutions shall create and maintain an internal information security technology infrastructure consisting of an information security organization and program that ensures the confidentiality, availability, and integrity of all USG information assets.

7.12.2 System-level Activities

The USG chief information security officer shall develop and maintain an information security organization and architecture for support of information security across the USG and support of activities between institutions.

The USG chief information security officer shall maintain information security implementation guidelines that the individual USG units should consider in the development of their individualized information security plans.

7.12.3 Institutional Responsibilities

The president of each institution shall be responsible for ensuring that appropriate and auditable information security controls are in place at his/her institution.

Each institution shall develop, implement, and maintain an information security plan consisting of a set of information security policies, standards, and guidelines that is consistent with the guidelines provided by the Office of Information Security. Institutions must submit the information security plan to the Office of Information Security for periodic review.

The Board recognizes that user education is a vital part of information security. Therefore, each institution shall include in its information security plan methods for ensuring that information regarding the applicable laws, regulations, guidelines, and policies is distributed and readily available to its user community.

Clear procedures for reporting and handling of information security incidents shall be followed at each institution. These procedures shall include reporting of incidents to the University System Office in a timely manner. These procedures shall be documented in the institution’s formal information security plan.

Any other institutions or institutes added to the USG shall develop information security plans using the same guidelines as referred to above (BoR Minutes, January 2006).

7.12.4 Specific Policies and Standards

7.12.4.1 Appropriate Use

It is USG policy to provide an environment that encourages the free exchange of ideas and sharing of information. Access to this environment and the USG’s information technology (IT) resources is a privilege and must be treated with the highest of ethical standards.

The USG requires all institutions and their users to use IT resources in a responsible manner, respecting the public trust through which these resources have been provided, the rights and privacy of others, the integrity of facilities and controls, state and Federal laws, and USG policies and standards. USG institutions may develop policies, standards and guidelines based on their specific needs that augment, but do not lessen, the intent of this policy.

This policy outlines the standards for appropriate use of USG IT resources, which include, but are not limited to, equipment, software, networks, data, and telephones whether owned, leased, or otherwise provided by the USG institutions.

This policy applies to all users of USG IT resources including faculty, staff, students, guests, and external organizations and individuals accessing network services, such as the Internet, via USG resources.

Preserving the access to information resources is a system-wide effort that requires each institution and its leadership to act responsibly and to proactively guard against abuses. Therefore, the USG as a whole, each individual institution, and its users have an obligation to abide by the following standards of appropriate and ethical use:

  1. Use only those IT resources for which you have authorization.
  2. Protect the access and integrity of IT resources.
  3. Abide by applicable local, state, and federal laws and university policies, and respect the copyrights and intellectual property rights of others, including the legal use of copyrighted material.
  4. Use IT resources only for their intended purposes.
  5. Respect the privacy and personal rights of others.
  6. Do no harm.

Failure to comply with the appropriate use of these resources threatens the atmosphere for the sharing of information, the free exchange of ideas, and the secure environment for creating and maintaining information, and subjects one to discipline. Any user of any USG system found using IT resources for unethical and/or inappropriate practices has violated this policy and is subject to disciplinary proceedings including suspension of system privileges, expulsion from his/her institution, termination of employment, and/or legal action as may be appropriate.

Although all USG members have an expectation of privacy, if a user is suspected of violating this policy, his/her right to privacy may be superseded by the USG’s requirement to protect the integrity of IT resources, the rights of all users, and the property of the USG and the State. The USG thus reserves the right to examine material stored on or transmitted through its resources if there is cause to believe that the standards for appropriate use are being violated by a member institution, a user, or a trespasser onto its systems or networks.

Specific guidelines for interpretation and administration of this policy are given in the Guidelines for Interpretation and Administration of the USG Appropriate Use Policy. These guidelines contain more specific examples of offenses, and procedures for dealing with incidents.

7.12.4.2 Information Security Risk Management

Risk management is the process of taking actions to avoid or reduce risk to acceptable levels. This process includes both the identification and assessment of risk through risk analysis, and the initiation and monitoring of appropriate practices in response to that analysis through the institution’s risk management program.

The University System Office and USG institutions must ensure the integrity of computerized information resources by protecting them from unauthorized access, modification, destruction, or disclosure and by ensuring the physical security of these resources. The University System Office and USG institutions shall also ensure that users, contractors, and third parties having access to institution computerized information resources are informed of and abide by this policy and the institution security plan, and are informed of applicable Federal laws and State statutes related to computerized information resources.

Each USG institution that employs information technology must establish risk management and disaster recovery planning processes for identifying, assessing, and responding to the risks associated with its information assets. The USG’s information assets (its data processing capabilities, information technology infrastructure and data) are an essential resource and asset. For many institutions, program operations would effectively cease in the absence of key computer systems. In some cases, public health and safety would be immediately jeopardized by the failure or disruption of a system. Furthermore, the unauthorized modification, deletion, or disclosure of information included in institution files and databases can compromise the integrity of USG programs, violate individuals’ right to privacy, and constitute a criminal act.

The practice of information security risk management within the institution must be based upon the results of the institution’s risk analysis process. Obtaining resources for risk management is subject to the same technical, programmatic, and budgetary justification and review processes required for any information technology program. The risk management practices implemented by the institution will vary depending upon the nature of the institution’s information assets.

Among the practices that must be included in each institution’s risk management program are:

  1. Categorize the information system (criticality/sensitivity).
  2. Select and tailor baseline (minimum) security controls.
  3. Supplement the security controls based on risk assessment.
  4. Document security controls in system security plan.
  5. Implement the security controls in the information system.
  6. Assess the security controls for effectiveness.
  7. Authorize information system operation based on mission risk.
  8. Monitor security controls on a continuous basis.

Senior management shall then choose one of the following actions for each of the identified risks:

  1. Mitigate the risk by implementing the recommended countermeasure;
  2. Accept the risk;
  3. Avoid the risk; or,
  4. Pass on the risk.

7.12.4.3 Continuity of Operations Plan Policy

Continuity of Operations Planning (COOP) and Continuity of Government (COG) ensure the continuity of essential functions through a wide range of emergencies and disasters. Today’s changing threat environment and recent natural and man-made emergencies demonstrate the need for COOP/COG capabilities and plans at the University System Office, USG institutions, and the Georgia Public Library Services (GPLS).

This policy requires the University System Office, each USG institution and the GPLS to establish a plan to develop and maintain a Continuity of Operations Plan (COOP) Program. This policy applies to all USG information resources, systems, and technology and to all users of these resources, systems and technology within the USG operating umbrella or connected to the USG information infrastructure. Compliance with this policy is mandatory.

The program plan must include a:

  1. Backup and recovery plan for critical data/systems;
  2. Computer security incident response (IR) and reporting plan;
  3. Disaster recovery (DR) plan; and,
  4. Business continuity (BC) plan for all critical data and information systems supporting the University System Office, USG institutions, and GPLS mission and operations activities.

The program shall create plans for contingency and disaster response. These plans will be tested periodically to ensure they reflect current operating conditions and address current threats.

The following documents contain information on the program plan scope, enforcement, authority, and exceptions:

  1. Section 7.0 of this Policy Manual
  2. USG Office of Information Security Program Policy
  3. USG Strategic Information Security Plan
  4. USG Information Security Program Reporting Policy

The guiding principles of the USG Continuity of Operations Plan Policy are:

  1. It shall be developed following existing standards, industry best practices, and National Institute of Standards and Technology (NIST) guidelines.
  2. It will require the involvement of the University System Office, all USG institutions, and the GPLS to ensure an effective system response to contingencies and disasters.
  3. It must incorporate the physical and logistical limitations of the USG operating locations.
  4. It will be aligned with the USG Emergency Operations Plan.

This policy shall establish a requirement to develop a formal program to develop, maintain, and evaluate plans to appropriately respond to a wide range of contingencies and disasters that may occur at the University System Office, all of the USG institutions, and the GPLS. The plans shall describe the actions to be taken before, during and after events that disrupt critical information system operations.

Backup/Recovery and Offsite Storage of Critical Data and Systems
Backup and retention schedules and procedures are critical to the recovery of any USG unit’s systems, applications and data. The detailed procedures for such a recovery should include hardware, software (including version), data file back up and retention schedules, off-site storage details, and appropriate contact and authority designation for personnel to retrieve media.

Off-site Storage of Backup Material
Where possible, backup media will be stored at a suitable off-site location. For locations where off-site storage is not practicable or cost-effective, COOP leadership will designate an appropriate facility to serve as the off-site storage of backup media. A suitable facility is one within reasonable distance of the main campus or facility, but not likely to be immediately threatened by the contingency or disaster.

Incident Management
The University System Office, USG institutions, and the GPLS will establish a Computer Security Incident Response capability program to respond to and manage adverse activities or actions that threaten the successful conduct of teaching, instruction, research and operations in the USG. The computer security incident response plan will follow existing USG policies, standards, industry best practices, and International Organization for Standardization (ISO) and NIST guidelines.

The University System Office, USG institutions, and the GPLS management must promptly investigate incidents involving loss, damage, misuse of information assets, or improper dissemination of information. The University System Office, all USG institutions, and the GPLS are required to report information security incidents consistent with the security reporting requirements in this policy.

Proper incident management includes the formulation and adoption of a written incident management plan that provides for the timely assembly of appropriate staff that are capable of developing a response to, appropriate reporting about, and successful recovery from a variety of incidents.

In addition, incident management includes the application of lessons learned from incidents, together with the development and implementation of appropriate corrective actions directed to preventing or mitigating the risk of similar occurrences in the future.

Disaster Recovery Management
The University System Office, USG institutions, and the GPLS must establish a COOP Program that provides processes, supported by executive management and resources, to ensure the appropriate steps are taken to identify the impact of potential losses, maintain viable recovery strategies and plans, and ensure they have the ability to continue their essential functions during a business disruption or major catastrophic event. The program controls ensure that information is protected by providing for regular backup of automated files and databases, identify and reduce risks, limit the consequences of an incident, and ensure the availability of information assets for continued business.

Disaster Recovery Planning
Disaster recovery planning, also known as business continuity planning, provides for continuity of computing operations in support of critical business functions, minimizes decision-making during an incident, produces the greatest benefit from the remaining limited resources, and achieves a systematic and orderly migration toward the resumption of all computing services within the University System Office, USG institutions, and the GPLS following a business disruption. It is essential that critical IT services and critical applications be restored as soon as possible.

It is important to recognize that no disaster recovery program is ever complete. All disaster recovery planning is based upon available knowledge and assumptions, and must be adapted to changing circumstances and business needs, as appropriate. Strategies, procedures, and resources must be adapted as often as necessary in order to recover critical applications. Recovery strategies must be developed and updated routinely to anticipate risks including loss of utility (hardware, software, power, telecommunications, etc.), loss of access to the facility, and loss of the facility itself.

The disaster recovery planning process supports necessary preparation to identify and document procedures to recover critical operations in the event of an outage. The University System Office, USG institutions, and the GPLS should consider the results of their risk analysis process and their business impact analysis when developing their Disaster Recovery Plan (DRP). These processes should culminate in a viable, fully documented, and tested DRP.

To provide for recoverability of new systems, the University System Office, USG institutions, and the GPLS must include disaster recovery considerations and costs in project authority documents and budget proposals.

To improve the likelihood for the full recovery of key business processes, DRPs should be developed as part of a complete business continuity (BC) program, which includes emergency response and business resumption plans.

Disaster Recovery Plan (DRP)
The University System Office, USG institutions, and the GPLS must maintain a Disaster Recovery Plan (DRP) identifying the computer applications that are critical to their operations, the information assets that are necessary for those applications, and the plans for resuming operations following an unplanned disruption of those applications.

The University System Office, USG institutions, and the GPLS must keep their Disaster Recovery Plans up to date and provide an annual status document to the Office of Information Security. The annual requirements are:

  1. File a copy of its DRP Executive Summary.
  2. Cover, at a minimum, ten (10) topic areas, which are listed and described in the Disaster Recovery Plan Documentation for Institutions.

It is important to adapt the detailed content of each plan section to suit the needs of the University System Office, USG institutions, and the GPLS, with the understanding that DRPs are based upon available information so they can be adjusted to changing circumstances.
