Business Procedures Manual

Essential business procedural components for University System of Georgia institutions.

12.4 Cybersecurity

(Last Modified on March 22, 2019)

Cybersecurity refers to preventative methods used to protect information and information systems from unauthorized access, compromise or attack. Cybersecurity requires an understanding of potential threats and utilizes strategies that include, for example, identity management, risk management and incident management.

12.4.1 Safeguards

(Last Modified on March 22, 2019)

Shared information is a powerful tool and loss or misuse can be costly, if not illegal. The purpose of this section is to ensure that cybersecurity safeguards are established, in place, effective and adhered to in order to reduce risk. This applies to all users of USG information resources.

Safeguards include the policies, procedures, requirements, and practices that are necessary for maintaining a secure environment for the storage and dissemination of information. The objective of USG organizations is to protect information from inadvertent or intentional damage as well as unauthorized disclosures or use. The benefits of safeguards include identification of fraud, security vulnerabilities, unforeseen threats and minimization of potential impacts. Other benefits include audit compliance, service level monitoring, performance measuring, limiting liability and capacity planning.

The USG recognizes that cybersecurity:

  • Is everyone’s responsibility;
  • Is a cornerstone of maintaining public trust;
  • Should be risk-based and cost-efficient;
  • Should align with USG priorities, industry best practices and government requirements; and,
  • Should be applied holistically, regardless of medium.

USG organizations must designate trained cybersecurity representatives whose role includes:

  • Communicating cybersecurity policies to all employees and contractors; and,
  • Reporting deviations from policies.

USG organizations must:

  • Develop procedures and processes that support compliance with Board of Regents (BOR) and USG policies and procedures. Organizational procedures and processes may be more specific than BOR and USG policies and procedures but shall in no case be less than the minimum requirements; and,
  • Develop strategic and operational control guidance of hardware, software and telecommunications facilities.

USG organizations must develop reporting processes to support investigation of and response to suspicious activities and follow USG guidelines for reporting or investigating acts of suspected malfeasance that involve organizational data as noted in the BOR University System of Georgia Ethics Policy.


12.4.2 Classification

(Last Modified on March 22, 2019)

Because USG data must be given appropriate protection from unauthorized use, access, disclosure, modification, loss or deletion, each USG organization must classify each record. When classifying a collection of data, the most restrictive classification of any of the individual elements should be used based on the following classification structure or similar schema required by regulations governing specific data domains:

  • Unrestricted/Public Information is information maintained by a USG organization that is not exempt from disclosure under the provisions of the Open Records Act or other applicable state or federal laws. Some level of control is required to prevent unauthorized modification or destruction of public information.
  • Sensitive Information is information maintained by a USG organization that requires special precautions to protect from unauthorized use, access and disclosure guarding against improper information modification, loss or destruction. Sensitive information is not exempt from disclosure under the provisions of the Open Records Act or other applicable state or federal laws but is not necessarily intended for public consumption.
  • Confidential Information is information maintained by a USG organization that is subject to authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. (44 USC Sec 3542) Confidential classified documents are exempt from disclosure under the provisions of the Open Records Act or other applicable state or federal laws.

Note: The Open Records Act is located at http://law.ga.gov/law.

In addition, Personal Information may occur in unrestricted/public, sensitive, and/or confidential information. It is information that identifies or describes an individual and must be considered in the classification structure. Please refer to the IT Handbook for further information and guidance. Information classification must be part of the information technology risk management program, as detailed in the IT Handbook.


12.4.3 Access Procedures

(Last Modified on March 22, 2019)

This section promotes secure and appropriate access to USG information systems, and to the data used, processed, stored, maintained and/or transmitted in and through those systems. It is essential that access to and use of the USG’s information systems and data are properly secured and protected against cybersecurity threats and dangers.

All users are required to adhere to the following rules in order to use, access, store, process, and/or display data acquired from USG information systems. These rules also apply to any contractors or non-USG persons who acquire access to USG systems in any format, and on any device.

Procedures:

  • USG organizations shall identify and categorize information systems that process or store confidential or sensitive information, or are critical systems. The suggested responsible party is the data trustee or designee.

  • USG organizations will identify the data trustee and data steward for each critical system or systems containing confidential or sensitive information. A list of these systems and the associated trustee and steward shall be made available upon request.

  • USG organizations will maintain a current list of users granted access to information systems. Only authorized users should be allowed physical, electronic or other access to information systems.

  • USG organizations will define both administrative and technical access controls. The suggested responsible parties are Human Resources (HR), the data trustee and data steward.

    • Access controls must include, but are not limited to:
    • Documented procedures to grant, review, deactivate, update or terminate account access;
    • Ensure appropriate resources are available and maintained to adequately authenticate and verify authorized access; and,
    • Ensure appropriate resources are available and maintained to prevent and detect unauthorized use.
  • Data trustees, data stewards and users share the responsibility of preventing unauthorized access to USG organizations’ information systems.

  • Data stewards will analyze user roles and determine the level of access required to perform a job function. The level of authorized access must be based on Principle of Least Privilege.

  • HR and/or the supervisor will notify the data steward of personnel status changes in job function, status, transfers, referral privileges or affiliation.

  • Access to an information system must be reviewed regularly. Data stewards must review user access to the information system every six months and document findings.

Data trustee or designee will ensure that a business process exists to update information system access no more than five business days after terminations and no more than 30 days after other personnel status changes.


12.4.4 Segregation and Separation of Duties

(Last Modified on March 22, 2019)

In addition to having a well-organized and defined data governance structure, USG organizations must ensure that its organizational structure, job duties, and business processes include an adequate system of separation of duties (SOD) taking into account a cost-benefit and risk analysis. SOD is fundamental to reducing the risk of loss of confidentiality, integrity and availability of information. To accomplish SOD, duties are divided among different individuals to reduce the risk of error or inappropriate action. For example, the employee or office responsible for safeguarding an asset should be someone other than the employee or office that maintains accounting records for that asset. In general, responsibility for related transactions should be divided among employees so that one employee’s work serves as a check on the work of other employees. When duties are separated, there must be collusion between employees for assets/data to be used inappropriately without detection.

While electronic processes enhance accuracy and efficiency, they also can blur SOD. USG organizations must evaluate and establish well-documented controls to deter an individual or an office from having the authority (or the ability) to perform conflicting functions both outside and within technology information systems.


↑ Top