Policies and Reports
Given the USG and the state government’s increased use of IT and Internet-based services, the USG has a compelling need to ensure that the confidentiality, integrity and availability of those systems and services are adequately protected from known and anticipated threats. As noted in Section 5.2.2 of the Information Technology Handbook, USG institutions, the USO, the GPLS, and the Georgia Archives are responsible for designating officials within their organizations to fulfill key security functions and to report on the organization’s status of compliance with security policy, standards and procedures. While reporting and self-certification activities alone do not ensure the security of USG and state information assets, they do demonstrate an organization’s acknowledgement of the requirements and provide a measure of accountability.
A policy is typically a concise document that outlines specific requirements, business rules or a company stance that must be met. The policy is the organization’s stance on an issue, program or system. It is a rule that everyone must meet. A standard is a requirement that supports a policy, and a guideline is a document that suggests a path or guidance on how to achieve or reach compliance with a policy. There are three phases in the USG policy development cycle:
In the information and network security realm, policies are usually point-specific, covering a single area. Policies can be program policies, issue-specific policies, and system policies.
The USG follows the Association of College and University Policy Administrators (ACUPA) model for policy development, modified for our environment.