Board of Regents Policy Manual

Official Policies of the University System of Georgia

10.4 Cybersecurity

Information created, collected, or distributed using technology by the University System Office (USO), all University System of Georgia (USG) institutions, and the Georgia Public Library Service (GPLS) is a valuable asset and must be protected from unauthorized disclosure, modification, and destruction. The degree of protection needed is determined by the nature of the resource and its intended use. The USO, all USG institutions, and the GPLS shall employ prudent cybersecurity policies, standards, and practices to minimize the risk to the confidentiality, integrity, and availability of data and information and shall create and maintain an internal cybersecurity program.

10.4.1 System-Level Responsibilities

The USG chief information security officer shall develop and maintain a cybersecurity organization and architecture in support of cybersecurity across the USG and between USG institutions.

The USG chief information security officer shall maintain cybersecurity implementation guidelines that the USO, all USG institutions, and the GPLS shall follow in the development of their individualized cybersecurity plans.

10.4.2 Institutional- and Organizational-Level Responsibilities

The President of each USG institution and the GPLS State Librarian shall ensure that appropriate and auditable information security controls are in place, which shall include maintaining a trained and dedicated information security officer.

The USO, all USG institutions, and the GPLS shall each develop, implement, and maintain a cybersecurity plan consisting of cybersecurity policies, standards, procedures, and guidelines that is consistent with the guidelines provided by USG Cybersecurity and submit the plan to USG Cybersecurity for review upon request.

Cybersecurity implementation must include a user awareness, training, and education plan, which is consistent with the guidelines provided by USG Cybersecurity and shall be submitted to USG Cybersecurity for review upon request. Methods for ensuring that applicable laws, regulations, guidelines, and policies concerning cybersecurity awareness training are followed shall be distributed and readily available to each organization’s user community.

Clear procedures for reporting and managing cybersecurity incidents shall be documented, adhered to, and contained in a cybersecurity incident response plan, which shall be submitted to USG Cybersecurity for review upon request. These procedures shall include the reporting of incidents to the USO in a timely manner.

10.4.3 Identity Theft

The USG shall maintain a program and policies designed to protect against identity theft and to safeguard personal and financial information maintained by the USG and its institutions and organizations. The program shall comply with all applicable credit reporting and electronic transaction laws, be reviewed at least annually for effectiveness and legal compliance, and be widely distributed.

↑ Top