12.4 Cybersecurity
(Last Modified on June 9, 2021)
Cybersecurity refers to preventative methods used to protect information and information systems, products and services from unauthorized access, compromise or attack. Cybersecurity requires an understanding of potential threats and utilizes strategies that include, for example, identity management, risk management and incident management.
12.4.1 Safeguards
(Last Modified on June 9, 2021)
Shared information is a powerful tool and loss or misuse can be costly, if not illegal. The purpose of this section is to ensure that cybersecurity safeguards are established, in place, effective and adhered to in order to reduce risk. This applies to all users of ÖгöÉÙ¸¾ÊÓƵ information resources.
Safeguards include the policies, procedures, requirements, and practices that are necessary for maintaining a secure environment for the storage and dissemination of information. The objective of ÖгöÉÙ¸¾ÊÓƵ organizations is to protect information from inadvertent or intentional damage as well as unauthorized disclosures or use. The benefits of safeguards include identification of fraud, security vulnerabilities, unforeseen threats and minimization of potential impacts. Other benefits include audit compliance, service level monitoring, performance measuring, limiting liability and capacity planning. The ÖгöÉÙ¸¾ÊÓƵ recognizes that cybersecurity:
- Is everyoneÖгöÉÙ¸¾ÊÓƵ™s responsibility;
- Is a cornerstone of maintaining public trust;
- Should be risk-based and cost-efficient;
- Should align with ÖгöÉÙ¸¾ÊÓƵ priorities, industry best practices and government requirements; and,
- Should be applied holistically, regardless of medium.
ÖгöÉÙ¸¾ÊÓƵ organizations must designate trained cybersecurity representatives whose role includes:
- Communicating cybersecurity policies to all employees and contractors; and,
- Reporting deviations from policies and procedures.
ÖгöÉÙ¸¾ÊÓƵ organizations must:
- Develop procedures and processes that support compliance with Board of Regents (BOR) and ÖгöÉÙ¸¾ÊÓƵ policies and procedures. Organizational procedures and processes may be more specific than BOR and ÖгöÉÙ¸¾ÊÓƵ policies and procedures but shall in no case be less than the minimum requirements; and,
- Develop strategic and operational control guidance of hardware, software and telecommunications facilities; and,
- Re-evaluate cybersecurity and data privacy risk on an ongoing basis and as key factors, including the organizationÖгöÉÙ¸¾ÊÓƵ™s business environment, governance, data processing and systems/products/services change.
ÖгöÉÙ¸¾ÊÓƵ organizations must develop reporting processes to support investigation of and response to suspicious activities and follow ÖгöÉÙ¸¾ÊÓƵ guidelines for reporting or investigating acts of suspected malfeasance that involve organizational data as noted in the BOR ÖгöÉÙ¸¾ÊÓƵ System of Georgia Ethics Policy.
12.4.2 Classification
(Last Modified on August 26, 2021)
Because ÖгöÉÙ¸¾ÊÓƵ data must be given appropriate protection from unauthorized use, access, disclosure, modification, loss or deletion, each ÖгöÉÙ¸¾ÊÓƵ organization must classify each record. When classifying a collection of data, the most restrictive classification of any of the individual elements should be used based on the following classification structure or similar schema required by regulations governing specific data domains:
- Unrestricted/Public Information is information maintained by a ÖгöÉÙ¸¾ÊÓƵ organization that is not exempt from disclosure under the provisions of the Open Records Act or other applicable state or federal laws. Some level of control is required to prevent unauthorized modification or destruction of public information.
- Sensitive Information is information maintained by a ÖгöÉÙ¸¾ÊÓƵ organization that requires special precautions to protect from unauthorized use, access and disclosure guarding against improper information modification, loss or destruction. Sensitive information is not exempt from disclosure under the provisions of the Open Records Act or other applicable state or federal laws but is not necessarily intended for public consumption.
- Confidential Information is information maintained by a ÖгöÉÙ¸¾ÊÓƵ organization that is subject to authorized restrictions on information access and disclosure, including, without limitation, the protection of personal privacy and proprietary information. (44 USC Sec 3542) Confidential classified documents are exempt from disclosure under the provisions of the Open Records Act or other applicable state or federal laws.
Note: The Open Records Act is located at .
In addition, Personal Information may occur in unrestricted/public, sensitive, and/or confidential information. It is information that identifies or describes an individual and must be considered in the classification structure. Please refer to the IT Handbook for further information and guidance. Information classification must be part of the information technology risk management program, as detailed in the IT Handbook.
12.4.3 Access Procedures
(Last Modified on August 26, 2021)
This section promotes secure and appropriate access to ÖгöÉÙ¸¾ÊÓƵ information systems, and to the data used, processed, stored, maintained and/or transmitted in and through those systems. It is essential that access to and use of the ÖгöÉÙ¸¾ÊÓƵÖгöÉÙ¸¾ÊÓƵ™s information systems and data are properly secured and protected against cybersecurity and data privacy threats and dangers.
All users are required to adhere to the following rules in order to process data acquired from ÖгöÉÙ¸¾ÊÓƵ information systems. These rules also apply to any contractors or non-ÖгöÉÙ¸¾ÊÓƵ persons who acquire access to ÖгöÉÙ¸¾ÊÓƵ systems in any format, and on any device.
Procedures:
ÖгöÉÙ¸¾ÊÓƵ organizations shall identify and categorize information systems that process or store confidential or sensitive information, or are critical systems. The suggested responsible party is the data trustee or designee.
ÖгöÉÙ¸¾ÊÓƵ organizations will identify the data trustee and data steward for each critical system or systems containing confidential or sensitive information. A list of these systems and the associated trustee and steward shall be made available upon request.
ÖгöÉÙ¸¾ÊÓƵ organizations will maintain a current list of users granted access to information systems. Only authorized users should be allowed physical, electronic or other access to information systems.
ÖгöÉÙ¸¾ÊÓƵ organizations will define both administrative and technical access controls. The suggested responsible parties are Human Resources (HR), the data trustee and data steward.
Access controls must include, but are not limited to:
- Documented procedures to grant, review, deactivate, update or terminate account access;
- Ensure appropriate resources are available and maintained to adequately authenticate and verify authorized access; and,
- Ensure appropriate resources are available and maintained to prevent and detect unauthorized use.
Data trustees, data stewards and users share the responsibility of preventing unauthorized access to ÖгöÉÙ¸¾ÊÓƵ organizationsÖгöÉÙ¸¾ÊÓƵ™ information systems.
Data stewards will analyze user roles and determine the level of access required to perform a job function. The level of authorized access must be based on Principle of Least Privilege.
HR and/or the supervisor will notify the data steward of personnel status changes in job function, status, transfers, referral privileges or affiliation.
Access to an information system must be reviewed regularly. Data stewards must review user access to the information system every six months and document findings.
Data trustee or designee will ensure that a business process exists to update information system access no more than five business days after terminations and no more than 30 days after other personnel status changes.
12.4.4 Segregation and Separation of Duties
(Last Modified on March 22, 2019)
In addition to having a well-organized and defined data governance structure, ÖгöÉÙ¸¾ÊÓƵ organizations must ensure that its organizational structure, job duties, and business processes include an adequate system of separation of duties (SOD) taking into account a cost-benefit and risk analysis. SOD is fundamental to reducing the risk of loss of confidentiality, integrity and availability of information. To accomplish SOD, duties are divided among different individuals to reduce the risk of error or inappropriate action. For example, the employee or office responsible for safeguarding an asset should be someone other than the employee or office that maintains accounting records for that asset. In general, responsibility for related transactions should be divided among employees so that one employeeÖгöÉÙ¸¾ÊÓƵ™s work serves as a check on the work of other employees. When duties are separated, there must be collusion between employees for assets/data to be used inappropriately without detection.
While electronic processes enhance accuracy and efficiency, they also can blur SOD. ÖгöÉÙ¸¾ÊÓƵ organizations must evaluate and establish well-documented controls to deter an individual or an office from having the authority (or the ability) to perform conflicting functions both outside and within technology information systems.
↑ Top