10.4 Cybersecurity
Information created, collected, or distributed using technology by the University System Office (USO), all University System of Georgia (USG) institutions, and the Georgia Public Library Service (GPLS) is a valuable asset and must be protected from unauthorized disclosure, modification, and destruction. The degree of protection needed is determined by the nature of the resource and its intended use. The USO, all USG institutions, and the GPLS shall employ prudent cybersecurity policies, standards, and practices to minimize the risk to the confidentiality, integrity, and availability of data and information and shall create and maintain an internal cybersecurity program.
10.4.1 System-Level Responsibilities
The USG chief information security officer shall develop and maintain a cybersecurity organization and architecture in support of cybersecurity across the USG and between USG institutions.
The USG chief information security officer shall maintain cybersecurity implementation guidelines that the USO, all USG institutions, and the GPLS shall follow in the development of their individualized cybersecurity plans.
10.4.2 Institutional- and Organizational-Level Responsibilities
The President of each USG institution and the GPLS State Librarian shall ensure that appropriate and auditable information security controls are in place, which shall include maintaining a trained and dedicated information security officer.
The USO, all USG institutions, and the GPLS shall each develop, implement, and maintain a cybersecurity plan consisting of cybersecurity policies, standards, procedures, and guidelines that is consistent with the guidelines provided by USG Cybersecurity and submit the plan to USG Cybersecurity for review upon request.
Cybersecurity implementation must include a user awareness, training, and education plan, which is consistent with the guidelines provided by USG Cybersecurity and shall be submitted to USG Cybersecurity for review upon request. Methods for ensuring that applicable laws, regulations, guidelines, and policies concerning cybersecurity awareness training are followed shall be distributed and readily available to each organization's user community.
Clear procedures for reporting and managing cybersecurity incidents shall be documented, adhered to, and contained in a cybersecurity incident response plan, which shall be submitted to USG Cybersecurity for review upon request. These procedures shall include the reporting of incidents to the USO in a timely manner.
10.4.3 Identity Theft
The USG shall maintain a program and policies designed to protect against identity theft and to safeguard personal and financial information maintained by the USG and its institutions and organizations. The program shall comply with all applicable credit reporting and electronic transaction laws, be reviewed at least annually for effectiveness and legal compliance, and be widely distributed.