Board of Regents Policy Manual

Official Policies of the University System of Georgia

10.4 Cybersecurity

Information created, collected, or distributed using technology by the University System Office (USO), all University System of Georgia (USG) institutions, and the Georgia Public Library Service (GPLS) is a valuable asset and must be protected from unauthorized disclosure, modification, and destruction. The degree of protection needed is determined by the nature of the resource and its intended use. The USO, all USG institutions, and the GPLS shall employ prudent cybersecurity policies, standards, and practices to minimize the risk to the confidentiality, integrity, and availability of data and information and shall create and maintain an internal cybersecurity program.

10.4.1 System-Level Responsibilities

The USG chief information security officer shall develop and maintain a cybersecurity organization and architecture in support of cybersecurity across the USG and between USG institutions.

The USG chief information security officer shall maintain cybersecurity implementation guidelines that the USO, all USG institutions, and the GPLS shall follow in the development of their individualized cybersecurity plans.

10.4.2 Institutional- and Organizational-Level Responsibilities

The President of each USG institution and the GPLS State Librarian shall ensure that appropriate and auditable information security controls are in place, which shall include maintaining a trained and dedicated information security officer.

The USO, all USG institutions, and the GPLS shall each develop, implement, and maintain a cybersecurity plan consisting of cybersecurity policies, standards, procedures, and guidelines that is consistent with the guidelines provided by USG Cybersecurity and submit the plan to USG Cybersecurity for review upon request.

Cybersecurity implementation must include a user awareness, training, and education plan, which is consistent with the guidelines provided by USG Cybersecurity and shall be submitted to USG Cybersecurity for review upon request. Methods for ensuring that applicable laws, regulations, guidelines, and policies concerning cybersecurity awareness training are followed shall be distributed and readily available to each organization's user community.

Clear procedures for reporting and managing cybersecurity incidents shall be documented, adhered to, and contained in a cybersecurity incident response plan, which shall be submitted to USG Cybersecurity for review upon request. These procedures shall include the reporting of incidents to the USO in a timely manner.

10.4.3 Identity Theft

The USG shall maintain a program and policies designed to protect against identity theft and to safeguard personal and financial information maintained by the USG and its institutions and organizations. The program shall comply with all applicable credit reporting and electronic transaction laws, be reviewed at least annually for effectiveness and legal compliance, and be widely distributed.