USG Information Technology Handbook


USG INFORMATION TECHNOLOGY HANDBOOK
Version 2.9.2
5/1/2020
SENSITIVE

Abstract: The USG Information Technology Handbook's purpose is primarily to set forth the essential standard components USG organizations must follow to meet statutory or regulatory requirements of the federal government and state of Georgia, BOR policy, and IT best practices. Secondly, it is designed to provide new IT professionals within the USG the necessary information and tools to perform effectively. Finally, it serves as a useful reference document for seasoned professionals at USG organizations who need to remain current with changes in federal and state law, and BOR policy.

University System of Georgia

Introduction

The University System of Georgia (USG) comprises public institutions of higher learning, a University System Office, Georgia Public Library System (GPLS), Shared Services Center (SSC), Georgia Archives, and Georgia Film Academy; hereinafter referred to as USG organizations. These USG organizations represent the rich diversity of a state system spanning the spectrum of educational and research offerings. This manual respects the value of the diversity of USG organizations while providing guidance with regard to information technology (IT) operations within the USG.

Version Control

Date | Name | Version | Description of Change
---------- | ---- | ------- | ---------------------
04/18/2016 | Revised cost estimate | |
05/02/2016 | PDF, structure and format. | 2.0 | Initial redesign referenced in a new structure and format.
05/17/2016 | System-level password information added. | 2.1 | Section 5.12.3 – added a statement about system-level passwords in bullet point number 4.
05/27/2016 | Updated flow chart | 2.2 | Section 3.1 – updated "Recommended Process Flow Chart" added to match content.
05/27/2016 | Introduction to the IT Handbook | 2.2 | Section Introduction – updated entire section.
11/1/2016 | Department title changed | 2.3 | As of Nov. 1, 2016, the department name changed to Cybersecurity.
11/3/2016 | Revised Domain Name System | 2.3 | Section 5.13 – content in section was updated and revised.
11/3/2016 | Domain Name System Guidelines | 2.3 | Section 5.13 – added link to the revised Domain Name System (DNS) Guidelines.
11/3/2016 | Addition to USG organizations | 2.3 | Section Introduction – Georgia Film Academy added to the list of USG organizations.
11/17/2016 | Clarification of information system owner | 2.4 | Section 1.3.2 – added clarification of information system owner roles and responsibilities within the framework of people, process and technology.
11/17/2016 | Spending limits updated | 2.4 | Section 4.1 – updated spending limits for purchases in excess of 1 million.
05/15/2017 | Revised section for consistency in format and content. Added title. | 2.5 | Section 1.2 – added the correct title to 1.2.1.
05/15/2017 | Revised section for consistency in format and content. | 2.5 | Section 1.3 – deleted a misplaced word.
05/15/2017 | Revised section for consistency in format and content. Changed location of definitions. | 2.5 | Section 3.0 – added definitions from 3.1 and deleted definitions already stated in Introduction section.
 | | | Section 4.1 – added a statement in IT Procurement Policies.
05/15/2017 | Revised section for consistency in format and content. Changed location of definitions. | 2.5 | Section 3.1 – moved definitions to 3.0.
05/15/2017 | Revised section for consistency in format and content. Deleted exceptions. | 2.5 | Section 3.2 – deleted exceptions to log management standard.
05/15/2017 | Revised section for consistency in format and content. Added accurate titles and deleted standard. | 2.5 | Section 3.3 – provided accurate title for ISO and deleted management of USG continuity of operations planning standard.
05/15/2017 | Revised section for consistency in format and content. Deleted table. | 2.5 | Section 5.3 – added "USG organizations" as stated in the Introduction section, changes made to the USG Incident Response and Reporting Standard and deleted Incident Categories and Reporting Timeframes table.
05/15/2017 | Revised section for consistency in format and content. | 2.5 | Section 5.10 – added content for clarification.
09/07/2017 | Reviewed and revised entire Section 5 for consistency of content | 2.6 | Section 5 – Added "USG organizations" as stated in the Introduction section and other minor editorial changes removing policy and standard where appropriate.
09/07/2017 | Incorporated revisions in Section 5 by University of North Georgia | 2.7 | Section 5 – Incorporated minor editorial changes recommended by University of North Georgia.
01/02/2019 | Revised Section 5.10 to align with the NIST framework and FIPS. | 2.8 | Revisions to required security reporting activities with corresponding due dates. Changed ISPR to CPR and revised components. New sub section "Remediation and Mitigation Tracker" added.
03/18/2019 | Migration | 2.9 | Migrated to MS Word format, export to PDF. Relocated Section 9 to the BPM. Value added Appendix: References, Glossary, Acronyms, and Index. Updated BOR policy reference from Section 11 to Section 10.
02/24/2020 | Incident Management | 2.9.1 | Section 5.3 – Updated language, added baseline requirements and template to submit a plan for review.
02/24/2020 | Awareness Training | 2.9.1 | Section 5.9 – Updated language to align with Section 5.10.
02/22/2020 | Required Reporting | 2.9.1 | Section 5.10 – Updated language and diagram to include biannual awareness training requirements.
02/22/2020 | Multifactor Authentication | 2.9.1 | Section 3.1.2 – Added section to standardize MFA deployment across the USG enterprise.
04/30/2020 | Strike "Section" | 2.9.2 | Section 3.1.2 – Standardized MFA deployment heading.
04/30/2020 | Strike "Compliance Dates", move to "Compliance" table pg. 18 | 2.9.2 | Section 3.1.2 – moved compliance information to table.
04/30/2020 | Strike extra space and add "All recovery planning must include lessons learned and update recovery strategies." | 2.9.2 | Section 3.3.1 – editorial change, and CSF alignment.
04/30/2020 | Add ", or dependent" and add bullet 1 "Create, implement, maintain and test backup and recovery plan." | 2.9.2 | Section 3.3.1 – editorial change, and CSF alignment.
04/30/2020 | Add bullet 2 ", and to provide timely communication." and add bullet 3 "The communication controls ensure that information." | 2.9.2 | Section 3.3.1 – editorial change, and CSF alignment.
04/30/2020 | Add "continuous" | 2.9.2 | Section 5.1.1 – editorial change, and CSF alignment.
04/30/2020 | Add bullet 3 "expected dataflow diagrams," and add bullet 4 "expected dataflow diagrams," | 2.9.2 | Section 5.1.2 – editorial change, and CSF alignment.
04/30/2020 | Editorial corrections #6, and add "Principle of Least Function" | 2.9.2 | Section 5.1.2 – editorial change, and CSF alignment.
04/30/2020 | Add list "i. – v." to #5 and add "incident alert thresholds" to #6 | 2.9.2 | Section 5.3.1 – editorial change, and CSF alignment.
04/30/2020 | Add "continuous," add "5.5.2 - Event data (logs) shall be collected and correlated from sources and sensors." Add "both internal and external to the organization" and add definition "Risk Register" | 2.9.2 | Section 5.5 and 5.5.2 – editorial change, and CSF alignment.
04/30/2020 | Add "Continuously monitor" and add ", which includes:" and list "a. – d." | 2.9.2 | Section 5.5.5 – editorial change, and CSF alignment.
04/30/2020 | Renumber Figure to 4 / relocate reference to bottom | 2.9.2 | Section 5.10.1 – editorial change.
04/30/2020 | Add "principle of least function" | 2.9.2 | Section 5.11.7 – editorial change, and CSF alignment.
04/30/2020 | Rebrand section title to "Domain Name System Management" | 2.9.2 | Section 5.13 – editorial change.
04/30/2020 | Rebrand section title to "Information Protection Management." Strike space in 1st paragraph, strike "of this manual", and add "program's protection processes will:". Add "To improve the protection processes, ensure" and add "information protection/" | 2.9.2 | Section 5.14 – editorial change, and CSF alignment.
04/30/2020 | Add "or protocols" and "or protected" and strike "Information & ePrivacy" | 2.9.2 | Section 5.14.5 – editorial change, and CSF alignment.

Information, in all forms, is a strategic asset to USG organizations and the USG as a system. It is the responsibility of the Vice Chancellor and Chief Information Officer (VC/CIO), under Board of Regents (BOR) Policy 10.2, to establish "the procedures and guidelines under which the acquisition, development, planning, design, construction/renovation, management and operation of USG technology facilities and systems shall be accomplished." Part of this responsibility is to prepare a manual of Information Technology (IT) standards and best practices to be followed by USG organizations.

The hierarchy of USG IT policies and procedures is as follows:

1. BOR Policy Manual is the top-level set of Board-approved policies from which all lower-level USG documents flow. Section 7.14 covers Identity Theft and Section 7.15 describes the Risk Management Policy, including objectives and oversight. Compliance Policy is covered in Section 7.16 and defines applicability and implementation. Section 10, Information, Records & Publications Technology, covers all aspects of USG information technology, including general policy, IT project authorization and information security.
2. USG Information Technology Handbook is a standard containing the IT requirements and recommendations that establish acceptable IT practices for USG organizations.
3. USG Organization Policies and Procedures establish the detailed practices and tools used by USG organizations to meet the standards set forth in the USG Information Technology Handbook.
4. Program or Project Policies and Procedures establish the detailed practices and tools to implement the standards and best practices set forth in the USG Information Technology Handbook or USG organizations' policies and procedures.

This USG Information Technology Handbook serves several purposes. Primarily, it sets forth the essential standard components USG organizations must follow to meet statutory or regulatory requirements of the federal government and state of Georgia, BOR policy, and IT best practices. Secondly, it is designed to provide new IT professionals within the USG the necessary information and tools to perform effectively. Finally, it serves as a useful reference document for seasoned professionals at USG organizations who need to remain current with changes in federal and state law, and BOR policy.

This document provides direct links to reference information, identifying the underlying source of some procedures and providing a broader understanding of the basis for others. Thus, the Information Technology Handbook, while focusing on USG standards, also offers ready access to important policies, statutes and regulations that will aid the IT officer in his or her daily performance of duties.

Governance, Compliance and Authority

The USG chief information officer fully supports this standard. USG Cybersecurity is responsible for managing and administering this standard for all USG organizations. Authority to create this standard originates from the BOR Policy Manual §§ 7.14 - 7.16 and 10.4, as well as the USG's Appropriate Usage Policy.

This document is subject to periodic review and revision. The current online version supersedes all previous versions.

Scope

This standard applies to USG organizations.

Implementation and Applicability

A system-wide approach to IT operations and cybersecurity compliance shall be adopted by USG organizations. It is expected that cybersecurity processes will be embedded into each organization's cybersecurity plan. All compliance efforts will be focused on supporting the organization's objectives. Therefore, USG organizations' executive leaders or designee shall develop the organization's cybersecurity plans, standards and guidelines to:

• Identify and document applicable policies, procedures, laws and regulations.
• Establish the roles and responsibilities necessary to manage a cybersecurity program.
• Appoint skilled personnel into the identified roles.
• Communicate the importance of policies, standards and guidelines as defined in BOR Policy Manual 10.4.
• Submit annually the Information Security Program Review as defined by BOR Policy Manual 10.4.

Exceptions

Exceptions to any policy, standard, process, procedure or guideline set forth in the Information Technology Handbook shall be at the discretion of, and approved in writing by, the USG VC/CIO or the USG Chief Information Security Officer (CISO). In each case, USG organizations or vendors must complete and submit an Information Security Policy Exception Request Form (access to the document is restricted to authorized users only) including the need, scope and extent of the exception, safeguards to be implemented to mitigate risks, specific timeframe, requesting organization and management approval. Denials of requests for exceptions may be appealed to the USG VC/CIO or CISO.

Definitions

The following definitions of Shall, Will, Must, May, May Not, and Should are used throughout this Information Technology Handbook.

1. Shall, Will and Must indicate a legal, regulatory, standard or policy requirement. Shall and Will are used for persons and organizations. Must is used for inanimate objects.
2. May indicates an option.
3. May Not indicates a prohibition.
4. Should indicates a recommendation that, in the absence of an alternative providing equal or better protection from risk, is an acceptable approach to achieve a requirement.

Table of Contents

Introduction
Version Control
Governance, Compliance and Authority
Scope
Implementation and Applicability
Exceptions
Definitions
Table of Contents
Table of Figures

Section 1. Information Technology (IT) Governance
  Introduction
  Section 1.1. Chief Information Officer Role and Responsibilities
  Section 1.2. Governance Structure
    1.2.1 Shared Governance Framework
    1.2.2 Strategic Alignment
  Section 1.3. Information Technology Organization, Roles and Responsibilities and Processes
    1.3.1 Organization
    1.3.2 Information Technology System Ownership Roles and Responsibilities
  Section 1.4 Strategic Planning
    1.4.1 Technology Direction Planning
    1.4.2 Standards and Quality Practices
    1.4.3 Development and Acquisition Standards
  Section 1.5 Resource Management

Section 2. Project and Service Administration
  Introduction
  Section 2.1. Service Administration
    2.1.1 Service Level Management Framework
    2.1.2 Definition of IT Services
    2.1.3 Service Support
  Section 2.2. Project Administration
    2.2.1 Initiation
    2.2.2 Planning
    2.2.3 Execution
    2.2.4 Monitoring and Controlling
    2.2.5 Closing
  Section 2.3 Project Documentation Templates
    2.3.1 Project Scope
    2.3.2 Change Management Plan
    2.3.3 Project Risk Management Plan

Section 3. Information Technology Management
  Introduction
  Section 3.1 Information System User Account Management
    Introduction
    3.1.1 Information System User Account Management
    3.1.2 Managing Multifactor Authentication
  Section 3.2 Log Management
    3.2.1 Purpose
    3.2.2 Objective
    3.2.3 Standard
  Section 3.3 Continuity of Operations Planning
    3.3.1 USG Continuity of Operations Planning Standard
  Section 3.4 Network Services
    3.4.1 Network Services Standard

Section 4. Financial and Human Resource Management
  Introduction
  Section 4.1. Technology Procurement Approval Process
    4.1.1 Spending Limits
    4.1.2 IT Procurement Policies
    4.1.3 Requesting Approval
  Section 4.2 Financial Management
  Section 4.3 Human Resource Management

Section 5: Cybersecurity
  Introduction
  Section 5.1 USG Cybersecurity Program
    5.1.1 USG Organizational Responsibilities
    5.1.2 Policy, Standards, Processes, and Procedure Management Requirements
    5.1.3 USG Appropriate Use Policy (AUP) Guidelines
  5.2 Organization and Administration
    5.2.1 Cybersecurity Organization
    5.2.2 Information Security Officer (ISO)
  Section 5.3 Cybersecurity Incident Management
    5.3.1 Cybersecurity Incident Response Plan Requirements
    5.3.2 Cybersecurity Incident Reporting Requirements
    5.3.3 Cybersecurity Incidents Involving Personal Information
  Section 5.4 USG Information Asset Management and Protection
    5.4.1 USG Information Asset Management Requirements
    5.4.2 USG Information Asset Protection Requirements
  Section 5.5 Risk Management
    5.5.1 USG Organizations Responsibilities
    5.5.2 Risk Assessment and Analysis
    5.5.3 USG Organizations Risk Management Programs
    5.5.4 USG Risk Management Requirements
    5.5.5 USG Cybersecurity Risk Management Process
  Section 5.6 USG Information System Categorization
    5.6.1 Security Categories
    5.6.2 Requirements
  Section 5.7 USG Classification of Information
  Section 5.8 Endpoint Security
    5.8.1 Purpose
    5.8.2 Discovery and Inventory
    5.8.3 Anti-virus, Anti-malware, Anti-spyware Controls
    5.8.4 Operating System (OS)/Application Patch Management
  Section 5.9 Cybersecurity Awareness, Training and Education
    5.9.1 Roles and Responsibilities
    5.9.2 Cybersecurity Awareness, Training and Education Requirements
  Section 5.10 Required Reporting
    5.10.1 Required Reporting Activities
    5.10.2 Remediation and Mitigation Tracker
  Section 5.11 Minimum Security Standards for USG Networked Devices
    5.11.1 Software Patch Updates
    5.11.2 Anti-Virus, Anti-Spam, and Anti-Phishing Software
    5.11.3 Host-Based Firewall or Host-Based Intrusion Prevention Software
    5.11.4 Passwords
    5.11.5 Encrypted Authentication
    5.11.6 Physical Security
    5.11.7 Unnecessary Services
  5.12 Password Security
    5.12.1 User Access Controls
    5.12.2 USG Password Authentication Standard
    5.12.3 USG Password Security and Composition Requirement
  Section 5.13 Domain Name System Management
    5.13.1 DNS Security
  Section 5.14 Information Protection Management
    5.14.1 Purpose
    5.14.2 Identifying Red Flags
    5.14.3 Detecting Red Flags
