Section 5.10 Required Reporting

In document Information Technology Handbook (Page 88-90)

Given the increased use of IT and Internet-based services, the USG has a compelling need to ensure confidentiality, integrity and availability of those systems and services as well as adequate protection from known and anticipated threats. As noted in Section 5.2.2 of the IT Handbook, USG organizations are responsible for the designation of officials to fulfill key security functions and report on the status of compliance with security policy, standards and procedures.

5.10.1 Schedule of Required Reporting Activities

The following provides a summary list and schedule of required security reporting activities with corresponding due dates. Unless otherwise noted, all reports must be submitted in electronic format with verifiable signatures to USG Information Security & ePrivacy.

Information Security Officer Designee Letter

As noted in Section 5.2.2 of the IT Handbook, the name and appropriate designee contact information must be sent annually by January 31 or within 10 business days of any designee change.

Cybersecurity Incident Response Plan

As noted in Section 5.3.1 of the IT Handbook, a Cybersecurity Incident Response (CSIR) Plan must be formally documented and electronically sent and filed with USG Information Security & ePrivacy. Planned changes must be sent within 10 business days.

Cybersecurity Incident Report

As noted in Section 5.3.6 of the IT Handbook, cybersecurity incidents consistent with the security reporting requirements of USG Information Security Policy (BoR Policy Manual 11.3.3) must be reported in accordance with Section 5.3.6.4.

Cybersecurity Incident Follow-up Report

As noted in Section 5.3.3 of the IT Handbook, the incident follow-up report must be submitted to USG Information Security & ePrivacy within 30 business days.

Information Security Program Review

The Governor’s Executive Order of March 19, 2008 requires development of a composite report on the status of information security for all state agencies. The USG has chosen to align itself with this order by producing its own USG Information Security Program Review (ISPR). The ISPRs shall be aggregated into one USG information security program review. No specific USG organization’s information shall be released.

5.10.2 Information Security Program Review

The importance of personal information security requires management attention and systemwide participation. Cybersecurity policies, standards and guidelines are intended to reduce business risk throughout USG organizations. USG organizations have the responsibility of providing cybersecurity to protect the system’s data.

This standard requires USG organizations to conduct annual reviews of their information security programs and submit the results to USG Information Security & ePrivacy. These data will be used to prepare the consolidated report. The ISPR requirement builds on previous efforts by USG CIO Advisory Council Security Advisory Group (SAG), where USG organizations were instructed to gather information on cybersecurity programs and report to USG Information Security & ePrivacy.

While cybersecurity plans and measures are specifically exempted from public disclosure under the Georgia Open Records Act, USG organizations are required to strategically plan their initiatives and make these plans and corresponding performance measures or metrics available to the public upon request.

Performance metrics are especially important because they:

- Demonstrate qualitative and quantitative progress in accomplishing strategic goals and objectives.
- Satisfy federal and state legislative requirements.
- Improve accountability for delivering services.
- Play a key role in initiating improvement actions based on performance trends.
- Provide objective information to USG leadership on achieving objectives and by reporting on the relative effectiveness and efficiency of institutional programs and spending.

ISPR Annual Review Process

This review and process has been established to assist USG organizations with identifying, evaluating and strengthening cybersecurity operations through reducing risks and strengthening internal controls. USG Information Security & ePrivacy will complete the following ISPR processes on an annual basis:

- January, February: USG Information Security & ePrivacy reviews ISPR reports from the previous year to determine changes that may be needed and identify areas of focus for the upcoming compliance review period. Proposed changes, as well as the selected areas of focus, will be reviewed by ITS senior staff and the Internal Audit and Compliance department. Revisions to the report, changes to the ISPR reporting process and the areas of focus for the upcoming review period are communicated to USG organizations.
- March: USG Information Security & ePrivacy releases the ISPR survey to USG organizations. USG organizations are given 21 days to complete the survey.
- April, May: USG Information Security & ePrivacy collects, compiles and analyzes ISPR survey results.
- June: USG Information Security & ePrivacy prepares a final ISPR report for USG organizations aligning with the Governor’s Executive Order.
- July, August and September: USG Information Security & ePrivacy conducts ISPR compliance reviews across USG organizations based on the selected areas of focus. Upon the conclusion of a compliance review, a report will be generated and delivered to respective USG CIOs, CISOs and USO senior staff. ISPR reporting and compliance guidelines, templates, support and training are provided to USG organizations based on areas of need and focus.
- October: USG Information Security & ePrivacy releases the ISPR survey to USG organizations. USG organizations are given 21 days to complete the survey.
- November, December: USG Information Security & ePrivacy collects, compiles and analyzes ISPR survey results.

ISPR Annual Reporting Process (Diagram)

[Diagram: ISPR Annual Reporting cycle. January and February: review reports from previous year, identify areas of focus and potential changes, review plans with Internal Audit and Compliance, communicate to USG organizations. March: Survey 1 released (USG organizations have 21 days to complete and submit). April and May: results are collected, compiled and analyzed. June: report for USG organizations is prepared and submitted to the Governor’s office. July, August, September: compliance and remediation reviews as well as training and support sessions are conducted. October: survey released. November and December: results are collected, compiled and analyzed.]

ISPR Content Review

Strategic Security Planning

A comprehensive cybersecurity program combines people, processes and technologies. The cybersecurity goals and objectives must express, qualitatively or quantitatively, the business goals and objectives of USG organizations. The business goals and objectives are at risk without the security objectives being met.

Goal(s): Develop a cybersecurity strategy or strategies. Each strategy is supported by one or more initiatives. An initiative is the implementation of an operational plan realizing part or all of the security strategies and objectives. The overall objective is to implement a set of interrelated initiatives that collectively achieve all of the security objectives.

IT/IS Policy/Standards/Guidelines Management

The purpose of an IT/IS policy, standards and guidelines (PSG) is to establish and maintain a standard of due care to prevent misuse or loss of USG information assets. PSG provides management direction for information security to conform to business requirements, laws and administrative policies. Each USG organization must provide for the integrity and security of its information assets by establishing appropriate internal PSGs for

