Access Control (PS-08-009)

Each agency is responsible for establishing access control measures that limit access (logical and/or physical) to only those individuals who are authorized to obtain it.

Accountability of Assets (PS-08-002)

Establishes accountability for all hardware and software acquired using public funds

Appropriate Use of Information Technology Resources (PS-08-003.2)

Defines appropriate use of IT resources

Business Continuity and Disaster Recovery (PS-08-025)

Requires plans to maintain continuity of essential state government operations and services

Change Management (PS-08-015)

Requirements for a formal change management process

Cloud Provisioning Policy (PS-22-001)

Governance of cloud-based provisioning according to risk.

Computer Security Incident Management (PS-08-004)

Establishes the process for detecting and responding to security incidents

Data and Asset Categorization (PS-08-012)

Provides for inventory and classification of state data and information processing systems

Enterprise Artificial Intelligence Responsible Use (PS-23-001)

Establishes requirements for the use of AI tools within the enterprise

Enterprise Information Security Charter (PS-08-005.3)

Commits the State of Georgia to protecting information systems and data from unauthorized disclosure, modification, use, or destruction

Information Security - Risk Management (PS-08-031)

Requires a risk-based approach to information security management

Information Security Controls Policy (PS-17-001)

Improves how security controls are managed within the State’s shared-service environment. The Security Control Policy addresses this business challenge by establishing clearer lines of delineation between security controls, ownership and the overall responsibility of execution.

IT Supply Chain Security Controls Policy (PS-20-002)

To provide guidance to State agencies on identifying, assessing, selecting and implementing risk management processes and controls throughout the enterprise to manage IT supply chain risk.

Media Controls (PS-08-026)

Requires protection of system media from unauthorized disclosure, modification, destruction or loss

Multi-Factor Authentication Policy (PS-21-002)

The purpose of an Enterprise Multi-Factor Authentication (MFA) Policy is to enable a means of strong authentication for all users with access to information systems resources while ensuring ease of use and adoption for the user(s).

Network Security - Information Flow (PS-08-030)

Requires protection of information traversing networks

Network Security Controls (PS-08-027)

Requires network security controls

Outsourced Facilities Management (PS-08-019)

Establishes requirements over outsourcing data processing facilities

Password Authentication (PS-08-006)

Establishes use of passwords as primary authentication mechanism

Personnel Security (PS-08-014)

Provides for identity verification of IT employees and contractors

Physical and Environmental Security (PS-08-013)

Physical security is an essential element to the overall security of IT resources

Protection from Malicious Software (PS-08-021)

Requires protections against malicious software

Public Access Systems (PS-08-028)

Requires security controls on public facing systems

Reliance on Electronic Records (PS-08-007.02)

Establishes the State’s intent to rely on electronic data as a form of official record and adherence to prescribed records retention requirements

Remote Access (PS-08-023)

Requires protection from risks associated with remote access

Security Awareness Program (PS-08-010)

Establishes a need to increase user security awareness through an awareness and training program

Security Controls Review and Assessment (PS-08-029.02)

Agencies shall periodically review and continuously monitor the management, operational and technical security controls for all information systems to assess their effectiveness to determine the extent to which they are operating as intended and comply with federal, state, enterprise and agency s

Security Log Management (PS-08-022)

Requires log management practices

Separation of Production and Development Environments (PS-08-020)

Requires separation of production from development and test environments

Systems and Development Lifecycle (PS-08-018.02)

Requirements for a formal IT lifecycle management program

Third-Party Access (PS-08-011)

Provisions for third-party access to state facilities and information systems

Use of Cryptography (PS-08-024)

Requires the use of cryptographic controls