All Security Policies

Each agency is responsible for establishing access control measures that limits access (logical and/or physical) to only those individuals that are authorized to obtain it.

Each agency is responsible for establishing access control measures that limits access (logical and/or physical) to only those individuals that are authorized to obtain it.

Establishes accountability for all hardware and software acquired using public funds

Defines appropriate use IT resources

Requires plans to maintain continuity of essential state government operations and services

Requirements for a formal change management process

Governance of cloud-based provisioning according to risk.

Establishes the process for detecting and responding to security incidents

Provides for inventory and classification of state data and information processing systems

Commits the State of Georgia to protecting information systems and data from unauthorized disclosure, modification, use, or destruction

Requires a risk-based approach to information security management

Improves how security controls are managed within the State’s shared-service environment. The Security Control Policy addresses this business challenge by establishing clearer lines of delineation between security controls, ownership and the overall responsibility of execution.

To provide guidance to State agencies on identifying, assessing, selecting and implementing risk management processes and controls throughout the enterprise to manage IT supply chain risk.

Requirements protection of system media from unauthorized disclosure, modification, destruction or loss

The purpose of an Enterprise Multi‐Factor Authentication (MFA) Policy is to enable a means of strong authentication for all users with access to information systems resources while ensuring ease of use and adoption for the user(s).

Agencies shall use Multi-Factor authentication (MFA) for all network access to privileged accounts as outlined in NIST Special Publication 800-53 Revision 4 and required in federal regulatory requirements.

Requires protection of information traversing networks

Requires network security controls

Establishes requirements over outsourcing data processing facilities

Establishes use of passwords as primary authentication mechanism

Provides for identity verification of IT employees and contractors

Physical security is an essential element to the overall security of IT resources

Requires protections against malicious software

Requires security controls on public facing systems

Establishes the State’s intent to rely on electronic data as a form of official record and adherence to proscribed records retention requirements

Requires protection from risks associated with remote access

Establishes a need to increase user security awareness through an awareness and training program

Agencies shall periodically review and continuously monitor the management, operational and technical security controls for all information systems to assess their effectiveness to determine the extent to which they are operating as intended and comply with federal, state, enterprise and agency s

Requires log management practices

Requires separation of production from development and test environments

Requirements for a formal IT lifecycle management program

Provisions for third-party access to state facilities and information systems

Requires the use of cryptographic controls