An official website of the State of Georgia.
Standards for appropriate use and monitoring of IT resources
Requires managed access to state facilities and information resources
Standards for categorizing personal information
Minimum security requirements for computer operations centers
Requires plans to sustain or recover/restore critical operations in the event of a system disruption or disaster
Minimum requirements for the use of cryptographic controls
Establishes an enterprise Cybersecurity Capability Maturity Model to provide a structure for State agencies to baseline current capabilities in cybersecurity while establishing a foundation for consistent evaluation.
Impact Level definitions and standards of information assets
Electronic records 1) are relied upon as official records, 2) must adhere to records retention requirements, and 3) must be protected from unauthorized destruction, modification or disclosure.
Requires all data to be processed, stored, transmitted and disposed in the geographical United States
Establishes a common set of security protocols across all State digital properties (i.e. agency web pages) to ensure the protection of sensitive information.
Requires backup and recovery procedures for critical software and data
Fixes accountability for content and transfer of information through electronic communications
Standards for appropriate use and security of email
Incorporates facilities security into overall protection of IT assets
Requirements for information security incident response and reporting
Requires IT systems to be assessed by an independent third-party
In accordance with the Information Security Control Policy, each agency operating within a shared-service environment is responsible for ensuring that applicable NIST 800-53 (rev. 4) security controls are implemented and operated effectively.
Requirements for creating an information security program and infrastructure
Minimum standards for an information security management organization
Annual reporting requirements
This standard establishes minimum security requirements for teleworking and remotely accessing state information systems while traveling internationally.
Establishes criteria for blocking network traffic from IP addresses and IP address ranges at the boundary of the state network.
Requires monitoring and analyzing systems logs to record events and detect anomalies
Establishes controls to protect systems against malicious software
Establishes physical, logical, and environmental protection requirements for system media.
Establishes standards for sanitization and disposal of all electronic media subject to vendor return
Requires control and monitoring of network sessions
Requires network boundary protection
Rules of appropriate use and all other governance regarding information and data security apply to non-State issued technology devices used to access non-public State information and technology resources
Requires that changes to operational systems be controlled and monitored
Requires third-party adherence to established State security requirements
Establishes standards for protecting passwords
Specifies a reliable PIV system within which a common identity credential can be used to verify a claimed identity and to gain physical and logical access to state controlled facilities and information systems.
Standards for verifying identities of state personnel and contractors
No expectation of privacy shall be assumed when accessing non-public State information resources and assets
Establishes restrictions on third-party vendors, software and services.
Adopts the NIST risk management framework
Requires protection of systems from risks associated with remote access
Requires all employees and contractors to attend annual security awareness training
Establishes requirements for separating operational environments from test/development environments
Establishes standards for creating and using strong passwords
Establishes statewide standard on disposition of surplus electronic media
Requires agencies to establish criteria for accepting a system from development to operations
Requires a formal lifecycle management program for systems in development or operations
Requires data and system owners to create and maintain system security plans
Requires agencies to document system operational procedures
Security requirements for telework and remote access to state information systems
Establishes security requirements for conducting business with contractors, outsourcing vendors and/or other third-parties
Requires control and management of web services
Minimum security requirements for wireless network implementation