Access Control (PS-08-009)

Each agency is responsible for establishing access control measures that limit access (logical and/or physical) to only those individuals who are authorized to obtain it.

Accountability of Assets (PS-08-002)

Establishes accountability for all hardware and software acquired using public funds

Accountability, Change Management and Process Improvement Act of 2016 (HB676) (GM-17-001)

In an effort to increase the success rate of large Information Technology initiatives, Georgia has established best practices for the planning and implementation of these investments.

Acquisition and Use of Telecommunications Services and Equipment (PM-04-002)

Rules, Regulations and Procedures Governing the Acquisition and Use of Telecommunications Services and Equipment

Active Directory (SA-03-009)

Specifies Active Directory requirements, topology and design

Applications with Standard Desktop Client (SA-10-004)

Standard desktop clients

Appropriate Use and Monitoring (SS-08-001)

Standards for appropriate use and monitoring of IT resources

Appropriate Use of Information Technology Resources (PS-08-003.2)

Defines appropriate use of IT resources

Artificial Intelligence Responsible Use (SS-23-002)

Establishes requirements for the use of AI tools within agency operations

Artificial Intelligence Responsible Use Guidelines (GS-23-001)

Guidelines for the use of AI tools within agency operations

Authorization and Access Management (SS-08-010)

Requires managed access to state facilities and information resources

Bluetooth (SO-06-004)

Deployment of wireless technology

Business Continuity and Disaster Recovery (PS-08-025)

Requires plans to maintain continuity of essential state government operations and services

Change Management (PS-08-015)

Requirements for a formal change management process

Classification of Personal Information (SS-08-002)

Standards for categorizing personal information

Cloud Provisioning Policy (PS-22-001)

Governance of cloud-based provisioning according to risk.

Computer Operations Center Security (SS-08-016)

Minimum security requirements for computer operations centers

Computer Security Incident Management (PS-08-004)

Establishes the process for detecting and responding to security incidents

Contingency Planning (SS-08-045)

Requires plans to sustain or recover/restore critical operations in the event of a system disruption or disaster

Cryptographic Controls (SS-08-040)

Minimum requirements for the use of cryptographic controls

Cybersecurity Capability Maturity Model (SS-20-001)

Establishes an enterprise Cybersecurity Capability Maturity Model to provide a structure for State agencies to baseline current capabilities in cybersecurity while establishing a foundation for consistent evaluation.

Cybersecurity Professional Certification Guideline GS-20-001 (GS-20-001)

Provides a set of certifications for statewide cybersecurity positions.

Data and Asset Categorization (PS-08-012)

Provides for inventory and classification of state data and information processing systems

Data Categorization - Impact Level (SS-08-014)

Impact Level definitions and standards of information assets

Data Lifecycle Management (PM-14-009)

Management of business data through its lifecycle

Data Location and Access (SS-15-002)

Requires all data to be processed, stored, transmitted and disposed in the geographical United States

Data Security - Electronic Records (SS-08-003)

Electronic records 1) are relied upon as official records, 2) must adhere to records retention requirements and 3) must be protected from unauthorized destruction, modification or disclosure.

Data Sharing Guidelines (GM-15-008)

Provides guidance for using the enterprise service bus

Data Steward (SM-15-001)

Data Stewardship Requirement for Constituent Data

Deployed Software Currency (SA-10-010)

Requires and defines software currency

Deployment Certification (SA-10-009)

Requires a Deployment Certification

Design Criteria for Data Network Protocols (SA-10-002)

Standard IP based protocols

Design Criteria for Electronic Records Management Applications (SA-06-006)

Records management application criteria

Digital Accessibility Standard (SM-19-002)

All digital properties managed by state entities shall be accessible according to WCAG 2.0 (Level AA) Compliance standards.

Digital Security Standard (SS-19-002)

Establish a common set of security protocols across all State digital properties (i.e. agency web pages) to ensure the protection of sensitive information.

Disaster Recovery - System Backup (SS-08-046)

Requires backup and recovery procedures for critical software and data

Electronic Communications Accountability (SS-08-009)

Fixes accountability for content and transfer of information through electronic communications

Email Administration - Distribution Lists (SA-07-010)

Standards for large inter-agency and all multi-agency distribution lists

Email Calendaring (SA-07-004)

Standard calendaring format for email systems

Email Naming (SA-07-005)

Standard email address for email systems

Email Use and Protection (SS-08-011)

Standards for appropriate use and security of email

Enterprise Application (PM-13-002)

Provides for Enterprise Applications

Enterprise Application Creation and Management (SM-13-003)

Requirements to create and operate Enterprise Applications

Enterprise Architecture (PM-03-003)

GTA with agency collaboration will establish and maintain Enterprise Architecture

Enterprise Artificial Intelligence Responsible Use (PS-23-001)

Establishes requirements for the use of AI tools within the enterprise

Enterprise Information Security Policy (PS-08-005)

Commits the State of Georgia to protect information systems and data from unauthorized disclosure, modification, use, or destruction

Enterprise Managed Services (EMS) (SM-15-009)

The keystone enterprise standard to guide governance of managing IT provisioning (SaaS, PaaS, IaaS, etc.) according to risk.

Exemption from State Policies and Standards (SM-11-007)

Requires a Request for Exemption from a PSG

Facilities Security (SS-08-015)

Incorporates facilities security into overall protection of IT assets

FAQs: Domain Names and SSL Certificates (DOC-20-Domain Names and SSL Certificates)

Domain Name and SSL Certificate supplemental document for SA-03-007 Georgia.Gov Domain Name.

Georgia.Gov Domain Name (SA-03-007)

Naming and approval of web sites

Georgia.Gov Intellectual Property Display (SA-03-005)

Third party intellectual property displays on Georgia.Gov

Georgia.Gov Linking (Revised 2020) (SA-03-008)

Use, placement and removal of links on Georgia.Gov

GTA Endorsement of Proposed Technology Procurement (SM-14-008)

Establishes requirements for GTA's authorization of technology procurement

Guideline for Obtaining GTA's Endorsement of Proposed Technology Procurement (GM-14-011)

Guidelines for seeking GTA's Endorsement of Technology

IBM Mainframe Batch Job Processing (SO-04-001)

Batch run times, automated scheduler, and tools to modify batch job data

IBM Mainframe Production Acceptance - Batch Jobs (SO-04-003)

Batch job production acceptance requirements

Incident Response and Reporting (SS-08-004)

Requirements for information security incident response and reporting

Independent Security Assessments (SS-08-042)

Requires IT systems to be assessed by an independent third-party

Independent Verification and Validation (SM-06-001)

Requires the use of GTA contracts for assurance services for projects with budgets of $1 million or greater

Information Security - Risk Management (PS-08-031)

Requires a risk-based approach to information security management

Information Security Controls Policy (PS-17-001)

Improves how security controls are managed within the State’s shared-service environment. The Security Control Policy addresses this business challenge by establishing clearer lines of delineation between security controls, ownership and the overall responsibility of execution.

Information Security Controls Standard (SS-17-001)

In accordance with the Information Security Control Policy, each agency operating within a shared-service environment is responsible for ensuring that applicable NIST 800-53 (rev. 4) security controls are implemented and operated effectively.

Information Security Infrastructure (SS-08-005)

Requirements for creating an information security program and infrastructure

Information Security Management Organization (SS-08-006)

Minimum standards for an information security management organization

Information Technology Policies and Standards (PM-04-001)

GTA’s statutory authority and approach for setting technology policies, standards and guidelines

Information Technology Portfolio Management Guidelines (GM-09-002)

Guidelines for IT portfolio management

Information Technology Reporting (SS-08-053)

Annual reporting requirements

Information Technology Review Policy (PM-06-001)

To ensure that proposed agency information technology initiatives are consistent with the State's strategies and goals, and with enterprise IT policies and standards.

Information Technology Review Standard SM-08-103 (SM-08-103)

Specifies GTA and agency responsibilities concerning State oversight of information technology (IT) investments with respect to State and agency strategic goals, and with enterprise policies and standards.

Information Technology Strategic Plan (SM-09-003)

Agencies must develop and maintain an IT strategic plan

Instant Messaging Services (SO-11-005)

Instant Messaging Controls

Integration Middleware (SA-07-020)

Standard middleware platform for enterprise integration

International Teleworking and Remote Access (SS-22-001)

This standard establishes minimum security requirements for teleworking and remotely accessing state information systems while traveling internationally.

IP Blocking Standard (SS-17-002)

Establishes criteria for blocking network traffic from IP addresses and IP address ranges at the boundary of the state network.

IT Supply Chain Security Controls Policy (PS-20-002)

To provide guidance to State agencies on identifying, assessing, selecting and implementing risk management processes and controls throughout the enterprise to manage IT supply chain risk.

Large IT Project Executive Decision-Making Board (PM-17-001)

Establish the decision-making authority for large IT initiatives/projects (hereafter referred to as “IT Projects”) within the state enterprise.

Log Management Infrastructure (SS-08-036)

Requires monitoring and analyzing systems logs to record events and detect anomalies

Malicious Code Incident Prevention (SS-08-033)

Establishes controls to protect systems against malicious software

Management of IT Operations (PO-09-002)

ITIL is the basis for IT infrastructure management, service delivery and support

Media Controls (PS-08-026)

Requires protection of system media from unauthorized disclosure, modification, destruction or loss

Media Protection and Handling (SS-08-043)

Establishes physical, logical, and environmental protection requirements for system media.

Media Sanitization - Vendor Return (SS-08-035)

Establishes standards for sanitization and disposal of all electronic media subject to vendor return

Mobile Device Management Guidelines (GM-15-004)

Guidelines for mobile device management

Multi-Factor Authentication Policy (PS-21-002)

The purpose of an Enterprise Multi‐Factor Authentication (MFA) Policy is to enable a means of strong authentication for all users with access to information systems resources while ensuring ease of use and adoption for the user(s).

Network Access and Session Controls (SS-08-048)

Requires control and monitoring of network sessions

Network Security - Boundary Protection (SS-08-047)

Requires network boundary protection

Network Security - Information Flow (PS-08-030)

Requires protection of information traversing networks

Network Security Controls (PS-08-027)

Requires network security controls

NIST Families with Georgia PSGs Referenced

NIST Families with Georgia PSGs Referenced

To see the NIST control statements: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf

Non-State Technology and Computing Devices (SS-12-002)

Rules of appropriate use and all other governance regarding information and data security apply to non-State issued technology devices used to access non-public State information and technology resources

Operational Change Control (SS-08-026)

Requires that changes to operational systems be controlled and monitored

Outsourced Facilities Management (PS-08-019)

Establishes requirements over outsourcing data processing facilities

Outsourced IT Services and Third-Party Interconnections (SS-08-044)

Requires third-party adherence to established State security requirements

Password Authentication (PS-08-006)

Establishes use of passwords as primary authentication mechanism

Password Security (SS-08-007)

Establishes standards for protecting passwords

Performance Lifecycle Framework (SM-10-006)

The Performance Lifecycle Framework for investments in information technology

Performance Lifecycle Management (SM-10-007)

Minimum processes to manage IT investments using the Enterprise Performance Lifecycle

Performance Lifecycle Management Guideline (GM-11-001)

A guide to executive branch agencies in Georgia state government for Enterprise Performance Life Cycle (EPLC) management.

Performance Lifecycle Stage Gate (SM-10-008)

Formal investment reviews at predetermined points in IT investment lifecycle

Personal Identification Verification (PIV) Cards (SS-19-001)

Specifies a reliable PIV system within which a common identity credential can be used to verify a claimed identity and to gain physical and logical access to state controlled facilities and information systems.

Personnel Identity Verification and Screening (SS-08-017)

Standards for verifying identities of state personnel and contractors

Personnel Security (PS-08-014)

Provides for identity verification of IT employees and contractors

Physical and Environmental Security (PS-08-013)

Physical security is an essential element to the overall security of IT resources

Placing Applications into Production (SA-10-001)

Procedural requirements for placing applications into Production

Privacy in the Workplace (SS-12-001)

No expectation of privacy shall be assumed when accessing non-public State information resources and assets

Prohibited Software & Services (SS-22-002)

Establishes restrictions on third-party vendors, software and services.

Project Financial Management Guidelines (GM-09-001)

Guidelines for project financial management

Project Financial Management Standard (SM-09-001)

Requires that project expenditures be planned and tracked

Project Integrator (SM-14-006)

Requires a project integrator on complex projects

Project Integrator Statement of Responsibilities (GM-14-007)

Guidelines for Statement of Responsibilities for a Project Integrator

Project Re-Baselining Guidelines (GM-22-001)

Guidance on the appropriate application of re-baselining techniques on complex IT projects within the State of Georgia.

Project Scheduling Guidelines (GM-17-002)

The guideline necessary for State of Georgia projects to comply with Project Assurance schedule review criteria.

Protection from Malicious Software (PS-08-021)

Requires protections against malicious software

Public Access Systems (PS-08-028)

Requires security controls on public facing systems

Reliance on Electronic Records (PS-08-007.02)

Establishes the State’s intent to rely on electronic data as a form of official record and adherence to prescribed records retention requirements

Remote Access (PS-08-023)

Requires protection from risks associated with remote access

Retention of Data Backup Media and Records Management Media - Guideline (GM-13-001)

Guidelines for handling media used for data backup and for records archiving

Risk Management Framework (SS-08-041)

Adopts the NIST risk management framework

Secure Remote Access (SS-08-038)

Requires protection of systems from risks associated with remote access

Security Awareness Program (PS-08-010)

Establishes a need to increase user security awareness through an awareness and training program

Security Controls Review and Assessment (PS-08-029.02)

Agencies shall periodically review and continuously monitor the management, operational and technical security controls for all information systems to assess their effectiveness to determine the extent to which they are operating as intended and comply with federal, state, enterprise and agency s

Security Education and Awareness (SS-08-012)

Requires all employees and contractors to attend annual security awareness training

Security Log Management (PS-08-022)

Requires log management practices

Separate Production and Development Environments (SS-08-031)

Establishes requirements for separating operational environments from test/development environments

Separation of Production and Development Environments (PS-08-020)

Requires separation of production from development and test environments

Social Media Guidelines (GM-11-002)

Guidelines to Use Social Media

Software Management Standard (SM-19-001)

Provides direction regarding the acquisition, use, distribution and redistribution of commercial, public domain, and State-authored software and Software Licenses.

Statewide Data Sharing (PM-07-003)

Provides for sharing of data among agencies

Strong Password Use (SS-08-008)

Establishes standards for creating and using strong passwords

Surplus Electronic Media Disposal (SS-08-034)

Establishes statewide standard on disposition of surplus electronic media

System Development Lifecycle (SM-10-005)

Agencies select and authorize SDLCs for their use

System Implementation and Acceptance (SS-08-032)

Requires agencies to establish criteria for accepting a system from development to operations

System Lifecycle Management (SS-08-025)

Requires a formal lifecycle management program for systems in development or operations

System Security Plans (SS-08-028)

Requires data and system owners to create and maintain system security plans

Systems and Development Lifecycle (PS-08-018.02)

Requirements for a formal IT lifecycle management program

Systems Operations Documentation (SS-08-027)

Requires agencies to document system operational procedures

Technology Guideline for the Remote Worker (GS-21-001)

To provide state agencies and employees with detailed processes and procedures that will assist in working from a remote (virtual) environment.

Technology Project Management (SM-08-006)

Project management methodology for technology projects valued at $100,000 or more

Technology Project Management Guideline (GM-08-101)

Guidelines for technology project management when there is greater than $1M investment

Telecommunications Technology Review (SM-05-001)

Administering Enterprise and Agency open contracts for telecommunications systems and long distance services

Teleworking and Remote Access (SS-08-037)

Security requirements for telework and remote access to state information systems

Terms and Conditions for Cloud Services (SM-14-010)

This standard offers a list of important components for an agency to consider inserting in a service agreement for cloud services. By no means does this list cover all situations that may be included in a service agreement; but those listed here are often overlooked by State agencies.

Third-Party Access (PS-08-011)

Provisions for third-party access to state facilities and information systems

Third-Party Security Requirements (SS-08-013)

Establishes security requirements for conducting business with contractors, outsourcing vendors and/or other third-parties

Use of Cryptography (PS-08-024)

Requires the use of cryptographic controls

Vulnerability Disclosure Program (PS-21-001) (VDP)

The primary focus of the Vulnerability Disclosure Program (VDP) is to securely accept, triage and rapidly remediate vulnerabilities submitted by our security research community.

Web and E-Commerce Security (SS-08-049)

Requires control and management of web services

Website Branding (SA-14-002)

Design techniques to support branding of State of Georgia websites

Website Guidelines (GM-14-005)

Guidelines for website use and construction in GaGov

Wireless and Mobile Computing (SS-08-039)

Minimum security requirements for wireless network implementation

Workstation Operating System (SO-03-010)

Establishes a standard desktop and laptop/notebook operating system

XML - Extensible Markup Language (SA-03-004)

XML standards based upon W3C Consortium XML Open Standards