An official website of the State of Georgia.
How you know
Local, state, and federal government websites often end in .gov. State of Georgia government websites and email systems use “georgia.gov” or “ga.gov” at the end of the address. Before sharing sensitive or personal information, make sure you’re on an official state website.
Call 1-800-GEORGIA to verify that a website is an official website of the State of Georgia.
Each agency is responsible for establishing access control measures that limits access (logical and/or physical) to only those individuals that are authorized to obtain it.
Establishes accountability for all hardware and software acquired using public funds
In an effort to increase the success rate of large Information Technology initiatives, Georgia has established best practices for the planning and implementation of these investments.
Rules, Regulations and Procedures Governing the Acquisition and Use of Telecommunications Services and Equipment
Standards for appropriate use and monitoring of IT resources
Defines appropriate use IT resources
Requires managed access to state facilities and information resources
Requires plans to maintain continuity of essential state government operations and services
Requirements for a formal change management process
Standards for categorizing personal information
Governance of cloud-based provisioning according to risk.
Minimum security requirements for computer operations centers
Establishes the process for detecting and responding to security incidents
Requires plans to sustain or recover/restore critical operations in the event of a system disruption or disaster
Minimum requirements for the use of cryptographic controls
Establishes an enterprise Cybersecurity Cabability Maturity Model to provide a structure for State agencies to baseline current capabilities in cybersecurity while establishing a foundation for consistent evaluation.
Provides a set of certifications for statewide cybersecurity positions.
Provides for inventory and classification of state data and information processing systems
Impact Level definitions and standards of information assets
Management of business data through its lifecycle
Electronic records are 1)relied upon as official records and 2) must adhere to records retention requirements and 3) must be protected from unauthorized destruction, modification or disclosure.
Provides guidance for using the enterprise service bus
Data Stewardship Requirement for Constituent Data
Requires all data to be processed, stored, transmitted and disposed in the geographical United States
Requires and defines software currency
Requires a Deployment Certification
All digital properties managed by state entities shall be accessible according to WCAG 2.0 (Level AA) Compliance standards.
Establish a common set of security protocols across all State digital properties (i.e. agency web pages) to ensure the protection of sensitive information.
Requires backup and recovery procedures for critical software and data
Fixes accountability for content and transfer of information through electronic communications
Standards for appropriate use and security of email
Requirements to create and operate Enterprise Applications
Commits the State of Georgia to protecting information systems and data from unauthorized disclosure, modification, use, or destruction
the keystone enterprise standard to guide governance of managing IT provisioning (SaaS, Paas, IaaS, etc.) according to risk.
Requires a Request for Exemption from a PSG
Incorporates facilities security into overall protection of IT assets
Domain Name and SSL Certificate supplemental document for SA-03-007 Georgia.Gov Domain Name.
Naming and approval of web sites
Third party intellectual property displays on Georgia.Gov
Use, placement and removal of links on Georgia.Gov
Establishes requirements for GTA's authorization of technology procurement
Guidelines for seeking GTA's Endorsement of Technology
Requirements for information security incident response and reporting
Requires IT systems to be assessed by an independent third-party
Requires to use GTA contracts for assurance services for projects with budgets of $1 million or greater
Requires a risk-based approach to information security management
Improves how security controls are managed within the State’s shared-service environment. The Security Control Policy addresses this business challenge by establishing clearer lines of delineation between security controls, ownership and the overall responsibility of execution.
In accordance with the Information Security Control Policy, each agency operating within a shared-service environment is responsible for ensuring that applicable NIST 800-53 (rev. 4) security controls are implemented and operated effectively.
Requirements for creating an information security program and infrastructure
Minimum standards for an information security management organization
Annual reporting requirements
Specifies GTA and agency responsibilities concerning State oversight of information technology (IT) investments with respect to State and agency strategic goals, and with enterprise policies and standards.
Instant Messaging Controls
This standard establishes minimum security requirements for teleworking and remotely accessing state information systems while traveling internationally.
Establishes criteria for blocking network traffic from IP addresses and IP address ranges at the boundary of the state network.
To provide guidance to State agencies on identifying, assessing, selecting and implementing risk management processes and controls throughout the enterprise to manage IT supply chain risk.
Establish the decision-making authority for large IT initiatives/projects (hereafter referred to as “IT Projects”) within the state enterprise.
Requires monitoring and analyzing systems logs to record events and detect anomalies
Establishes controls to protect systems against malicious software
ITIL is the basis for IT infrastructure management, service delivery and support
Requirements protection of system media from unauthorized disclosure, modification, destruction or loss
Establishes physical, logical, and environmental protection requirements for system media.
Establishes standards for sanitization and disposal of all electronic media subject to vendor return
Guidelines for mobile device management
The purpose of an Enterprise Multi‐Factor Authentication (MFA) Policy is to enable a means of strong authentication for all users with access to information systems resources while ensuring ease of use and adoption for the user(s).
Agencies shall use Multi-Factor authentication (MFA) for all network access to privileged accounts as outlined in NIST Special Publication 800-53 Revision 4 and required in federal regulatory requirements.
Requires control and monitoring of network sessions
Requires network boundary protection
Requires protection of information traversing networks
Requires network security controls
NIST Families with Georgia PSGs Referenced
To see the NIST control statements: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
Rules of appropriate use and all other governance regarding information and data security apply to non-State issued technology devices used to access non-public State information and technology resources
Requires that changes to operational systems be controlled and monitored
Establishes requirements over outsourcing data processing facilities
Requires third-party adherence to established State security requirements
Establishes use of passwords as primary authentication mechanism
Establishes standards for protecting passwords
The Performance Lifecycle Framework for investments in information technology
Minimum processes to manage IT investments using the Enterprise Performance Lifecycle
Formal investment reviews at predetermined points in IT investment lifecycle
Specifies a reliable PIV system within which a common identity credential can be used to verify a claimed identity and to gain physical and logical access to state controlled facilities and information systems.
Standards for verifying identities of state personnel and contractors
Provides for identity verification of IT employees and contractors
Physical security is an essential element to the overall security of IT resources
Procedural requirements for placing applications into Production
No expectation of privacy shall be assumed when accessing non-public State information resources and assets
Guidelines for project financial management
Requires project expenditures shall be planned and tracked
Requires a project integrator on complex projects
Guidelines for Statement of Responsibilities for a Project Integrator
The guideline necessary for State of Georgia projects to comply with Project Assurance schedule review criteria.
Requires protections against malicious software
Requires security controls on public facing systems
Establishes the State’s intent to rely on electronic data as a form of official record and adherence to proscribed records retention requirements
Requires protection from risks associated with remote access
Guidelines for handling media used for data backup and for records archiving
Adopts the NIST risk management framework
Requires protection of systems from risks associated with remote access
Establishes a need to increase user security awareness through an awareness and training program
Agencies shall periodically review and continuously monitor the management, operational and technical security controls for all information systems to assess their effectiveness to determine the extent to which they are operating as intended and comply with federal, state, enterprise and agency s
Requires all employees and contractors to attend annual security awareness training
Requires log management practices
Establishes requirements for separating operational environments from test/development environments
Requires separation of production from development and test environments
Guidelines to Use Social Media
Provides direction regarding the acquisition, use, distribution and redistribution of commercial, public domain, and State-authored software and Software Licenses.
Provides for sharing of data among agencies
Establishes standards for creating and using strong passwords
Establishes statewide standard on disposition of surplus electronic media
Agencies select and authorize SDLC’s for their use
Requires agencies to establish criteria for accepting a system from development to operations
Requires a formal lifecycle management program for systems in development or operations
Requires data and system owners to create and maintain system security plans
Requirements for a formal IT lifecycle management program
Requires agencies to document system operational procedures
To provide state agencies and employees with detailed processes and procedures that will assist in working from a remote (virtual) environment.
Requires a Project Charter for IT projects
Project management methodology for technology projects valued at $100,000 or more
Guidelines for technology project management when there is greater than $100,000 investment
Administering Enterprise and Agency open contracts for telecommunications systems and long distance services
Security requirements for telework and remote access to state information systems
This standard offers a list of important components for an agency to consider inserting in a service agreement for cloud services. By no means does this list cover all situations that may be included in a service agreement; but those listed here areoften overlooked by State agencies.
Provisions for third-party access to state facilities and information systems
Establishes security requirements for conducting business with contractors, outsourcing vendors and/or other third-parties
Requires the use of cryptographic controls
The primary focus of the Vulnerability Disclosure Program (VDP) is to securely accept, triage and rapidly remediate vulnerabilities submitted by our security research community.
Requires control and management of web services
Design techniques to support branding of State of Georgia websites
Guidelines for website use and construction in GaGov
Minimum security requirements for wireless network implementation