What are “PSGs”?
The term “PSG” refers collectively to information technology and security “Policies,” “Standards” and “Guidelines.” They are a body of work with applicability to the State enterprise. State agency heads are ultimately responsible for the processes and process controls that they employ to accomplish the work of their agencies; however, the enterprise-level PSGs establish common controls, governance of resources, technology specifications and review conditions. An agency head should request an exemption from a specific State standard rather than simply not comply with it.
A Policy is a general or high-level statement of a direction, purpose, principle, process, method, or procedure for managing technology and technology resources.
A Standard is a prescribed or proscribed specification, approach, directive, procedure, solution, methodology, product or protocol which must be followed.
A Guideline is similar to either a standard or a policy, in that it outlines a specific principle, direction, directive, specification, or procedure but is not binding. Rather, a guideline is a recommended course of action.
What are the benefits of PSGs?
Without devoting a large amount of text to describe the benefits of PSGs, let us simply provide a list:
- PSGs promote the efficient use of information technology,
- PSGs facilitate a more efficient IT architecture,
- PSGs establish standard processes,
- PSGs establish specifications and standards for the procurement of technology and technology resources,
- PSGs guide the use of State resources applied to IT, and
- PSGs establish security standards and services to be used by all agencies for the protection of the information assets of the State and its constituents.
What are the target audiences for PSGs?
PSGs are specifically targeted to State Agencies. While the actual scope of authority is slightly different for technology standards and security standards, PSGs generally apply to Executive Branch State Agencies and any information technology that is deployed to accomplish agency work. Two policies interpreting the scope of PSGs can be found on this website: look for PS-08-005 “Enterprise Information Security Charter” and PM-04-001 “Information Technology Policies and Standards”.
What are the target audiences for this website?
This website targets the information technology staff of state agencies, the interested general public and potential vendors of technology solutions for state agencies.
State agency staff will find a ready resource of PSGs cross-referenced to several industry best-practice frameworks to assist their interpretation of the intent of the PSG.
The general public may be more interested in the website’s View of PSGs.
Potential vendors may be specifically interested in the consolidated listing of security standards, which is packaged for their review. Vendors must contractually agree that their products and services meet the security standards of the State.
How are PSGs created?
Any individual may suggest a Policy, Standard or Guideline by bringing the topic to the attention of the State Policy Coordinator with an email to firstname.lastname@example.org. The Policy Coordinator will investigate the topic and, if the PSG appears warranted, perform industry research and develop a draft, seeking assistance from subject matter experts within GTA. The review process that ensues includes a group of agency Chief Information Officers and managers of an enterprise governance group.
A final decision to accept the draft Standard or Guideline is made by the State Chief Information Officer.
A final decision to accept a Policy is made by GTA’s Board.
What timelines are implicit in PSG development?
There are no specific times of the year in which PSGs are developed. Also, there are no timelines for completion of a PSG; actual elapsed development times range from days to, in some cases, years.
How do industry best practices factor into Georgia’s PSGs?
There are several organizations which perform research and publish bodies of industry best practice for different areas of specialization in the information technology industry. Georgia’s PSGs rely on these organizations to vet ideas beyond concept and offer proof of stability. Georgia’s PSGs are based on the following specialties:
- Overall structure and framework of Georgia’s body of PSGs is based on the publications of the Control Objectives for Information and related Technology (COBIT®) developed by the Information Technology Governance Institute.
- Security policies and standards are based on the framework established by the Federal Information Security Management Act (FISMA) of 2002 and supporting documentation developed for that Act by the National Institute of Standards and Technology (NIST).
- Project, Program and Portfolio Management policies and standards are based on work published in the Project Management Body of Knowledge (PMBOK®).
- Information Technology Operations policies and standards depend on the work of the Office of Government Commerce’s Information Technology Infrastructure Library (ITIL®).
How are stakeholders provided a say in the writing and reviewing of PSGs?
Anyone can suggest a PSG. Proposed PSGs are actively reviewed by a group of State agency CIOs and proposed PSGs are discussed with the State Business Management Council.
Even with a website dedicated to PSGs, how can GTA be certain that the published policies and standards reach individuals in the target audiences?
GTA tries to be proactive by publishing PSGs on this website. Notification of new PSGs is provided in the landing page panel entitled “Press Release”. However, merely publishing the new items will not ensure that individuals will load the website to look for new items. Therefore, we also send a targeted email to agency CIOs announcing new PSGs. In addition, we employ a PSG Management System for State IT personnel, which provides more robust search capabilities as well as targeted email notifications. User access to the PSG Management System has been provided to appropriate GTA staff as well as agency chief information officers, information security officers, privacy officers and selected business managers.
If a standard does not apply in a certain situation, can an agency be exempted from the standard?
An agency expecting or experiencing undue hardship in implementing a standard may request exemption from implementation of the item. Exemptions are governed by SM-11-007, which applies to all policies and standards issued by GTA. Exemptions from guidelines are not necessary, as agency compliance with guidelines is not mandatory.