SS-08-009 Electronic Communications Accountability

Issue Date:  3/31/2008

Revision Effective Date:  3/31/2008

Review Date: 7/1/2018

PURPOSE

Any information originating from a state electronic information system or state employee while acting in their official capacity could be interpreted as an official position of the state. 

As employees of the state, we are custodians of the data we create, receive, transfer, and access. As such, we are individually responsible for maintaining the image and integrity of the state by exercising due diligence and due care with regard to the content and transmission of all electronic correspondence from state information systems or its employees.

This document establishes a standard for individual responsibility with regard to any and all communications generated from State information systems or by state employees or state representatives.

STANDARD

All electronic communications generated from a State of Georgia Information System or in connection with conducting state business must adhere to the Enterprise Policies and Standards for Appropriate Use.

Anyone in possession of State information assets assumes custodial responsibilities of the information.

Agencies shall establish internal procedures for appropriate handling and storage of all electronically stored State of Georgia information that is owned or controlled by such agency.

Originators of electronic data or correspondence are responsible for appropriateness of message content, awareness of data classification, and confirming authorization and need-to-know of the recipients (see exceptions) before transmitting any electronic correspondence from a State information system on behalf of the State.

Upon forwarding information, the individual forwarding assumes responsibility as an originator (above) for proper handling and disposition of the information.

RELATED ENTERPRISE POLICIES, STANDARDS, GUIDELINES

Appropriate Use of Information Technology Resources (PS-08-003)

Appropriate Use and Monitoring (SS-08-001)

TERMS and DEFINITIONS

Authorization and need-to-know is above and beyond the administrative approval needed to access sensitive information. In addition to having the formal approval to access information, individuals must also have system authorization and a need, based on their job functions or role, to access the information. (Example: GTA system administrators have administrative approval for privileged access to the GTA intranet; however, based on their job functions, they are not authorized to access, nor do they have a need to know, the information contained in personnel files.)

Data Custodianship is the responsibility assumed by anyone entrusted with state information for upholding the security objectives of confidentiality, integrity and availability while that information is in that person’s possession, either physically or digitally.