  • Title: Information Security Controls Standard, SS-17-001 Information Security Controls
  • Effective Date: 7/1/2017
  • Review Date: 12/1/2024

Purpose

In accordance with the Information Security Control Policy, each agency operating within a shared-service environment is responsible for ensuring that applicable NIST 800-53 (rev. 4) security controls are implemented and operated effectively. This standard establishes responsibilities for security controls per application and/or system operating within a shared-services environment.

Scope and Authority

  • O.C.G.A 50-25-4(a)(8), State Government, Georgia Technology, General Powers
  • O.C.G.A 50-25-4(a)(20), State Government, Georgia Technology, General Powers
  • PM-04-001, Information Technology Policies, Standards and Guidelines
  • PS-08-005, Enterprise Information Security Policy

Terms and Definitions

  • Accountable Party: entity to which final ownership is assigned for security incidents, breaches or disruptions.
  • Multisourcing Service Integration (MSI): company that is responsible for coordinating and overseeing the delivery of technology services to state agencies by multiple service providers.
  • NIST 800-53 Security and Privacy Controls for Federal Information Systems and Organizations: Provides a catalog of security controls for all U.S. federal information systems except those related to national security.
  • Responsibility: group or individual who completes the task.
  • Service Provider: organization, business or individual which offers a service or services to others in exchange for payment.
  • Shared-service Environment: dedicated unit (including people, processes and technologies) that is structured as a centralized point of service and is focused on defined business functions and providing services for multiple agencies.

Standard

Agencies, service providers and integrators will comply with all applicable security controls outlined within the standard in accordance with NIST 800-53. The applicable control families are:

Technical Controls

  • AC: Access Control
  • AU: Audit and Accountability
  • IA: Identification and Authentication (Refer to the Information Security Control Matrix as an example.)
  • SC: System and Communications Protection

Operational Controls

  • AT: Awareness and Training
  • CM: Configuration Management
  • IR: Incident Response
  • MA: Maintenance
  • MP: Media Protection
  • PE: Physical and Environmental Protection
  • PS: Personnel Security
  • SI: System and Information Integrity

Managerial Controls

  • CA: Security Assessment and Authorization
  • CP: Contingency Planning
  • PL: Planning
  • RA: Risk Assessment
  • SA: System and Services Acquisition

The Information Security Control Matrix, displayed on this page in an accessible text format and a visual format, provides a perspective of shared technical responsibilities for all agencies, service providers, and integrators across the State’s IT enterprise. These responsibilities are based on current NIST best practices and existing enterprise contracts with current service providers and integrators. The matrix is a tool to demonstrate compliance among State agencies during any and all scheduled IT audits and assessments. If an agency believes that a control is not properly aligned with their operational model, the agency is required to submit a request for an exemption to GTA at [email protected]. Although the agency may not have technical responsibilities for certain NIST 800-53 controls, the agency assumes ultimate accountability for NIST 800-53 compliance requirements. Agencies, service providers and service integrators must comply with all applicable NIST security controls as listed in the matrix.

Agencies whose IT solutions are hosted, managed and maintained within the NADC or by a third-party service provider are required to abide by this standard and the attached security control matrix. This standard does not apply to any systems and/or applications where security is provisioned, implemented and maintained solely by the agency’s staff. Even where the Information Security Control Standard does not apply, agencies are still required to comply with all other enterprise IT standards.

Information Security Control Matrix (Accessible Text Version)

Shared Services Model

This matrix describes how responsibility for NIST Security Controls is distributed across three different hosting models: NADC Hosted, Third Party Hosted, and Agency Hosted.

  1. NADC Hosted: Responsibility is shared across three parties, the Agency, Shared Services, and the Vendor. The Standard applies.
    1. Agency: responsible for a portion of controls
    2. Shared Services: responsible for a portion of controls
    3. Vendor: responsible for a portion of controls
  2. Third Party Hosted: Responsibility is shared between two parties, the Agency and the Vendor. There is no Shared Services layer. The Standard applies.
    1. Agency: responsible for a portion of controls
    2. Vendor: responsible for a portion of controls
  3. Agency Hosted: The agency has full responsibility for all NIST Security Controls.

Please note that all other State enterprise IT standards do apply in all three hosting models described.

Information Security Control Matrix (Non-Accessible Visual Version)

Information Security Control Matrix in visual, non-accessible format.