Effective Date: May 1, 2017
The information technology (IT) industry is innovating more effective ways of providing external services (SaaS, IaaS, PaaS), coupling speed of service provisioning with enticing economic incentives when compared to the development, infrastructure and operational costs of self-provisioned IT. The role of an IT organization in providing services is rapidly changing from that of an internal provider to that of managing external service providers and brokering services for the business units it serves. State of Georgia enterprise managed IT services (EMS) include externally provisioned services obtained through GTA's enterprise agreements and through DOAS-negotiated statewide contracts. GTA recognizes the relative values and risks of market-obtained provisioning; the resulting service mix is available to agencies as options through the GETS catalog of services, through DOAS statewide contract listings and through other enterprise contracts provided by GTA.
This standard is the keystone enterprise standard to guide governance of managing IT provisioning according to risk.
SCOPE AND AUTHORITY
Information Technology Policies, Standards and Guidelines (PM-04-001)
1.) An IT service offered as an enterprise managed service (EMS) through GTA or DOAS shall be an information technology standard service.
2.) A State agency proposing to acquire new IT services, or to implement a significant modification to the operational components of current IT systems or services, shall, as a first priority, select from enterprise managed services. Then, if the enterprise managed services are found unsuitable for the agency’s intended business purposes, consider provisioning options of self-development or acquisition from the marketplace, subject to the security categorization of the intended IT service, as follows:
a.) Agencies desiring to implement a service apart from the EMS with a security categorization of LOW/MODERATE must obtain an exemption from this standard from the State CIO. *Agencies shall submit a System Security Plan (SSP) if the request is approved.
b.) All services with a security categorization of HIGH shall be State hosted and shall be supported within the EMS. However, should an agency encounter specific conditions or constraints which, beyond that of cost, outweigh the potential impact of loss or compromise of information and/or processing system for a given service, the agency may seek an exemption from this standard from the State CIO.
3.) In order to acquire cloud services, an agency shall adhere to the following governance processes:
a.) If the service acquisition is projected to cost $500,000 or more as defined in Information Technology Review (revised) SM-08-103, submit a Project Initiation Notification (PIN) to GTA in the early planning stages of the project as required by SM-08-103.
b.) For all technology acquisitions, prior to posting procurement documents to the DOAS procurement registry:
i.) Obtain GTA's endorsement of the technology procurement (see GTA Endorsement of Proposed Technology Procurement SM-14-008).
ii.) If an exemption from a State standard is required, submit a Request for Exemption to GTA (see Exemption from State Policies and Standards SM-11-007).
c.) Post procurement documents to the DOAS procurement registry. Select a vendor.
d.) For all cloud services, negotiate a service agreement for services being provisioned, ensuring appropriate contract provisions (see Terms and Conditions for Cloud Services SM-14-010) to protect the State’s interest in the following areas:
i.) Ownership of data and responsibilities of parties,
iii.) Audits and reviews,
iv.) Service provider staffing and strategic business partners,
v.) Operations of the environment, and
vi.) Suspension and termination of the vendor agreement.
4.) For all cloud services enabled for agency use (regardless of the security categorization of the data or system), the agency must forward to GTA's Enterprise Governance and Planning Division a completed copy of the "Deployment Certification" form within thirty (30) days of the deployment of the service.
5.) Agencies that use cloud services with security categorizations of MODERATE or HIGH shall additionally provide for internal agency support processes to manage these services as follows:
a.) Define a Cloud Architecture, including a bi-modal pathway to on-premises systems (in-agency and in-North Atlanta Data Center),
b.) Define support processes and software tools,
c.) Define a technical workforce transition plan to a cloud support model, and
d.) Create a realistic (multi-year if necessary) transition plan that encompasses the above.
6.) Any third party, either as the prime or as a sub-contractor, who provides an IT service which is approved as an exemption to this standard shall meet specific minimum provisions to protect the State and the agency in the areas of security, recoverability and personnel security (see Outsourced IT Services and Third-Party Interconnections SS-08-044).
TERMS AND DEFINITIONS
IT Service – a means of delivering value to customers by facilitating outcomes customers want to achieve without the ownership of specific information technology costs and risks.
IT Service Management – a means of making available capabilities and resources useful to the customer in the usable form of services at acceptable levels of quality, cost and risk.
Enterprise Managed Services (EMS) – a means of managing and supporting shared or private cloud services for an organization (the enterprise). In the State of Georgia, EMS means services available through GTA enterprise agreements, through enterprise applications or through DOAS negotiated statewide contracts.
EMS Catalog – a listing and description of IT services supported and managed by the enterprise.
RELATED ENTERPRISE POLICIES, STANDARDS AND GUIDELINES
Exemptions from State Policies and Standards SM-11-007
Data Categorization – Impact Level SS-08-014
Terms and Conditions for Cloud Services SM-14-010
Statewide Data Sharing PM-07-003
Data Storage Location SS-15-002
Data Sharing Guidelines GM-15-008
GTA Endorsement of Proposed Technology Procurement SM-14-008
System Security Plans SS-08-028
Information Technology Review SM-08-103
Outsourced IT Services and Third-Party Interconnections SS-08-044
Deployment Certification SA-10-009
PSGs REPLACED BY THIS STANDARD
Enterprise Operational Environment SO-10-003 (Rescinded)
Requirements to Use Cloud Services SA-14-003 (Rescinded)
Note: The “Deployment of Cloud Services” form which was previously a part of Requirements to Use Cloud Services SA-14-003 will be attached to this standard since SA-14-003 will be rescinded.