Information Security Controls Policy (PS-17-001)
Topics:
- Title: Information Security Controls PS-17-001
- Effective Date: 05/01/2017
- Review Date: 02/16/2026
Purpose
This policy establishes enterprise requirements for implementation, ownership, inheritance, and governance of security controls aligned to NIST SP 800-53, Security and Privacy Controls for Information Systems and Organizations (current published version). It applies to systems hosted on-premises, within shared State facilities, or in cloud-based environments including Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS), as well as systems operated by third-party service providers.
Scope and Authority
- O.C.G.A 50-25-4(a)(10), State Government, Georgia Technology, General Powers
- O.C.G.A 50-25-4(a)(21), State Government, Georgia Technology, General Powers
- PM-04-001, Information Technology Policies, Standards and Guidelines
- PS-08-005, Enterprise Information Security Policy
Terms and Definitions
Agency – means every state department, agency, board, bureau, commission, and authority but shall not include any agency within the judicial or legislative branch of state government, the Georgia Department of Defense, departments headed by elected constitutional officers of the state, or the University System of Georgia and shall also not include any authority statutorily required to effectuate the provisions of Part 4 of Article 9 of Title 11.
Service Integrators/Managed Service Integrators (MSI) – a company that is responsible for managing, coordinating, integrating and/or overseeing the delivery of technology services to state agencies by multiple service providers.
Service Provider/Third-Party Service Providers – any person or entity that maintains, processes, or otherwise is permitted access to state-owned information through its provision of services. This includes all cloud-based technologies, i.e.:
- Software as a Service (SaaS) providers - companies that provide hosted application services.
- Platform as a Service (PaaS) providers – companies that provide hosted application development or deployment services.
- Infrastructure as a Service (IaaS) providers - companies that provide hosted data storage or processing services.
Policy
All Agencies and Service Providers, including Managed Service Integrators, shall comply with all applicable security controls as adopted by the State and aligned to NIST SP 800-53, Security and Privacy Controls for Information Systems and Organizations (current publication), as well as other applicable regulatory and industry standards. Security controls shall be selected and implemented in accordance with the system’s designated impact level – Low, Moderate, or High – as determined through a formal system classification process. Clear ownership shall be established for each control, and the designated owner (Agency, Service Provider, or MSI) shall be responsible for the implementation and management of the assigned control. For controls identified as a Shared Responsibility, the participating Agencies and/or Service Providers shall document all respective responsibility allocations. Agencies that engage Third-Party Service Providers, including cloud service providers, retain ultimate accountability for ensuring that their systems comply with all applicable security control requirements.
Related Enterprise Policies, Standards, and Guidelines
- Information Security Control Standard (SS-17-001)
- Risk Management Framework Standard (SS-08-041)
References
- NIST SP 800-53, Security and Privacy Controls for Information Systems and Organizations (current published version)
- FIPS 199, Standards for Security Categorization of Federal Information and Information Systems