Information Technology Policies and Standards (PM-04-001)
PM-04-001 Information Technology Policies and Standards
Issue Date: 10/1/2007
Revision Effective Date: 10/1/2007
To define the terms, “policy,” “standard,” and “guideline” and to describe how GTA will issue these in discharging its statutory responsibilities to include establishing technology architecture for the state technology infrastructure.
To promote efficient use of resources and to promote the delivery of public services by an IT enabled system of governance that works better, costs less and is capable of serving the citizens’ needs with ease.
To establish and enforce specifications which shall apply to all technology and technology resource related supplies, materials, and equipment purchased or to be purchased for the use of the state government or any of its agencies. These specifications shall be based to the extent practicable on industry accepted open network architecture and interoperability standards.
All Agencies as that term is defined in O.C.G.A. Section 50-25-1 et seq.
GTA shall establish information technology policies, standards and enterprise architecture for the state technology infrastructure to promote efficient use of resources and to promote economic development.
Establishment of Policy
O.C.G.A. Section 50-25-4 authorizes the GTA to set technology policy for all agencies except those under the authority, direction, or control of the General Assembly or state-wide elected officials other than the Governor. That code section also authorizes GTA to:
- Coordinate with agencies, the legislative and judicial branches of government, and the Board of Regents of the University System of Georgia, regarding technology policy;
- Establish architecture for state technology infrastructure to promote efficient use of resources and to promote economic development;
- Establish technology security standards and services to be used by all agencies;
- Facilitate and encourage the conduct of business on the Internet;
- Expand and establish policies necessary to ensure the legal authority and integrity of electronic documents;
- Establish processes, specifications, and standards for procurement, which shall apply to all technology to be purchased, licensed, or leased by any agency; and,
- Establish and enforce standard specific actions which shall apply to all technology and technology resource related supplies, materials, and equipment purchased or to be purchased for the use of the state government or any of its agencies, which specifications shall be based on and consistent with industry accepted open network architecture standards;
Although agencies under the control of state-wide elected officials may set their own technology policies, the Attorney General has opined that these agencies’ technology resources must comply with GTA’s state-wide standard specifications, architecture for technology infrastructure, security standards, and procurement standards. In setting such standards, however, GTA must consider, accommodate, and include the constitutional agencies’ technology policies.
GTA will provide a web-based site for the dissemination of policies, standards and guidelines.
Enterprise IT policies will be approved and issued by the GTA Board. As provided for by GTA Board Resolution No. 06-12-14:1, the Board delegates to the State Chief Information Officer the following authority:
- To make conforming and other nonsubstantive changes to GTA policies for purposes such as:
- To prevent any portion of an existing GTA policy from conflicting with new or revised policies or laws;
- To update organizational or position titles;
- To conform with a new system of citation;
- To correct spelling, capitalization, hyphenation, grammatical, typographical or factual errors;
- To renumber, redesignate, and rearrange sections, paragraphs or any combination or portion thereof and to change cross-reference numbers to agree with renumbered policies, sections and/or paragraphs.
- To delete a policy which is no longer applicable for such reason as the policy’s provisions have been superseded by law or legal instrument, or the technology referenced by such policy has become obsolete.
The State Chief Information Officer shall notify the Board of proposed changes to be taken under this delegated authority. The changes shall become effective upon approval by the Chair. If the Chairperson believes the proposed changes may exceed the powers granted by this delegation or has other concerns, the proposed changes will be held for presentation and approval at the next Board meeting.
Establishment of Standards and Guidelines
The State Chief Information Officer shall have the authority to establish technology standards and architecture and issue technology guidelines. Guidelines will be issued from time-to-time by GTA, either directly or in conjunction with the establishment of policies and standards.
GTA staff shall issue draft or proposed standards for comment by members of the Georgia CIO Council unless otherwise dictated by the State Chief Information Officer.
GTA shall maintain internal processes to manage the creation and modification of enterprise information technology policies, standards and guidelines.
In the context of information technology, the words policy, standard, and guideline are often used interchangeably. The intent of this document is to 1) provide working definitions for each of these terms as used by the Georgia Technology Authority (“GTA”); 2) identify which state entities are affected by these terms; and, 3) how they are affected. A thumbnail definition of each term:
- Policy – A general or high level statement of a direction, purpose, principle, process, method, or procedure for managing technology and technology resources.
- Standard – A prescribed or proscribed specification, approach, directive, procedure, solution, methodology, product or protocol which must be followed.
- Guideline – A guideline is similar to either a standard or a policy, in that it outlines a specific principle, direction, directive, specification, or procedure but is not binding. Rather, a guideline is a recommended course of action.
A Policy is a general or high level statement of a direction, purpose, principle, process, method, or procedure for managing technology and technology resources. A specific example of a technology policy might be:
Agencies shall take appropriate steps, including the implementation of strongest-available encryption, user authentication, and virus protection measures, to mitigate risks to the security of State of Georgia data and information systems associated with the use of wireless network access technologies.
O.C.G.A. § 50-25-4(a)(10) invests GTA with the authority to “set technology policy for all agencies1 except those under the authority, direction, or control of the General Assembly or state wide elected officials other than the Governor.”
Therefore, when GTA issues a technology policy, it is binding upon all agencies in the executive branch which are not led by constitutional officers2. Agencies under the judicial branch; agencies headed by a state-wide elected official; agencies under the direct control of the General Assembly; or institutions under the Georgia Board of Regents, can opt to adopt, modify, or ignore the Policy. Further, GTA technology policies must be approved by the GTA board.
A Standard is a prescribed or proscribed specification, approach, directive, procedure, solution, methodology, product or protocol which must be followed. An example of a technology standard might be:
Agencies shall appoint, designate or hire an Information Security Officer to administer an information security program to ensure the confidentiality, integrity and availability of state Information Technology assets
GTA has statutory authority to establish technology security Standards and services to be used by all agencies; and, to establish and enforce Standard specifications which shall apply to all technology.3 The Attorney General has opined that such standards apply to all executive branch agencies including those controlled by constitutional officers.4
Therefore, when GTA establishes a standard, it is binding upon all executive branch agencies including those executive branch agencies headed by constitutional officers. 5 Agencies under the judicial or legislative branches, or institutions under the Georgia Board of Regents can opt to adopt, modify, or ignore the standard.
Establishment of Standards
In establishing standards, GTA, whenever practicable, will issue draft or proposed standards for comment by members of the Georgia CIO Council prior to adoption. The purpose of this comment period is to consider, accommodate, and/or include the comments and alternatives presented by state agencies (inclusive of those under the control of constitutional officers). Due to the binding nature of GTA’s established standards on all executive branch agencies, GTA will establish and maintain a procedure to facilitate the comment period and process as an integral part of the standards establishment process.
A Guideline is similar to either a Standard or a Policy, in that it outlines a specific principle, direction, directive, specification, or procedure, but it is advisory in nature. The intent of a Guideline is to promote a “best practice”, while recognizing that there may be several ways of accomplishing the same task or that further analysis is necessary before adoption of a binding uniform approach. It is possible for Guidelines to evolve into Policies or Standards.
An example of a technology Guideline might be:
Users should make their passwords AT LEAST 8 characters in length.
When GTA issues a Guideline, all agencies are encouraged to follow the Guideline, but ultimately it is the agency’s decision whether to use or ignore the Guideline.
The application of these working definitions is intended to provide agencies a common framework and perspective on the development of Policies, Standards, and Guidelines. Enterprise Technology Policies will be issued and approved by the GTA Board. The discussion and establishment of Enterprise Standards will be coordinated through the CIO Council whenever practicable. Guidelines will be issued from time-to-time by GTA, either independently or in conjunction with the establishment of a Policy or Standard.
WEB-BASED ORGANIZATION & DISTRIBUTION
GTA will provide a website for the dissemination of Policies, Standards and Guidelines.
- O.C.G.A. Section 50-25-1 et seq.
- Op. Attorney Gen. 2001-08
- GTA Board Resolution No. 06-12-14:1.
1 Agency is defined as “every state department, agency, board, bureau, commission, and authority which shall not include any agency within the judicial branch of state government or the University System of Georgia and shall also not include any authority statutorily required to effectuate the provisions of Part 4 of Article 9 of Title 11.” O.C.G.A. § 50-25-1(b)(1) (Supp. 2001). [Part 4 is now Part 5.] Therefore, the Board of Regents of the University System of Georgia and the Georgia Superior Court Clerks’ Cooperative Authority are expressly exempted by statute from GTA’s authority as it relates to executive branch agencies, and general references to executive branch agencies within this document do not include them.
2 The scope of certain policies may only apply to certain agencies that are within a “common community of interest.” An example may be certain Policies dealing with HIPAA related data may only apply to agencies that handle certain patient or medical data. The same may be true for certain standards or guidelines.
3 See O.C.G.A. § 50-25-4(a)(15),(21) and (29).
4 In an official opinion analyzing the GTA’s authority, the Attorney General opined as follows:
Viewing the statute as a whole and keeping in mind the legislative intent to consolidate the procurement and management of technology in one agency, it is clear that the ability [of executive branch agencies under the control of constitutional officers] to set technology policy is further constrained by the GTA’s authority to establish architecture for state technology infrastructure, establish technology security standards and services, establish and enforce standard specifications applicable to all technology and technology resources related supplies, and establish standards for procurement. OCGA §§ 50-25-4(a)(15), (21), (29), and (30) (Supp.2001). (Opinion footnotes omitted). Op. Att’y Gen. 2001-08.
5 See note 2.