Information Technology Reporting (SS-08-053)
SS-08-053 Information Technology Reporting
Issue Date: 4/15/2008
Revision Effective Date: 3/31/2011
Review Date: 7/1/2018
On March 19, 2008 the Governor Issued an Executive Order taking the lead on issues of Information security. This order directs GTA to define performance measures and Issue a standard in March of each year requiring agencies to report the status of those measures as of the end of the fiscal year to GTA. This Is consistent with GTA's role established In legislation; "To establish technology security standards and services to be used by all agencies;" (see O.C.G.A 50-25-4(a)(21). In 2009, new legislation updated GTA powers to” . . .publish an annual state information technology report;" and the authority to solicit reporting data from agencies up to twice a year (see O.C.G.A 50-25-7.10).
GTA will compile and analyze the agency reports to assess the adequacy and effectiveness of Information security and IT processes throughout the state and recommend areas for Improvement. GTA will prepare and submit an annual State of Georgia Information Technology Report to the Governor's Office. The annual report will provide a high-level view of the state's information technology assets and projects and their critically to the state. The report will facilitate state executives' and legislators' understanding of the current state of information technology, security and related risks and how each agency is performing in meeting the needs of its organization and managing those risks year to year. It will also provide data needed for prioritizing and making cost effective, risk-based decisions with regards to recommended improvements.
In 2011, GTA will continue obtaining and maintaining ongoing Information regarding each agency's information security program, technology assets, projects and expenditures.
SCOPE; ENFORCEMENT; AUTHORITY; EXCEPTIONS
- Official Code of Georgia Annotated:
- O.C.G.A 50-25-4(a)(21)
- O.C.G.A 50-25-7.10
- Governor's Executive Order on Information Security Reporting 19 March 2008
- Enterprise Information Security Charter (PS-08-005)
While information security plans and measures are specifically exempted from public disclosure under the Open Records Act, agencies are required to strategically plan their IT Initiatives and make these plans and corresponding performance measures or metrics available to the public.
Any exceptions to this standard shall be at the discretion of and approved In writing by the State Chief Information Officer.
To ensure the adequacy, effectiveness, and continuous Improvement of Information assurance throughout the state:
- GTA shall define the performance goals and measures as follows:
- IT performance goals and measures shall be based on specific compliance. Implementation and effectiveness objectives such as but not limited to compliance with technology and security policies and standards, cost-effective service delivery, project management and mission accomplishment.
- The performance goals shall state a desired result of the Implementation of system security and IT process requirements and the actions required to accomplish the goals.
- The metrics shall attempt to measure the accomplishments of each agency by quantifying the level of Implementation, effectiveness and efficiency of the stated objectives.
- The metrics, over time, shall demonstrate progress against established objectives as technology services and security matures and shall facilitate the development of corrective actions and/or Improvement plans.
- Each agency shall conduct an annual review and report the status of its operational IT systems, applications, IT projects and Information security program as of June 30"^ of each year.
- Agencies shall deliver their completed report to GTA, utilizing the web-based Information Technology Governance Reporting (ITGR) system, not later than July 31^*^ of the same year.
- No other format for the report will be accepted.
- The web address for the ITGR system will be sent to agency heads and CIOs.
- GTA shall compile and analyze the agencies' reports and produce an annual State of Georgia Information Technology Report and deliver to the Governor's office by October 1st of each year.
- The report shall provide a summary of statewide IT resources, projects and expenses as well as performance strengths, weaknesses and areas of Improvement.
- It shall include recommendations to improve the maturity of IT processes, governance and security throughout Georgia government.
In addition to continuous update of each agency's IT system, application and project inventories, 2011 performance measures shall seek demonstrated progress over 2010 each agency's technology operations and project management and information security processes in the areas of:
- Security Program Management
- Business Continuity and Disaster Recovery Planning
- Incident Response and Reporting
- Security Education and Awareness
- Enterprise Performance Lifecycle Management (EPLC)
RELATED ENTERPRISE POLICIES, STANDARDS, GUIDELINES
- GTA's full collection of Information Security and Technology policies and standards are available on this website.
NIST Computer Security Resource Center- http://csrc.nist.qov/
- SP 800-53 rev 3 Information Security Controls:
- SP 800-55 Performance Measurement Guide for Information Security
- SP 800-80 Guide for Developing Performance Metrics for Information Security
TERMS and DEFINITIONS
- Performance Goal
- - The desired results of implementing the security objective or technique that are measured by the metric
- Performance Measures
- - The actions required to accomplish the performance goal validated through the completion and analysis of the agency report.
- - Numeric Indicators used to gauge state-wide program performance and monitor progress toward accomplishing state-wide goals and objectives. Monitors and measures accomplishment of goals by quantifying the level of implementation and effectiveness