The Chancellor, the University System of Georgia (USG) chief information officer, the presidents of all USG institutions, and institution chief information officers shall develop, adapt, and administer the information technology (IT) methods and procedures for promoting efficiency of operations and the advancement of learning.
For the purposes of Section 10 of this Policy Manual, unless specifically designated otherwise, the Chancellor’s designee shall be the USG chief information officer or any other person designated by the Chancellor in writing.
The Chancellor and the USG chief information officer may, in the name and on behalf of the Board of Regents, execute documents and take or cause to be taken other actions that, in the reasonable judgment and discretion of such officials, may be necessary, proper, convenient, or required in connection with the execution and delivery of such instruments, documents, or writings in order to carry out the intent of the delegated authority.
The Chancellor and the USG chief information officer are responsible for establishing procedures and guidelines for the acquisition, development, planning, design, construction, renovation, management, and operation of USG technology facilities and systems. Documentation of Board of Regents’ policies, procedures, and guidelines shall be maintained and updated in electronic format and shall be readily available to institutions, consultants, vendors, and any other parties involved in work on USG IT-related initiatives.
The USG chief information officer shall periodically update the Board on the status of documents available for guidance on USG IT-related topics.
All technology acquisitions and upgrades and expansions to existing technology solutions and associated agreements using funds from any source require authorization by the Board of Regents and shall be implemented in accordance with established Board procedures under the direction of the University System of Georgia (USG) chief information officer.
The USG chief information officer may act on behalf of the Board of Regents, without prior approval of the Board, in the authorization of information technology (IT) projects in accordance with state law and existing Board of Regents’ policy governing IT procurement.
10.3.1 Delegation of Project Authorization Authority
The USG chief information officer may delegate any or all of the authority to authorize projects to USG institution presidents or their designees based upon an evaluation by the Chancellor or USG chief information officer of the ability of an institution to properly administer the delegated authority in accordance with Board of Regents policies, procedures, and guidelines. Delegated authority may be withdrawn at the discretion of the Chancellor or the USG chief information officer.
Information created, collected, or distributed using technology by the University System Office (USO), all University System of Georgia (USG) institutions, and the Georgia Public Library Service (GPLS) is a valuable asset and must be protected from unauthorized disclosure, modification, and destruction. The degree of protection needed is determined by the nature of the resource and its intended use. The USO, all USG institutions, and the GPLS shall employ prudent cybersecurity policies, standards, and practices to minimize the risk to the confidentiality, integrity, and availability of data and information and shall create and maintain an internal cybersecurity program.
10.4.1 System-Level Responsibilities
The USG chief information security officer shall develop and maintain a cybersecurity organization and architecture in support of cybersecurity across the USG and between USG institutions.
The USG chief information security officer shall maintain cybersecurity implementation guidelines that the USO, all USG institutions, and the GPLS shall follow in the development of their individualized cybersecurity plans.
10.4.2 Institutional- and Organizational-Level Responsibilities
The President of each USG institution and the GPLS State Librarian shall ensure that appropriate and auditable information security controls are in place, which shall include maintaining a trained and dedicated information security officer.
The USO, all USG institutions, and the GPLS shall each develop, implement, and maintain a cybersecurity plan consisting of cybersecurity policies, standards, procedures, and guidelines that is consistent with the guidelines provided by USG Cybersecurity and submit the plan to USG Cybersecurity for review upon request.
Cybersecurity implementation must include a user awareness, training, and education plan, which is consistent with the guidelines provided by USG Cybersecurity and shall be submitted to USG Cybersecurity for review upon request. Methods for ensuring that applicable laws, regulations, guidelines, and policies concerning cybersecurity awareness training are followed shall be distributed and readily available to each organization’s user community.
Clear procedures for reporting and managing cybersecurity incidents shall be documented, adhered to, and contained in a cybersecurity incident response plan, which shall be submitted to USG Cybersecurity for review upon request. These procedures shall include the reporting of incidents to the USO in a timely manner.
10.4.3 Identity Theft
The USG shall maintain a program and policies designed to protect against identity theft and to safeguard personal and financial information maintained by the USG and its institutions and organizations. The program shall comply with all applicable credit reporting and electronic transaction laws, be reviewed at least annually for effectiveness and legal compliance, and be widely distributed.
↑ Top