The Office of Information Security (OIS) is a component of the Enterprise Governance and Planning (EGAP) division of the Georgia Technology Authority (GTA). It operates in a similar manner to a central information security program as defined by the National Institute of Standards and Technology (NIST), Special Publication 800-12, An Introduction to Computer Security: The NIST Handbook. Each agency of the state is required to run its own information security program in compliance with the information security policies and standards issued by GTA. To assist the agencies with this responsibility, OIS performs the following activities.
Security Program Reviews
GTA has adopted the security requirements created by the Federal Information Security Management Act (FISMA) of 2002 and the FISMA Implementation Project conducted by NIST. GTA's policies and standards were developed in accordance with FISMA, and OIS conducts program reviews to help agencies identify and remediate deficiencies. These reviews are based on federal guidance from the Program Review for Information Security Management Assistance (PRISMA). They focus on the agency's security management and operational processes, measured against the requirements established by statewide security policies, FISMA, and the NIST Computer Security Division.
The ultimate goal of these reviews is to assist agencies in:
- Building robust information security and risk management programs
- Preparing for future reporting and audit requirements
- Responding to audit or assessment findings
- Improving their and the state's overall security posture
In coordination with the University System of Georgia (USG), GTA has developed a training program for agency information security staff. These classes are delivered by USG on a rotating basis and prepare the security staff to create and operate an information security program. In addition, OIS works with the agencies to develop security awareness training programs and to educate agency leadership about information security issues and responsibilities.
Georgia’s cyber preparedness program is based upon the U.S. Department of Homeland Security’s National Cyber Incident Response Plan – 2010. In partnership with the Georgia Information Sharing and Analysis Center (GISAC), information about and analysis of the cyber threats posed by nation-states, cyber-terrorists, hacktivist groups, and organized crime against the citizens and infrastructure of the State will be shared with partner organizations and agencies to facilitate response to a national or state cyber incident.
As agencies work to improve their information security posture, they may require knowledgeable assistance. The EGAP Office of Information Security (OIS) has a small, experienced staff that will work with state agencies on limited consultative engagements. If an agency requires more services than OIS can offer, OIS maintains pre-negotiated contracts with best-of-breed information security vendors that agencies may use.