GTA Announces New and Revised IT Policies, Standards and Guidelines

December 16, 2014

Numerous changes to the state’s enterprise IT policies, standards and guidelines became effective December 14, 2014. Three new standards and one new guideline are now in place along with revisions to six existing standards and three existing policies.

To view the new and revised PSGs in their entirety, go to http://gta.georgia.gov/psg.

The new standards and guideline are:

  • Data Steward, SM-15-001.01 – The standard provides for agency data stewards to manage constituent data. A data steward provides the business perspective for identifying data requirements, maintaining consistency in data naming, complying with regulatory requirements, and assisting with the application of appropriate security controls. The data steward will be notified of security issues and/or privacy inquiries.
  • Data Storage Location, SM-15-002.01 – The standard requires data, regardless of its security categorization, that is not in the direct control of an agency to be stored within the geographical United States.
  • Spectrum Management, SM-15-006.01 – The standard establishes the spectrum management function within the Georgia Technology Authority (GTA) to manage public safety radio frequencies. This standard describes the purpose and operational processes of public safety spectrum management for radio frequencies set aside for use by law enforcement functions.
  • Mobile Device Management, GM-15-004.01 – The guideline describes GTA’s recommended management processes to be employed by agencies for mobile devices.

The revised standards and policies are:

  • Authorization and Access Management, SS-08-010.02 – The revised standard clarifies responsibilities for authorizing access, establishes responsibilities and limitations on privileged users, requires separate access credentials for production and for development and test environments, provides a treatment for public access and requires misuse of access privileges to be reported as a security incident.
  • Cryptographic Controls, SS-08-040.03 – The revised standard clarifies cryptographic requirements based on FIPS 140-2 and provides updated reference materials.
  • Data and Asset Categorization, PS-08-012.02 – The revision clarifies the policy statement for data and asset categorization and provides updated reference materials.
  • Reliance on Electronic Records, PS-08-007.02 – The revised policy updates references to policy content.
  • Data Security - Electronic Records, SS-08-003.02 – The revised standard now covers protection from unauthorized destruction of electronic records. Revisions include definitions for electronic data, information or record, and updated references.
  • Exemption from State Policies and Standards, SM-11-007.02 – The revised standard formalizes categories for waivers and establishes an “Indefinite” waiver category that will allow agencies to operate a waivered application for its life rather than renewing the waiver periodically. It also establishes that the State CIO may revoke an awarded waiver or change its category.
  • Security Awareness Program, PS-08-010.02 – The revised policy requires that security awareness training include information about agency and enterprise security policies and standards and where they can be accessed. It also requires agencies to provide any specific training that may be needed by information owners.
  • Security Education and Awareness, SS-08-012.02 – The revised standard requires that security awareness training include information about agency and enterprise security policies and standards and where they can be accessed. It also requires agencies to provide any specific training that may be needed by information owners. It further requires that security awareness training for contractors meet this standard and that agencies review contractor training records for compliance with this standard.
  • Telecommunications Technology Review, SM-05-001.04 – The revised standard deletes content concerning two-way radio communications because two-way radio procurement is now a function of the Georgia Department of Administrative Services.