
Policy clarifies security responsibilities in shared IT services environment

April 26, 2017

The Information Security Controls policy enacted by GTA in 2017 establishes security accountability among the participants (agencies, vendors and integrators) in a shared services IT environment used by state of Georgia entities.

A related new standard implemented by GTA stipulates that each state of Georgia agency operating within a shared services IT environment is ultimately responsible for ensuring applicable National Institute of Standards and Technology [NIST 800-53 (rev. 4)] security controls are put in place and operated effectively. Unique security responsibilities are assigned for each IT application or system in such environments, including the state’s North Atlanta Data Center.

As external or third-party hosting, management or maintenance of IT tools becomes increasingly commonplace, plainly establishing where security responsibilities lie becomes critical. Delineating responsibility promotes accountability, reduces risk and helps mature security.

An affected agency would coordinate security responsibilities (some having a unique owner, some shared) with its service providers and integrators in shared services settings. That would apply to concerns ranging from access control to ID authentication to physical security and more.

See policy and standard details for information security controls on the GTA website.