Policy Number: 11.23
Effective Date: March 14, 2023
Revision History: None
Policy Contact: Information Security Officer
I. Purpose and Policy Statement
The purpose of this policy is to facilitate compliance with applicable federal and state laws and regulations as well as University System of Georgia (“USG”) policies and recommendations to protect the confidentiality and integrity of Georgia Gwinnett College (“GGC”)’s information technology (“IT”) resources and enable leaders to make informed decisions regarding risk tolerance and acceptance.
The Information Security Officer (or designees) is authorized to perform periodic information security risk assessments including vulnerability scans to identify vulnerabilities and to initiate appropriate remediation. GGC uses formal Information Security Risk Management (“ISRM”) programs based on National Institute of Standards and Technology (“NIST”) Special Publication (“SP”) 800-30 and its latest version(s) to identify risks and implement plans to address and manage them. The Information Security Officer is responsible for managing the ISRM and coordinating the development and maintenance of program policies, procedures, standards, and reports in collaboration with appropriate leaders and stakeholders.
The ISRM program is based on risk assessment and developed in consideration of GGC priorities, staffing, and budgets. Risk assessments must identify, quantify, and prioritize risk acceptance and objectives relevant to the College. The results are to guide and determine the appropriate management action and priorities for managing information security risks and for implementing controls to protect against these risks. The risk assessment must include the systematic approach of estimating the magnitude of risks (risk analysis) and the process of comparing the calculated risks against risk criteria to determine the significance of the risks (risk evaluation).
Risk assessments are performed periodically to address changes in security requirements and the risk situation (e.g., threats, vulnerabilities, impacts, risk evaluation, and data classification). Risk assessments are to be systematic and capable of producing comparable and reproducible results. The information security risk assessment should have a clearly defined scope to be effective and should include coordination with risk assessments in other areas, if appropriate.
II. Scope
Scope includes all GGC IT resources used on or off campus and all users of GGC IT resources, including but not limited to faculty, administrators, staff including student workers, students, visitors, vendors, and other service providers.
III. Definitions
Information Technology Resource: Any hardware, software, service, system, or database used in support of College activities. This includes systems and applications hosted on premise or in the cloud and applications created by the College.
Control: A process or procedure to reduce risk.
Inherent Risk: The level of risk before Risk Treatments (controls) are applied.
Information Security Risk Management (ISRM): A program that consistently identifies and tracks information security risks, implements plans for remediation, and guides strategic resource planning.
Residual Risk: Level of risk that remains after Risk Treatments (controls) are applied to a given Risk.
Risk: The possibility of suffering harm or loss or the potential for realizing unwanted negative consequences of an event.
Risk Management: The ongoing management process of assessing risks and implementing plans to address them.
Risk Assessment: The process of taking identified risks and analyzing their potential severity of impact and likelihood of occurrence.
Risk Treatment: The process of managing assessed or identified risks. Risk treatment options are risk avoidance (withdraw from), sharing (transfer), modification (reduce or mitigate), and retention (acceptance).
IV. Roles and Responsibilities
- The Information Security Officer (or designees) is authorized to perform periodic information security risk assessments to identify areas of vulnerability and to initiate appropriate remediation.
- All community members are responsible for compliance with technology policies, standards, and procedures and awareness of risk management and remediation controls used to prevent or detect vulnerabilities and unauthorized use or access.
V. Related Regulations, Statutes, Policies, and Procedures
USG IT Handbook
USG Business Procedures Manual
National Institute of Standards and Technology (NIST) Special Publication 800-53
|