The Policy, Compliance, and Assessment Program provides guidance on creating and maintaining Institute-wide information security policies, as well as issue-specific procedures, standards, and guidelines (PSG). These documents are used for IT governance, risk management, and legal & regulatory compliance (e.g. FERPA, GLBA, HIPAA, PCI DSS, DFARS 7012/NIST 800-171).
PSGs achieve policy objectives by defining mandatory controls and requirements. Procedures ensure that security policies and standards are applied consistently. Standards ensure that cybersecurity best practices are applied uniformly to Georgia Tech resources. Guidelines provide supporting direction for applying security policies and standards.
Tools and forms related to these documents are also maintained here.
Procedures:
- Business Continuity Requests
- Data Privacy Procedures
- Patch Management Procedure
- Third Party Security Procedures
- Guide to being a Data Steward or Associate Data Steward (ITAR, EAR, etc.)
- Incident Response Procedure
- Vulnerability Management Procedure
- Policy Exception Request (PER) Walkthrough
- PCI DSS Assessment Procedure
- DFARS 7012 System Security Plan (SSP) and Assessment Procedure
Standards:
- Approved Endpoint Management Tools
- Computer Security Standard (CSS)
- Data Protection Safeguards
- Data Protection Safeguards – Cloud Computing
- Data Protection Safeguards – Endpoints
- Data Protection Safeguards – Mobile Devices
- Data Protection Safeguards – Servers
- Data Categorization
- Encryption Standard
- Network Firewall Standards
- Terms of Use (login banner)
- SSH Server Standard
- Email Standard
- Web Server Standard
Guidelines:
Forms:
- Approved Change Request Form – OIT Software
- Approved Change Request Form – OS upgrades
- How to Create and View Change Requests
- Key Log Template
- Third Party Security Questionnaire
- Visitor Log
- Policy Exception Form