The university Cybersecurity Program Plan provides high-level information describing the university Cybersecurity Program and its major components including the appointment of a coordinator, the selection and implementation of safeguards, ongoing risk assessments, training and the management of service providers.
Specific cybersecurity policies, standards, and guidelines as well as detailed plans and procedures are represented in separate documents.
The Chief Information Security Officer has been appointed to coordinate this program.
Any institutional data classified as Internal, Sensitive or Restricted per the university’s Data Classification and Protection Standard including regulated data (e.g. FERPA, HIPAA, GLBA, etc.) and those data governed by separate policies / committees (e.g. Customer Information Security Program Policy / GLBA Policy, Credit/Debit Card Policy, Data Management and Governance Committee).
Mission critical systems including infrastructure, applications, equipment, etc.
The Office of Information Security, under direction of the CISO and reporting to the Vice President of Information Technology (VPIT), maintains a dedicated staff of trained cybersecurity professionals. The Office of Information Security is responsible for organization-wide risk management, vulnerability management, security operations, incident management and response, and management of the Cybersecurity Program.
Deans, department heads, etc. designate contacts called Departmental Network Liaisons (DNLs) to assist in implementation of the Cybersecurity Program. DNL responsibilities include:
Units are responsible for conducting unit-level risk assessments to identify risks that are unique to their area of operation and for implementing appropriate system-specific safeguards in addition to the common safeguards enumerated below. Risk assessments can be carried out independently as a gap analysis utilizing the Data Classification and Protection Standard or units can request support from the Office of Information Security to complete unit-level assessments.
Risk assessments are conducted at least annually to identify existing and potential safeguards to mitigate foreseeable risks to covered assets. Risk assessments are used to inform the selection and implementation of safeguards. Identified risks without mitigating or compensating safeguards are documented and tracked in a central risk registry.
Program safeguards include physical, administrative and technical safeguards across five high-level functions: identification, protection, detection, response, and recovery. Taken together, these safeguards constitute a common control environment for university systems.
The Office of Information Security, the Procurement Office, and the Office of Legal Affairs ensure service providers implement appropriate safeguards and that contractual agreements detailing privacy and security requirements are in place via the CESS process. The Office of Information Security also coordinates directly with service providers to test the security of systems that will store or process covered data.
The Cybersecurity Program is evaluated and adjusted continuously. Feedback from risk assessments, security operations, and incident response activities informs the selection and implementation of program components and safeguards by the program coordinator.
The CISO reviews and approves this plan at least annually.
This document is classified as “Public” information per the university Data Classification and Protection Standard and can be shared accordingly. This document shall be published publicly via the EITS website.
Units with data covered by the GLBA policy will also be covered by the UGA Red Flags Rule policy.