Abstract: The purpose of the USG Information Technology Handbook is primarily to set forth the essential standard components USG organizations must follow to meet statutory or regulatory requirements of the federal government, state government and Board of Regents (BOR) policy, and to follow information technology and cybersecurity best practices. Secondly, it is designed to provide new IT professionals within the USG the information and tools they need to perform effectively. Finally, it serves as a reference document for seasoned professionals at USG organizations who need to remain current with changes in federal and state law and BOR policy.
Introduction
The University System of Georgia (USG) comprises public institutions of higher learning, a University System Office, Georgia Public Library System (GPLS), Shared Services Center (SSC), Georgia Archives and Georgia Film Academy; hereinafter referred to as USG organizations. These USG organizations represent the rich diversity of a state system spanning the spectrum of educational and research offerings. This manual respects the value of the diversity of USG organizations while providing guidance on information technology (IT) operations within the USG.
Date Version Description of Change
04/18/2016 1.0 Section 4.
05/02/2016 2.0 PDF, structure and format, initial redesign referenced in a new structure and format.
05/17/2016 2.1 Section 5.12.
05/27/2016 2.2 Section 3.
11/1/2016 2.3 As of Nov. 1, 2016, the department name changed to Cybersecurity; Section 5.13; Section 5.
11/17/2016 2.4 Section 1.3.2; Section 4.
05/15/2017 2.5 Section 1.2, Section 1.3, Section 3.0, Section 3.1, Section 3.2, Section 3.3, Section 5.3, and Section 5.
09/07/2017 2.6 Section 5
09/07/2017 2.7 Section 5
01/02/2019 2.8 Section 5.
03/18/2019 2.9 Migrated to MS Word format, Export to PDF. Relocated Section 9 to the BPM. Value added Appendix: References, Glossary, Acronyms, and Index. Updated BOR policy reference from section 11 to section 10.
02/24/2020 2.9.1 Section 5.3, Section 5.9, Section 5.10, and Section 3.1.2.
04/30/2020 2.9.2 Section 3.1.2, Section 3.3.1, Section 5.1.1, Section 5.1.2, Section 5.3.1, Section 5.5, Section 5.5.2, Section 5.5.5, Section 5.10.1, Section 5.11.7, Section 5.13, Section 5.14, and Section 5.14.5.
07/08/2020 2.9.3 Section 3.1, Section 3.3, Section 5, Section 5.3, and Section 6. Entire Document, Performed a “harmful language” review.
12/18/2020 2.9.4 Entire Document, “Critical Systems” renamed to “Mission-Critical Systems” alignment to BPM, Section 3, Section 4.1.1, Section 5.1, and Section 5.2.
07/15/2021 2.9.5 Entire Document, Updated Index, Section 5.3, Section 5.5, Section 5.7, Section 5.12, Section 5.14, Section 5.15, Section 7.1, and Section 10.
06/02/2022 2.9.6 Section 3.1.2, Section 3.2, Section 3.5, Section 5.1.4, Section 5.5.2, Section 5.8, Section 5.12, Section 5.14.5, and Section 8.
This standard applies to USG organizations and to suppliers and affiliates under contract with the USG that access, store, or process protected information.
A system wide or enterprise approach to IT operations and cybersecurity operations shall be adopted by USG organizations. It is expected that cybersecurity compliance will be embedded into each organization’s cybersecurity plan. All compliance efforts will be focused on supporting the organization’s objectives. Therefore, USG organizations’ executive leaders or designee shall determine the direction and develop the organization’s cybersecurity plans, standards and guidelines to:
USG Cybersecurity shall develop and publish companion documentation to enhance the USG IT Handbook or provide supporting documentation (e.g., templates, risk registers, system risk assessment tools and project tracking tools) to aid in the development of organizational plans and procedures.
Exceptions to any standard, procedure or guideline set forth in the USG IT Handbook shall be at the discretion of, and approved in writing by, the USG CIO or the USG Chief Information Security Officer (USG CISO) with executive review and approval. In each case, USG organizations or vendors must complete and submit an Exception Request Form (Access to the document is restricted to authorized users only) including the need, scope and extent of the exception, safeguards to be implemented to mitigate risks, specific timeframe, requesting organization and management approval. Contact USG Cybersecurity to obtain more information. Denials of requests for exceptions may be appealed.
The following definitions of Shall, Will, Must, May, May Not, and Should are used throughout this USG IT Handbook.
Section 1 Information Technology (IT) Governance
Section Control
Table 1.1: Revision History
Date Description of Change
05/02/2016 Initial redesign referenced in a new structure and format. PDF, structure, and format
11/17/2016 Section 1.3.2 – added clarification of information system owner roles and responsibilities within the framework of people, process, and technology. Clarification of information system owner
05/15/2017 Section 1.2 – added the correct title to 1.2.1. Revised section for consistency in format and content. Added title.
05/15/2017 Section 1.3 – deleted a misplaced word. Revised section for consistency in format and content.
Table 1.2: Compliance
Section Number Section Name Compilation Date Published Date Compliance Date
1.1 Service Administration July 2015 July 2015 December 2015
Achieving strategic alignment between the Information Technology (IT) organizations and the enterprises they serve is an important goal for any organization. This alignment requires a process to assure that investments in IT projects and assets are directed toward achieving the organization’s strategic vision, goals, and objectives. Without alignment of purpose, intent and actions, the IT organization will not contribute purposefully to the overall mission.
Alignment is achieved through a variety of means, but three essential elements that should be formally prescribed are:
A CIO in a higher education institution must be operationally sound and a skilled leader of staff, peers, and causes. The CIO position must function as a fundamental partner with the other CxOs of the organization and must anticipate the organization’s needs. Therefore, this position must be a contributing member of the leadership team; understand the organization’s mission, purpose, and intent; and provide a sound operating platform on which to launch new initiatives. The CIO may not be the subject matter expert on all things that the organization requires Information Technology (IT) to
The framework will lead to the collective understanding of how IT resources are deployed as well as the potential opportunities for their use. This information can then be used to determine the best use of these resources for the maximum institutional benefit. Priorities should be informed by not only the operational requisites, but also by organizational strategic plan and goals using a disciplined approach to portfolio, program, and project management. The organization must have a methodology and set of practices to demonstrate prioritization of IT services and initiatives.
The IT organization must be defined by considering the requirements of the primary organization it serves. Its placement within the overall structure should be considered based on the scope and breadth of services it is expected to provide to the organization. The organization should have a reporting structure that incorporates IT into planning and decision making at the leadership level.
The CIO should be a regular contributing member of the executive leadership team to participate in relevant decision processes of the stakeholder groups to anticipate technology resource needs, offer advice on technology enabled opportunities and respond to emergent requirements. Decisions about staffing levels, skills, functions, accountability, authority, and supervision should be derived from these expectations.
Organizational Placement of the IT Function
The CIO should be placed in the overall organizational structure based on the scope and breadth of services the IT unit is expected to provide to the organization. In complex organizations, a matrix reporting relationship among the most senior executive staff is not unusual. In smaller, less complex organizations, such hierarchies may not be necessary and a direct reporting relationship to the CEO is feasible. The key point is that it should not matter to whom the CIO reports, provided the position is incorporated into the organization’s leadership team decision-making processes.
It is also important to distinguish between the role of the CIO and the most senior line management position of the centralized IT function (VP, Director, etc.). Regardless of whether IT functions are managed in a highly centralized or decentralized manner, the role of the CIO must be recognized as that of the Chief Information (technology) Officer. The responsibilities and authority of this role should span any direct reporting structures and cross organizational boundaries to encompass all IT functions of the organization, so that the CIO is responsible for the organization’s total IT footprint as it relates to policy, compliance, security, and risk management of IT-enabled functions, regardless of any decentralized line management of departmental IT functions.
Management Structure
Decisions about the appropriate balance of centralized vs. decentralized staffing and budget resources are related to the expectations of the organization. The centralized IT organization structure must be defined by considering the requirements of the primary organization it serves.
IT Continuous Improvement Expectations
As with all administrative and educational support functions in higher education organizations, the Commission on Colleges expects units to engage in systematic planning and assessment processes to assure institutional effectiveness (see SACS Core Requirement 3.3). Processes for planning, assessing, and improving services must be documented. IT processes and services should be periodically and systematically assessed for effectiveness. Opportunities for improvement should be incorporated into the planning process and implemented over time.
Definition of Information System
An information system is a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information. (FIPS 199 and 200; SP 800-18; SP 800-37; SP 800-53A; SP 800-60; and 44 U.S.C. § 3502.)
Selecting, implementing, and maintaining an appropriate set of security controls to protect the information systems, products, or services employed by USG organizations requires strong collaboration between three primary audiences: information system owners, operation and cybersecurity managers, and information system developers. For responsible operation, it is critical each audience understands how evolving mission and business requirements, operational environment and system uses impact system operations.
Information System Ownership Roles
At the highest level, every IT application and service should have an identified information system owner. This individual should be the senior person in the organization responsible for the application or service, and ensures that the application or service renders value to the organization. For most infrastructure services, such as the local area network, the CIO is the information system owner. For most business and educational support systems, the CxO, vice chancellor, or executive director to whom the function reports is normally the information system owner. However, the designation is dependent upon the organizational structure.
Figure 1: People, Process and Technology Framework
Information system owners may appoint a functionally responsible designee as the primary liaison between the IT service unit and the customers served by the system or services provided by IT. For example, the VP of Enrollment Management who is the information system owner for the student information system might appoint the registrar as the day-to-day liaison between the customers of the enrollment management system and IT for support and service provisioning. Within the USO, the vice chancellor of academic affairs for example may be the designated system owner of GeorgiaBEST. Information system owners serve as the focal point for the information systems, products, or services. In
Each USG organization should have an IT strategic plan that is integrated with the organization’s strategic plan. The effective management of information technology services should include a strategic planning component to direct IT resources across the organization in line with the business strategy and priorities. This direction should be inclusive of all IT resources, regardless of the departmental structure. Within the planning effort, the CIO and other CxOs of the organization assume shared responsibility for ensuring that IT resources are expended toward a catalog of services and projects that provide the maximum benefit to the organization. Strategic planning efforts and discussions also improve key stakeholders’ understanding of IT opportunities and limitations, provide opportunities to assess current performance, identify resource requirements and clarify the level of investment required.
IT strategic planning should be a documented process, which is considered in business goal setting and results in discernible business value through investments in IT. Risk and value-added considerations should be periodically updated in the IT strategic planning process. Realistic long-range IT plans should be developed and regularly updated to reflect changing technology and business developments. Benchmarking against well-understood and reliable industry norms should take place and be integrated with the strategy formulation process. The strategic plan should include how recent technology developments can drive the creation of new business capabilities and improve the competitive advantage of the organization.
Existing and emerging technologies should be analyzed to determine which technological direction is appropriate for IT strategy and business systems architecture. The planning should include identification of which technologies have the potential to create business opportunities and should address systems architecture, technological direction, migration strategies and contingency aspects of infrastructure components.
Standards, procedures, and practices for key IT processes should be identified and maintained. Industry best practices should be used for reference when improving and tailoring the organization’s quality practices.
Standards for all development and acquisition that follow the life cycle of the ultimate deliverable should be adopted and maintained. This should include sign-off by the CIO and Executive Sponsor, or their designees, at key milestones based on agreed-upon criteria.
The CIO must establish a process to periodically review current performance and capacity of IT resources, as well as forecast future needs based on workload, storage, and contingency requirements. This process should highlight the adequacy, or lack, of the resources needed to support the organization.
As a goal, performance and capacity plans should be fully synchronized with the business demand forecasts; for example, enrollment growth or a notable change in business process that results in the peak demand for a resource. The IT infrastructure and business demand should be subject to regular reviews to ensure that optimum capacity is achieved at the lowest possible cost.
Trend analysis should be performed to show imminent performance problems caused by increased business volumes to enable planning and avoid unexpected issues. The CIO should adjust the planning for performance and capacity following analysis of these measures.
Section 2 Project and Service Administration
Section Control
Table 2.1: Revision History
Date Description of Change
05/02/2016 Initial redesign referenced in a new structure and format. PDF, structure, and format.
Table 2.2: Compliance
Section Number Section Name Compilation Date Published Date Compliance Date
IT service can be defined as a set of related functions provided by IT systems, products, or services in support of one or more business areas, which in turn may be made up of software, hardware and communications facilities perceived by the customer as a coherent and self-contained entity. An IT service may range from access to a single application, such as a general ledger system, to a complex set of facilities including many applications, as well as office automation that might be spread across several hardware and software platforms. Effective communication between IT management and their customers regarding services required is enabled by a documented definition of, and agreement on, IT services and service levels. This process also includes monitoring and timely reporting to stakeholders on service level accomplishments. This process enables alignment between IT services and the related business requirements.
A project, by definition, is a temporary activity with a starting date, specific goals and conditions, defined responsibilities, a budget, a plan, a fixed end date and multiple parties involved. Clear and accurate definition of a project is one of the most important actions you can take to ensure the project’s success. The clearer the target the more likely you are to hit it. Defining a project is a process of selection and reduction of the ideas and perspectives of those involved into a set of clearly defined objectives, key success criteria and evaluated risks. A project management framework will help maintain the organization’s portfolio of projects that support its IT-enabled programs by identifying, defining, evaluating, prioritizing, selecting, initiating, managing and controlling these projects in order to ensure that the projects support the organization’s objectives. The framework will help coordinate the activities and interdependencies of multiple projects, manage the contribution of all the projects within the organization to expected outcomes and resolve resource requirements and conflicts.
A documented definition of, and agreement on, required IT services and service levels must be established between IT management and organization customers. A framework for the management of all IT projects must be established to ensure the correct prioritization and coordination of all projects.
information requests. It should be the single point of contact for all end user issues. Its first function should be to create a ticket in an issue tracking system that allows logging and tracking of service support requests. Issues must be classified according to type, business, and service priority. There must be monitoring and escalation procedures, based on agreed-upon service levels in the appropriate SLA, that allow classification and prioritization of any service support request (e.g., an incident, problem, service request, information request, etc.).
Once an issue has been logged, an attempt should be made to solve the issue at this level. If the issue cannot be resolved at this level, then it should be passed to a second or third level within the issue tracking system and routed to the appropriate personnel for analysis and resolution. The service desk or service request function should work closely with related processes such as change management, release management and configuration management. Customers must be kept informed of the status of their requests. The function must also include a way to measure the end user’s satisfaction with the quality of the service support and IT services. As a goal, the service desk and service request function should be established and well organized and take on a customer service orientation by being knowledgeable, customer-focused, and helpful. Advice should be consistent, and incidents resolved quickly within a structured escalation process. Extensive, comprehensive FAQs should be an integral part of the knowledge base, with tools in place to enable a user to self-diagnose and resolve issues. Metrics must be systematically measured and reported. Management should use an integrated tool for performance statistics of the service desk and service request function. Processes should be refined to the level of best industry practices, based on the results of analyzing performance indicators, continuous improvement, and benchmarking with other organizations.
Clarification of Issues
Processes to classify issues that have been identified and reported by end users must be implemented to determine category, impact, urgency, and priority. Issues should be identified as incidents or problems, and be categorized into related groups, such as hardware, software, etc., as appropriate. These groups may match the organizational responsibilities of the end user and customer base and should be the basis for allocating problems to the IT support staff. Note that incident management differs from problem management. The purpose of incident management is to return the service to normal level as soon as possible with the smallest possible business impact. The principal purpose of problem management is to find and resolve the root cause of a problem and prevent further incidents.
Incident Management
An incident is any event that is not part of the standard operation of the service and causes, or may cause, an interruption or a reduction of the quality of the service. Incident Management aims to restore normal service operation as quickly as possible and minimize the adverse effect on business operations. Normal service operation is defined here as service operation within SLA limits.
Problem Management
A problem is a condition often identified as a result of multiple incidents that exhibit common symptoms. Problems can also be identified from a single significant incident, indicative of a single error, for which the cause is unknown. Problem Management aims to resolve the root causes of incidents to minimize the adverse impact of incidents and problems and to prevent recurrence of incidents. The objective of problem management is to reduce the number and severity of incidents and to report findings in documentation that is available to the first and second lines of the service desk and service request function.
Tracking of Issues
The issue management process must provide for adequate audit trail capabilities that allow for tracking, analyzing, and determining the root cause of all reported issues considering:
The process should be able to identify and initiate sustainable solutions to reported issues that address the root cause, raising change requests via the established change management process. Throughout the resolution process, regular reports should be made on the progress of resolving reported issues. The continuing impact of reported issues on end user services and against established SLAs should also be monitored.
If this impact becomes severe or reaches established SLA thresholds, the issue management process must escalate the problem.
Escalation of Issues
Service desk and service request function procedures must be established so that issues that cannot be resolved immediately are appropriately escalated according to the guidelines established in the SLAs. Workarounds should be provided if appropriate. These procedures should ensure that issue ownership and life cycle monitoring remain with the service desk for all user issues, regardless of which IT group is working on the resolutions.
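The classification, audit-trail, escalation and closure steps described above, as an added example in Python (not code from the USG IT Handbook or from any USG system). The impact/urgency priority matrix, the SLA resolution targets and the per-level escalation thresholds are assumed ITIL-style defaults, and the tickets are constructed sample data; an institution would substitute the values from its own SLAs.

```python
"""Issue classification, SLA-based escalation and audit trail for a service desk.

Added example. The priority matrix, SLA targets and escalation thresholds below
are assumed ITIL-style defaults, not values taken from the USG IT Handbook.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Assumed impact x urgency -> priority matrix (1 = highest priority).
PRIORITY_MATRIX = {
    ("high", "high"): 1, ("high", "medium"): 2, ("high", "low"): 3,
    ("medium", "high"): 2, ("medium", "medium"): 3, ("medium", "low"): 4,
    ("low", "high"): 3, ("low", "medium"): 4, ("low", "low"): 5,
}

# Assumed SLA resolution targets per priority.
SLA_RESOLUTION = {
    1: timedelta(hours=1), 2: timedelta(hours=4), 3: timedelta(hours=8),
    4: timedelta(days=1), 5: timedelta(days=3),
}

# Assumed hand-off points: level 1 escalates at 50% of the SLA target (warning),
# level 2 escalates at 100% (breach); level 3 is the top level.
ESCALATION_THRESHOLDS = {1: 0.5, 2: 1.0}

DEMO_NOW = datetime(2024, 1, 1, 9, 0)  # fixed "now" for the constructed sample


@dataclass
class Ticket:
    ticket_id: str
    kind: str            # incident, problem, service request, information request
    category: str        # hardware, software, network, ...
    impact: str          # high / medium / low
    urgency: str         # high / medium / low
    opened_at: datetime
    priority: int = 0
    support_level: int = 1
    status: str = "open"
    owner: str = "service desk"   # ownership stays with the service desk on escalation
    audit_trail: list = field(default_factory=list)

    def log(self, at, event):
        """Append an audit-trail entry (timestamp, event)."""
        self.audit_trail.append((at.isoformat(), event))


def classify(ticket):
    """Assign priority from impact and urgency and record it in the audit trail."""
    ticket.priority = PRIORITY_MATRIX[(ticket.impact, ticket.urgency)]
    ticket.log(ticket.opened_at,
               f"classified {ticket.kind}/{ticket.category} priority={ticket.priority}")
    return ticket.priority


def sla_deadline(ticket):
    """Resolution deadline implied by the ticket's priority."""
    return ticket.opened_at + SLA_RESOLUTION[ticket.priority]


def check_escalation(ticket, now):
    """Escalate one support level when elapsed time crosses the level's threshold.

    Closed tickets and tickets already at the top level are never escalated;
    the owner field is deliberately left unchanged.
    """
    fraction = ESCALATION_THRESHOLDS.get(ticket.support_level)
    if ticket.status != "open" or fraction is None:
        return False
    if now - ticket.opened_at >= SLA_RESOLUTION[ticket.priority] * fraction:
        ticket.support_level += 1
        ticket.log(now, f"escalated to level {ticket.support_level} (owner still {ticket.owner})")
        return True
    return False


def close_ticket(ticket, now, resolution, customer_confirmed):
    """Close only after the customer confirms; the resolution steps are recorded."""
    if not customer_confirmed:
        ticket.log(now, "closure refused: customer has not confirmed resolution")
        return False
    ticket.status = "closed"
    ticket.log(now, f"closed: {resolution}")
    return True


def sweep(tickets, now):
    """One monitoring pass; returns the ids of tickets escalated in this pass."""
    return [t.ticket_id for t in tickets if check_escalation(t, now)]


def sample_tickets(now):
    """Constructed sample data, not real service desk records."""
    return [
        Ticket("INC-1", "incident", "network", "high", "high", now - timedelta(minutes=50)),
        Ticket("INC-2", "incident", "software", "low", "low", now - timedelta(minutes=50)),
        Ticket("REQ-3", "service request", "hardware", "medium", "low", now - timedelta(hours=20)),
    ]


def demo(now=DEMO_NOW):
    """Classify the sample tickets and run two monitoring passes ten minutes apart."""
    tickets = sample_tickets(now)
    for t in tickets:
        classify(t)
    first = sweep(tickets, now)
    second = sweep(tickets, now + timedelta(minutes=10))
    return {
        "first_sweep": first,
        "second_sweep": second,
        "priorities": {t.ticket_id: t.priority for t in tickets},
        "levels": {t.ticket_id: t.support_level for t in tickets},
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

In the sample run, INC-1 (priority 1, one-hour target) passes the 50% warning point on the first pass and the 100% breach point on the second, ending at level 3, while REQ-3 (priority 4, one-day target) is handed to level 2 only and INC-2 (priority 5) is never escalated; every transition lands in the ticket's audit trail and the owner stays with the service desk throughout.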
Resolution and Closure of Issues
Procedures must be put in place to close issues either after confirmation of successful resolution of the issue or after agreement on how to alternatively manage the issue. When an issue has been resolved, these procedures should ensure that the service desk records the resolution steps and confirms that the customer agrees with the action taken. Unresolved issues should be recorded and reported to provide information for the timely monitoring and clearance of such issues.
Reporting and Analysis
The issue management system must be able to produce reports of service desk activity so that management can measure service performance and service response times, as well as identify trends or recurring issues so that service can be continually improved.
Assessment
An effective service support process requires well-defined monitoring procedures, including self- assessments and third-party reviews. These procedures should allow continuous monitoring and benchmarking to improve the customer service environment and framework. Remedial actions arising from these assessments and reviews should be identified, initiated, implemented, and tracked.
Service Metrics
The need for metrics is driven by the desire to deliver and demonstrate high-quality service. The type of metrics collected is driven by the business and IT requirements for service reporting and Key Performance Indicators (KPIs). Metrics collection and aggregation provide input into key business decisions such as how to equitably allocate costs. Service metrics represent the KPIs of an IT service.