Cyber Security Policy

Type of Policy: 
Administrative
Effective Date: 
January 2017
Last Revised: 
January 2017
Review Date: 
January 2020
Policy Owner: 
Georgia Tech CyberSecurity
Contact Name: 
Blake Penn
Contact Title: 
Information Security Policy and Compliance Manager
Contact Email: 
blakepenn@gatech.edu
Reason for Policy: 

The Georgia Institute of Technology (Georgia Tech) Cyber Security Policy (CSP) provides the guiding principles for securing information technology (IT) resources at Georgia Tech.

Policy Statement: 


Responsibilities

Chief Information Security Officer
The Chief Information Security Officer is responsible for creating and maintaining a cyber security program and leading the Georgia Tech Cybersecurity team.  The purpose of the cyber security program is to maintain the confidentiality, integrity, and availability of Institute IT Resources and Institute data.  In addition, the Chief Information Security Officer, or a designee, is responsible for leading the investigation of and response to cyber security incidents.    The response to any incident will be developed in collaboration with the data steward, Institute Communications, Legal Affairs, and other campus offices as appropriate.

Users
Georgia Tech IT Resource users (IT Resource users include both students and employees) are responsible for protecting the security of all data and IT Resources to which they have access.  This includes implementing appropriate security measures on personally owned devices which access Georgia Tech IT Resources.  In addition, users are required to keep their accounts and passwords secure in compliance with the Institute Password Policy.

Georgia Tech employees may grant IT Resource guest access to third parties (e.g., visiting scholars).  Any Georgia Tech employee who grants guest access to IT Resources is responsible for the actions of their guest users.

Research
Georgia Tech recognizes the value of research in the areas of computer and network security. During the course of their endeavors, researchers may have a need to work with malicious software and with systems that do not adhere to the security standards as prescribed by the Chief Information Security Officer. Researchers are responsible for their actions and must take all necessary precautions to ensure that their research will not affect other Georgia Tech IT Resources or users.  In addition, researchers are responsible for making all appropriate notifications to those that may be affected by their research (see Responsible Disclosure Policy).

Network Management
The Office of Information Technology (OIT) is responsible for planning, implementing, and managing the Georgia Tech network, including wireless connections.

The following network appliances cannot be implemented at Georgia Tech without prior written approval by OIT or a Unit’s IT lead:

  • Routers
  • Switches
  • Hubs
  • Wireless access points
  • Voice over IP (VOIP) infrastructure devices
  • Intrusion detection systems (IDS)
  • Intrusion prevention systems (IPS)
  • Virtual Private Networking (VPN)
  • Consumer grade network technologies
  • Other networking appliances that may not be included in this list

Units or individuals who install any of the technologies listed above are responsible for capturing network traffic logs and storing them for a minimum of 365 days or an appropriate amount as negotiated with the OIT network team.  Network traffic logs should include the following information:

  • Source MAC address
  • Source and destination IP address
  • Physical interface (where applicable)
  • Date and time
  • User account where available (e.g. VPN logs)

System Administration
Every Institute owned IT Resource (including virtual resources such as virtual machines and cloud based services) must have a designated system administrator.  The Institute expectation is that every Institute owned IT Resource will be professionally managed by the unit technical support team unless prevailing regulations dictate otherwise. 

The system administrator is responsible for proper maintenance of the machine, even if the system administrator is not a member of the unit technical support team.  This responsibility must be acknowledged and documented.  In addition, the machine must be accessible to the unit technical support team for incident management purposes unless legal restrictions will not allow such access. 

Negligent management of an Institute owned IT Resource resulting in unauthorized user access or a data breach may result in the loss of system administration privileges.

System administration responsibilities for all Institute owned IT Resources, including those that are self-administered, include the following:

  • Complying with all applicable Institute IT policies and procedures
  • Performing an annual cyber security self-assessment for the set of IT Resources administered
  • Working with the unit technical support team to establish the following:
    • Installing an appropriate endpoint security/management agent(s)
    • Establishing an appropriate backup strategy and performing regular system backups
    • Regularly updating the operating system and other applications installed on the machine
    • Using, where possible and practical, central Georgia Tech IT services for system login and account management (e.g. Active Directory)
Scope: 
All Georgia Tech IT resource users and all Georgia Tech IT resources are covered by this policy.
Policy Terms: 

Endpoint - Laptop computers, desktop computers, workstations, group access workstations, USB drives, personal network attached storage.

Georgia Tech IT Resources – Georgia Tech owned Computers, Networks, Devices, Storage, Applications, or other IT equipment.  “Georgia Tech owned” is defined as equipment purchased with either Institute funding (including sources such as Foundation funds etc.) or Sponsored Research funding (unless otherwise specified in the research agreement).

Procedures: 

Incident Reporting
If a Georgia Tech IT Resource user suspects that a security incident has occurred or will occur, they should report the suspicion immediately to the system administrator or unit technical lead.  Users may also report the suspected security incident directly to the Georgia Tech Cybersecurity team by sending an email to cyber@security.gatech.edu. 

System administrators and unit technical leads who have identified any of the following security events should report the suspected security event to the Georgia Tech Cybersecurity team:

  • Any occurrence of a compromised user account
  • Any breach or exposure of Category 3 sensitive data (see Data Access Policy)
  • Any occurrence of a server infected with malware
  • Three or more simultaneous occurrences of endpoints infected with malware
  • Any other instance of malware or suspected intrusion that seems abnormal
Enforcement: 

Violations of this policy may result in loss of Georgia Tech system and network usage privileges, and/or disciplinary action, up to and including termination or expulsion as outlined in applicable Georgia Tech policies.

Policy History: 
Revision Date Author Description
TBD OIT New Policy