Cyber Security Policy

Type of Policy
Administrative
Effective Date
Last Revised
Review Date
Policy Owner
Georgia Tech CyberSecurity
Contact Name
John Karrh
Contact Title
Governance Risk & Compliance Manager - Cyber Security
Contact Email
johnkarrh@gatech.edu
Reason for Policy

The Georgia Institute of Technology (Georgia Tech) Cyber Security Policy (CSP) provides the guiding principles for securing information technology (IT) resources at Georgia Tech.

Policy Statement

Georgia Tech IT Resource users (IT Resource users include both students and employees) are responsible for protecting the security of all data and IT Resources to which they have access.  This includes implementing appropriate security measures on personally owned devices which access Georgia Tech IT Resources. All users must follow the Security Procedures and Standards published by Georgia Tech Cyber Security including the Georgia Tech Protected Data Practices.  In addition, users must keep their accounts and passwords secure in compliance with the Institute Password Policy.

Georgia Tech employees may grant IT Resource guest access to third parties (e.g., visiting scholars).  Any Georgia Tech employee who grants guest access to IT Resources is responsible for the actions of their guest users.

Research
Georgia Tech recognizes the value of research in the areas of computer and network security. During the course of their endeavors, researchers may have a need to work with malicious software and with systems that do not adhere to the security standards as prescribed by the Chief Information Security Officer. Researchers are responsible for their actions and must take all necessary precautions to ensure that their research will not affect other Georgia Tech IT Resources or users.  In addition, researchers are responsible for making all appropriate notifications to those that may be affected by their research (see Responsible Disclosure Policy).

Network Management
The Office of Information Technology (OIT) is responsible for planning, implementing, and managing the Georgia Tech network, including wireless connections.

The following network appliances cannot be implemented at Georgia Tech without prior written approval by OIT or a Unit’s IT lead:

  • Routers
  • Switches
  • Hubs
  • Wireless access points
  • Voice over IP (VOIP) infrastructure devices
  • Intrusion detection systems (IDS)
  • Intrusion prevention systems (IPS)
  • Virtual Private Networking (VPN)
  • Consumer grade network technologies
  • Other networking appliances that may not be included in this list

Units or individuals who install any of the technologies listed above are responsible for capturing network traffic logs and storing them for a minimum of 365 days or an appropriate amount as negotiated with the OIT network team.  Network traffic logs should include the following information:

  • Source MAC address
  • Source and destination IP address
  • Physical interface (where applicable)
  • Date and time
  • User account where available (e.g. VPN logs)

System Administration
Every Institute owned IT Resource (including virtual resources such as virtual machines and cloud based services) must have a designated system administrator.  The Institute expectation is that every Institute owned IT Resource will be professionally managed by the unit technical support team unless prevailing regulations dictate otherwise. 

The system administrator is responsible for proper maintenance of the machine, even if the system administrator is not a member of the unit technical support team.  This responsibility must be acknowledged and documented.  In addition, the machine must be accessible to the unit technical support team for incident management purposes unless legal restrictions will not allow such access. 

Negligent management of an Institute owned IT Resource resulting in unauthorized user access or a data breach may result in the loss of system administration privileges.

System administration responsibilities for all Institute owned IT Resources, including those that are self-administered, are listed here: System Administration Responsibilities.

Scope

All Georgia Tech IT resource users and all Georgia Tech IT resources are covered by this policy.

Policy Terms

Endpoint - Laptop computers, desktop computers, workstations, group access workstations, USB drives, personal network attached storage.

Georgia Tech IT Resources – Georgia Tech owned Computers, Networks, Devices, Storage, Applications, or other IT equipment.  “Georgia Tech owned” is defined as equipment purchased with either Institute funding (including sources such as Foundation funds etc.) or Sponsored Research funding (unless otherwise specified in the research agreement).

Procedures

Reporting an Incident
If a Georgia Tech IT Resource user suspects that a security incident has occurred or will occur, they should report the suspicion immediately to the system administrator or unit technical lead.  Users may also report the suspected security incident directly to the Georgia Tech Cyber Security team at https://security.gatech.edu/report-incident

System administrators and unit technical leads who have identified any of the following security events should report the suspected security event to the Georgia Tech Cyber Security team:

  • Any occurrence of a compromised user account
  • Any breach or exposure of Category 3 sensitive data (see Data Access Policy)
  • Any occurrence of a server infected with malware
  • Three or more simultaneous occurrences of endpoints infected with malware
  • Any other instance of malware or suspected intrusion that seems abnormal

Responsibilities

Chief Information Security Officer
The Chief Information Security Officer is responsible for creating and maintaining a cyber security program and leading the Georgia Tech Cyber Security team.  The purpose of the cybersecurity program is to maintain the confidentiality, integrity, and availability of Institute IT Resources and Institute data.  In addition, the Chief Information Security Officer, or a designee, is responsible for leading the investigation of and response to cyber security incidents.  The response to any incident will be developed in collaboration with the data steward, Institute Communications, Legal Affairs, and other campus offices as appropriate.

Enforcement

Violations of this policy may result in loss of Georgia Tech system and network usage privileges, and/or disciplinary action, up to and including termination or expulsion as outlined in applicable Georgia Tech policies.

To report suspected instances of ethical violations, please visit Georgia Tech’s Ethics Hotline, a secure and confidential reporting system, at: https://secure.ethicspoint.com/domain/en/report_custom.asp?clientid=7508

Policy History
Revision Date       Author   Description
January 27, 2017    OIT      New Policy
January 23, 2018    OIT      Minor clarifications about end point agents
March 6, 2020       OIT      Updated to include Secure Data Practices
April 22, 2020      OIT      Minor edit regarding hyperlink and terminology