Information Technology

Information Technology srodriguez31

 

The Computer Network Usage and Security Policy (CNUSP) has been replaced by the Georgia Tech Cyber Security policies - the Acceptable Use Policy, the Cyber Security Policy, and the Data Privacy Policy.

Acceptable Use Policy

Acceptable Use Policy
Type of Policy
Administrative
s1polics
Effective Date
Last Revised
Review Date
Policy Owner
Georgia Tech CyberSecurity
Contact Name
John Karrh
Contact Title
Governance Risk & Compliance Manager
Contact Email
johnkarrh@gatech.edu
Reason for Policy

The Georgia Institute of Technology (Georgia Tech) Acceptable Use Policy (AUP) provides the guiding principles for use of Information Technology (IT) Resources at Georgia Tech. Users of Georgia Tech IT Resources are expected to be good stewards of these resources and to act in a responsible manner. Appropriate use of IT Resources allows the Institute to achieve its academic and research missions while maintaining a culture of openness, trust, and integrity within our digital spaces.

Policy Statement

Institute IT Resources must be used in accordance with applicable licenses and contracts, and according to their intended use in support of the Institute’s mission. 

All users must comply with federal, state, and local laws, as well as Georgia Tech policies, when using Georgia Tech IT Resources.

The following sections define the acceptable uses of Georgia Tech IT Resources.  Any conflict between these policies and the legitimate business of the institute can be resolved through the policy exception request process as defined with the Policy Exception Policy.

Acceptable Use
Employees and student employees -
With the exception of incidental personal use, as defined below, Georgia Tech IT Resources must be used only to conduct the legitimate business of the Institute (e.g., scholarly activity, academic instruction, research, learning, business operations).

Incidental personal use of Georgia Tech IT Resources by Georgia Tech employees is permitted if the personal use does not interfere with the execution of job duties, does not incur cost on behalf of the Institute, and is not unacceptable as defined in the Unacceptable Use section below.

Students -
Georgia Tech students may use the ResNet, EastNet, and LAWN networks for recreational and personal purposes to the extent that such use is not unacceptable as defined in the Unacceptable Use section below, and does not adversely affect network service performance for other users engaged in academic, research, or official business activities.

Unacceptable Use
Georgia Tech employees, including students acting as employees, are prohibited from the following actions when using Georgia Tech IT Resources:

  • Unauthorized use of IT Resources for commercial purposes or personal gain
  • Transmitting commercial or personal advertisements, solicitations, or promotions

All users are prohibited from using Georgia Tech IT resources in a manner which results in a violation of law or policy or potentially adversely affects network service performance.  Examples of Unacceptable Use include, but are not limited to, the following:

  • Activity that violates federal, state, or local law
  • Activity that violates any Institute or Board of Regents policy
  • Activities that lead to the destruction or damage of equipment, software, or data belonging to others or the Institute
  • Circumventing information security controls of Institute IT Resources
  • Releasing malware
  • Intentionally installing malicious software
  • Impeding or disrupting the legitimate computing activities of others
  • Unauthorized use of accounts, access codes, passwords, or identification numbers
  • Unauthorized use of systems and networks
  • Unauthorized monitoring of communications

This list is not complete or exhaustive.  It provides examples of prohibited actions.  Any user in doubt about the acceptable use of Georgia Tech IT Resources should contact Cyber Security for further clarification and assistance.

Scope

All Georgia Tech IT resource users are covered by this policy.

Policy Terms

Georgia Tech IT Resources – Georgia Tech owned computers, networks, devices, storage, applications, or other IT equipment. “Georgia Tech owned” is defined as equipment purchased with either Institute funding (including sources such as Foundation funds etc.) or Sponsored Research funding (unless otherwise specified in the research agreement).

Enforcement

Violations of this policy may result in loss of Georgia Tech system and network usage privileges, and/or disciplinary action (up to and including termination or expulsion) as outlined in applicable Georgia Tech policies.

If user suspects that they are a victim of a violation of this policy, then the violation may be reported directly to the Georgia Tech Cyber Security team by sending an email to cyber@security.gatech.edu per the Incident Reporting procedures found in the Cyber Security Policy.  

Users should report any other violations through Georgia Tech’s EthicsPoint, a secure and confidential reporting system, at https://secure.ethicspoint.com/domain/en/report_custom.asp?clientid=7508.   

Policy History
Revision Date Author Description
TBD OIT New Policy

Controlled Unclassified Information

Controlled Unclassified Information
Type of Policy
Administrative
s1polics
Effective Date
Last Revised
Review Date
Policy Owner
Georgia Tech CyberSecurity
Contact Name
John Karrh
Contact Title
Governance Risk & Compliance Manager
Contact Email
johnkarrh@gatech.edu
Reason for Policy

NIST Special Publication 800-171 (NIST 800-171), is a Federal standard that standardizes security controls applied to Controlled Unclassified Information (CUI) and systems and processes involved with this data within federally funded environments. Georgia Tech is obligated to ensure that all systems and processes involved with CUI are compliant with NIST 800-171 to continue receiving Federal funds associated with the use of this data (either directly received from the government or indirectly through associated covered contracts and contractors).

Policy Statement

This approval process applies to all activities involving the use of CUI: All environments (see definitions section) involved with CUI must comply fully with the NIST 800-171 standards (either directly or through compensating controls) and follow the guidance provided by the Georgia Tech System Security Plan (GT SSP). Any deviations from the GT SSP must be approved by the Chief Information Security Officer (CISO). The CISO will route such request to either the Executive Vice President of Research (for research-related activities) or the Executive Vice President for Administration and Finance (for administrative activities), as appropriate, for additional approval. All environments that are involved with CUI must undergo an annual NIST 800-171 compliance assessment by Cyber Security before interacting with CUI. These assessments will result in an attestation report signed by the CISO, or designee. The assessment results will be reported to the Georgia Tech Research Corporation and the Executive Vice President of Research (for research-related activities) or the Executive Vice President for Administration and Finance (for administrative activities). Any items of non-compliance found during the assessment must be remediated before any interaction with CUI is allowed. All environments that are involved with CUI must also operate in a manner which allows incident reporting of cyber incidents involving CUI within 72 hours. This policy provides requirements and guidance for all use of CUI for the Georgia Institute of Technology. These are the minimum requirements for securing CUI - all Institute and other applicable requirements still apply as well.

Scope

Anyone who handles CUI on behalf of the Institute must abide by this policy.

Definitions:

Compensating Controls

A compensating control, also called an alternative control, is a mechanism that is put in place to satisfy the requirement for a security measure that is deemed too difficult or impractical to implement at the present time.  Compensating controls for a NIST 800-171 requirement need to mitigate the underlying risk that the requirement is designed to address.  Cyber Security will work with the labs and units to design and approve compensating controls.  

Controlled Unclassified Information (CUI)

Controlled Unclassified Information is any information that law, regulation, or government-wide policy requires to have safeguarding or disseminating controls, excluding information that is classified under Executive Order 13526, Classified National Security Information, December 29, 2009, or any predecessor or successor order, or the Atomic Energy Act of 1954, as amended.

Environment

Environment is defined as the systems upon which CUI resides and the physical infrastructure that houses these systems.  Examples might be an individual research lab consisting of a room with desktop computers housing CUI or a student records system residing on multiple servers within a cabinet in a datacenter.  The room(s) or area(s) housing the computer systems along with the computer systems themselves define the environments to which this policy applies. 

Policy History
Revision Date Author Description
December 2017 Cyber Security New Policy

 

Credit Card Processing

Credit Card Processing
Type of Policy
Administrative
jgastley3
Effective Date
Last Revised
Review Date
Policy Owner
Georgia Tech CyberSecurity
Contact Name
John Karrh
Contact Title
Governance Risk & Compliance Manager
Contact Email
johnkarrh@gatech.edu
Reason for Policy

This policy provides requirements and guidance for all credit card processing activities for the Georgia Institute of Technology (Georgia Tech).  This policy preempts all other campus policies and procedures for all elements within the scope of this policy.

Policy Statement

This approval process applies to all merchant credit card processing activities at Georgia Tech:

The Associate Vice President of Financial Services (or delegate) must approve all credit card processing activities at Georgia Tech prior to entering into any such contracts or purchasing equipment. 

This requirement applies regardless of the transaction method used (e.g. online processing at Georgia Tech, outsourced to a third party, swipe terminals).

All technology implementation associated with the credit card processing must be approved by the Vice President of Information Technology (or delegate) prior to entering into any contracts or purchasing equipment. 

Storage of cardholder data on Georgia Tech systems is not allowed.”
All environments that process or transmit cardholder data are contractually obligated to and must comply fully with the Payment Card Industry Data Security Standards (PCI DSS).  All units that process or transmit cardholder data must undergo an initial and annual PCI DSS compliance assessment by Georgia Tech Cyber Security.  Any items of non-compliance found during the assessment must be remediated before processing of credit cards is allowed to resume.

The use of non-traditional credit card-type merchant services (such as Square, PayPal, etc.) and supporting technology for Georgia Tech business are not allowed without prior approval by the Associate Vice President of Financial Services and the Vice President of Information Technology (or their delegates).

Violations of this policy should be reported through the Ethics Point process.

Scope

The scope of this policy includes all credit card merchant activity at Georgia Tech.  All environments, units, technologies, and people associated with Georgia Tech merchant IDs and/or that support credit card merchant activity at Georgia Tech must abide by this policy. 

This policy does not apply to non-credit card financial tools (such as Buzzcards). 

This policy does not apply to end-user use of credit cards, including procurement cards (PCards), or any other such instance where Georgia Tech is not acting in a merchant capacity and/or supporting merchant activity.

Procedures

The following are procedures to be followed prior to accepting credit cards in a merchant capacity at Georgia Tech:

  • Document the business need for accepting credit card transactions in that particular unit, method, or location.
  • Meet with Financial Services for justification and approval of the business case.
  • Meet with Cyber Security to evaluate options and costs for implementation (using existing facilities, implementing separate facilities, or outsourcing transaction processing).
  • Meet with the Vice President of Information Technology or designee for technical approval of implementation.
  • Meet with Georgia Tech Legal Affairs to ensure that all contracts meet federal, state, and contractual requirements.
  • Meet with Cyber Security on an annual basis to re-affirm PCI DSS compliance
Policy History

Revision Date

Author

Description

10-02-2018

Cyber Security

Simplified and aligned policy with current regulatory environment.

Cyber Security Policy

Cyber Security Policy
Type of Policy
Administrative
s1polics
Effective Date
Last Revised
Review Date
Policy Owner
Georgia Tech CyberSecurity
Contact Name
John Karrh
Contact Title
Governance Risk & Compliance Manager - Cyber Security
Contact Email
johnkarrh@gatech.edu
Reason for Policy

The Georgia Institute of Technology (Georgia Tech) Cyber Security Policy (CSP) provides the guiding principles for securing information technology (IT) resources at Georgia Tech.

Policy Statement

Georgia Tech IT Resource users (IT Resource users include both students and employees) are responsible for protecting the security of all data and IT Resources to which they have access.  This includes implementing appropriate security measures on personally owned devices which access Georgia Tech IT Resources. All users must follow the Security Procedures and Standards published by Georgia Tech Cyber Security including the Georgia Tech Protected Data Practices.  In addition, users must keep their accounts and passwords secure in compliance with the Institute Password Policy.

Georgia Tech employees may grant IT Resource guest access to third parties (e.g., visiting scholars).  Any Georgia Tech employee who grants guest access to IT Resources is responsible for the actions of their guest users.

Research
Georgia Tech recognizes the value of research in the areas of computer and network security. During the course of their endeavors, researchers may have a need to work with malicious software and with systems that do not adhere to the security standards as prescribed by the Chief Information Security Officer. Researchers are responsible for their actions and must take all necessary precautions to ensure that their research will not affect other Georgia Tech IT Resources or users.  In addition, researchers are responsible for making all appropriate notifications to those that may be affected by their research (see Responsible Disclosure Policy).

Network Management
The Office of Information Technology (OIT) is responsible for planning, implementing, and managing the Georgia Tech network, including wireless connections.

The following network appliances cannot be implemented at Georgia Tech without prior written approval by OIT or a Unit’s IT lead:

  • Routers
  • Switches
  • Hubs
  • Wireless access points
  • Voice over IP (VOIP) infrastructure devices
  • Intrusion detection systems (IDS)
  • Intrusion prevention systems (IPS)
  • Virtual Private Networking (VPN)
  • Consumer grade network technologies
  • Other networking appliances that may not be included in this list

Units or individuals who install any of the technologies listed above are responsible for capturing network traffic logs and storing them for a minimum of 365 days or an appropriate amount as negotiated with the OIT network team.  Network traffic logs should include the following information:

  • Source MAC address
  • Source and destination IP address
  • Physical interface (where applicable)
  • Date and time
  • User account where available (e.g. VPN logs)

System Administration
Every Institute owned IT Resource (including virtual resources such as virtual machines and cloud based services) must have a designated system administrator.  The Institute expectation is that every Institute owned IT Resource will be professionally managed by the unit technical support team unless prevailing regulations dictate otherwise. 

The system administrator is responsible for proper maintenance of the machine, even if the system administrator is not a member of the unit technical support team.  This responsibility must be acknowledged and documented.  In addition, the machine must be accessible to the unit technical support team for incident management purposes unless legal restrictions will not allow such access. 

Negligent management of an Institute owned IT Resource resulting in unauthorized user access or a data breach may result in the loss of system administration privileges.

System administration responsibilities for all Institute owned IT Resources, including those that are self-administered include the following found here: System Administration Responsibilities.

Scope

All Georgia Tech IT resource users and all Georgia Tech IT resources are covered by this policy.

Policy Terms

Endpoint - Laptop computers, desktop computers, workstations, group access workstations, USB drives, personal network attached storage.

Georgia Tech IT Resources – Georgia Tech owned Computers, Networks, Devices, Storage, Applications, or other IT equipment.  “Georgia Tech owned” is defined as equipment purchased with either Institute funding (including sources such as Foundation funds etc.) or Sponsored Research funding (unless otherwise specified in the research agreement).

Procedures

Reporting an Incident
If a Georgia Tech IT Resource user suspects that a security incident has occurred or will occur, they should report the suspicion immediately to the system administrator or unit technical lead.  Users may also report the suspected security incident directly to the Georgia Tech Cyber Security team at https://security.gatech.edu/report-incident

System administrators and unit technical leads who have identified any of the following security events should report the suspected security event to the Georgia Tech Cyber Security team:

  • Any occurrence of a compromised user account
  • Any breach or exposure of Category 3 sensitive data (see Data Access Policy)
  • Any occurrence of a server infected with malware
  • Three or more simultaneous occurrences of endpoints infected with malware
  • Any other instance of malware or suspected intrusion that seems abnormal
Responsibilities

Chief Information Security Officer
The Chief Information Security Officer is responsible for creating and maintaining a cyber security program and leading the Georgia Tech Cyber Security team.  The purpose of the cybersecurity program is to maintain the confidentiality, integrity, and availability of Institute IT Resources and Institute data.  In addition, the Chief Information Security Officer, or a designee, is responsible for leading the investigation of and response to cyber security incidents.    The response to any incident will be developed in collaboration with the data steward, Institute Communications, Legal Affairs, and other campus offices as appropriate.

Enforcement

Violations of this policy may result in loss of Georgia Tech system and network usage privileges, and/or disciplinary action, up to and including termination or expulsion as outlined in applicable Georgia Tech policies.

To report suspected instances of ethical violations, please visit Georgia Tech’s Ethics Hotline a secure and confidential reporting system, at: https://secure.ethicspoint.com/domain/en/report_custom.asp?clientid=7508

 

 

Policy History
Revision Date Author Description
January 27, 2017 OIT New Policy
January 23, 2018 OIT Minor clarifications about end point agents
March 6, 2020 OIT Updated to include Secure Data Practices
April 22, 2020 OIT Minor edit regarding hyperlink and terminology

 

Data Governance and Management Policy

Data Governance and Management Policy
Type of Policy
Administrative
kcross8
Effective Date
Review Date
Policy Owner
Office of Information Technology
Contact Name
Zachary Hayes
Contact Title
Data Governance
Contact Email
zachary@gatech.edu
Reason for Policy

Information is critical to administration, planning, and decision-making and is a strategic asset of the Georgia Institute of Technology (“Georgia Tech” or “GT”) and the University System of Georgia (“USG”). To effectively and responsibly use information, data must be necessary and relevant, secure, well documented, and accessible for use by authorized, trained personnel as outlined in this policy and the corresponding guidelines, procedures, and resources referenced herein.

This policy outlines data governance and management requirements in compliance with the USG’s Business Procedures Manual (“BPM”) Sections 12.1 through 12.5 for Data Governance and Management.

Refer to the Georgia Tech Data Governance website for corresponding guidelines, procedures, and resources.

Policy Statement

2.1 Data Governance
The Georgia Tech data governance structure must include roles and committees to direct the proper use and handling of Organizational Data and Information Systems. The roles and committees as noted below in “Section 5 Responsibilities” must oversee the Data Governance, Data Management, Security, and Compliance of Georgia Tech Organizational Data and Information Systems as outlined in this policy and the corresponding guidelines, procedures, and resources. The GT technology governance structure must provide technical guidance to and support the work of the committees in the data governance structure. Learn more about the Data Governance structure.

2.2 Data Management
All Georgia Tech Organizational Data and Information Systems must be associated with appropriate Data Domains and Data Sub-Domains along with additional applicable categorizations to further assist with proper data management. Learn more about Data Domains. Learn more about Data Management Categorizations.

All Information Systems must be inventoried and have the ability to access and report documentation of the respective system’s Supporting Database schema and Data Elements. Learn more about Information Systems Inventory.

Additionally, all Mission-Critical Systems must have Data Element definitions for key elements, data quality controls and supporting documentation, and a method for communicating details about system and data availability and methods for individuals to report lack of availability. Learn more about Data Element Dictionary.

All Organizational Data must comply with USG and Georgia Tech retention and disposition requirements. Learn more about Records Management.

2.3 Data Security
Georgia Tech cybersecurity representatives, as appointed by the Chief Information Security Officer (“CISO”), must create policies, guidelines, procedures, and resources that facilitate a secure environment for the storage, use, and dissemination of Organizational Data to protect the confidentiality, integrity, and availability of information.

All Organizational Data must have a data protection categorization and a designated regulatory categorization (see “Section 2.4 Compliance”). All Protected Data must be protected in accordance with the appropriate Cyber Security Data Protection Safeguards and Protected Data Practices. These protections are recommended for all Public Data. Regulated Data is also subject to the controls specified in the applicable federal, state, local, and international laws and regulations as well as specifications contained in Georgia Tech grants, contracts, and other agreements entered into by, or for the benefit of, Georgia Tech. Such Regulated Data controls are required in addition to the controls specified in the Cyber Security Data Protection Safeguards and Protected Data Practices. When multiple controls exist, the strictest control will take precedent. Learn more about Data Protection Categorizations. Learn more about Cyber Security’s Data Protection Safeguards. Learn more about Cyber Security’s Protected Data Practices.

Access to an Information System via any interface (except user self-service) must be coordinated and reviewed through the Data User, associated Data Stewards for each applicable Data Domain, and the Data Administrator. Access to an Information System may require additional approvals (e.g., a Data User's supervisor) or may grant access through pre-approved role-based permissions. Access must be granted based on the Principle of Least Privilege, used only for the purpose for which it was originally intended, and used only by the individual Data Users who received approval. Additional training may be required by a Data Steward and/or a System Owner before access is granted. Human Resources must notify Data Stewards and Data Administrators when an employee is terminated or when an employee’s status has changed which requires a change to such employee’s access to Organizational Data and Information Systems. Access must be reviewed and verified on a regular basis to occur at a frequency determined by the Data Governance Committee. Learn more about Access Procedures.

All Georgia Tech units must ensure organizational structure, job duties, and business processes include an adequate system of separation of duties to reduce the risk of loss of confidentiality, integrity, and availability of Organizational Data. Learn more about Separation of Duties.

2.4 Compliance
Organizational Data must be closely managed to verify compliance with applicable federal, state, local, and international laws and regulations as well as specifications contained in Georgia Tech grants, contracts, and other agreements entered into by, or for the benefit of, Georgia Tech. All Organizational Data and Information Systems must have a designated regulatory categorization in order to identify applicable external regulatory requirements. Learn more about Data Regulation Categorizations. Learn more about Regulatory Compliance.

Training is required when a Data User enters any data governance and management role set forth in “Section 5.1 Roles.” Documentation of training participation and successful completion is required. Training must be completed on a regular basis, so employees are made aware of any updates to Policy, guidelines, procedures, or responsibilities of their role. Training frequency shall be determined by the Data Governance Committee. Learn more about Training.

The Data Governance Committee will appoint a Data Governance Officer to actively monitor compliance with this policy, guidelines, procedures, and resources. The roles and committees outlined in “Section 5 Responsibilities” must maintain appropriate documentation and general evidence that Georgia Tech is in compliance. Learn more about Monitoring. Learn more about Auditing.

Scope

This policy applies to all Georgia Tech units. Additionally, this policy applies to all Georgia Tech Information Systems and Organizational Data, including all data to which Georgia Tech has been granted stewardship by third parties. This policy does not address public access to Organizational Data as specified in the Georgia Open Records Act. Furthermore, this policy does not apply to documents and records that are the personal property of individuals in the Georgia Tech community including documents owned by students or personal intellectual property of professors or researchers. Learn more about this policy. Learn more about your role in data governance.

Policy Terms
  • Data Domain / Data Sub-Domain
    A logical representation of a category or grouping of Organizational Data that has been designated, named, and assigned accountability. Reference to a Data Domain includes the Data Sub-Domains within it. Learn more about Data Domains.
  • Data Element
    The smallest named item of Organizational Data that conveys meaningful information.
  • Individual Account
    Logical access to an Information System or Organization Data assigned to an individual Data User.
  • Information System
    The technology, software, and services administered for the purpose of creating, storing, managing, using, and gathering data and communication at Georgia Tech.
  • Mission-Critical System
    A data management categorization (see “Section 2.2 Data Management”) assigned by the Data Governance Committee to Information Systems that are key primary sources for Organizational Data. Unexpected downtime of Mission-Critical Systems could have a severe or catastrophic impact on Georgia Tech, presenting a high risk to Georgia Tech.
  • Organizational Data
    Data generated, owned, or managed, by or on behalf of, Georgia Tech including all data to which Georgia Tech has been granted stewardship by third parties. Organizational Data record facts, statistics, or information, which is read, created, collected, used, updated, reported, shared, stored, transferred, or deleted by Georgia Tech units. Data may be in any form, including electronic or physical. Organizational Data may reside in an Information System hosted by Georgia Tech or a third party.
  • Principle of Least Privilege
    Privileges of information resources permitting access to only what is necessary and relevant for the Data Users to successfully perform their job tasks and requirements.
  • Protected Data
    A data protection categorization (see “Section 2.3 Data Security”) where information is not generally available to parties outside of the Georgia Tech community. This is the default data protection categorization for Organizational Data. A Protected Data categorization does not always mean that the data contained therein is confidential or non-disclosable and such data may be subject to disclosure under the Georgia Open Records Act or other applicable laws and regulations.
  • Public Data
    A data protection categorization (see “Section 2.3 Data Security”) where information is targeted for public use. Examples include website content for general viewing and published press releases.
  • Regulated Data
    A data regulation categorization (see “Section 2.4 Compliance”) where information is bound by requirements of applicable federal, state, local, or international laws and regulations, and/or contractual obligations. This data must be guarded from disclosure; disclosure of this information may contribute to financial fraud and/or violate applicable federal, state, local, or international laws and regulations, and/or contractual obligations.
  • Service Account
    Logical access to an Information System or Organizational Data assigned to one or more Data Users through an established shared account.
  • Supporting Database
    The location where Organizational Data exists within an Information System.
Responsibilities

5.1 Roles
Data Owner

The President of Georgia Tech is the Data Owner and has ultimate responsibility for all Organizational Data.

Data Trustee
Data Trustees are Georgia Tech Executive Vice Presidents (or other direct reports to the President) who have overall responsibility for Organizational Data within their Data Domain(s). Data Trustees are appointed by the Data Owner.

Associate Data Trustee
Associate Data Trustees are executives (at the level of Vice President/Vice Provost or higher) who have responsibility for implementing and managing Data Trustee efforts. Associate Data Trustees are appointed by a Data Trustee.

Data Steward
Data Stewards are Georgia Tech leaders (at the director level of a division/unit) who have day to day responsibility for Organizational Data within their Data Sub-Domain(s). Depending on the size and complexity of a functional division/unit, it may be necessary, and beneficial, for the Data Steward to appoint an Associate Data Steward(s). Data Stewards are appointed by a Data Trustee or an Associate Data Trustee.

Associate Data Steward
Associate Data Stewards are division/unit subject matter experts who have responsibility for implementing and managing Data Steward efforts. Associate Data Stewards are appointed by a Data Steward.

System Owner
A System Owner is a technical expert who has overall responsibility for the data management, security, and compliance efforts of an Information System. Each Information System must be assigned a System Owner.

Technical Manager
A Technical Manager is a technical expert who has day to day responsibility for the data management, security, and compliance efforts of an Information System, including the safe transport and storage of data, establishing and maintaining the underlying infrastructure, and performing activities required to keep the data intact, maintained with data quality controls, and available to Data Users.  Each Information System must be assigned a Technical Manager, appointed by the System Owner.

Data Administrator
A Data Administrator is a technical expert who has responsibility for the provisioning of access to the Information System. Each Information System must be assigned one or more Data Administrators, appointed by the Technical Manager.

Data User
Data Users are Georgia Tech employees, affiliates, contractors, consultants, and vendors who access Organizational Data to perform their assigned duties. Data Users are responsible for safeguarding their access privileges, for the use of Organizational Data in conformity with all applicable Georgia Tech Policies and procedures, and for securing such data in accordance with cybersecurity policies and procedures. Data Users are responsible for the ethical use of Organizational Data.

Human Resources
The central office for Human Resources that maintains the official record of employee new hire, status change (either in job function, job status, or transfer to another unit), or termination. Human Resources must notify appropriate roles (as noted in “Section 2.3 Data Security”) when an employee is terminated or when an employee’s status has changed which requires a change to such employee’s access to Organizational Data and Information Systems.

Chief Information Officer / Chief Information Security Officer
The Chief Information Officer (“CIO”) and the Chief Information Security Officer (“CISO”) are each responsible for the technical infrastructure of Georgia Tech to support the Organizational Data needs and assets, including availability, delivery, access, and security across their operational scope. The CIO and the CISO will work closely with other Georgia Tech entities that contribute to the governance, privacy, compliance, strategy, and risk management of Georgia Tech Organizational Data and Information Systems.

Data Governance Officer
A Data Governance Officer is an individual assigned the responsibility of providing guidance, committee support, monitoring, and general oversight to data governance and management efforts. The Data Governance Officer will work closely with other Georgia Tech entities that contribute to the privacy, security, compliance, strategy, and risk management of Georgia Tech Organizational Data and Information Systems. A Data Governance Officer will be appointed by the Data Governance Committee.

5.2 Committees
Data Governance Committee

The Data Governance Committee is comprised of a selection of Associate Data Trustees and other Georgia Tech leaders (including faculty, staff, and student representatives) as appointed by the Data Owner. The Data Governance Committee is responsible for recommending policy, approving procedures, and providing guidance, direction, and support for data governance, management, security, and compliance efforts.

Data Management Committee
The Data Management Committee is comprised of a selection of Data Stewards and other Georgia Tech leaders (including faculty, staff, and student representatives) as appointed by the Data Governance Committee who are representative of Georgia Tech’s Data Domains. The Data Management Committee is responsible for collective decision making regarding substantive changes to Organizational Data that apply across Georgia Tech’s Data Domains.

Data Domain & Technology Sub-Committees
A Data Domain & Technology Sub-Committee is comprised of Associate Data Trustees, a selection of Data Stewards, and technology experts who are representative of the Organizational Data, business processes, service delivery, and Information System use within the Data Domain. Each Data Domain and Technology Sub-Committee is responsible for collective decision-making concerning substantive changes to Organizational Data and Information Systems within the specific Data Domain.

Frequently Asked Questions:

  • Does the Georgia Tech Data Governance and Management Policy replace the existing Georgia Tech Data Access Policy?
    Yes. Updates to the Georgia Tech Cyber Security Data Categorization resource and Data Protection Safeguards resource have been updated to align with this policy.
  • Where can I find details on the procedural requirements of this policy?
    For more guidelines, procedures, and resources related to the Data Governance and Management Policy, please visit the Georgia Tech Data Governance website. Learn more about this policy and resources.
  • What is the difference between Public, Protected, and Regulated Organizational Data?
    All Organizational Data will be assigned a data protection categorization of “Public” or “Protected,” which determines the minimum Georgia Tech data protection practices that must be followed. Organizational Data will also be categorized with a data regulation categorization of “Not Regulated” or “Regulated,” which may increase the minimum data protection practices that must be followed depending on the requirements of the regulation(s) that apply to the Organizational Data.
  • Are Service Accounts treated the same as Individual Accounts for the purpose of this Policy and the corresponding guidelines, procedures, and resources referenced herein?
    Yes. Service Accounts and Individual Accounts are treated the same.
  • What are some examples of Information Systems?
    Some common examples of Information Systems are Banner, OneUSG Connect, and Workday.  Some less recognized systems that are categorized as Information Systems are GitHub, DocuSign, and Microsoft 365.
  • Can someone serve more than one role as defined in “Section 5.1 Roles”?
    Yes. Examples may include:
    - An Associate Data Trustee of financial Organizational Data who also is a Data User of human resources Organizational Data
    - A System Owner for a small-scale Information System may also be the Technical Manager and Data Administrator for that Information System
Enforcement

Georgia Tech, the University System of Georgia, and/or the state of Georgia may periodically audit compliance with this policy.

To report suspected instances of noncompliance with this policy, please contact the Data Governance team at: datagovernance@gatech.edu

Additionally, to report suspected instances of ethical violations please visit Georgia Tech’s Ethics Hotline, a secure and confidential reporting system, at: https://secure.ethicspoint.com/domain/en/report_custom.asp?clientid=7508

Policy History
Revision Date Author Description
09/20/2021 Data Governance New Policy

Data Privacy Policy

Data Privacy Policy
Type of Policy
Administrative
s1polics
Effective Date
Last Revised
Review Date
Policy Owner
Georgia Tech CyberSecurity
Contact Name
John Karrh
Contact Title
Governance Risk & Compliance Manager
Contact Email
johnkarrh@gatech.edu
Reason for Policy

The Georgia Institute of Technology Data Privacy Policy provides the standards the Institute follows when accessing the files and communications of its students and employees. In the interest of promoting academic freedom and the mission of the Institute, the Georgia Institute of Technology (Georgia Tech) recognizes its obligation not to infringe upon the reasonable privacy expectations of its employees and students in their electronic communications and data.

Policy Statement

Georgia Tech provides information technology resources to faculty members, staff and students for the purpose of furthering Georgia Tech’s mission and conducting Georgia Tech business. While personal use of such systems is permitted, as per the Georgia Tech Acceptable Use policy, personal communications and files transmitted over or stored on Georgia Tech systems are subject to the same regulations as business communications.

Georgia Tech is committed to respecting the privacy expectations of its employees and students; however, consistent with this policy, electronic information that is transmitted over or stored in Georgia Tech systems and networks is subject to being audited, inspected and disclosed to fulfill administrative or legal obligations which may include, but are not limited to, the following:

  • is necessary to comply with legal requirements or process (e.g., Georgia Open Records Act or subpoena);
  • may yield information necessary for the investigation of a suspected violation of law or regulations, or of a suspected infraction of Georgia Tech or Board of Regents policy;
  • is needed to maintain the security of Georgia Tech computing systems and networks;
  • is needed for system administrators to diagnose and correct problems with system software or hardware;
  • may yield information needed to deal with an emergency;
  • is needed for the ordinary business of the Institute to proceed, (e.g., access to data associated with an employee who has been terminated/separated or is pending termination/separation, is deceased, is on extended sick leave, or is otherwise unavailable);
  • is necessary to comply with a written request from the Vice President for Student Life on behalf of the parents, guardian, or personal representative of the estate of a deceased student; or
  • is for research authorized by Georgia Tech under a data use agreement that precludes the disclosure of personally identifiable information.
Scope

This policy governs access to the files and communications transmitted on or stored in Georgia Tech’s IT Resources.

Any individual whose personal files and communications exist on a Georgia Tech IT Resource by virtue of unauthorized access will have no expectation of privacy.

Definitions
Information Technology Resources (IT Resources) – Computers, Networks, Devices, Storage, or other IT equipment

Procedures

Application, System, and Network Login Banner
Where possible, all Georgia Tech applications and systems (excluding endpoints and mobile devices) must display the following login banner to all users prior to authentication of user credentials:

TERMS OF USE
This information technology resource is the property of the Georgia Institute of Technology and is available for authorized use only, in accordance with Institute IT policies (http://policylibrary.gatech.edu/information-technology). Any and all files on this system are subject to being audited, inspected and disclosed to authorized system administrators and/or law enforcement personnel to fulfill administrative and/or legal obligations.  By using this system, I acknowledge these terms.

Requests for Access
All requests for access to information that is transmitted over or stored on Georgia Tech systems and networks should be directed to the Chief Information Officer or designee.  The determination of whether access to information is necessary to fulfill administrative or legal obligations is made by the Chief Information Officer or designee, and may not be made at the departmental or unit level.

Business Continuity
Refer to Security Standards and Procedures for detailed procedures.

Deceased Students
Refer to Security Standards and Procedures for detailed procedures.

Emergency
Refer to Security Standards and Procedures for detailed procedures.

Legal Requirements
Refer to Security Standards and Procedures for detailed procedures.

Research
Refer to Security Standards and Procedures for detailed procedures.

System Integrity
Refer to Security Standards and Procedures for detailed procedures.

Violation of Law or Policy
Refer to Security Standards and Procedures for detailed procedures.

Enforcement

Violations of the policy may result in loss of system, network, and data access privileges, administrative sanctions (up to and including termination or expulsion) as outlined in applicable Georgia Tech disciplinary procedures, as well as personal civil and/or criminal liability.  

Policy History
Revision Date Author Description
TBD OIT New Policy

 

Data Resources

Data Resources jgastley3

The Georgia Tech Data Access Policy was retired in Fall 2021. Information once found within the Data Access Policy has been distributed within the resources below.

Please review the Data Governance and Management Policy for information to learn how data is categorized and accessed.

Please review the Cyber Security Policy and another other practices, procedures, and standards to learn more on how to protect and secure data.

 

Email Forwarding for Life

Email Forwarding for Life
Type of Policy
Administrative
jgastley3
Effective Date
Last Revised
Review Date
Policy Owner
Georgia Tech CyberSecurity
Contact Name
Alana DeAngelis
Contact Title
IT Support Professional Manager Senior
Contact Email
alana.deangelis@oit.gatech.edu
Reason for Policy

The Georgia Institute of Technology offers and encourages the use of electronic mail services in support of the academic, research, and public service mission of the Institute, and the administrative functions that support this mission. An extension of these services includes Email- for-Life (EMFL) for eligible members of the GT community once they separate from Georgia Tech (e.g., alumni and retirees). The service allows users to utilize a single, OIT provided, Georgia Tech email alias in the “gatech.edu” domain, and the ability to forward email messages to a user-selected address. This policy addresses eligibility criteria and proper use of Email-for- Life services provided by Georgia Tech, while recognizing that the Terms of Use for the service may change periodically. As email aliases are an integral part of the EMFL service, the Email Alias Guidelines (See Related Documents) are applicable and included by reference in this document.

Policy Statement

Email-for-Life service is intended for the private use of authorized, Institute-affiliated individuals.

Appropriate Use 

EMFL users are encouraged to use these services in a manner consistent with all applicable laws and policies. Users are prohibited from using the service for commercial use, such as selling products. Any use, which disparages the image and reputation of Georgia Tech, is prohibited and will result in termination of user privileges.

Eligibility

The following groups are eligible for EMFL services: 

Alumni – for purposes of this policy, an alumnus/a is defined as any student who successfully completed at least one Georgia Tech credit course, and who leaves Georgia Tech in good academic and disciplinary standing..

Retirees – faculty and staff who retire from Georgia Tech.

Ex Faculty / Staff Member – faculty and staff who leave Georgia Tech prior to retirement are eligible for EMFL privileges.

Affiliates – individuals not categorized above whom the affiliated Unit Head has approved for business reasons.

Non-Eligibility for Georgia Tech Employees

EMFL is a privilege offered to employees. As such, Georgia Tech reserves the right to deny or terminate EMFL to any employee in its sole discretion. This includes, but is not limited to, employees that are terminated with cause.

Review Process

Should an employee feel that they were denied EMFL wrongly, they may appeal the decision in writing to the Associate Vice President of the Office of Human Resources or his/her designee, who is the final authority in determining EMFL eligibility for former Georgia Tech employees.

Privacy

EMFL Users understand that they may periodically receive email communications from Georgia Tech and/or affiliated organizations. Georgia Tech will take reasonable steps to protect the privacy of EMFL users, including but not limited to, not making forwarding addresses available to any non-affiliated organization.

SPAM and Virus Filtering

To protect Institute computing assets, Georgia Tech may drop messages deemed to contain viruses, SPAM, or other messages that may cause damage to Institute systems. While every effort is made to protect all e-mail users from damaging messages, Georgia Tech is not responsible for damage caused by malicious content contained in messages forwarded through the EMFL program.

Administration & Termination of Service

EMFL users are expected to set up and manage their own email alias, their forwarding email address, and any necessary administrative procedures to manage their user profiles. In an effort to streamline the service, Georgia Tech will send annual renewal messages to all EMFL users. Users who do not respond to the second renewal requests will have their email alias and forwarding service inactivated. Georgia Tech reserves the right to cancel or modify the EMFL service with notice, should the need arise including, but not limited to changes in technology, service availability, or campus resource issues.

Scope

This policy applies to all email services provided, owned, or funded in part by the Georgia Institute of Technology under the Email-for-Life program; and to all users of such services regardless of intended use. The EMFL program provides only an e-mail alias to be used for forwarding purposes. EMFL does not include a functioning mailbox or mail storage.

The Georgia Tech Email alias service does not guarantee access to other services that may or may not be provided by Georgia Tech.

Procedures

The following guidelines apply to the usage of EMFL services as they do to the usage of Institute email services in general:

Email Alias Guidelines

Communication

Upon approval, this policy shall be published on the Georgia Tech IT Policy website. The following offices and individuals shall be notified via email and/or in writing upon approval of the policy and upon any subsequent revisions or amendments made to the original document:

  • Office of Human Resources (OHR)
  • Alumni Office
Enforcement

Any person who uses the Institute's Email-for-Life service consents to all of the provisions of this policy as well as the Acceptable Use Policy, Cyber Security Policy, and Data Privacy Policy and agrees to comply with all of its terms and conditions, and with all applicable state and federal laws and regulations. Violations of these policies or applicable state and federal laws and regulations may result in loss of usage privileges.

Georgia Tech reserves the right to make modifications to the EMFL policy as it deems necessary. Georgia Tech will use reasonable efforts to communicate changes to the EMFL policy to EMFL users in a timely manner. Changes to the EMFL policy apply to all EMFL users and EMFL users agree to comply with these changes.

Related Documents
Email_Alias_Guidelines.pdf (149.79 KB) Download Acrobat Reader
Policy History
Revision Number Author Description
1.2.1 Richard Biever Review and Update of the EMFL policy.
1.2.2 Jimmy Lummis Updated reference links

    

 

 

GLBA Information Security Program

GLBA Information Security Program
Type of Policy
Administrative
jgastley3
Effective Date
Last Revised
Review Date
Policy Owner
Georgia Tech CyberSecurity
Contact Name
John Karrh
Contact Title
Governance Risk & Compliance Manager
Contact Email
johnkarrh@gatech.edu
Reason for Policy

This Information Security Plan ("Plan") describes safeguards implemented by Georgia Tech to protect covered data and information in compliance with the FTC's Safeguards Rule promulgated under the Gramm Leach Bliley Act (GLBA). These safeguards are provided to:

  • Ensure the security and confidentiality of covered data and information;
  • Protect against anticipated threats or hazards to the security or integrity of such information; and
  • Protect against unauthorized access to or use of covered data and information that could result in substantial harm or inconvenience to any customer.

This Information Security Program also identifies mechanisms to:

  • Identify and assess the risks that may threaten covered data and information maintained by Georgia Tech;
  • Develop written policies and procedures to manage and control these risks;
  • Implement and review the program; and
  • Adjust the program to reflect changes in technology, the sensitivity of covered data and information and internal or external threats to information security.
Policy Statement

GLBA mandates that the Institute appoint an Information Security Program Coordinator, conduct a risk assessment of likely security and privacy risks, institute a training program for all employees who have access to covered data and information, oversee service providers and contracts, and evaluate and adjust the Information Security Program periodically.

Information Security Program Coordinator(s)

The Associate Vice President of Financial Services and the Associate Vice President / Associate Vice Provost for Information Technology (CIO) have been appointed as the coordinators of this Program at Georgia Tech. They are responsible for assessing the risks associated with unauthorized transfers of covered data and information, and implementing procedures to minimize those risks to the Institute. Internal Audit personnel will also conduct reviews of areas that have access to covered data and information to assess the internal control structure put in place by the administration and to verify that all departments comply with the requirements of the security polices and practices delineated in this program.

Identification and Assessment of Risks to Customer Information

Georgia Tech recognizes that it is exposed to both internal and external risks, including but not limited to:

  • Unauthorized access of covered data and information by someone other than the owner of the covered data and information
  • Compromised system security as a result of system access by an unauthorized person
  • Interception of data during transmission
  • Loss of data integrity
  • Physical loss of data in a disaster
  • Errors introduced into the system
  • Corruption of data or systems
  • Unauthorized access of covered data and information by employees
  • Unauthorized requests for covered data and information
  • Unauthorized access through hardcopy files or reports
  • Unauthorized transfer of covered data and information through third parties

Recognizing that this may not represent a complete list of the risks associated with the protection of covered data and information, and that new risks are created regularly, Georgia Tech Cyber Security will actively participate and monitor appropriate cybersecurity advisory groups for identification of risks.

Current safeguards implemented, monitored and maintained by Georgia Tech Cyber Security are reasonable, and in light of current risk assessments are sufficient to provide security and confidentiality to covered data and information maintained by the Institute. Additionally, these safeguards reasonably protect against currently anticipated threats or hazards to the integrity of such information.

Employee Management and Training

References and/or background checks (as appropriate, depending on position) of new employees working in areas that regularly work with covered data and information (e.g. Cashier’s Office, Financial Aid) are checked/performed. During employee orientation, each new employee in these departments receives proper training on the importance of confidentiality of student records, student financial information, and all other covered data and information. Each new employee is also trained in the proper use of computer information and passwords. Training includes controls and procedures to prevent employees from providing confidential information to an unauthorized individual, as well as how to properly dispose of documents that contain covered data and information. These training efforts should help minimize risk and safeguard covered data and information.

Physical Security

Georgia Tech has addressed the physical security of covered data and information by limiting access to only those employees who have a legitimate business reason to handle such information. For example, financial aid applications, income and credit histories, accounts, balances and transactional information are available only to Georgia Tech employees with an appropriate business need for such information. Furthermore, each department responsible for maintaining covered data and information is instructed to take steps to protect the information from destruction, loss or damage due to environmental hazards, such as fire and water damage or technical failures.

Information Systems

Access to covered data and information via Georgia Tech’s computer information system is limited to those employees and faculty who have a legitimate business reason to access such information. The Institute has policies and procedures in place to complement the physical and technical (IT) safeguards in order to provide security to Georgia Tech’s information systems. These policies and procedures, listed in Section 3 below, are available upon request from the Chief Information Security Officer.

Social security numbers are considered protected information under both GLBA and the Family Educational Rights and Privacy Act (FERPA). As such, Georgia Tech has discontinued the use of social security numbers as student identifiers in favor of the gtID# as a matter of policy. By necessity, student social security numbers will remain in the student information system; however, access to social security numbers is granted only in cases where there is an approved, documented business need.

Management of System Failures

Georgia Tech Cyber Security has developed written plans and procedures to detect any actual or attempted attacks on Georgia Tech systems and has an Incident Response Plan which outlines procedures for responding to an actual or attempted unauthorized access to covered data and information. This document is available upon request from the Chief Information Security Officer.

Oversight of Service Providers

GLBA requires the Institute to take reasonable steps to select and retain service providers who maintain appropriate safeguards for covered data and information. This Information Security Program will ensure that such steps are taken by contractually requiring service providers to implement and maintain such safeguards. The Security Program Coordinator(s) will identify service providers who have or will have access to covered data, and will work with the Office of Legal Affairs and other offices as appropriate, to ensure that service provider contracts contain appropriate terms to protect the security of covered data.

Continuing Evaluation and Adjustment

This Information Security Program will be subject to periodic review and adjustment, at least annually. Continued administration of the development, implementation and maintenance of the program will be the responsibility of the designated Information Security Program Coordinator(s), who will assign specific responsibility for technical (IT), logical, physical, and administrative safeguards implementation and administration as appropriate. The Information Security Program Coordinator(s), in consultation with the Office of Legal Affairs, will review the standards set forth in this program and recommend updates and revisions as necessary; it may be necessary to adjust the program to reflect changes in technology, the sensitivity of student/customer data, and/or internal or external threats to information security.

Policy Terms

Covered data and information
for the purpose of this program includes student financial information (defined below) that is protected under the GLBA. In addition to this coverage, which is required under federal law, Georgia Tech chooses as a matter of policy to include in this definition any and all sensitive data, including credit card information and checking/banking account information received in the course of business by the Institute, whether or not such information is covered by GLBA. Covered data and information includes both paper and electronic records.

Pretext calling
occurs when an individual attempts to improperly obtain personal information of Georgia Tech customers so as to be able to commit identity theft. It is accomplished by contacting the Institute, posing as a customer or someone authorized to have the customer's information, and through the use of trickery and deceit (sometimes referred to as “social engineering”), convincing an employee of the Institute to release customer-identifying information.

Student financial information
is that information that Georgia Tech has obtained from a student or customer in the process of offering a financial product or service, or such information provided to the Institute by another financial institution. Offering a financial product or service includes offering student loans to students, receiving income tax information from a student’s parent when offering a financial aid package, and other miscellaneous financial services. Examples of student financial information include addresses, phone numbers, bank and credit card account numbers, income and credit histories and Social Security numbers, in both paper and electronic format.

Procedures

Related Policies, Standards and Guidelines

Georgia Tech has adopted comprehensive policies, standards, and guidelines relating to information security, which are incorporated by reference into this Information Security Program. They include:

Policies

Cyber Security Policy

Unit-Level Network Usage Policies

Data Access Policy (including Sensitive Data & Server Registration)

Credit Card Processing Policy

Standards

Data Protection Safeguards

Communication

Upon approval, this policy shall be published on the Georgia Tech website. The following offices and individuals shall be notified via email and/or in writing upon approval of the program and upon any subsequent revisions or amendments made to the original document:

  • Associate Vice Provosts
  • Deans
  • Associate Vice Presidents
  • Chairs
  • Department Heads
  • Unit-level business officers
  • Internal Auditing

Identity Theft Prevention Policy

Identity Theft Prevention Policy
Type of Policy
Administrative
abruneau3
Effective Date
Last Revised
Review Date
Policy Owner
Georgia Tech CyberSecurity
Contact Name
John Karrh
Contact Title
Governance Risk & Compliance Manager
Contact Email
johnkarrh@gatech.edu
Reason for Policy

The Georgia Institute of Technology (Georgia Tech or the Institute) developed this Identity Theft Prevention Program ("Program") pursuant to the Federal Trade Commission's (FTC) Red Flags Rule. The Red Flags Rule implements Section 114 of the Fair and Accurate Credit Transactions Act of 2003. After consideration of the size and complexity of the Institute's operations and account systems, and the nature and scope of the Institute's activities, the Institute determined that this Program was appropriate.

Policy Statement

Requirements of the Red Flags Rule
Under the Red Flags Rule, the Institute is required to establish an Identity Theft Prevention Program. The program must contain reasonable policies and procedures to:

  1. Identify relevant Red Flags for new and existing covered accounts. and incorporate those Red Flags into the Program;
  2. Detect Red Flags that have been incorporated into the Program;
  3. Respond appropriately to any Red Flags that are detected in order to help prevent and mitigate Identity Theft; and
  4. Ensure the Program is updated periodically to reflect changes in risks to students or to the safety and soundness of the Institute from Identity Theft.

Oversight
Responsibility for developing, implementing, and updating this Program lies with an Identity Theft Committee (Committee) for the Institute. The Committee is headed by the Chief Information Security Officer who is the Program Administrator. The Institute's Chief Information Officer, the Vice President for Legal Affairs and Risk Management, and such other individuals as may be appointed by the President of the Institute comprise the remainder of the committee membership. The Program Administrator is responsible for ensuring appropriate training of Institute staff on the Program, for reviewing any staff reports regarding the detection of Red Flags and the steps for preventing and mitigating Identity Theft, determining which steps of prevention and mitigation should be taken in particular circumstances, and considering periodic changes to the Program.

Staff Training and Reports
Institute staff responsible for implementing the Program shall be trained either by or under the direction of the Program Administrator in the detection of Red Flags and the steps to be taken when a Red Flag is detected. Institute employees are expected to notify the Program Administrator once they become aware of an incident of Identity Theft or of the Institute's failure to comply with this Program.

At least annually, or sooner if requested by the Program Administrator, Institute staff responsible for development, implementation, and administration of the Program shall report to the Program Administrator on compliance with this Program. The report should address such issues as effectiveness of the policies and procedures in addressing the risk of identity theft in connection with the opening and maintenance of Covered Accounts, service provider arrangements, significant incidents involving identity theft and management's response, and recommendations for changes to the Program.

Service Provider Arrangements
In the event the Institute engages a service provider to perform an activity in connection with one or more Covered Accounts, the Institute will take the following steps to ensure the service provider performs its activity in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of Identity Theft:

  1. Require, by contract, that service providers have such policies and procedures in place; and
  2. Require, by contract, that service providers review the Institute's Program and report any Red Flags to the Program Administrator or the Institute employee with primary oversight of the service provider relationship.

 

Non-disclosure of Specific Practices
For the effectiveness of the Identity Theft Prevention Program, knowledge about specific Red Flag identification, detection, mitigation, and prevention practices may need to be limited to the Committee who developed this Program and to those employees with a need to know them. Any documents that may have been produced or are produced in order to develop or implement this program that list or describe such specific practices and the information those documents contain are considered confidential and should not be shared with other Institute employees or the public. The Program Administrator shall inform the Committee and those employees with a need to know the information of those documents or specific practices which should be maintained in a confidential manner.

Program Updates
The Committee will periodically review and update the Program to reflect changes in risks to students and the soundness of the Institute from Identity Theft. In doing so, the Committee will consider the Institute's experiences with Identity Theft situations, changes in Identity Theft methods, changes in Identity Theft detection and prevention methods, and changes in the Institute's business arrangements with other entities. After considering these factors, the Program Administrator will determine whether changes to the Program, including the listing of Red Flags, are warranted. If warranted, the Committee will update the Program.

Scope

All employees, students, affiliates, contractors, consultants, vendors, or other consumers of Covered Accounts data, and all Institute data (electronic, paper or otherwise) that could be leveraged to conduct identity theft from Covered Accounts are covered by this policy.

Policy Terms

Covered Accounts
All student accounts or loans that are administered by the Institute, including tuition payment plans, federal and school loans involving multiple payments, and campus payment cards.

Identifying Information
Any name or number that may be used, alone or in conjunction with any other information, to identify a specific person, including: name, address, telephone number, social security number, date of birth, government issued driver's license or identification number, alien registration number, government passport number, employer or taxpayer identification number, student identification number, computer's Internet Protocol address, or routing code.

Identity Theft
A fraud committed or attempted using the identifying information of another person without authority.

Program Administrator
The individual designated with primary responsibility for oversight of the Identity Theft Prevention Program.

Red Flag
A pattern, practice, or specific activity that indicates the possible existence of Identity Theft.

Responsibilities

5.1. Program Administrator
This policy confirms the need for an Information Security organization, which is responsible for ensuring Institute compliance with this policy, and maintaining this policy as business processes, technology, and methods of identity protection improve. The Program Administrator monitors the activities of and works with the Data Stewards on the development and implementation of campus unit level Identity Theft Prevention Programs.

5.2. Identity Theft Committee
The Identity Theft Committee is responsible for confirming incidents of identity theft and determining the appropriate course of action when incidents occur. Additionally the committee is responsible for supporting the Program Administrator in ensuring the ongoing success of the Identity Theft Prevention Program.

5.3. Data Stewards
Data Stewards are responsible for developing and implementing Identity Theft Prevention within their purview. Data Stewards report to the Program Administrator on their activities in implementing unit level Identity Theft Programs.

Enforcement

Individuals covered by the scope of this policy are expected to: a) respect the confidentiality and privacy of individuals whose records they access; b) observe any restrictions that apply to sensitive data; and c) abide by applicable laws, policies, procedures, and guidelines with respect to access, use, or disclosure of information.

Individuals who become aware of potential Identity Theft are expected to report such an incident per the procedures defined by the Identity Theft Prevention Program Administrator. The Program Administrator will report violations to the appropriate Faculty and/or Employment body. Violations of this policy may result in loss of usage privileges, administrative sanctions (including termination or expulsion) as outlined in applicable Georgia Tech disciplinary procedures, as well as personal civil and/or criminal liability.

Policy History
Revision Date Author Description
XX-XX-XXXX OIT-Information Security New policy
04-2013 OIT-Information Security Update to policy

  

 

 

Information Technology Accessibility Policy

Information Technology Accessibility Policy
Type of Policy
Administrative
s1polics
Effective Date
Last Revised
Review Date
Policy Owners
Office of Compliance
Contact Names
J. Denise Johnson-Marshall, ADA Coordinator, dmarshall@gatech.edu
James Logan, Quality Assurance Manager, james.logan@oit.gatech.edu
Reason for Policy

The Georgia Institute of Technology (“Institute”) is committed to providing equality of opportunity to persons with disabilities, including equal access to Institute programs, services and activities provided through Information Technology (IT). This policy establishes minimum standards and expectations regarding the design, acquisition or use of Information Technology.

Policy Statement

The Institute commits to ensuring equal access to all Institute programs, services and activities provided through Information Technology, whether provided directly by the Institute or by a vendor. As provided in Part VII, below, all Institute offices using vendor-provided Information Technology shall ensure that such IT complies with the Accessibility Standards contained in this policy. Unless an exemption applies, all schools, colleges, departments, offices and entities of the Institute shall adhere to the Institute’s Accessibility Standards, as defined below.

Scope

Incorporating principles of universal design in the development, acquisition, and implementation of IT and related resources helps the Institute ensure that these resources (documents, web pages, information, and services) are accessible to the broadest possible audience.

Individual web pages published by students, employees or non-Institute organizations that are hosted by the Institute and which do not conduct Institute-related business are encouraged to adopt the accessibility standards contained in this policy, but fall outside the jurisdiction of this policy.

Definitions:

Information Technology

“Information Technology” means any equipment or interconnected system or subsystem of equipment, that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information. The term information technology includes computers, ancillary equipment, software, firmware and similar procedures, services (including support services), and related resources, including, but not limited to computers and ancillary equipment, instructional materials, software, videos, multimedia, telecommunications, or web-based content or products developed, procured, maintained, or used in carrying out Institute activities.

Institute Accessibility Standards

“Institute Accessibility Standards” means, at a minimum, the standards of the Web Content Accessibility Guidelines 2.0, Level AA, as created and published by the Web Accessibility Initiative of the World Wide Web Consortium, as well as the requirements of Sections 504 and 508 of the Rehabilitation Act of 1973 and their implementing regulations. “Institute Accessibility Standards” also means, more generally, those generally accepted principles of universal design which helps individuals with disabilities access the services, programs, and academic, extracurricular and research offerings of the Institute.

Legacy Web Pages

Legacy Documents

Legacy Multimedia

“Legacy Web Pages,” “Legacy Documents,” and “Legacy Multimedia”, mean web pages, electronic documents, and multimedia created before January 1, 2013.

Revised Web Page “Revised Web Page” means any web page where a significant alteration or update is made to the visual design of the page or a major revision of the content of the page is made.
Universal Design “Universal Design” means a concept or philosophy for designing and delivering products and services that are usable by people with the widest possible range of functional capabilities, which include products and services that are directly accessible (without requiring assistive technologies) and products and services that are interoperable with assistive technologies.

Applicability:

This policy applies to all IT resources that are acquired, developed, distributed, used, purchased or implemented by or for any Institute unit and used to provide Institute programs, services, or activities, including but not limited to:

1. Web Pages

a. All new web pages and Revised Web Pages, website templates, and website themes must comply with the Institute’s Accessibility Standards.
b. All new and Revised Web Pages must indicate in plain text a method for users having trouble accessing the page to report that inaccessibility.
c. Legacy Pages determined by the publishing department or unit to be of the highest priority in providing Institute services online (core institutional information) shall comply with the Institute’s Accessibility Standards.
d. Unless an exception applies and is appropriately documented, for any Legacy Web Page or any other web page that for any reason does not comply with the Institute’s Accessibility Standards, the Institute will, upon request, convert or render the non-compliant web page so as to meet the Institute’s Accessibility Standards or will provide to the requestor access to the web page’s information in manner that is equally effective as the original page.

2. Electronic Documents

This policy and the Institute Accessibility Standards apply to all electronic documents.

3. Multimedia

This policy and the Institute Accessibility Standards apply to all multimedia.
 

Exemptions:

1. Legacy Web Pages, Legacy Documents, and Legacy Multimedia are not required to comply with Institute’s Accessibility Standards unless

  • specifically requested by an individual with a disability (though units are encouraged to identify and improve the accessibility of Legacy Pages even in the absence of specific requests),
  • significant and substantial revisions to the web pages, documents, or multimedia are undertaken after the creation of the original, or
  • the nature or function of the web page, document, or multimedia is determined by the creating department to be essential to the purpose of the department or program.

2. Undue burden and non-availability may qualify as an exemption from this policy when compliance is not technically possible, or is unreasonably burdensome in that it would require extraordinary measures due to the nature of the IT or would alter the purpose of a web page. The conclusion of undue burden or non-availability is an institutional decision to be made by the Institute’s Office of Equity and Compliance Programs in consultation with the affected unit(s) and others with relevant perspective or expertise. Notwithstanding the foregoing, an individual in need of an accommodation to access the program, service or activity shall request the same of the Institute’s ADA Coordinator or IT Accessibility Coordinator.

3. IT resources specific to a research or development process in which no member of the research or development team requires accessibility accommodations may be exempt. In such cases, the lead investigator must document that, upon inquiry, no member of the research or development team identified as requiring an accommodation.
 

Purchasing:

In order to ensure accessibility of IT products, Institute officials responsible for making decisions about which products to procure must consider accessibility as one of the criteria for acquisition. This is especially critical for enterprise-level systems or technologies that affect a large number of students, faculty, and/or staff. Considering accessibility in procurement involves the following steps:

  1. Vendors must be asked to provide information about the accessibility of their products as required by the Institute’s Computer Technology Request (CTR) process.
  2. The information provided by vendors must be valid and measured using a method that is reliable and objective.
  3. Those making procurement decisions must be able to objectively evaluate the accessibility of products and to scrutinize the information provided by vendors.

Assistance with ensuring that appropriate contractual language is included in all IT purchasing documents may be obtained through the Institute’s Purchasing Office.
 

Compliance:

The Institute’s ADA Coordinator is responsible for overseeing compliance with regard to state and federal laws and regulations that prohibit discrimination on the basis of disability and require reasonable accommodation. Questions or concerns regarding compliance with this policy, or complaints of discrimination, should be directed to the ADA Coordinator, who contact information is contained below.

Questions regarding the Institute’s Accessibility Standards, resources, and other technical matters may be addressed to the Institute’s IT Accessibility Coordinator, who contact information is below.

To report an accessibility issue or non-compliance with this policy, please email gtaccessibility@gatech.edu.

Enforcement

To report suspected instances of noncompliance with this policy, please visit Georgia Tech’s EthicsPoint, a secure and confidential reporting system, and read more about the EthicsPoint Portal.

Contacts

Institute ADA Coordinator:
Denise Johnson-Marshall
ADA Coordinator
dmarshall@gatech.edu
(404) 385-5151

IT Accessibility Coordinator:
James Logan
Quality Assurance Manager,
james.logan@oit.gatech.edu

Assistance with IT Purchasing:
Purchasing Office
purchasing.ask@business.gatech.edu
(404) 894-5000

Policy History
Revision Date Author Description
1/15/2016 Equity and Compliance Programs and OIT New Policy

 

Institution Online Resource Ownership, Control, and Use

Institution Online Resource Ownership, Control, and Use
Type of Policy
Administrative
kcross8
Effective Date
Review Date
Policy Owner
Office of Information Technology
Contact Name
Daren Hubbard
Contact Title
Vice President for Information Technology and Chief Information Officer
Contact Email
daren.hubbard@gatech.edu
Reason for Policy

This policy provides the guiding principles for the ownership, control, and use of all Georgia Institute of Technology (“Institute”) online resources. All Institute owned online resources are the property of the Institute and are under its exclusive control, as well as the exclusive authority to acquire additional online resources in its name in the future. Administrators and users of Institute online resources are expected to be good stewards of these resources and to act in a responsible manner.

Policy Statement

This policy concerns the Institute’s ownership, control, and use of all Institution Online Resources, specifically addressing the following matters: (i) exclusive ownership and control of all Institution Online Resources; (ii) exclusive authority over all Institution Online Resources owned or controlled by the Institute and the exclusive authority to acquire additional online resources in its name in the future; (iii) approval of content published on an Institution Online Resource; and (iv) removal of content improperly published to an Institution Online Resource.

Scope

This policy governs the use of all current and future Institute Online Resources which includes but is not limited to internet domains, websites, user uploaded content, web or mobile applications, official social media accounts, listservs, online educational resources, and content generated by Institute employees.

Policy Terms

Institution Online Resources
Consist of all online resources owned or controlled by the Institute, including internet domains, websites, webpages, web or mobile applications, official social media accounts of the Institute, online educational resources, and content generated by Institute employees.

Institution Online Resources do not include non-publicly facing IT resources (e.g. OneUSG Connect). Institution Online Resources also do not include personal webpages and social media accounts of Institute employees and students.

Department
For purposed of this policy, department means the units of the Institute reporting to directly to a member of the Executive Leadership team or a member of cabinet or a dean. 

Responsibilities

Institute
All Institution Online Resources are the property of the Institute and under its exclusive control. The Institute has the exclusive authority over all Institution Online Resources and the exclusive authority to acquire additional Institution Online Resources in its name in the future.  

Departments
Each Department must maintain its own inventory of Institution Online Resources under its jurisdiction. Members of the Executive Leadership team will retain oversight of over the respective departments reporting to them.

Each Department must have a procedure for the establishment of Institution Online Resources, the management of existing Institution Online Resources, approval of content, and the deletion of online resources no longer needed.

Each Department is responsible for the content created on or posted to Institution Online Resources under its control, including responsibility to ensure that content (i) complies with applicable University System of Georgia (USG) and Institute policies, (ii) complies with federal accessibility requirements and as outlined in the Information Technology Accessibility Policy, and (iii) does not violate the intellectual property rights of third parties. A sample of such procedure is linked at the end of this document.  

Management of Institution Online Resources

Management
Administration privileges for any Institution Online Resources may only be assigned to Institute employees or outside contractors whose job duties include the administration of such accounts.

Transition of Management
Part of the separation process for employees shall include the transition of account control over any Institution Online Resources managed by the departing employee.

Limitation on Management by Student Employees
Student employees shall not be granted administrative access or duties over Institution Online Resources without express written permission from the appropriate employee with designated approval authority for the Institution Online Resource and with appropriate approval and oversight procedures in place for any content the students are to publish on Institution Online Resources.

Moderation of Third-Party Content

Content created by third-party users of Institution Online Resources shall be moderated in compliance with applicable Institute policies governing the posting of content on such Institution Online Resources and subject to any applicable terms and conditions or end user agreements of the thirty-party hosting platform.  

Removal of Unauthorized Content

Any content created on or posted to an Institution Online Resource that has not been approved pursuant to the applicable Department’s required review and approval process or is otherwise not in compliance with Institute or USG policies governing online content shall be removed promptly following discovery. The authority and responsibility for removing unauthorized content will reside with the Department that controls the online resource where the content is located. Ultimate authority for the approval or removal of content on Institution Online Resources rests with the President.  

Cybersecurity
Any suspected unauthorized content should be immediately reported to the Institute’s Office of Cybersecurity (soc@gatech.edu) for review of any potential data privacy and cybersecurity concerns.  

Password Policy

Password Policy
Type of Policy
Administrative
s1polics
Effective Date
Last Revised
Review Date
Policy Owner
Georgia Tech CyberSecurity
Contact Name
John Karrh
Contact Title
Governance Risk & Compliance Manager - Cyber Security
Contact Email
johnkarrh@gatech.edu
Reason for Policy

This policy establishes the minimum requirements for generating and managing Georgia Tech user passwords, or other authentication factors, used by operating systems, applications, databases, and network devices owned by or managed by Georgia Tech. The intent of this policy is to protect access to Sensitive Data, and Georgia Tech systems and networks.

Policy Statement

Single factor authentication (i.e. password authentication) or multifactor authentication (i.e. password and token) must be used to authenticate to any system or application which requires unique logon as defined by the Data Access Policy and Data Protection Safeguards Standard. The standards for single factor password authentication and multifactor authentication are defined in the standards section below.

Georgia Tech account users must take all reasonable measures to protect their passwords and accounts. Georgia Tech users must never share their account passwords with anyone, including third party service providers (e.g. Google). Each user is accountable and responsible for any action taken with that user's account and password. If there is a business need to share access to an account, such sharing should be accomplished through system permission delegation.

Exceptions to the requirements of this policy may be requested per the Policy Exceptions policy.

Standards:
General Standards

  • Georgia Tech user account passwords must never be transmitted over the network in a clear text format
  • Passwords must be protected at all times, and measures must be taken to prevent disclosure to any unauthorized person or entity
  • Passwords must be protected during distribution to the end user
  • Temporary passwords must be changed within 24 hours of creation
  • Default passwords for new servers, endpoints, and applications must be changed

Single Factor Password Configuration Standards
Single factor passwords must:

  • Contain at least 11 characters
  • Contain characters from at least three of the following four character classes:
    • Upper case alphabetic (e.g. A-Z)
    • Lower case alphabetic (e.g. a-z)
    • Numeric (e.g. 0-9)
    • Special characters (e.g. .,!@#$%~)
  • Expire every 120 days (service accounts that are not used to login interactively do not expire)
  • Be different from the last four passwords selected

Multifactor Password Configuration Standards
When logging into systems or applications that require multifactor authentication, the associated password must:

  • Contain at least 8 characters
  • Contain characters from at least three of the following four character classes:
    • Upper case alphabetic (e.g. A-Z)
    • Lower case alphabetic (e.g. a-z)
    • Numeric (e.g. 0-9)
    • Special characters (e.g. .,!@#$%~)
  • Expire every 365 days
  • Be different from the last four passwords selected

Mobile Device Pin/Password Configuration Standards
When using a mobile device, such as a smart phone or tablet, that requires authentication, the associated password/pin must:

  • Contain at least 6 characters, or
  • Leverage some other form of authentication such as
    • Biometrics (e.g. facial recognition or thumbprint)
    • Pattern code
    • Swipe code
Scope

This Institute-wide policy applies to any endpoint, mobile device, or application which requires unique logon as defined by the Data Access Policy and Data Protection Safeguards Standard, as well as all users of those systems.

Policy Terms

Endpoint - Desktop computers, laptop computers, workstations, group access workstations, USB drives, small servers, cloud hosted virtual machines, and personal Network Attached Storage (NAS)

Mobile Device - Mobile devices at Georgia Tech include, but are not limited to:

  • Cellular telephones
  • Smart phones (e.g. iPhones, Android Phones, BlackBerrys)
  • Tablet computers (e.g. iPad, Kindle, Kindle Fire, Android Tablets)
  • Wearable Devices (e.g. Google Glass, watch devices)
  • Personal Digital Assistants
  • Any other mobile device containing Georgia Tech data (e.g handheld scanning devices)

Multifactor Authentication – A process for securing access to a given system, such as a network or website, that identifies the party requesting access through several categories of credentials (e.g. password and soft token or password and thumbprint).

Server - Any computer system that hosts a campus unit or institute wide service, or acts as an authoritative source of data for the institute or campus unit.

Single Factor Authentication - A process for securing access to a given system, such as a network or website, that identifies the party requesting access through only one category of credentials (e.g. password).

Enforcement

Violations of this policy may result in loss of Georgia Tech system and network usage privileges, disciplinary action, up to and including termination or expulsion as outlined in applicable Georgia Tech Employment policies and the Georgia Tech Student Code of Conduct, as well as personal civil and/or criminal liability.

Policy Exceptions

Policy Exceptions
Type of Policy
Administrative
jgastley3
Effective Date
Last Revised
Review Date
Policy Owner
Georgia Tech CyberSecurity
Contact Name
John Karrh
Contact Title
Governance Risk & Compliance Manager
Contact Email
johnkarrh@gatech.edu
Reason for Policy

Situations or scenarios will arise that cannot be effectively addressed within the constraints Georgia Tech’s security policies and standards. There will be times when business processes can and should take precedence over these policies. However, we must still consider the security of Georgia Tech’s infrastructure and data. The process allows unit heads and Institute leadership to make an informed decision on whether or not to request an exception to a particular IT policy by understanding the risk and alternatives involved.

(NOTE: Phrases shown in italics at their first occurrence in this document are defined in the associated IT Policy Definitions - Standards Document No. 05.GIT.170)

Policy Statement

Exception Process

  • Any deviation from security policies and standards must be reviewed via the Information Security Exception Review process.
  • The exception review process must involve qualified information security professionals.
  • The exception review process must log all findings and results in a central repository that is accessible to all Georgia Tech staff involved in the assessment of the exception request.
  • Approved exceptions must be periodically reviewed by OIT-IS, Internal Audit, and the Unit requesting the exception.
  • Exemption requests involving potentially significant risk to the Unit may require approval of the Unit Head, CIO, EVP, or Provost.

Exception Criteria

  • Exception requests must be evaluated in the context of potential risk to the Unit and Georgia Tech as a whole.
  • Exception request evaluations must take into account what value the exception will bring to the Unit requesting the exception.
  • Exception requests that create significant risks without compensating controls will not be approved.
  • Exception requests must be consistently evaluated in accordance with Georgia Tech’s risk acceptance practice.
Scope

This Institute-wide process applies to all units and individuals requesting an exemption to Georgia Tech’s security policies and standards.

Procedures

If a Unit determines they cannot follow an Institute-level policy or standard, then the Unit should request an exception. Before doing so, the Unit should consider what risks they may face by not adhering to the policy as well as the benefit gained by requesting the exception.

The Unit should fill out the Policy Exception Request form and submit it to OIT-Information Security (OIT-IS).

Once OIT-IS has the request, they will review the submission for completeness (ensure no information is missing) and follow up with the Unit as necessary.

OIT-IS will perform a risk assessment of the request, the proposed mitigation, and the benefit of allowing the exception.

OIT-IS, Internal Audit, and the Unit will meet and review the risk assessment and the proposed mitigation measures. The purpose of the review is to examine the exception request, and discuss the potential risk and proposed mitigation by the Unit. If the exception poses a significant risk, OIT-IS will work with the Unit to understand the reason for the exception and propose reasonable alternatives to both mitigate the risk as well as provide the necessary functionality needed by the Unit.

If the review team finds the exemption could lead to significant risk to the Unit or the Institute, then they will inform the Unit Head (Dean, AVP), Director of Internal Audit, and the CIO.

Exemption requests involving potentially significant risk to the Unit may require approval of the Unit Head, CIO, EVP, or Provost.

Once the review of the exception has been completed and the exception approved, the exception will be signed off on by OIT-IS, IA, and the Unit Lead. In doing so, the Unit is accepting the potential risk caused by allowing the exception. An electronic copy of the exception will be maintained.

The exception will be granted for a period of no more than 1 year from the time the exception is granted. At the end of the year, the exception will be reviewed and either terminated or renewed for another period.

Communication

Upon approval, this policy shall be published on the Georgia Tech IT Policy website. The following groups shall be notified via email and/or in writing upon approval of the standard and upon any subsequent revisions or amendments made to the original document:

  • Office Information Technology (OIT)
  • Campus Deans and Chairs
  • Unit Business/Administrative Leads
  • Georgia Tech IT Directors
  • ITAC
  • Campus CSR’s
  • Internal Audit

 

Responsibilities

GT security policies and standards specify the minimum requirements that must be met throughout Georgia Tech’s IT environment.

OIT-IS
Georgia Tech Cyber Security group is responsible for developing and maintaining this procedure.

Units
Georgia Tech Academic and Administrative Units, including OIT, are responsible for communicating this procedure to their users and submitting risk exception requests via the approved process.

Related Documents
Exception Request Process Flowchart.pdf (104.63 KB) Download Acrobat Reader
Policy History
Revision Number  Author Description
1.0 Richard Biever Initial Draft
1.1 Richard Biever Review/Changes from ITAC

      

 

 

Responsible Disclosure Policy

Responsible Disclosure Policy
Type of Policy
Administrative
s1polics
Effective Date
Last Revised
Review Date
Policy Owner
Georgia Tech CyberSecurity
Contact Name
John Karrh
Contact Title
Governance Risk & Compliance Manager
Contact Email
johnkarrh@gatech.edu
Reason for Policy

The Georgia Institute of Technology (Georgia Tech or the Institute) recognizes that security vulnerability research takes place on campus both through sponsored research, internally initiated research, and informal research. In addition, system users often find security vulnerabilities incidentally during the course of some other activity. Georgia Tech is fully committed to the identification and remediation of security vulnerabilities within Institute systems and networks. For these reasons the Institute developed this Responsible Disclosure policy to address the need for an ethical way to identify and report security vulnerabilities within Georgia Tech systems and networks.

Policy Statement

Any individual that is attempting to identify a security vulnerability within a Georgia Tech system or network must first obtain permission from the appropriate system owner prior to engaging in any testing or investigation. The reason system owners must be made aware in advance is to give the system owner an opportunity to prepare for any negative consequences of the security testing or investigation. The system owner may choose not to grant permission or may revoke permission at any time if such use interferes with owners use. The Georgia Tech CyberSecurity team is granted the right to perform vulnerability testing and investigation on Institute systems, networks, and users without obtaining explicit permission. Any system owner is granted the right perform vulnerability testing and investigation on their own systems without any outside permission. Once a security vulnerability has been identified within a Georgia Tech system or network, either through an approved investigation or incidentally, the person identifying the security vulnerability must disclose the security vulnerability to the Georgia Tech Cyber Security team as soon as possible, but no later than 48 hours from the time the investigator is aware of the vulnerability. System owners are not required to disclose vulnerabilities identified in their own systems to Georgia Tech Cyber Security. The identified security vulnerability may not be publicly disclosed before 180 days have elapsed from the time that the vulnerability was reported to Georgia Tech Cyber Security or until permission is received from Georgia Tech Cyber Security.

Scope

All employees, students, affiliates, contractors, consultants, vendors, or other Georgia Tech system and network users are covered by this policy. Georgia Tech systems and networks specifically provisioned for information security research are exempt from this policy.

Policy Terms

PGP
Pretty Good Privacy (PGP) is a data encryption and decryption computer program that provides cryptographic privacy and authentication for data communication. PGP is often used for signing, encrypting, and decrypting e-mails.

Publicly Disclosed
Posting vulnerability information to a public website or forum, publishing the vulnerability information in a paper or article, or any other form of communication to individuals other than the appropriate Georgia Tech system owner, Georgia Tech Cyber Security, or the software vendor.

Security Vulnerability
A security vulnerability is a weakness in a system or network that could allow an attacker to compromise the integrity, availability, or confidentiality of that system or network.

Procedures

Prior to attempting to identify security vulnerabilities within an Institute system:

  • To identify the appropriate system owner, please first contact the Georgia Tech CyberSecurity team via email at ask@security.gatech.edu
  • Obtain permission from the system owner. This step is not necessary if the system owner is attempting to identify security vulnerabilities in his or her own systems

If a vulnerability is identified inadvertently or incidentally:

  • Proceed to the next section and follow the procedures on reporting the vulnerability to Georgia Tech CyberSecurity

When reporting a security vulnerability:

  • Within 48 hours of discovering the security vulnerability, contact the Georgia Tech CyberSecurity team via encrypted email at vulnerability.reporting@gatech.edu using our PGP key (available on the public PGP servers and at https://security.gatech.edu/report-vulnerability).
  • Include as much information as possible in your report, including a way for the system owner to reproduce the security vulnerability
  • If you are unfamiliar with PGP and encrypting email, then please email us at vulnerability.reporting@gatech.edu and DO NOT include details of the security vulnerability
  • Provide your contact information
Enforcement

Violations of this policy may result in loss of Georgia Tech system and network usage privileges, disciplinary action, up to and including termination or expulsion as outlined in applicable Georgia Tech Employment policies and the Georgia Tech Student Code of Conduct, as well as personal civil and/or criminal liability. In addition, intentionally circumventing the security of a Georgia Tech system without permission is in violation of Georgia Tech’s Cyber Security policies.

Telecommunications

Telecommunications jbarber32

Broadband Connections for Faculty and Staff

Broadband Connections for Faculty and Staff
Type of Policy
Administrative
jgastley3
Last Revised
Review Date
Policy Owner
Info Tech- Information Security
Contact Name
Cas D'Angelo
Contact Title
OIT Telecommunications Director
Contact Email
cas.dangelo@oit.gatech.edu
Policy Statement

 It is the responsibility of Georgia Tech and each of its budgetary units to implement procedures to effectively use communication services and equipment at the lowest possible cost. With the rapid growth in requirements for high speed broadband network access (e.g. DSL, cable-modem) for some Georgia Tech faculty and staff, and with the Georgia Tech philosophy of unit-based management, heads of budgetary units (Vice Presidents, Deans, School Chairs, Department Heads) or their designee are authorized to acquire broadband services for faculty and staff when required for institutional purposes.

The purpose of this policy is to outline the eligibility criteria, acceptable usage, and administration of Georgia Tech-funded broadband service granted to faculty and staff members. Insofar as this policy deals with access to Georgia Tech computing and network resources, all relevant provisions in the Acceptable Use Policy, the Cyber Security Policy, and the Data Privacy Policy are applicable and included by reference in this document.

Eligibility and Acceptable Use

Granting Institute-funded broadband service to faculty and staff members by individual units on campus, with the express intent of conducting Institute business when it is demonstrated an employee cannot perform his/her duties without high speed (broadband service) access to the Internet and/or to the Georgia Tech network, or that improved performance and productivity ensuing from broadband service will justify the investment, shall be authorized under this policy. Each department is to maintain approved justification documentation for each approval of broadband service.

Examples of conditions under which broadband service may be granted to employees include:

  • Broadband service is required to achieve business objectives by an employee who routinely or predominantly telecommutes.
  • An employee cannot adequately meet communications needs with other available alternatives such as dial-up modems.
  • Broadband service is required for on-call personnel required to respond to critical system failures or service disruptions.
  • Broadband service is determined to be the most appropriate means of responding to campus emergencies.
  • Broadband service is needed to facilitate program and business access to campus and Internet resources to remotely conduct Institute business.

Georgia Tech will cover the cost of a competitive broadband service plan used primarily for job-related activities. Employees who wish to add personally-owned computers to any such plan must do so at their own expense. Furthermore, all broadband service users are reminded that such privileges are covered by the Acceptable Use Policy, the Cyber Security Policy, and the Data Privacy Policy as well as any relevant Unit-Level Network Usage Policy.

Ordering and Payment Administration

Managers of employees qualifying for Institute-funded broadband service are to initially determine the business needs and select an appropriate package which meets these requirements. Both the business need and broadband service package selection should be reviewed periodically, at least annually.

The following ordering and payment options are allowed under this policy:

  1. Departmental P-Card Departments may acquire broadband service via departmental P-cards, but they should note that special obligations go along with the convenience. Specifically, only designated Georgia Tech Procurement Officials may enter into contracts on Georgia Tech’s behalf. This means Broadband service contracts obtained via P-card and signed by an employee are, in fact, personal obligations of the employee. Should the employee terminate while an agreement signed by the employee is still in force, it is the responsibility of the employee to fulfill the terms of the agreement. The department is to maintain the approved justification documentation for each broadband service obtained in this manner.
  2. Georgia Tech Purchasing Georgia Tech Purchasing will process requests for Broadband service upon receipt of an approved purchase requisition. Purchasing will procure these services via standing agreements available to Georgia Tech. In special circumstances, Purchasing may utilize other agreements obtained from any carrier who best meets the needs of the Institute. Broadband service will be billed directly to the ordering department, based upon the information on the purchase order (FPO). Object code 773500 Cellular Services, will be used to account for Broadband service costs. Departments will review and verify Broadband service bills on a monthly basis and forward the approved invoice to Accounts Payable for payment. Invoices are to be submitted at least 10 days before due date to allow for payment processing and mail delivery. Invoices may be paid by Pcard. Effective May 1, 2003 the default account must be changed to 773500 utilizing the Georgia Tech Pcard reallocation tool.
  3. Personal Contracts Heads of budgetary units may authorize employee reimbursement for business use of their personal broadband service contracts. Additionally, it may make economic and business sense to pay a differential price to boost an employee’s current service package on their personal phone or cable arrangement by an amount sufficient to cover the addition of authorized broadband service. If the unit head determines that this approach is in the best interest of the Institute, they should document the rationale for this decision, keep on file and review periodically (at least annually) to ensure that this is still the appropriate option.

Right to Monitor Communications and Right to Privacy

Georgia Tech reserves the right to investigate, retrieve and read any communication or data composed, transmitted or received through voice services, online connections and/or stored on its servers and/or property, without further notice to faculty and staff, to the maximum extent permissible by law. Express notice to faculty and staff stating that there is no right to privacy for any use of Institute telecommunications equipment and services, or funded by Institute resources, should be included in the approval form granting funding for broadband services.

Enforcement

All approval and justification documents shall be kept by unit business officers, and shall be subject to periodic reviews by Georgia Tech Internal Audit and/or external audit agencies.

 

Wireless Communication Devices/Mobile Phone Services

Wireless Communication Devices/Mobile Phone Services
Type of Policy
Administrative
jgastley3
Policy No
14.1
Effective Date
Last Revised
Review Date
Policy Owner
Info Tech- Resource Management
Contact Name
Kat Vineyard
Contact Title
Financial Analyst
Contact Email
kat.vineyard@oit.gatech.edu
Policy Statement

It is the responsibility of Georgia Tech and each of its budgetary units to implement procedures to effectively use communication services and equipment at the lowest possible cost. Heads of budgetary units (Vice Presidents, Deans, School Chairs, Unit Heads) or their designee are authorized to approve the acquisition of wireless communication devices and services. Wireless communication devices (WCDs) for purposes of this policy include, but are not limited to: mobile phones (smartphones or otherwise), tablets with mobile data, computers with mobile data, and hotspots. By contrast, cordless telephones, headsets, tablets and computers with wifi or wired connections, and other devices not subject to incremental usage charges are not included.

Guidelines for Acquisition and Use
An Institute assigned WCD/mobile phone and service may be an appropriate resource to conduct Institute business in instances when it will improve performance orwhen it is demonstrated an employee cannot perform his or her duties without a WCD/mobile phone The individual units or departments are responsible for:

  • Specifying authorized and unauthorized uses of wireless or mobile devices
  • Maintaining the approval justification for each WCD/mobile phone device and service issued or approved.
  • Documenting procedures for processing reimbursement for business use of personal WCD or mobile phones.
  • Maintaining an inventory of wireless devices in shared pools and individually-assigned, by type.

The inventory of WCDs maintained by each unit shall document, at the very least, each individual device type, the service provider for such device, and the assignee (individual user or most granular organizational unit in the case of shared/pool devices). Such inventory must be kept current by each unit or department, and made available for inspection by GIT Internal Audit or any authorized external agency upon request. Inventory reports shall be forwarded to Financial Services and/or the Office of Information Technology on a semi-annual basis, as directed.

Criteria for Determining Need
A department may acquire a WCD/mobile phone service for an employee where communications needs cannot be met with other available devices such as standard telephone equipment or soft client. Examples of conditions under which a WCD/mobile phone devices and service may be obtained if these criteria are met include the following:

  • A WCD/mobile phone is required for the employee’s position and need to maintain information or communicate with others as it relates to their job functions.
  • A WCD/mobile phone is required to directly enhance an employee's job responsibility of protecting the physical safety of the general public.
  • A WCD/ mobile phone is required for an employee to respond better to environmental emergencies.
  • A WCD/mobile phone is required for additional protection for the employee in potentially hazardous working conditions.
  • An employee cannot adequately meet communications needs with other available alternatives such as a standard land-line or soft client.
  • A WCD/mobile phone is required for on-call personnel required to respond to critical system failures or service disruptions
  • A WCD/mobile phone is determined to be the most appropriate means of responding to campus emergencies or to achieve business efficiencies.
  • Cost savings are realized when an employee combines or eliminates landline or services.

The unit head (or designee) of employees using Institute owned WCD/mobile phone is to initially determine the business needs and select an appropriate airtime package that meets these needs. If a manager identifies any non-reimbursed personal expenses, which have not been reported by the affected employee, the department will collect the cost of such call(s) from the employee and take any appropriate disciplinary action, up to and including termination.

Personal Usage
WCD/mobile phones assigned to Institute faculty or staff members are primarily for official business use. While incidental personal use may occur, this use should not result in additional charges to the Institute. If a personal emergency arises that requires the extended or extensive use of the WCD/mobile phone to make personal calls, the faculty or staff member is to notify their unit head or supervisor and reimburse the Institute for charges incurred in the use of the device. Reimbursement to Georgia Tech for any WCD/mobile call for personal use should be deposited with the Bursar's Office by the department, along with a copy of the annotated bill noting the personal call and cost.

Ordering and Payment Administration
The following ordering and payment processing options shall be used for all WCDs/mobile phones issued for positions meeting the requisite criteria. The Procurement and Business Services will procure WCD/mobile phone services via negotiated agreements available to Georgia Tech employees. In special circumstances, Purchasing may utilize other agreements obtained from any carrier who best meets the needs of the Institute.

  • Institute-Owned WCD/mobile phones and Service
    For positions meeting the requisite criteria, departments should acquire WCD/mobile phone services via departmental PCard or Supplier Invoice Request (SIR), after completing any necessary forms provided by the service vendor representative to establish legitimate Georgia Tech service account(s). Only designated Georgia Tech Procurement officials may enter into contracts on behalf of Georgia Tech, and any actual contracts should be forwarded to Procurement for review and signature; any contracts signed by an unauthorized employee are in effect, personal obligations of the employee. When using the PCard or SIR for payment, the default expense code must be changed to 773500 utilizing the Georgia Tech PCard reallocation tool or cost transfer application. The Request for Wireless Communication Devices/Mobile phone Service form should be completed by the employee and approved by the Dean, Vice President, School Chair, Department Head or their designee and filed in the department.
  • Privately-Owned WCD/mobile phones and Service
    Heads of budgetary units may authorize employees to receive reimbursement for business-related calls made from privately-owned WCD/mobile phones. Such reimbursements shall be for the cost of business-related calls only and shall not include any portion of the cost of WCD/mobile phone equipment, installation or basic monthly service fees unless the WCD is used solely for official business. A completed Check Request Form (CRF) should be submitted to Accounts Payable including a copy of WCD/mobile phone bill with the business related calls and charges highlighted. For calls over $10.00, the person or organization called and business purpose is to be noted.

Additionally, it may make economic and business sense to pay a differential price to boost an employee's current airtime package on their personal phone by an amount sufficient to cover the addition of business calls. If the unit head determines that this approach is in the best interest of the Institute, they should document the rationale for this decision, keep on file, and review annually to ensure that this is still appropriate. The employee shall keep a copy of all monthly usage bills for the current review period, to assist with the annual review and service renewal process.

Right to Monitor Communications and Right to Privacy
Georgia Tech reserves the right to investigate, retrieve and read any communication or data composed, transmitted or received through voice services, online connections and/or stored on its servers and/or property, without further notice to employees, to the maximum extent permissible by law. Express notice to employees stating that there is no right to privacy for any use of Institute telecommunications equipment and services should be included in the assignment form granting access to Institute WCDs/mobile phones and/or services.

Policy Terms

Soft Client

Software or app that can be operated on a computer, smartphone, or tablet to make and receive telephone calls and/or messaging.

Responsibilities
The individual units or departments are responsible for:
  • Specifying authorized and unauthorized uses of wireless or mobile devices.
  • Maintaining the approval justification for each WCD/mobile phone device and service issued or approved.
  • Documenting procedures for processing reimbursement for business use of personal WCD/mobile phones.
  • Maintaining an inventory of wireless devices in shared pools and individually-assigned, by type.
The individual assigned a WCD (primary user) is responsible for:
  • Ensuring the WCD is used for business functions.

  • Using reasonable care to prevent damage to the WCD.

  • Reporting personal usage that results in additional charges to the Institute.

  • Reimbursement for charges in the case of usage during a personal emergency.

  • Export review before leaving the United States with a WCD.