Jan 08 2015

New and Revised IT Standards Take Effect in Georgia

Standards include requirements for securing mobile devices and restrictions on where cloud-based data can be stored.

Georgia isn’t leaving room for interpretation when it comes to standards and policies that govern mobile security, employee access to the state’s sensitive data, and data storage requirements for cloud providers.

Last month, the Georgia Technology Authority (GTA) detailed a host of new and revised IT standards to address these and other issues. Among the new standards, which took effect in mid-December, is a mobile device management guideline for securing government-issued and personal devices that access state data. It outlines recommendations for encrypting data stored on a device and capabilities to wipe state data and email from the device if it is lost or stolen.

The state also released a new policy governing data storage location and government information hosted in the cloud. All data, regardless of its security categorization, must be stored within the geographical United States if it is not under an agency’s direct control.

“In general, principles of good governance and caution require the state of Georgia to control its own destiny,” GTA explains. “Third-party hosted applications and cloud based services might utilize servers located anywhere in the world unless restricted by the state’s contract with the service provider.”

Georgia isn’t the only state with restrictions on where commercial providers store information. California’s Cloud First policy requires that facilities that store government data be located within the continental United States.

Managing Access to Government Data

Along with creating new standards, Georgia revised several policies, including one on authorizing access to sensitive government data. The changes establish responsibilities and limitations for privileged users, such as system administrators, to ensure they are accessing only what’s necessary to do their jobs.

Under the revised standards, the state will audit privileged users’ activities on systems categorized as moderate and high. State agencies are required to report any misuse of access privileges as a security incident.

As part of their annual security awareness training, state agencies are now required to include information about agency and enterprise security policies and standards and where the policies can be found.

Training is required for state employees as well as contractors who have unescorted access to state facilities and information resources. Agencies must ensure that contractors provide their employees with annual security training that covers the necessary material.

A complete summary of the new and revised standards can be found here.

Read more about other GTA initiatives on the agency’s blog. The blog was named one of StateTech's 2014 Must-Read State and Local IT Blogs.
