Gov. Perdue Signs Executive Order Strengthening Georgia's Information Technology Security

Gov. Perdue today signed an executive order to protect state data by standardizing information security reporting.

"This executive order is a critical part of the larger plan I announced in December 2007 to transform the state's technology and shore up the underpinnings we found lacking," said Governor Sonny Perdue.  "As I stated then, technology is the foundation of a well-run, modern-day enterprise.  This action will go a long way toward addressing our security gaps and giving the state the secure IT infrastructure it requires to responsibly serve Georgia's citizens." 

The Executive Order calls for a single set of information security reporting standards for all agencies to follow.  Currently, state agencies use a variety of reporting standards, making it difficult to measure information security across state government or to track progress from year to year.
 
Governor Perdue has directed the Georgia Technology Authority (GTA) to work with the Georgia Department of Audits and Accounts and the Governor's Office of Planning and Budget to develop a reporting format and required content for agency information security reports.   Each agency will be responsible for reporting to GTA at the end of the fiscal year.   GTA will compile agency reports into a single Enterprise Information Security Report, available by October 31 of each year.

"Our security systems block more than 10,000 attempts every day to break into state information systems," said GTA Executive Director Patrick Moore.  "Governor Perdue's executive order is a critical part of our ongoing efforts to ensure greater information security and improve the ability of the state to manage its technology.  Our goal is a stable, secure and well-governed IT environment for state government that ensures Georgians receive the services they need and expect."

The text of the Governor's Executive Order is below:

Whereas:

The continuous and efficient operation of state government data systems is both vital and necessary to the mission of providing essential and non-essential governmental services in Georgia; and

Whereas:

The Georgia Technology Authority and the various state agencies have the responsibility for providing critically important, coordinated, robust and effective information technology security in order to protect the state's data, to protect the citizens and to ensure the efficient operation of state government; and

Whereas:

There are currently many different information security reporting standards and many different mechanisms for security reporting within Georgia state government, and there is a need for a single, coordinated mandatory statewide information security reporting standard for the improvement of information technology security; and

Whereas:

The National Institute of Standards and Technologies (NIST) has provided a model for information technology security in its implementation of the Federal Information Security Management Act (FISMA) of 2002; and

Whereas:

An effective mechanism to improve the oversight of state agency information security programs will:

• Provide state decision makers with information to oversee the security of the State's information assets,
• Provide a comprehensive framework to ensure the effectiveness of the State's information security controls,
• Allow for differing requirements of state agencies and their federal partners,
• Identify risks without exposing vulnerability information to inappropriate parties, and
• Control associated expenses.

Whereas:

The Georgia Technology Authority's Office of Information Security is developing technical security standards and services for use by all agencies that are consistent with the information security risk management model produced by NIST in support of FISMA.

Now, therefore, pursuant to the authority vested in me as Governor of the State of Georgia, it is hereby

Ordered:

That, in coordination with the Georgia Department of Audits and Accounts and the Governor's Office of Planning and Budget, the Executive Director of the Georgia Technology Authority shall develop a reporting format and the required content for agency information security reports, which shall be made available to the agencies by March 31st of each year.

It is further Ordered that:

The Executive Director of each agency shall report on the status of their agency information security program as of June 30th of each year using the format and content requirements as specified by the Executive Director of the Georgia Technology Authority, and that this report is to be delivered to the Georgia Technology Authority on or before July 31st of the same year.

It is further Ordered that:

The Georgia Technology Authority shall compile the agencies' information security status reports into a single Enterprise Information Security Report, which will be available by October 31st of each year.