Security Review Policy
Policy
Where appropriate, information security personnel will conduct risk assessments of technologies/processes that are being evaluated and/or used at Georgia State University. The purpose of these assessments is to quantify the impact and probability of potential threats and vulnerabilities. Furthermore, information security personnel may recommend which security controls, if any, are commensurate with the risks to which the university would be exposed.
Rationale
Managing the security risks associated with Georgia State University's ever-changing information technology infrastructure presents an enormous challenge. Although some risks can be assessed and managed locally, many cannot be easily understood or controlled. In these situations, information security personnel should perform security reviews to determine the threats, the likelihood of such events taking place, and the estimated impact if they were to occur, and to recommend controls.
Standards & Procedures
Standards
Threats. Things that can go wrong or that can 'attack' the system. Examples might include fire, system failure or hacking. Threats are present in every system.
Vulnerabilities. These make a system more prone to attack by a threat or make an attack more likely to have some success or impact. For example, a hacking vulnerability would be the lack of patches on a computer operating system.
Controls. These are the countermeasures for vulnerabilities. There are four types:
- Deterrent controls reduce the likelihood of a deliberate attack
- Preventative controls protect vulnerabilities and make an attack unsuccessful or reduce its impact
- Corrective controls reduce the effect of an attack
- Detective controls discover attacks and trigger preventative or corrective controls
Procedures
Revisions
Approval Date(s)
Reviewed by IS&T
Reviewed by Information Security Subcommittee
Reviewed by ISAT Senate Committee
Approved by: University Administrative Council
Approved on: November 2, 2005
Version number: 1.0.0
Effective Date: November 2, 2005
Summary of Changes/Additions/Deletions