OIT-IS is responsible for educating the campus community about information security issues, assessing current policies and developing new ones, helping to strengthen the technical measures that protect campus resources, and developing mechanisms for reacting to incidents and events that endanger the Institute's information assets.
Vulnerability Assessment Program
OIT Information Security (OIT-IS) will conduct a semi-annual comprehensive vulnerability assessment of the Georgia Tech network to proactively identify vulnerabilities affecting the Institute's information assets and provide remediation recommendations for them. This systematic examination of the Georgia Tech network will help determine the adequacy of existing security measures, identify security deficiencies, provide data from which to predict the effectiveness of proposed information security measures, and confirm the adequacy of such measures after implementation.
Credit Card Compliance Program
Visa USA has mandated the Cardholder Information Security Program (CISP) for organizations accepting or storing credit card information on-line. MasterCard, Discover, and American Express are developing similar programs. Compliance is required in order to accept these credit cards, and violations may result in fines or loss of the business relationship. Compliance includes policy requirements, hardware requirements, software security requirements, and physical security requirements.
Education, Awareness and Training Program
The Information Security Education and Awareness Program will be developed as a complement to the technology initiatives designed to protect the Institute. The Program will benefit the Institute by developing and delivering education and awareness activities that minimize security incidents at the Institute.
Sensitive Information Protection Program
The Georgia Institute of Technology currently has a data access policy and an order from the President of the Institute requiring all units to report all systems containing sensitive information to the Office of Information Technology Information Security Directorate (OIT-IS). The goal is to track all locations (virtual and real) where sensitive information is stored, to track all locations (virtual and real) where sensitive information is transmitted or received, to help ensure the security of that information at all times, and to track who in each unit is responsible for data security and access.
Unit-level Information Security Policy Program
The Georgia Institute of Technology enacted a new Institute-level information security policy (the Computer and Network Usage Policy) in 2001. Because the policy had to address an extraordinarily broad audience, it was necessarily very general, so individual units were encouraged to implement unit-level policies that better address the security requirements and concerns of their own environments. In the fall of 2002, the Provost and Senior Vice President for the Institute stated that these unit-level policies were a requirement for all academic and business units.
Unit-level Perimeter Protection Program
Most academic and business units within the Georgia Institute of Technology rely exclusively on host-based security to protect computers from compromise. If a computer is not appropriately administered within the Georgia Tech environment, it will be compromised. The Unit-level Perimeter Protection Program is designed specifically to address this issue by introducing security measures at academic unit and business unit perimeters. This provides an additional layer of protection, in keeping with information security industry best practices.
Information Security Risk Self-Assessment Program
Section 6 of the Computer and Network Usage Policy requires every unit on the Georgia Tech campus to conduct an annual self-assessment. This self-assessment covers the general areas addressed in information systems audits by Internal Audit and should help units identify and remedy problems themselves before Internal Audit reviews them.
Intrusion Detection/Prevention Program
The Intrusion Detection Program will allow the Institute to detect intrusions and take appropriate action to prevent compromise of the Institute's information assets. This program will allow the Institute to be proactive in its information security stance and will allow OIT Information Security (OIT-IS) to quickly determine security trends and communicate risks to campus units and senior management.
Incident Response Program
A security incident is an adverse event in an information system and/or network, or the threat that such an event will occur. An Incident Response Program will help mitigate those disasters. The Program is an on-going process that must be kept current and must reflect organizational and infrastructure changes and newly discovered vulnerabilities as they occur.