SOP 105.26: Identification and Authentication

Division:
Executive Division (Office of Information Technology)
Effective Date:
February 11, 2022
Topic Area:
105 Policy-Information Technology
Length:
567 words

Summary

This policy establishes standards for identification and authentication security controls across all GDC information systems and users, based on federal standards including NIST 800-53 and CJIS requirements. It applies to all GDC employees, contractors, and system users, and requires the Information Security Officer to develop, maintain, and annually update identification and authentication policies and procedures. Violations may result in disciplinary action up to termination and potential criminal prosecution.

Key Topics

  • identification and authentication
  • IA controls
  • information security
  • NIST 800-53
  • CJIS security
  • user access controls
  • system security
  • information technology security
  • credentials
  • authentication procedures
  • access management

Full Text

|GEORGIA DEPARTMENT OF CORRECTIONS Standard Operating Procedures|||
|---|---|---|
|Policy Name: Identification and Authentication|||
|Policy Number: 105.26|Effective Date: 02/11/2022|Page Number: 1 of 3|
|Authority: Commissioner|Originating Division: Executive Division (Office of Information Technology)|Access Listing: Level I: All Access|

I. Introduction and Summary:

This SOP addresses the establishment of policy and procedures for the effective
implementation of selected security controls and control enhancements in the
Identification and Authentication (IA) family of controls as documented in the
National Institute of Standards and Technology (NIST) Special Publication (SP)
800-53, Revision 4, Security and Privacy Controls for Federal Information Systems
and Organizations.

This policy and related procedures reflect applicable federal laws, Executive Orders,
directives, regulations, policies, standards, and guidance. The Department of
Corrections risk management strategy is a key factor in establishing policy and
procedures.

II. Authority:

A. Georgia Technology Authority: Enterprise Policies, Standards, and Guidelines
PS-08005 Enterprise Information Security Charter;

B. Criminal Justice Information Services (CJIS) Security Policy, Version 5.5,
CJISD-ITS-DOC-08140-5.5, 06/01/2016;

C. NIST 800-53 Rev. 4, Recommended Security Controls for Federal Information
Systems and Organizations, February 2013, January 2012; and

D. HIPAA Administrative Simplification Regulation, Security and Privacy, CFR 45
Part 164, March 2013.

III. Definitions: None.

IV. Statement of Policy and Applicable Procedures:

Note: Procedures specific to information technology may be confidential and are
securely stored elsewhere, available only to authorized individuals.

A. Scope:

This policy and related procedures apply to all GDC employees, contractors, and
all other users of GDC information and information systems that support GDC
operations and assets.

This policy and related procedures are applicable to all GDC information and
information systems used, managed, or operated on behalf of GDC by a contractor
or another organization.

B. Violations:

A violation of any policy, standard or procedure contained herein may be subject
to disciplinary action, up to and including termination of employment. Violators
of local, state, Federal, and/or international law may be reported to the appropriate
law enforcement agency for civil and/or criminal prosecution.

Other Department of Corrections divisions may adopt security requirements in
accordance with this policy at a minimum or, if necessary, a more stringent
division specific policy in compliance with division and business-related
directives, laws, and regulations.

C. IA-1 Identification and Authentication Policy and Procedures:

The Information Security Officer (ISO), under direction of the Chief Information
Officer (CIO) and in coordination with the Office of Information Technology
(OIT), shall:

1. Develop, document, and disseminate:

a. An identification and authentication policy that addresses purpose, scope,
roles, responsibilities, management commitment, coordination among
organizational entities, and compliance; and

b. Procedures to facilitate the implementation of the identification and
authentication policy and associated identification and authentication
controls.

2. Review and update the current:

a. Identification and authentication policy annually; and

b. Identification and authentication procedures annually.

V. Attachments: None.

VI. Record Retention of Forms Relevant to this Policy: None.