Institute IT Resources must be used in accordance with applicable licenses and contracts, and according to their intended use in support of the Institute’s mission. 

All users must comply with federal, state, and local laws, as well as Georgia Tech policies, when using Georgia Tech IT Resources.

The following sections define the acceptable uses of Georgia Tech IT Resources.  Any conflict between these policies and the legitimate business of the institute can be resolved through the policy exception request process as defined with the Policy Exception Policy.

Acceptable Use
Employees and student employees -
With the exception of incidental personal use, as defined below, Georgia Tech IT Resources must be used only to conduct the legitimate business of the Institute (e.g., scholarly activity, academic instruction, research, learning, business operations).

Incidental personal use of Georgia Tech IT Resources by Georgia Tech employees is permitted if the personal use does not interfere with the execution of job duties, does not incur cost on behalf of the Institute, and is not unacceptable as defined in the Unacceptable Use section below.

Students -
Georgia Tech students may use the ResNet, EastNet, and LAWN networks for recreational and personal purposes to the extent that such use is not unacceptable as defined in the Unacceptable Use section below, and does not adversely affect network service performance for other users engaged in academic, research, or official business activities.

Unacceptable Use
Georgia Tech employees, including students acting as employees, are prohibited from the following actions when using Georgia Tech IT Resources:

• Unauthorized use of IT Resources for commercial purposes or personal gain
• Transmitting commercial or personal advertisements, solicitations, or promotions

All users are prohibited from using Georgia Tech IT resources in a manner which results in a violation of law or policy or potentially adversely affects network service performance.  Examples of Unacceptable Use include, but are not limited to, the following:

• Activity that violates federal, state, or local law
• Activity that violates any Institute or Board of Regents policy
• Activities that lead to the destruction or damage of equipment, software, or data belonging to others or the Institute
• Circumventing information security controls of Institute IT Resources
• Releasing malware
• Intentionally installing malicious software
• Impeding or disrupting the legitimate computing activities of others
• Unauthorized use of accounts, access codes, passwords, or identification numbers
• Unauthorized use of systems and networks
• Unauthorized monitoring of communications

This list is not complete or exhaustive.  It provides examples of prohibited actions.  Any user in doubt about the acceptable use of Georgia Tech IT Resources should contact Cyber Security for further clarification and assistance.

This approval process applies to all activities involving the use of CUI: All environments (see definitions section) involved with CUI must comply fully with the NIST 800-171 standards (either directly or through compensating controls) and follow the guidance provided by the Georgia Tech System Security Plan (GT SSP). Any deviations from the GT SSP must be approved by the Chief Information Security Officer (CISO). The CISO will route such request to either the Executive Vice President of Research (for research-related activities) or the Executive Vice President for Administration and Finance (for administrative activities), as appropriate, for additional approval. All environments that are involved with CUI must undergo an annual NIST 800-171 compliance assessment by Cyber Security before interacting with CUI. These assessments will result in an attestation report signed by the CISO, or designee. The assessment results will be reported to the Georgia Tech Research Corporation and the Executive Vice President of Research (for research-related activities) or the Executive Vice President for Administration and Finance (for administrative activities). Any items of non-compliance found during the assessment must be remediated before any interaction with CUI is allowed. All environments that are involved with CUI must also operate in a manner which allows incident reporting of cyber incidents involving CUI within 72 hours. This policy provides requirements and guidance for all use of CUI for the Georgia Institute of Technology. These are the minimum requirements for securing CUI - all Institute and other applicable requirements still apply as well.

This approval process applies to all merchant credit card processing activities at Georgia Tech:

The Associate Vice President of Financial Services (or delegate) must approve all credit card processing activities at Georgia Tech prior to entering into any such contracts or purchasing equipment. 

This requirement applies regardless of the transaction method used (e.g. online processing at Georgia Tech, outsourced to a third party, swipe terminals).

All technology implementation associated with the credit card processing must be approved by the Vice President of Information Technology (or delegate) prior to entering into any contracts or purchasing equipment. 

Storage of cardholder data on Georgia Tech systems is not allowed.”
All environments that process or transmit cardholder data are contractually obligated to and must comply fully with the Payment Card Industry Data Security Standards (PCI DSS).  All units that process or transmit cardholder data must undergo an initial and annual PCI DSS compliance assessment by Georgia Tech Cyber Security.  Any items of non-compliance found during the assessment must be remediated before processing of credit cards is allowed to resume.

The use of non-traditional credit card-type merchant services (such as Square, PayPal, etc.) and supporting technology for Georgia Tech business are not allowed without prior approval by the Associate Vice President of Financial Services and the Vice President of Information Technology (or their delegates).

Violations of this policy should be reported through the Ethics Point process.

Georgia Tech IT Resource users (IT Resource users include both students and employees) are responsible for protecting the security of all data and IT Resources to which they have access.  This includes implementing appropriate security measures on personally owned devices which access Georgia Tech IT Resources. All users must follow the Security Procedures and Standards published by Georgia Tech Cyber Security including the Georgia Tech Protected Data Practices.  In addition, users must keep their accounts and passwords secure in compliance with the Institute Password Policy.

Georgia Tech employees may grant IT Resource guest access to third parties (e.g., visiting scholars).  Any Georgia Tech employee who grants guest access to IT Resources is responsible for the actions of their guest users.

Research
Georgia Tech recognizes the value of research in the areas of computer and network security. During the course of their endeavors, researchers may have a need to work with malicious software and with systems that do not adhere to the security standards as prescribed by the Chief Information Security Officer. Researchers are responsible for their actions and must take all necessary precautions to ensure that their research will not affect other Georgia Tech IT Resources or users.  In addition, researchers are responsible for making all appropriate notifications to those that may be affected by their research (see Responsible Disclosure Policy).

Network Management
The Office of Information Technology (OIT) is responsible for planning, implementing, and managing the Georgia Tech network, including wireless connections.

The following network appliances cannot be implemented at Georgia Tech without prior written approval by OIT or a Unit’s IT lead:

• Routers
• Switches
• Hubs
• Wireless access points
• Voice over IP (VOIP) infrastructure devices
• Intrusion detection systems (IDS)
• Intrusion prevention systems (IPS)
• Virtual Private Networking (VPN)
• Consumer grade network technologies
• Other networking appliances that may not be included in this list

Units or individuals who install any of the technologies listed above are responsible for capturing network traffic logs and storing them for a minimum of 365 days or an appropriate amount as negotiated with the OIT network team.  Network traffic logs should include the following information:

• Source MAC address
• Source and destination IP address
• Physical interface (where applicable)
• Date and time
• User account where available (e.g. VPN logs)

System Administration
Every Institute owned IT Resource (including virtual resources such as virtual machines and cloud based services) must have a designated system administrator.  The Institute expectation is that every Institute owned IT Resource will be professionally managed by the unit technical support team unless prevailing regulations dictate otherwise. 

The system administrator is responsible for proper maintenance of the machine, even if the system administrator is not a member of the unit technical support team.  This responsibility must be acknowledged and documented.  In addition, the machine must be accessible to the unit technical support team for incident management purposes unless legal restrictions will not allow such access. 

Negligent management of an Institute owned IT Resource resulting in unauthorized user access or a data breach may result in the loss of system administration privileges.

System administration responsibilities for all Institute owned IT Resources, including those that are self-administered include the following found here: System Administration Responsibilities.

2.1 Data Governance
The Georgia Tech data governance structure must include roles and committees to direct the proper use and handling of Organizational Data and Information Systems. The roles and committees as noted below in “Section 5 Responsibilities” must oversee the Data Governance, Data Management, Security, and Compliance of Georgia Tech Organizational Data and Information Systems as outlined in this policy and the corresponding guidelines, procedures, and resources. The GT technology governance structure must provide technical guidance to and support the work of the committees in the data governance structure. Learn more about the Data Governance structure.

2.2 Data Management
All Georgia Tech Organizational Data and Information Systems must be associated with appropriate Data Domains and Data Sub-Domains along with additional applicable categorizations to further assist with proper data management. Learn more about Data Domains. Learn more about Data Management Categorizations.

All Information Systems must be inventoried and have the ability to access and report documentation of the respective system’s Supporting Database schema and Data Elements. Learn more about Information Systems Inventory.

Additionally, all Mission-Critical Systems must have Data Element definitions for key elements, data quality controls and supporting documentation, and a method for communicating details about system and data availability and methods for individuals to report lack of availability. Learn more about Data Element Dictionary.

All Organizational Data must comply with USG and Georgia Tech retention and disposition requirements. Learn more about Records Management.

2.3 Data Security
Georgia Tech cybersecurity representatives, as appointed by the Chief Information Security Officer (“CISO”), must create policies, guidelines, procedures, and resources that facilitate a secure environment for the storage, use, and dissemination of Organizational Data to protect the confidentiality, integrity, and availability of information.

All Organizational Data must have a data protection categorization and a designated regulatory categorization (see “Section 2.4 Compliance”). All Protected Data must be protected in accordance with the appropriate Cyber Security Data Protection Safeguards and Protected Data Practices. These protections are recommended for all Public Data. Regulated Data is also subject to the controls specified in the applicable federal, state, local, and international laws and regulations as well as specifications contained in Georgia Tech grants, contracts, and other agreements entered into by, or for the benefit of, Georgia Tech. Such Regulated Data controls are required in addition to the controls specified in the Cyber Security Data Protection Safeguards and Protected Data Practices. When multiple controls exist, the strictest control will take precedent. Learn more about Data Protection Categorizations. Learn more about Cyber Security’s Data Protection Safeguards. Learn more about Cyber Security’s Protected Data Practices.

Access to an Information System via any interface (except user self-service) must be coordinated and reviewed through the Data User, associated Data Stewards for each applicable Data Domain, and the Data Administrator. Access to an Information System may require additional approvals (e.g., a Data User's supervisor) or may grant access through pre-approved role-based permissions. Access must be granted based on the Principle of Least Privilege, used only for the purpose for which it was originally intended, and used only by the individual Data Users who received approval. Additional training may be required by a Data Steward and/or a System Owner before access is granted. Human Resources must notify Data Stewards and Data Administrators when an employee is terminated or when an employee’s status has changed which requires a change to such employee’s access to Organizational Data and Information Systems. Access must be reviewed and verified on a regular basis to occur at a frequency determined by the Data Governance Committee. Learn more about Access Procedures.

All Georgia Tech units must ensure organizational structure, job duties, and business processes include an adequate system of separation of duties to reduce the risk of loss of confidentiality, integrity, and availability of Organizational Data. Learn more about Separation of Duties.

2.4 Compliance
Organizational Data must be closely managed to verify compliance with applicable federal, state, local, and international laws and regulations as well as specifications contained in Georgia Tech grants, contracts, and other agreements entered into by, or for the benefit of, Georgia Tech. All Organizational Data and Information Systems must have a designated regulatory categorization in order to identify applicable external regulatory requirements. Learn more about Data Regulation Categorizations. Learn more about Regulatory Compliance.

Training is required when a Data User enters any data governance and management role set forth in “Section 5.1 Roles.” Documentation of training participation and successful completion is required. Training must be completed on a regular basis, so employees are made aware of any updates to Policy, guidelines, procedures, or responsibilities of their role. Training frequency shall be determined by the Data Governance Committee. Learn more about Training.

The Data Governance Committee will appoint a Data Governance Officer to actively monitor compliance with this policy, guidelines, procedures, and resources. The roles and committees outlined in “Section 5 Responsibilities” must maintain appropriate documentation and general evidence that Georgia Tech is in compliance. Learn more about Monitoring. Learn more about Auditing.

Georgia Tech provides information technology resources to faculty members, staff and students for the purpose of furthering Georgia Tech’s mission and conducting Georgia Tech business. While personal use of such systems is permitted, as per the Georgia Tech Acceptable Use policy, personal communications and files transmitted over or stored on Georgia Tech systems are subject to the same regulations as business communications.

Georgia Tech is committed to respecting the privacy expectations of its employees and students; however, consistent with this policy, electronic information that is transmitted over or stored in Georgia Tech systems and networks is subject to being audited, inspected and disclosed to fulfill administrative or legal obligations which may include, but are not limited to, the following:

• is necessary to comply with legal requirements or process (e.g., Georgia Open Records Act or subpoena);
• may yield information necessary for the investigation of a suspected violation of law or regulations, or of a suspected infraction of Georgia Tech or Board of Regents policy;
• is needed to maintain the security of Georgia Tech computing systems and networks;
• is needed for system administrators to diagnose and correct problems with system software or hardware;
• may yield information needed to deal with an emergency;
• is needed for the ordinary business of the Institute to proceed, (e.g., access to data associated with an employee who has been terminated/separated or is pending termination/separation, is deceased, is on extended sick leave, or is otherwise unavailable);
• is necessary to comply with a written request from the Vice President for Student Life on behalf of the parents, guardian, or personal representative of the estate of a deceased student; or
• is for research authorized by Georgia Tech under a data use agreement that precludes the disclosure of personally identifiable information.

Email-for-Life service is intended for the private use of authorized, Institute-affiliated individuals.

Appropriate Use 

EMFL users are encouraged to use these services in a manner consistent with all applicable laws and policies. Users are prohibited from using the service for commercial use, such as selling products. Any use, which disparages the image and reputation of Georgia Tech, is prohibited and will result in termination of user privileges.

Eligibility

The following groups are eligible for EMFL services: 

Alumni – for purposes of this policy, an alumnus/a is defined as any student who successfully completed at least one Georgia Tech credit course, and who leaves Georgia Tech in good academic and disciplinary standing..

Retirees – faculty and staff who retire from Georgia Tech.

Ex Faculty / Staff Member – faculty and staff who leave Georgia Tech prior to retirement are eligible for EMFL privileges.

Affiliates – individuals not categorized above whom the affiliated Unit Head has approved for business reasons.

Non-Eligibility for Georgia Tech Employees

EMFL is a privilege offered to employees. As such, Georgia Tech reserves the right to deny or terminate EMFL to any employee in its sole discretion. This includes, but is not limited to, employees that are terminated with cause.

Review Process

Should an employee feel that they were denied EMFL wrongly, they may appeal the decision in writing to the Associate Vice President of the Office of Human Resources or his/her designee, who is the final authority in determining EMFL eligibility for former Georgia Tech employees.

Privacy

EMFL Users understand that they may periodically receive email communications from Georgia Tech and/or affiliated organizations. Georgia Tech will take reasonable steps to protect the privacy of EMFL users, including but not limited to, not making forwarding addresses available to any non-affiliated organization.

SPAM and Virus Filtering

To protect Institute computing assets, Georgia Tech may drop messages deemed to contain viruses, SPAM, or other messages that may cause damage to Institute systems. While every effort is made to protect all e-mail users from damaging messages, Georgia Tech is not responsible for damage caused by malicious content contained in messages forwarded through the EMFL program.

Administration & Termination of Service

EMFL users are expected to set up and manage their own email alias, their forwarding email address, and any necessary administrative procedures to manage their user profiles. In an effort to streamline the service, Georgia Tech will send annual renewal messages to all EMFL users. Users who do not respond to the second renewal requests will have their email alias and forwarding service inactivated. Georgia Tech reserves the right to cancel or modify the EMFL service with notice, should the need arise including, but not limited to changes in technology, service availability, or campus resource issues.

GLBA mandates that the Institute appoint an Information Security Program Coordinator, conduct a risk assessment of likely security and privacy risks, institute a training program for all employees who have access to covered data and information, oversee service providers and contracts, and evaluate and adjust the Information Security Program periodically.

Information Security Program Coordinator(s)

The Associate Vice President of Financial Services and the Associate Vice President / Associate Vice Provost for Information Technology (CIO) have been appointed as the coordinators of this Program at Georgia Tech. They are responsible for assessing the risks associated with unauthorized transfers of covered data and information, and implementing procedures to minimize those risks to the Institute. Internal Audit personnel will also conduct reviews of areas that have access to covered data and information to assess the internal control structure put in place by the administration and to verify that all departments comply with the requirements of the security polices and practices delineated in this program.

Identification and Assessment of Risks to Customer Information

Georgia Tech recognizes that it is exposed to both internal and external risks, including but not limited to:

• Unauthorized access of covered data and information by someone other than the owner of the covered data and information
• Compromised system security as a result of system access by an unauthorized person
• Interception of data during transmission
• Loss of data integrity
• Physical loss of data in a disaster
• Errors introduced into the system
• Corruption of data or systems
• Unauthorized access of covered data and information by employees
• Unauthorized requests for covered data and information
• Unauthorized access through hardcopy files or reports
• Unauthorized transfer of covered data and information through third parties

Recognizing that this may not represent a complete list of the risks associated with the protection of covered data and information, and that new risks are created regularly, Georgia Tech Cyber Security will actively participate and monitor appropriate cybersecurity advisory groups for identification of risks.

Current safeguards implemented, monitored and maintained by Georgia Tech Cyber Security are reasonable, and in light of current risk assessments are sufficient to provide security and confidentiality to covered data and information maintained by the Institute. Additionally, these safeguards reasonably protect against currently anticipated threats or hazards to the integrity of such information.

Employee Management and Training

References and/or background checks (as appropriate, depending on position) of new employees working in areas that regularly work with covered data and information (e.g. Cashier’s Office, Financial Aid) are checked/performed. During employee orientation, each new employee in these departments receives proper training on the importance of confidentiality of student records, student financial information, and all other covered data and information. Each new employee is also trained in the proper use of computer information and passwords. Training includes controls and procedures to prevent employees from providing confidential information to an unauthorized individual, as well as how to properly dispose of documents that contain covered data and information. These training efforts should help minimize risk and safeguard covered data and information.

Physical Security

Georgia Tech has addressed the physical security of covered data and information by limiting access to only those employees who have a legitimate business reason to handle such information. For example, financial aid applications, income and credit histories, accounts, balances and transactional information are available only to Georgia Tech employees with an appropriate business need for such information. Furthermore, each department responsible for maintaining covered data and information is instructed to take steps to protect the information from destruction, loss or damage due to environmental hazards, such as fire and water damage or technical failures.

Information Systems

Access to covered data and information via Georgia Tech’s computer information system is limited to those employees and faculty who have a legitimate business reason to access such information. The Institute has policies and procedures in place to complement the physical and technical (IT) safeguards in order to provide security to Georgia Tech’s information systems. These policies and procedures, listed in Section 3 below, are available upon request from the Chief Information Security Officer.

Social security numbers are considered protected information under both GLBA and the Family Educational Rights and Privacy Act (FERPA). As such, Georgia Tech has discontinued the use of social security numbers as student identifiers in favor of the gtID# as a matter of policy. By necessity, student social security numbers will remain in the student information system; however, access to social security numbers is granted only in cases where there is an approved, documented business need.

Management of System Failures

Georgia Tech Cyber Security has developed written plans and procedures to detect any actual or attempted attacks on Georgia Tech systems and has an Incident Response Plan which outlines procedures for responding to an actual or attempted unauthorized access to covered data and information. This document is available upon request from the Chief Information Security Officer.

Oversight of Service Providers

GLBA requires the Institute to take reasonable steps to select and retain service providers who maintain appropriate safeguards for covered data and information. This Information Security Program will ensure that such steps are taken by contractually requiring service providers to implement and maintain such safeguards. The Security Program Coordinator(s) will identify service providers who have or will have access to covered data, and will work with the Office of Legal Affairs and other offices as appropriate, to ensure that service provider contracts contain appropriate terms to protect the security of covered data.

Continuing Evaluation and Adjustment

This Information Security Program will be subject to periodic review and adjustment, at least annually. Continued administration of the development, implementation and maintenance of the program will be the responsibility of the designated Information Security Program Coordinator(s), who will assign specific responsibility for technical (IT), logical, physical, and administrative safeguards implementation and administration as appropriate. The Information Security Program Coordinator(s), in consultation with the Office of Legal Affairs, will review the standards set forth in this program and recommend updates and revisions as necessary; it may be necessary to adjust the program to reflect changes in technology, the sensitivity of student/customer data, and/or internal or external threats to information security.

Requirements of the Red Flags Rule
Under the Red Flags Rule, the Institute is required to establish an Identity Theft Prevention Program. The program must contain reasonable policies and procedures to:

1. Identify relevant Red Flags for new and existing covered accounts. and incorporate those Red Flags into the Program;
2. Detect Red Flags that have been incorporated into the Program;
3. Respond appropriately to any Red Flags that are detected in order to help prevent and mitigate Identity Theft; and
4. Ensure the Program is updated periodically to reflect changes in risks to students or to the safety and soundness of the Institute from Identity Theft.

Oversight
Responsibility for developing, implementing, and updating this Program lies with an Identity Theft Committee (Committee) for the Institute. The Committee is headed by the Chief Information Security Officer who is the Program Administrator. The Institute's Chief Information Officer, the Vice President for Legal Affairs and Risk Management, and such other individuals as may be appointed by the President of the Institute comprise the remainder of the committee membership. The Program Administrator is responsible for ensuring appropriate training of Institute staff on the Program, for reviewing any staff reports regarding the detection of Red Flags and the steps for preventing and mitigating Identity Theft, determining which steps of prevention and mitigation should be taken in particular circumstances, and considering periodic changes to the Program.

Staff Training and Reports
Institute staff responsible for implementing the Program shall be trained either by or under the direction of the Program Administrator in the detection of Red Flags and the steps to be taken when a Red Flag is detected. Institute employees are expected to notify the Program Administrator once they become aware of an incident of Identity Theft or of the Institute's failure to comply with this Program.

At least annually, or sooner if requested by the Program Administrator, Institute staff responsible for development, implementation, and administration of the Program shall report to the Program Administrator on compliance with this Program. The report should address such issues as effectiveness of the policies and procedures in addressing the risk of identity theft in connection with the opening and maintenance of Covered Accounts, service provider arrangements, significant incidents involving identity theft and management's response, and recommendations for changes to the Program.

Service Provider Arrangements
In the event the Institute engages a service provider to perform an activity in connection with one or more Covered Accounts, the Institute will take the following steps to ensure the service provider performs its activity in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of Identity Theft:

1. Require, by contract, that service providers have such policies and procedures in place; and
2. Require, by contract, that service providers review the Institute's Program and report any Red Flags to the Program Administrator or the Institute employee with primary oversight of the service provider relationship.

Non-disclosure of Specific Practices
For the effectiveness of the Identity Theft Prevention Program, knowledge about specific Red Flag identification, detection, mitigation, and prevention practices may need to be limited to the Committee who developed this Program and to those employees with a need to know them. Any documents that may have been produced or are produced in order to develop or implement this program that list or describe such specific practices and the information those documents contain are considered confidential and should not be shared with other Institute employees or the public. The Program Administrator shall inform the Committee and those employees with a need to know the information of those documents or specific practices which should be maintained in a confidential manner.

Program Updates
The Committee will periodically review and update the Program to reflect changes in risks to students and the soundness of the Institute from Identity Theft. In doing so, the Committee will consider the Institute's experiences with Identity Theft situations, changes in Identity Theft methods, changes in Identity Theft detection and prevention methods, and changes in the Institute's business arrangements with other entities. After considering these factors, the Program Administrator will determine whether changes to the Program, including the listing of Red Flags, are warranted. If warranted, the Committee will update the Program.

The Institute commits to ensuring equal access to all Institute programs, services and activities provided through Information Technology, whether provided directly by the Institute or by a vendor. As provided in Part VII, below, all Institute offices using vendor-provided Information Technology shall ensure that such IT complies with the Accessibility Standards contained in this policy. Unless an exemption applies, all schools, colleges, departments, offices and entities of the Institute shall adhere to the Institute’s Accessibility Standards, as defined below.

This policy concerns the Institute’s ownership, control, and use of all Institution Online Resources, specifically addressing the following matters: (i) exclusive ownership and control of all Institution Online Resources; (ii) exclusive authority over all Institution Online Resources owned or controlled by the Institute and the exclusive authority to acquire additional online resources in its name in the future; (iii) approval of content published on an Institution Online Resource; and (iv) removal of content improperly published to an Institution Online Resource.

Single factor authentication (i.e. password authentication) or multifactor authentication (i.e. password and token) must be used to authenticate to any system or application which requires unique logon as defined by the Data Access Policy and Data Protection Safeguards Standard. The standards for single factor password authentication and multifactor authentication are defined in the standards section below.

Georgia Tech account users must take all reasonable measures to protect their passwords and accounts. Georgia Tech users must never share their account passwords with anyone, including third party service providers (e.g. Google). Each user is accountable and responsible for any action taken with that user's account and password. If there is a business need to share access to an account, such sharing should be accomplished through system permission delegation.

Exceptions to the requirements of this policy may be requested per the Policy Exceptions policy.

Standards:
General Standards

• Georgia Tech user account passwords must never be transmitted over the network in a clear text format
• Passwords must be protected at all times, and measures must be taken to prevent disclosure to any unauthorized person or entity
• Passwords must be protected during distribution to the end user
• Temporary passwords must be changed within 24 hours of creation
• Default passwords for new servers, endpoints, and applications must be changed

Single Factor Password Configuration Standards
Single factor passwords must:

• Contain at least 11 characters
• Contain characters from at least three of the following four character classes:
  • Upper case alphabetic (e.g. A-Z)
  • Lower case alphabetic (e.g. a-z)
  • Numeric (e.g. 0-9)
  • Special characters (e.g. .,!@#$%~)
• Expire every 120 days (service accounts that are not used to login interactively do not expire)
• Be different from the last four passwords selected

Multifactor Password Configuration Standards
When logging into systems or applications that require multifactor authentication, the associated password must:

• Contain at least 8 characters
• Contain characters from at least three of the following four character classes:
  • Upper case alphabetic (e.g. A-Z)
  • Lower case alphabetic (e.g. a-z)
  • Numeric (e.g. 0-9)
  • Special characters (e.g. .,!@#$%~)
• Expire every 365 days
• Be different from the last four passwords selected

Mobile Device Pin/Password Configuration Standards
When using a mobile device, such as a smart phone or tablet, that requires authentication, the associated password/pin must:

• Contain at least 6 characters, or
• Leverage some other form of authentication such as
  • Biometrics (e.g. facial recognition or thumbprint)
  • Pattern code
  • Swipe code

Exception Process

• Any deviation from security policies and standards must be reviewed via the Information Security Exception Review process.
• The exception review process must involve qualified information security professionals.
• The exception review process must log all findings and results in a central repository that is accessible to all Georgia Tech staff involved in the assessment of the exception request.
• Approved exceptions must be periodically reviewed by OIT-IS, Internal Audit, and the Unit requesting the exception.
• Exemption requests involving potentially significant risk to the Unit may require approval of the Unit Head, CIO, EVP, or Provost.

Exception Criteria

• Exception requests must be evaluated in the context of potential risk to the Unit and Georgia Tech as a whole.
• Exception request evaluations must take into account what value the exception will bring to the Unit requesting the exception.
• Exception requests that create significant risks without compensating controls will not be approved.
• Exception requests must be consistently evaluated in accordance with Georgia Tech’s risk acceptance practice.

Any individual that is attempting to identify a security vulnerability within a Georgia Tech system or network must first obtain permission from the appropriate system owner prior to engaging in any testing or investigation. The reason system owners must be made aware in advance is to give the system owner an opportunity to prepare for any negative consequences of the security testing or investigation. The system owner may choose not to grant permission or may revoke permission at any time if such use interferes with owners use. The Georgia Tech CyberSecurity team is granted the right to perform vulnerability testing and investigation on Institute systems, networks, and users without obtaining explicit permission. Any system owner is granted the right perform vulnerability testing and investigation on their own systems without any outside permission. Once a security vulnerability has been identified within a Georgia Tech system or network, either through an approved investigation or incidentally, the person identifying the security vulnerability must disclose the security vulnerability to the Georgia Tech Cyber Security team as soon as possible, but no later than 48 hours from the time the investigator is aware of the vulnerability. System owners are not required to disclose vulnerabilities identified in their own systems to Georgia Tech Cyber Security. The identified security vulnerability may not be publicly disclosed before 180 days have elapsed from the time that the vulnerability was reported to Georgia Tech Cyber Security or until permission is received from Georgia Tech Cyber Security.