Executive order, 2015 June 25

THE STATE OF GEORGIA
EXECUTIVE ORDER

BY THE GOVERNOR:

WHEREAS: The continuous and efficient operation of state government data systems is both vital and necessary to the mission of providing governmental services in Georgia; and

WHEREAS:

The Georgia Technology Authority and the various state agencies have the responsibility for providing critically important, coordinated, robust and effective information technology security in order to protect the state's data, to protect the citizens and to ensure the efficient operation of state government; and

WHEREAS:

Information technology security risks continue to evolve and. grow, with currently over a million cybersecurity events on state government systems each day, which present a danger of disruption, costly financial damage and even bodily harm if not adequately managed; and

WHEREAS:

Effective information technology security risk management requires interagency coordination, reporting, training, sharing of data and information about systems, and a consolidated view of the state's risks, readiness, constraints, priorities, and responsiveness to risk remediation; and

WHEREAS:

It is in the best interest of the state to encourage coordination through the engagement of the highest level of management at those state agencies which are most directly involved in information technology risk reduction, and to provide for a coordinated and structured review to ensure that state government's cybersecurity risks are being managed appropriately.

NOW, THEREFORE, PURSUANT TO THE AUTHORITY VESTED IN ME AS GOVERNOR OF THE STATE OF GEORGIA, IT IS HEREBY

ORDERED: That, there is created a State Government Systems Cybersecurity Review Board (herein referred to as the Cybersecurity Board) to focus internally on the protection and privacy of state data.

IT IS FURTHER

ORDERED:

The State CIO is the Cybersecurity Board's permanent chair and will provide administrative support. Three other agency heads are appointed by the Governor: the Director of the Georgia Emergency Management Agency/Homeland Security, the Adjutant General of Georgia, and the Commissioner of the Department of Administrative Services or designee responsible for risk management.

IT IS FURTHER
ORDERED: That the Cybersecurity Board will establish its own charter and rules of operations. It shall meet quarterly or more frequently if it decides that is necessary.

IT IS FURTHER

ORDERED:

That the Cybersecurity Board will review the cybersecurity preparedness of the executive branch state agencies and the resulting risks to the state's citizens and government including critical state operations. The Cybersecurity Board shall conduct periodic reviews of agency security programs, plans, actions and results. It will develop recommendations to state agencies for the proper management of cybersecurity risks. The Cybersecurity Board shall provide an annual briefing to the Governor.

IT IS FURTHER

ORDERED: That the Cybersecurity Board will identify common security measures for all state agencies to implement while leveraging the state's purchasing power.

IT IS FURTHER

ORDERED: That, in the execution of its duties, the Cybersecurity Board will take the necessary steps to protect sensitive security plans of state agencies In accordance with existing federal and state laws and regulations.

IT IS FURTHER

ORDERED: That the Cybersecurity Board will provide a report as to its findings within six months to the Governor.

IT IS FURTHER

ORDERED:

That the Cybersecurity Board shall consider the risks created by operations of state agencies, not inclusive of the judicial and legislative branches, nor the Board of Regents, nor agencies headed by statewide elected officials other than the Governor. However, state entities not included may opt to participate.

This - ~ t'),e-71- day of June, 2015.

GOVERNOR