1. The Chief Information Security Officer (or their appointed designee) must monitor:
   1. Cybersecurity policies, guidelines, procedures, and resources
   2. Georgia Tech Protected Data Practices
   3. Cybersecurity Training
2. The Dean of Libraries (or their appointed designee) must monitor:
   1. Data Retention and Disposition policies, guidelines, procedures, and resources
   2. Data Retention and Disposition Training
3. The Data Governance Officer must monitor:
   1. Data Governance Structure
   2. Intersection with the Technology Governance Structure
   3. Data Domains
   4. Data Categorizations
   5. Systems Inventory
   6. Data Element Dictionary
   7. Access Procedures
   8. Separation of Duties
   9. Regulatory Compliance
   10. Data Governance and Management Training
4. The General Counsel and Vice President for Ethics & Compliance (or their appointed designee) may partner in the monitoring areas described above (#1-3).
5. The roles described above (#1-4) must consult with the Chief Audit Executive (or their appointed designee) in the creation and execution of their respective monitoring programs.
6. The roles indicated in the “Support” section of the “Audience” list above must support monitoring efforts by participating in surveys, interviews, and review of documentation that supports compliance with the Policy and the corresponding guidelines, procedures, and resources.

1. Monitoring efforts may be prioritized using the following guidelines:
   1. Data Domains with a “Data Impact Categorization” of “High Impact,” then “Moderate Impact,” then “Low Impact.”
   2. Information Systems with a “System Criticality Categorization” of “Mission-Critical,” then “Moderate Criticality,” then “Low Criticality.”
2. Monitoring must be conducted at a frequency determined by the Data Governance Committee.
3. Monitoring may be conducted through the use of surveys, interviews, and review of documentation that supports compliance with the Policy, guidelines, procedures, and resources. Monitoring must inform:
   1. Understanding of the Data Governance and Management Program (“Program”)
   2. Steps towards compliance
   3. Documentation supporting compliance
4. Monitoring must be conducted with a sampling of Associate Data Trustees, Data Stewards, Associate Data Stewards, System Owners, Technical Managers, Data Administrators, and Data Users. Monitoring may be conducted with the Data Governance Committee, the Data Management Committee, and the Data Domain & Technology Sub-Committees.
5. Monitoring results will be documented and retained for a period determined by the Data Governance Committee. A summary of findings will be provided to the Data Governance Committee, highlighting areas of concern, improvement, and success.
6. The Data Governance Committee will communicate any areas of concern to the Data Trustees and Data Owner as appropriate.

The USG expects all institutions to have a Data Governance and Management Program in place by June 2021. Monitoring of this Program may begin as early as the second half of 2021.