SD24 - A Review of Information Security in the Commonwealth of Virginia


Executive Summary:
The information security programs in the agencies and institutions of the Commonwealth are generally inadequate and do not address the business need to adequately control information, nor the risks associated with failing to control it. The Commonwealth, however, has several agencies and institutions, such as the Departments of Taxation and General Services and the three largest institutions of higher education, University of Virginia, Virginia Commonwealth University, and Virginia Polytechnic Institute and State University, which provide working models of best-practice information security programs.

All state agencies and institutions have some type of security over their information technology infrastructure and systems. In most cases, this security covers information existing within the agency. Further, almost all agencies and institutions have at least some plan to recover from a disaster; however, this plan does not always specify how, or under what circumstances, recovery would occur.

The Auditor of Public Accounts has been conducting security reviews of financial systems for over a decade and reporting our findings. This review’s results are consistent with our previously reported findings. With the exception of smaller agencies without financial systems, we have previously issued findings on, or commented on, all of the agencies with either no or inadequate information security programs.

In reviewing the results, the reason for inadequate information security programs in the larger agencies, when considering either number of employees or agency budget, appears to center around the resolution of who has responsibility for the infrastructure between the Virginia Information Technologies Agency (VITA) and the agency. The large institutions of higher education with inadequate programs typically do not have the managerial placement of the program at the appropriate level for the organization, although this does occur in other agencies.

Overall, the Commonwealth’s standards address most of the components found in the best practices. The difference between the Commonwealth’s standards and the best practices, for the most part, occurs within the processes of the components.

We believe the large agencies and institutions can address our recommendations without significant operational changes. However, the Commonwealth will need to develop and implement a process to provide information security programs for smaller agencies and institutions.

Finally, the General Assembly may wish to amend the Code of Virginia to provide for the audit of information security programs, rather than focusing on databases and data communications. The current statute does not address the real risk to the Commonwealth.