RD434 - 2008 Commonwealth of Virginia Information Security Report


Executive Summary:
This 2008 Commonwealth of Virginia Information Security Report is the first annual report to the Governor and the General Assembly. It establishes a baseline for assessing the strength of the information security programs of the 88 independent and executive branch agencies, including institutions of higher education other than the four charter universities (College of William and Mary, University of Virginia, Virginia Commonwealth University and the Virginia Polytechnic Institute and State University). The detailed listing of agencies and the specific security information points can be found in Appendix I.

The Commonwealth Information Security Program comprises the information security work done collectively at the Commonwealth level together with all of the individual agency information security programs. The Commonwealth Information Security Program is only as sound as the sum of these parts, and therefore the individual agency programs are of great importance.

This report is based on data points available to the Chief Information Security Officer (CISO) on behalf of the Chief Information Officer (CIO) as a result of fulfilling the CIO responsibilities under §2.2-2009 of the Code of Virginia, "Additional duties of the CIO relating to security of government information." This data includes whether the agency head has:

• Designated an Information Security Officer within the past two years
• Submitted a Security Audit Plan for Sensitive Systems
• Provided Corrective Action Plans for completed Security Audits
• Supplied Quarterly Updates for Corrective Action Plans
• Had personnel attend a voluntary Information Security Orientation session (Attendance is not required but indicates agencies that have taken extra action to learn how to build an effective agency information security program.)

We also utilized the reports of the Auditor of Public Accounts (APA) and consulted with APA staff concerning the preliminary results of their SJR 51 (2006) follow-up review. We analyzed the security incidents reported by executive branch agencies as required by §2.2-603.F. In addition, we utilized information from the Commonwealth Information Technology Infrastructure Partnership on the operational security changes accompanying network transformation and on the status of information technology disaster recovery plans.

For this 2008 report, we conclude that almost every agency is making progress in establishing information security programs adequate to safeguard the information of the Commonwealth, but that more work is needed, particularly in the areas of security audits of sensitive systems and disaster recovery planning for systems that are sensitive with respect to availability. Traditionally, these areas have not been consistently planned and budgeted for when sensitive systems are developed and implemented. The comprehensive assessment can be found in the Analysis Section, and the detailed information by agency is available in Appendix I.

Maintaining a strong Commonwealth Information Security Program is a journey without end: threats and defenses change daily as the underlying methods of transmitting and storing information change. However, we believe that the Commonwealth of Virginia is on the right path. That path was recognized in September 2008, when the Commonwealth of Virginia was selected by the National Association of State Chief Information Officers as the winner of the 2008 Recognition Awards for Outstanding Achievement in the Field of Information Technology in the category of Security and Privacy for the entry "Interlocking Spheres of Collaborative Protection." http://www.nascio.org/awards/2008Awards/securityPrivacy.cfm