RD73 - Virginia Information Technologies Agency 2009 Commonwealth of Virginia Information Security Report


Executive Summary:
This 2009 Commonwealth of Virginia (COV) Information Security Report is the second annual report to the Governor and the General Assembly. It follows a baseline created in 2008 for assessing the strength of the information security programs that have been established to protect Commonwealth information. The scope of this report is limited to the 85 independent and executive branch agencies, including higher education but excluding charter universities and Tier II universities.

The detailed listing of agencies and specific security information points can be found in Appendix I.

The Commonwealth Information Security Program comprises the information security work done collectively at the Commonwealth level and all of the individual agency information security programs. The Commonwealth Information Security Program is only as sound as the sum of these collective parts; therefore, the individual agency programs are of great importance.

This report is based on data points as of December 31, 2009, available to the Chief Information Security Officer (CISO) working on behalf of the Chief Information Officer (CIO). We also utilized reports from the Auditor of Public Accounts (APA), specifically the Commonwealth Information Security Implementation Semi-annual Update, November 2009. We analyzed the security incidents reported by executive branch agencies as required by § 2.2-603.F. In addition, we utilized information from the Commonwealth Information Technology Infrastructure Partnership on operational security changes associated with network transformation and on the status of information technology disaster recovery planning.

For this 2009 report, we conclude that significant, continued progress has been made in establishing and operating electronic information security programs adequate to safeguard the information of the Commonwealth. However, more work is needed, particularly in the area of application security practices as they relate to the development and maintenance of sensitive applications. Current threat trends indicate that malicious activity is focused on the exploitation of applications to gain access to sensitive systems and personal data. The comprehensive assessment can be found in the Analysis Section and the detailed information by agency is available in Appendix I.

The mission of maintaining a strong Commonwealth Information Security Program is a journey without end: threats and the defenses they require change daily, as do the underlying methods of information transmission and storage. However, we believe that the Commonwealth of Virginia is on the right path.