RD85 - 2010 Commonwealth of Virginia Information Security Report


Executive Summary:
This 2010 Commonwealth of Virginia (COV) Information Security Report is the third annual report to the Governor and the General Assembly and follows a baseline created in 2008 for assessing the strength of agency information security programs that have been established to protect Commonwealth information. The scope of this report is limited to the independent and executive branch agencies including higher education, and excluding charter and Tier II universities.

The detailed listing of agencies and specific security information points can be found in the Appendix.

The Commonwealth Information Security Program is comprised of work done cooperatively at the Commonwealth level and at each individual agency. The overall program is only as sound as the sum of these collective parts; therefore, the individual agency programs are of great importance.

For this 2010 report, we conclude that progress continues to be made by Commonwealth agencies in establishing and operating information security programs that are compliant with published policies and standards. In almost every case, the available metrics show positive trends and improvement. Executive branch consolidation and transformation efforts have demonstrated undeniable security benefits for agencies in the Commonwealth enterprise; however, those agencies that have not yet transformed continue to expend unnecessary resources and operate at an elevated level of risk to both themselves and the Commonwealth.

Although the metrics we have analyzed are overwhelmingly positive, there is one disconcerting area that deserves attention. Audit plan data suggests that agencies are not consistently auditing their sensitive systems at least once every three years as required by COV standards. These audits are a crucial part of the Commonwealth Information Security Program. Neglecting to perform these audits can undermine the entire Commonwealth program and place sensitive Commonwealth data at great risk.

The mission of having a strong Commonwealth Information Security Program is a journey without end as the threats and required defenses change daily; however, we believe that the Commonwealth is on the right path.