RD201 - 2011 Commonwealth of Virginia Information Security Report

Executive Summary:
This 2011 Commonwealth of Virginia (COV) Information Security Report is the fourth annual report to the Governor and the General Assembly. It follows a baseline created in 2008 for assessing the strength of agency information technology (IT) security programs that have been established to protect Commonwealth data and systems. The scope of this report is limited to the independent and executive branch agencies, including institutions of higher education other than charter and Tier II universities.

The detailed listing of agencies and specific security information points can be found in the appendix.

Limited progress has been made by agencies toward the establishment and operation of IT security programs that comply with published Commonwealth policies and standards. Commonwealth data will remain at risk until all agencies and VITA are able to allocate the resources needed to perform their information security obligations.

Despite increases in IT spending, agencies are not maintaining security programs to the degree needed to keep pace with an expanding use of IT. Data in this report indicate that many agencies are not fulfilling their IT security obligations. For example:

• Although the total number of audits of sensitive systems increased over the last three years, 57 percent of Commonwealth systems have not been audited.

• Of the 82 agencies, 20 (24 percent) have an expired IT security audit plan.

Shortcomings in agency IT audit practices in the face of increased spending indicate that investment in information security is not keeping pace with the growing use of IT.

Because the operational security program within VITA lacks the resources needed to maintain an effective security program, VITA must increase security staffing and funding to meet its statutory obligations. Additional staffing and funding are also required to respond to the 43 percent increase in IT security incidents that occurred in 2011, to meet additional demands from enterprise-wide programs such as electronic data management and electronic health records, and to oversee the increase in use of infrastructure services.

Due to the indicators of non-compliance with security requirements, Commonwealth Security and Risk Management (CSRM) will review how agency IT security programs are evaluated. The goal will be to identify where security programs are carrying the most risk. Once the risks are identified, the limited resources available can be directed to mitigating the most significant of them. While this review may help mitigate the most egregious risks, the lack of resources may still impede progress. In addition, CSRM will begin to investigate what resources have historically been allocated to the information security programs at state agencies. This information will help establish where the gaps exist and whether additional support from CSRM or another state entity would be appropriate.

In today’s digital world of information sharing and online services, the Commonwealth of Virginia must remain vigilant in its mission to maintain a strong IT security program. As new technologies emerge and threats evolve, it is imperative that the Commonwealth meet the challenge of ensuring that the data with which it is entrusted continue to be protected.