RD176 - 2013 Commonwealth of Virginia Information Security Report

Executive Summary:
This 2013 Commonwealth of Virginia (COV) Information Security Report is the sixth annual report by the Chief Information Officer of the Commonwealth (CIO) to the Governor and the General Assembly. As directed by § 2.2-2009 (C) of the Code of Virginia, the CIO is required to annually identify those agencies that have not implemented acceptable policies, procedures, and standards to control unauthorized uses, intrusions or other security threats. In accordance with § 2.2-2009 (C), the scope of this report is limited to independent and executive branch agencies, including Tier I institutions of higher education. This report does not address Tier III and Tier II institutions that have been statutorily exempted from compliance with Commonwealth policies and standards.

To fulfill his information security duties under § 2.2-2009, the CIO has established a Commonwealth Security and Risk Management (CSRM) directorate within the Virginia Information Technologies Agency (VITA). CSRM is led by the commonwealth’s Chief Information Security Officer (CISO). This report has been prepared by CSRM on behalf of the CIO, and it follows a baseline created by CSRM in 2008 to assess the strength of agency information technology (IT) security programs that have been established to protect Commonwealth data and systems. A detailed listing of agencies and their specific security information concerns can be found in the appendix.

Agency business applications remain the primary attack vector within state government. Although agencies that use VITA’s enterprise-wide infrastructure services have enterprise grade controls and security best practices for infrastructure services, each agency remains statutorily responsible for implementing security controls for their unique applications and data. However, agencies are not implementing the controls needed to protect their data and ensure only authorized personnel can access the applications. Controls for these applications are not evenly applied, and agencies have historically reported insufficient resources to remediate identified vulnerabilities. The lack of security controls on agency-specific applications contributes significantly to the malicious attacks that cause the most impact.

Those agency-specific systems and infrastructure that are not protected by VITA’s enterprise services face an increased risk of attack. Similar to business applications, many agencies operate unique IT systems that are not supported or protected by VITA’s enterprise services. Many of these agency-specific systems support critical infrastructure, and agencies need to secure them by ensuring that effective security controls are in place. However, agencies often do not protect their systems to the same degree as VITA’s enterprise infrastructure, putting parts of the Commonwealth’s infrastructure at risk. This elevated level of risk is of particular concern for Supervisory Control and Data Acquisition (SCADA) networks, also known as control systems, that contain computers and applications which support critical infrastructure such as transportation and public safety. The Hampton Roads area serves as an example of an area where bridges and tunnels could cripple the local area, should the supporting IT infrastructure be compromised.

Non-transformed agencies remain at significant operational security risk and cannot be adequately secured. The three “untransformed” agencies remain in an insecure state and are at a substantially elevated risk for compromise: The Virginia State Police, the Virginia Department of Emergency Management, and the Virginia Employment Commission. These agencies operate outside the enterprise security infrastructure and are vulnerable to attacks that would otherwise be mitigated by monitoring, intrusion detection, firewalls, encryption, virtual private networks (VPN) and other enterprise tools and resources. These agencies need to complete transformation as soon as possible.

Corrective action is required in 2014 to remediate a continued reduction in the percentage of agencies that complete their audit obligations. For the past three years, the majority of agencies have failed to meet minimum requirements for auditing their sensitive systems. Commonwealth security standards require each agency to audit their sensitive systems at least once every three years. However, in 2011 and 2012 only 43 percent of agencies met this requirement. This compliance rate dropped in 2013, falling to 33 percent. Accordingly, the CIO may be required to exercise his obligation to order security audits be performed for these agencies per § 2.2-2009 of the Code of Virginia.

Inadequate access control was the number one issue found in risk-based evaluations, comprising 20 percent of all security audit findings. Access control risk is widespread, with 55 percent of all agencies that submitted audits reporting at least one access control related finding. Ninety-nine percent of all findings were rated high by the agencies, based on industry standards. These findings were typically associated with agency-specific applications and indicate the need for an identity access management standard which would provide guidance in the remediation of these findings.

Evidence suggests that higher education institutions are at greater risk for cyber attacks and other incidents. In Virginia, institutions with management agreements are statutorily exempt from VITA’s oversight, but they are still required to develop and adopt their own IT security policies and standards. In practice, the management agreements have resulted in a lack of insight by VITA regarding the security policies and practices at covered institutions and the extent to which security incidents (including data breaches) occur. CSRM recommends that a standard set of governance requirements be established for these agencies, and that the institutions be required to report on metrics similar to the ones used in this annual report.

The Commonwealth significantly reduced the number of successful attacks within the enterprise in 2013. Operational changes such as a reduction in the number of devices with elevated privileges, and patching of commonly used software, drove the reduction in security incidents. These reductions required a substantial degree of communication, coordination, and cooperation between agencies and VITA. Going forward, improvements in these areas will be needed in order to effectively and rapidly remediate future threats.

In 2013, Commonwealth agencies made improvements, both in the quantity and quality of business impact analysis (BIA), risk assessment and intrusion detection reporting. The most noticeable improvement was a 21 percent increase in BIA submissions over the previous year. While noticeable improvements were made in the Commonwealth’s risk management program in 2013, the IT Risk Management Standard introduced additional risk management activities for agencies to address. The Commonwealth’s risk management posture has improved since 2012, but significant work remains. CSRM anticipates continued improvement in the risk management program data as processes mature.

The Commonwealth’s new information security officer (ISO) certification program had a promising start and has provided a strong baseline upon which to build. Fifty-two of the 76 designated primary ISOs established a common educational background in information security specific to the commonwealth. With 88 percent of ISOs participating in training and discussions, Virginia’s ISOs are now better equipped to tackle the challenges of protecting their agencies.

The past year has seen progress in some areas, however a number of issues included in the 2012 report still remain. In 2013, CSRM integrated the requirements of the National Institute of Standards and Technology (NIST) CyberSecurity Framework into the Commonwealth’s IT Risk Management Standard. In doing so, the Commonwealth became the first state in the nation to adopt the NIST framework and report results. In addition, CSRM saw an increase in awareness about our information security program (due to increased participation in the ISO certification program and the advisory group), a heightened understanding of the impacts of security risks, and an increase in the number of attacks against Commonwealth systems that were successfully mitigated.

However, the lack of attention by agencies to the security audit program continues to put the Commonwealth at risk, and the lack of insight into untransformed and out-of-scope agencies and systems continues to present the Commonwealth with an elevated level of risk. These concerns could be reduced by ensuring that the information security program is consistently applied to all Commonwealth systems, and by requiring broader compliance with IT security and risk management standards and policies. CSRM is assessing methods for restructuring and possibly centralizing the information security audit program in order to improve the information security audit program in the Commonwealth.