RD183 - Fiscal Year 2019 Commonwealth of Virginia Report on Cybersecurity Policies

Executive Summary:

The Fiscal Year 2019 Commonwealth of Virginia (COV) Comprehensive Cybersecurity Policies Review is the first such report by the chief information officer (CIO) of the commonwealth. As directed by § 2.2-2009(C) of the Code of Virginia, effective July 1, 2018, “the CIO shall conduct an annual comprehensive review of cybersecurity policies of every executive branch agency, with a particular focus on any breaches in information technology that occurred in the reviewable year and any steps taken by agencies to strengthen cybersecurity measures. Upon completion of the annual review, the CIO shall issue a report of his findings to the Chairman of the House Committee on Appropriations and the Senate Committee on Finance. Such report shall not contain technical information deemed by the CIO to be security sensitive or information that would expose security vulnerabilities."

The CIO established the commonwealth security and risk management (CSRM) directorate within the Virginia Information Technologies Agency (VITA) to fulfill his information security duties under §2.2-2009. CSRM is led by the commonwealth’s chief information security officer (CISO).

VITA’s CIO works with the chief information security officer (CISO) to address cybersecurity issues in the commonwealth. In addition, VITA is responsible for oversight of the commonwealth’s IT infrastructure, including establishing information security programs for the executive branch departments and agencies. VITA also oversees IT investments and acquisitions on behalf of state departments, agencies and institutions of higher learning.

Based on research for this report, we have determined that effective cybersecurity policies significantly help the commonwealth’s security posture. Effective policies lead to fewer security incidents. Fewer incidents result in more up time for applications and agency business as issues are pre-emptively avoided.

Effective policies implemented at the agencies help to better prepare staff for auditing and compliance requirements. Remediation after the fact is more difficult, expensive and time-consuming than addressing the issue correctly from the outset. Auditors in the commonwealth routinely review and assess whether agencies have and are maintaining required cybersecurity documentation. Auditors have often cited audit issues that relate to policy deficiencies over the last two years.

CSRM monitors (through reporting, corrective actions and governance) all IT audit issues, and most agencies can remediate these in a timely fashion. In addition, various IT security metrics for each agency are continually measured and monitored. Agencies that do not effectively remediate audit issues, do not perform required audits, or fail to adequately meet CSRM’s audit and risk management requirements pose a greater risk to the commonwealth overall.

One issue identified by CSRM is the use of hardware and software that is not supported by the manufacturer because it is out-of-date or end-of-life. Agencies may be using out-of-date IT components to support a “legacy" application for which a newer, updated and more secure application has not been developed or procured. The use of outdated hardware and software is a major IT security vulnerability. It is a common practice for malicious third parties to attempt to attack weaknesses in unsupported or outdated systems because technical weaknesses are well-known and therefore easier to exploit. When CSRM identifies these issues, we require agencies to present a plan to address the problem in a timely and complete manner.

VITA uses its governance authority over agency IT budgets and IT acquisitions to ensure that agencies are adhering to information security standards. IT budget requests from agencies that are underperforming in the IT security area could be rejected by VITA until acceptable and actionable remediation steps have been taken.

The Code of Virginia requires all executive branch agencies to report cybersecurity incidents to VITA. A cybersecurity incident is any event or activity that could do harm or threatens to do harm to commonwealth IT systems or data.

An incident response team is on-call around the clock and works to immediately contain, identify, prioritize and mitigate any threat. All incidents are recorded into our enterprise governance and compliance database for tracking purposes.

Each incident is also categorized according to type. The most frequently tracked incident in the commonwealth is for malware. Malware can infect or damage a computer and may be used as a means to gain unauthorized access to a network.

Malware and other incidents have occasionally led to data breaches. In the last two years, all such breaches have been quickly identified and contained, so that minimal data was lost or exposed. All breaches are analyzed extensively after the fact to assure that all underlying issues have been identified and corrected to prevent it from reoccurring.

Attacks on the commonwealth’s cybersecurity occur on a minute-by-minute basis. CSRM aggressively takes measures to prevent, counter and investigate all cybersecurity incidents. Although CSRM has been able to prevent and mitigate most attacks and breaches, we are acutely aware of the rising number of cyberattacks we are seeing. In particular, we have documented an increase in “ransomware" attacks and are taking focused efforts to identify and prevent them.

Key takeaways:

• Effective policies are an important component of a comprehensive cybersecurity program. Each agency must develop policies that take into account how the agency conducts business, the types of data that it handles and the laws and regulations that govern it.

• VITA uses its governance position to develop overall policies and standards to manage cybersecurity in the commonwealth and protect commonwealth data assets and IT services. VITA is constantly identifying and reviewing cybersecurity issues and adjusting policies, procedures and processes to address cybersecurity priorities.

• Audits, training and working with agencies are key steps that VITA CSRM utilize to understanding the threat landscape and strengthen cybersecurity in the commonwealth.

• The commonwealth’s new multi-vendor IT service provider model has had a significant and positive impact on cybersecurity effectiveness and flexibility.

• VITA’s investment in a shared cybersecurity model has improved cybersecurity for the agencies that participate in the model, as well as the overall cybersecurity posture of the commonwealth.

• VITA expects the new cybersecurity implementation within the multi-vendor model to provide increased transparency, effectiveness, and understanding for commonwealth systems.

• The commonwealth’s reliance on technology continues to grow, increasing the critical nature of service and data availability. The material impact of a loss of those services is expected to increase as our technology footprint continues to grow by approximately 8% each year.

• New technology introduced with the multi-supplier model will help to improve cyber hygiene for data protection. More than 10 new services are now available with data encryption capabilities to enable secure hosting on cloud platforms.

• Centralized services continue to be an integral part of our IT strategy. Incorporating centralized security program and security audit services has resulted in a continued upward trend in the progress of commonwealth security programs. Compliance scores for security programs of participating agencies increased 19% for audit compliance and 22% for risk management compliance over the previous three years showing marked improvement in the programs.

• VITA continues to evaluate both the infrastructure and security programs for enhancements. Additional focus is needed on commonwealth partners such as localities and third party partners as they will be the primary source of risk to the Commonwealth in the future.