RD431 - Virginia Report on Cybersecurity Policies Fiscal Year 2020 – June 11, 2021

Executive Summary:

Report Directive

The Fiscal Year 2020 Commonwealth of Virginia (COV) Comprehensive Cybersecurity Policies Review is the second such report by the chief information officer (CIO) of the Commonwealth. As directed by § 2.2-2009(C) of the Code of Virginia, as amended July 1, 2018, “the CIO shall conduct an annual comprehensive review of cybersecurity policies of every executive branch agency, with a particular focus on any breaches in information technology that occurred in the reviewable year and any steps taken by agencies to strengthen cybersecurity measures. Upon completion of the annual review, the CIO shall issue a report of his findings to the Chairman of the House Committee on Appropriations and the Senate Committee on Finance. Such report shall not contain technical information deemed by the CIO to be security sensitive or information that would expose security vulnerabilities.”

The CIO established the Commonwealth Security and Risk Management (CSRM) directorate within the Virginia Information Technologies Agency (VITA) to fulfill his information security duties under § 2.2-2009. CSRM is led by the Commonwealth’s chief information security officer (CISO). VITA’s CIO works with the CISO to address cybersecurity issues in the Commonwealth. Additionally, VITA is responsible for oversight of the Commonwealth’s IT infrastructure, including establishing information security programs for the executive branch departments and agencies. VITA also oversees IT investments and acquisitions on behalf of state departments, agencies and institutions of higher learning, and establishes IT security policy and standards for the Commonwealth.

Report Objectives

This report examines the current state of cybersecurity policies in the Commonwealth’s executive branch, including policy implementation and use, as well as data breaches that have occurred. The report draws on information collected from audit reports, assessment documents, and cybersecurity incidents. In addition, it analyzes data collected directly from agencies in a self-assessment survey in which each agency rated how it has developed and implemented cybersecurity policies.

Documented cybersecurity policies are an essential tool in any organization. Cybersecurity policies and procedures provide a roadmap for day-to-day operations and create an internal control framework within an organization. Management relies on this internal control framework to ensure that the organization meets its objectives.

Well-written cybersecurity policies and procedures help an agency ensure compliance with laws and regulations, identify and deter cybersecurity threats, respond to cybersecurity incidents, guide decision-making, and streamline internal processes. Policies also enable agency management to make consistent, cybersecurity-based decisions.

Underlying Assumptions

• Improving cybersecurity policy compliance will result in an improved security risk posture for the Commonwealth.

• As agencies implement effective cybersecurity policies and procedures, they will improve security and further compliance with Commonwealth IT security standards, as well as other statutory and contractual mandates.

• Agency Information Security Officers are key to assembling and maintaining a well-managed set of cybersecurity policies.

• As VITA’s Shared Centralized Services continue to mature and staffing increases, we expect participating agencies to have performed an audit and risk assessment on nearly all of their sensitive systems. Timely performance of audits and risk assessments identifies problems that need correcting before they can be exploited by cyber threats.

• Commonwealth-wide security training and education will help limit the Commonwealth’s exposure to increasing cybersecurity threats, but it must be ongoing.

Conclusions and Recommendations

• Although Commonwealth agencies are required to develop agency policies and procedures, 21% of all security issues identified in agency audits and risk assessments were due to a lack of policy.

• Agencies often lack staff, resources and funding to devote to policy development and implementation. As a result, we recommend additional funding to address these IT security policy deficiencies.

• The Commonwealth has implemented several risk mitigation strategies to prevent breaches, including vulnerability scanning services, audit services, and risk management services.

• In a national survey, Commonwealth agencies reported that their development and implementation of cybersecurity policies is slightly above the average reported by agencies in other states, but still significantly below optimal.

• End-of-life (EOL) technology is a risk to the Commonwealth. End-of-life technology is hardware or software that has reached the end of its life cycle and is no longer supported by the manufacturer; it no longer receives security updates, so newly discovered vulnerabilities in it remain unpatched. A significant number of agencies are still employing end-of-life hardware or software.

• The human factor is often the weakest link in the security chain. VITA has established a new training standard to improve IT security awareness and help protect against potential breaches. The new standard sets a required minimum baseline of knowledge areas that agencies must cover when educating their personnel, helping them identify and prevent potential cyberattacks.

• VITA has developed a quantitative cyber-risk analysis methodology to improve agency IT risk management decisions. Quantifying risk helps agencies focus on the systems with the highest risk and prioritize remediation accordingly.

• Ransomware continues to be a growing threat, particularly for state and local government agencies. In January 2021, VITA delivered a legislative report that evaluated the readiness of the Commonwealth to defend against ransomware attacks and made recommendations to improve its security posture.

• During the last fiscal year, agencies remediated more than 3,800 issues identified through the audits, risk assessments and vulnerability scans that VITA requires. VITA monitors remediation to ensure that issues are corrected in a timely manner and provides technical assistance where needed.