1. What is the contact information for Commonwealth Security and Risk Management (CS/RM)?

    Commonwealth Security and Risk Management can be contacted in the following ways:

    • Mail: Chief Information Security Officer, Virginia Information Technologies Agency, 11751 Meadowville Lane, Chester, VA 23836

    • Email: commonwealthsecurity@vita.virginia.gov.

    • Fax: 804-416-6359

  2. Where can I find Information Technology Resource Management (ITRM) policies?

    Commonwealth policies, standards, and guidelines are located here.

  3. Is an agency head responsible for security in their agency?

    Yes, the agency head is ultimately responsible for the security of the agency's information technology systems and data.

  4. What specific security responsibilities does an agency head have?

    Specific responsibilities of the agency head, per the Information Security Standard (SEC 501) "Key Information Security Roles and Responsibilities", are to:

    • Designate an Information Security Officer (ISO) for the agency, biennially.

    • Ensure that an agency information security program is maintained, that is sufficient to protect the agency's IT systems, and that is documented and effectively communicated.

    • Review and approve the agency's Business Impact Analyses (BIA), Risk Assessments (RAs), and Continuity of Operations Plan (COOP), to include an IT Disaster Recovery Plan, if applicable.

    • Review and approve the System Security Plans for all agency IT systems classified as sensitive.

    • Ensure that an Information Security Audit Program is established. Note: Please see the IT Security Audit Standard (COV ITRM Standard SEC502-00) for the agency head's specific responsibilities regarding audit program compliance.

    • Ensure a program of Information Security Program is established.

    • Ensure an Information Security Awareness and Training Program is established.

    • Provide the resources to enable employees to carry out their responsibilities for securing IT systems and data.

    • Identify a System Owner, generally the Business Owner, for each agency sensitive system.

    • Prevent conflicts of interest by adhering to the security concept of separation of duties for the Information Security Officer, System/Data Owners and System Administrators.

    • Ensure that data breaches are reported to the Chief Information Security Officer. (Only applicable for Executive Branch agencies.)

    For additional information regarding the implementation of these responsibilities, please see the Information Security Standard (SEC 501).

  5. What security responsibilities can an agency head delegate to others?

    The agency head may delegate all Information Security responsibilities, with the exception of the following:

    • Designating an Information Security Officer.

    • Ensuring the implementation of an Information Security Program.

    • Ensuring the implementation of an Audit Program.

    Note: The delegated party must copy the agency head on email submissions to the Chief Information Security Officer.

  6. How is an Information Security Officer (ISO) designated?

    The ISO is designated by submittal of the ISO and back-up ISO name, title, and contact information to the Chief Information Security Officer (CISO) biennially by the agency head. For additional details see the Information Security Standard (SEC 501) "Key Information Security Roles and Responsibilities".

    If the submission is sent by email, the submittal will be accepted from someone other than the agency head, if the agency head is copied.

  7. How do I complete and submit an exception to an Information Security standard?

    If an agency head determines that compliance with the provisions of the information security standards would adversely impact a business process of the agency, the agency head may request approval to deviate from a specific requirement by submitting an exception request to the Chief Information Security Officer. Please use the Exception Request Form to submit an exception.

    The exception request should be submitted to the Chief Information Security Officer (CISO). If the submission is sent by email, the ISO may send the email and copy the agency head.

    If the exception contains sensitive information, email CommonwealthSecurity@VITA.Virginia.Gov to request assistance with identifying an efficient and secure manner of transmitting the exception.

  8. How do I complete and submit an audit plan?

    Your agency Information Technology (IT) security audit plan should be developed based on the direction given in the IT Security Audit Standard (SEC 502) "Planning for IT Security Audits" and IT Security Audit Guideline (SEC 512-00) "IT Security Audit Plan". Please use the IT Security Audit Plan Template to complete your plan.

    The agency head or designee must submit the audit plan annually to the Chief Information Security Officer (CISO). If the submittal is emailed by the designee, the agency head must be copied.

  9. How do I complete and submit a corrective action plan (CAP)?

    Your agency Information Technology (IT) security corrective action plan should be developed based on the direction given in the IT Security Audit Standard (SEC 502) "Documentation of IT Security Audits" and IT Security Audit Guideline (SEC 512-00) "Corrective Action Plan" and "CAP Periodic Reporting". Please use the Corrective Action Plan Template to complete your plan.

    The agency head or designee must submit the corrective action plan quarterly to the Chief Information Security Officer (CISO) of the Commonwealth.

    If the plan contains sensitive information, email CommonwealthSecurity@VITA.Virginia.Gov to request assistance with identifying an efficient and secure manner of transmitting the plan.

  10. What do I do if I suspect an information security incident or how do I submit a known security incident?

    There are two primary ways to submit a suspected or known security incident. One way to submit a security incident is to complete the online reporting form located here: Incident Reporting Form.

    The second way to submit a security incident is to call the VITA Customer Care Center (VCCC) at 1-866-637-8482. The VCCC will accept security incident reports for both IT partnership and non-IT partnership agencies.

    It is imperative that you do not touch or turn off the computer until you receive instructions.

  11. How do I obtain access to additional applications, network drives, etc.?

    If you require additional access in the network environment to applications, network drives, etc., have your Agency Information Technology Resource (AITR) or Information Security Officer (ISO) email the request to the VITA Customer Care Center (VCCC) at vccc@vita.virginia.gov.

  12. Can my organization/state use the "Duhs of Security" video for our security awareness training?

    Please feel free to use the "Duhs of Security" video in your information security awareness efforts. We are glad that you see enough value in our product to add it to your program.