Your browser does not support JavaScript! Skip to main content
Skip to Content
VITA home

Data protection standards for commonwealth agencies

Data protection standards for commonwealth agencies

Commonwealth of Virginia agencies must ensure that systems used to access, process or store data entrusted to that agency comply with all commonwealth, federal, and industry standards and regulations relevant to the data. This collection of standards and regulations are commonly referred to as VITA Rules

Commonwealth Legal Statues

Commonwealth Security Standards

  • COV ITRM SEC 519 (IT Information Security Policy) 
  • COV ITRM SEC 501 (IT Information Security Standard)
    • Standard defines the minimum acceptable level of information security and risk management activities for the commonwealth that agencies must implement an information security program that complies with requirements identified in this standard. 
  • COV ITRM SEC 525 (Hosted Environment Information Security Standard)
    • Standard defines the baseline for information security and risk management activities associated with commonwealth data stored in a data center not owned or leased by the Commonwealth of Virginia. 
  • COV ITRM SEC 502 (IT Security Audit Standard) 
    • Standard defines the baseline for an IT Security Audit Program. The program shall include assessing the risks associated with the systems accessing, processing, or storing commonwealth data at a frequency relative to the risk identified by the agency.  At a minimum, systems that contain sensitive data, either rated for confidentiality, integrity or availability, shall be assessed at least once every three years.
  • COV ITRM SEC 514 (Removal of Commonwealth Data from Electronic Media Standard)
    • Standard defines the acceptable process for the removal of all commonwealth data from electronic media prior to the surplus, transfer, trade-in, disposal or replacement of the electronic media. This standard applies to all electronic media that has memory such as the hard drives of personal computers, servers, mainframes, Personal Digital Assistants (PDAs), routers, firewalls, switches, tapes, diskettes, CDs, DVDs, cell phones, printers, Multi-Function Devices (MFD), and Universal Serial Bus (USB) data storage devices.
  • COV ITRM SEC 520 (IT Risk Management Standard) 
    • The intent of the Information Risk Management Standard is to establish a risk management framework, setting a baseline for information risk management activities for agencies across the Commonwealth of Virginia (COV). These risk management activities include, but are not limited to, any regulatory requirements that an agency is subject to, information security best practices, and the requirements defined in this standard.  

ITRM Wide and Supporting Documents

  • COV ITRM Policies, Guidelines, Standards (PSGs) Brief & Supporting Documents (12/08/2015)

Commonwealth Enterprise Architecture

  • Enterprise Architecture Standard (EA 225-11) (06/01/2016)
    • The commonwealth’s enterprise architecture is a strategic asset used to manage and align the commonwealth’s business processes and Information Technology (IT) infrastructure/solutions with the state’s overall strategy.

Commonwealth Records Retention

Federal Regulations

  • Health Insurance Portability and Accountability Act (HIPAA-HITECH) 
  • IRS Federal Tax Information Pub-1075 (FTI/TOPS) 
  • Social Security Administration Data Protection Regulation (SSA) 
    • Data protection requirements governing the one or two-way electronic sharing of individual or aggregated Personally Identifiable Information (PII) with a government or private entity.
  • Section 508 Standards of the Rehabilitation Act of 1973, as amended (29 U.S.C. § 794 (d)) 
  • Federal Information Security Management Act (FISMA) 
    • Provides a comprehensive framework for ensuring the effectiveness of information security controls over information resources that support federal operations and assets.

Industry Regulations

  • Payment Card Industry – Data Security Standard (PCI-DSS) 


VITA Customer Care Center (VCCC): (866) 637-8482
Virginia Information Technologies Agency
11751 Meadowville Lane Chester, VA 23836
Contact Us

© Commonwealth of Virginia 2016
Internet Privacy Policy Statement

VITA provides content in several formats that require software in addition to your browser to view. If you have problems accessing a file on this site, links to the needed software are below. All required software products (except the non-trial version of WinZip) are free to use.

Word Viewer (.doc) | Adobe Acrobat Reader (.pdf) | Excel Viewer (.xls) | PowerPoint Viewer (.ppt) | WinZip (.zip) | Windows Media Player (.wmv)

Level A conformance icon, W3C-WAI Web Content Accessibility Guidelines 1.0 If you have difficulty reading or accessing documents, please contact our accessibility group for assistance.


Back to top