Your browser does not support JavaScript! Skip to main content
Skip to Content
VITA home

Executive Awareness

Agency Head Responsibilities

Designate an Information Security Officer and Implement an Information Security Program

Because the security of information is essential to citizen's trust and continuity of government services, the agency head bears the responsibility for the security of the agency's IT systems and data as set forth in the Information Security Standard (SEC501-01). To secure the agency's IT systems and data, the agency head is required to designate an Information Security Officer (ISO) no less than biennially and, where feasible, a back-up ISO to implement a Commonwealth of Virginia (COV) compliant Information Security program that is properly documented and effectively communicated. The ISO and back-up ISO name, title, and contact information must be submitted to Chief Information Security Officer of the Commonwealth at

Implement an Audit Program

As the commonwealth's reliance on information technology increases, it is imperative that agencies maintain compliance with Information Technology (IT) Security Audit Standard.

The agency head is responsible for the development and implementation of an agency plan for IT security audits, and for submitting this plan to the Chief Information Security Officer (CISO) of the Commonwealth at Overall compliance with the standard includes:

  • Requiring that the planned IT security audits are conducted on schedule,
  • Receiving reports of the results of IT security audits,
  • Requiring development of Corrective Action Plans to address findings of IT security audits, and
  • Reporting to the CISO all IT security audit findings and progress in implementing corrective actions in response to IT security audit findings.

In addition, if the IT security audit shows no findings, this is to be reported to the CISO as well.

Report Data Breaches to the Chief Information Officer

Data breaches can be costly to organizations and severely damage their reputation; therefore, it is crucial that the agency head be diligent in reporting known data breaches. The Code of Virginia § 2.2-603.F, requires the director of every department in the executive branch of state government to report to the Chief Information Officer, all known incidents that threaten the security of the commonwealth's databases and data communications resulting in exposure of data protected by federal or state laws, or other incidents compromising the security of the commonwealth's information technology systems with the potential to cause major disruption to normal agency activities. Reports shall be made to the Chief Information Officer within 24 hours from when the department discovered or should have discovered the occurrence. An online incident reporting form is located here.


VITA Customer Care Center (VCCC): (866) 637-8482
Virginia Information Technologies Agency
11751 Meadowville Lane Chester, VA 23836
Contact Us

© Commonwealth of Virginia 2016
Internet Privacy Policy Statement

VITA provides content in several formats that require software in addition to your browser to view. If you have problems accessing a file on this site, links to the needed software are below. All required software products (except the non-trial version of WinZip) are free to use.

Word Viewer (.doc) | Adobe Acrobat Reader (.pdf) | Excel Viewer (.xls) | PowerPoint Viewer (.ppt) | WinZip (.zip) | Windows Media Player (.wmv)

Level A conformance icon, W3C-WAI Web Content Accessibility Guidelines 1.0 If you have difficulty reading or accessing documents, please contact our accessibility group for assistance.


Back to top