
Toolkit FAQs

  1. What is the contact information for Commonwealth Security and Risk Management (CS/RM)?

  2. Where can I find Information Technology Resource Management (ITRM) policies?

  3. Is an agency head responsible for security in their agency?

  4. What specific security responsibilities does an agency head have?

  5. What security responsibilities can an agency head delegate to others?

  6. How is an Information Security Officer (ISO) designated?

  7. How do I complete and submit an exception to an Information Security standard?

  8. How do I complete and submit an audit plan?

  9. How do I complete and submit a corrective action plan (CAP)?

  10. What do I do if I suspect an information security incident or how do I submit a known security incident?

  11. How do I obtain access to additional applications, network drives, etc.?

  12. Can my organization/state use the "Duhs of Security" video for our security awareness training?


  1. What is the contact information for Commonwealth Security and Risk Management (CS/RM)?

    Commonwealth Security and Risk Management can be contacted in the following ways:

    • Mail: Chief Information Security Officer, Virginia Information Technologies Agency, 11751 Meadowville Lane, Chester, VA 23836

    • Email: commonwealthsecurity@vita.virginia.gov.

    • Fax: 804-416-6359

     
  2. Where can I find Information Technology Resource Management (ITRM) policies?

    • Commonwealth policies, standards, and guidelines are located here.

     
  3. Is an agency head responsible for security in their agency?

    Yes, the agency head is ultimately responsible for the security of the agency's information technology systems and data.

     
  4. What specific security responsibilities does an agency head have?

    Specific responsibilities of the agency head, per the Information Security Standard (SEC 501), "Key Information Security Roles and Responsibilities", are to:

    • Designate an Information Security Officer (ISO) for the agency, biennially.

    • Ensure that an agency information security program is maintained, that is sufficient to protect the agency's IT systems, and that is documented and effectively communicated.

    • Review and approve the agency's Business Impact Analyses (BIA), Risk Assessments (RAs), and Continuity of Operations Plan (COOP), to include an IT Disaster Recovery Plan, if applicable.

    • Review and approve the System Security Plans for all agency IT systems classified as sensitive.

    • Ensure that an Information Security Audit Program is established. Note: Please see the IT Security Audit Standard (COV ITRM Standard SEC502-00) for the agency head's specific responsibilities regarding audit program compliance.

    • Ensure that an Information Security Program is established.

    • Ensure an Information Security Awareness and Training Program is established.

    • Provide the resources to enable employees to carry out their responsibilities for securing IT systems and data.

    • Identify a System Owner, generally the Business Owner, for each agency sensitive system.

    • Prevent conflicts of interest by adhering to the security concept of separation of duties for the Information Security Officer, System/Data Owners, and System Administrators.

    • Ensure that data breaches are reported to the Chief Information Security Officer. (Only applicable for Executive Branch agencies.)

    For additional information regarding the implementation of these responsibilities, please see the Information Security Standard (SEC 501).

     
  5. What security responsibilities can an agency head delegate to others?

    The agency head may delegate all Information Security responsibilities, with the exception of the following:

    • Designating an Information Security Officer.

    • Ensuring the implementation of an Information Security Program.

    • Ensuring the implementation of an Audit Program.

    Note: The delegated party must copy the agency head on email submissions to the Chief Information Security Officer.

     
  6. How is an Information Security Officer (ISO) designated?

    The ISO is designated by the agency head submitting the name, title, and contact information of the ISO and the back-up ISO to the Chief Information Security Officer (CISO) biennially. For additional details see the Information Security Standard (SEC 501), "Key Information Security Roles and Responsibilities".

    If the designation is sent by email, it will be accepted from someone other than the agency head provided the agency head is copied. For contact information, see response #1.

     
  7. How do I complete and submit an exception to an Information Security standard?

    If an agency head determines that compliance with the provisions of the information security standards would adversely impact a business process of the agency, the agency head may request approval to deviate from a specific requirement by submitting an exception request to the Chief Information Security Officer. Please use the Exception Request Form to submit an exception.

    The exception request should be submitted to the Chief Information Security Officer (CISO). If the submission is sent by email, the ISO may send the email and copy the agency head. For contact information, see response #1.

    If the exception contains sensitive information, email CommonwealthSecurity@VITA.Virginia.Gov to request assistance with identifying an efficient and secure manner of transmitting the exception.

     
  8. How do I complete and submit an audit plan?

    Your agency Information Technology (IT) security audit plan should be developed based on the direction given in the IT Security Audit Standard (SEC 502), "Planning for IT Security Audits", and the IT Security Audit Guideline (SEC 512-00), "IT Security Audit Plan". Please use the IT Security Audit Plan Template to complete your plan.

    The agency head or designee must submit the audit plan annually to the Chief Information Security Officer (CISO). If the submittal is emailed by the designee, the agency head must be copied. For contact information, see response #1.

     
  9. How do I complete and submit a corrective action plan (CAP)?

    Your agency Information Technology (IT) security corrective action plan should be developed based on the direction given in the IT Security Audit Standard (SEC 502), "Documentation of IT Security Audits", and the IT Security Audit Guideline (SEC 512-00), "Corrective Action Plan" and "CAP Periodic Reporting". Please use the Corrective Action Plan Template to complete your plan.

    The agency head or designee must submit the corrective action plan quarterly to the Chief Information Security Officer (CISO) of the Commonwealth. For contact information, see response #1.

    If the plan contains sensitive information, email CommonwealthSecurity@VITA.Virginia.Gov to request assistance with identifying an efficient and secure manner of transmitting the plan.

     
  10. What do I do if I suspect an information security incident or how do I submit a known security incident?

    There are two primary ways to submit a suspected or known security incident. One way to submit a security incident is to complete the online reporting form located here: Incident Reporting Form.

    The second way to submit a security incident is to call the VITA Customer Care Center (VCCC) at 1-866-637-8482. The VCCC will accept security incident reports for both IT partnership and non-IT partnership agencies.

    It is imperative that you do not touch, use, or turn off the affected computer until you receive instructions: powering it off or continuing to use it can destroy volatile evidence (running processes, network connections, memory contents) that responders need.

     
  11. How do I obtain access to additional applications, network drives, etc.?

    If you require additional access in the network environment to applications, network drives, etc., have your Agency Information Technology Resource (AITR) or Information Security Officer (ISO) email the request to the VITA Customer Care Center (VCCC) at vccc@vita.virginia.gov.

     
  12. Can my organization/state use the "Duhs of Security" video for our security awareness training?

    Please feel free to use the "Duhs of Security" video in your information security awareness efforts. We are glad that you see enough value in our product to add it to your program.

© Commonwealth of Virginia 2016