Centralized Information Security Officer (ISO) Service

Price: No Cost

Unit of Measure: Usage Based

Pricing Type: No Charge

Billing Cycle: N/A

Service Lead: Ed Miller Edward.Miller@vita.virginia.gov

Description:

The Centralized Information Security Officer (ISO) service will assist agencies in performing and documenting Business Impact Analysis and IT System Security Plans (consisting of IT Security Risk Assessment and Risk Treatment Plans), including required annual updates. ISO Service analysts will also be able to provide consulting and other ISO services.

For additional information visit: Commonwealth Security and Risk Management.

How to Order

Funding has been made available for each agency to use to acquire ISO Services.  The amount appropriated for each agency is different.  Please contact your Department of Planning and Budget (DPB) analyst for agency funding information.

Your agency head, AITR (or other authorized approver) should complete form #3-005 - Standard Form for Information Security Officer (ISO) Services, found in the Service Catalog Form Library. This form will serve as the formal agreement between VITA and your agency. The VITA CSRM analyst assigned to your agency can assist you with completing the order form. If you do not know your CSRM analyst, please contact CSRM at commonwealthsecurity@vita.virginia.gov. Forms should be submitted to VITA OneStop (VITAOneStop@vita.virginia.gov).

Need help?

Frequently Asked Questions

The Centralized ISO Service includes a qualified information security specialist who will create Business Impact Analyses (BIA) and system security plans (which include risk assessments & risk treatment plans) and will help the agency stay in compliance with commonwealth IT security policies and standards.

Funding has been made available for each agency to use to acquire ISO Services. The amount appropriated for each agency is different. Please contact your Department of Planning and Budget (DPB) analyst for agency funding information.

Yes. VITA Commonwealth Security and Risk Management (CSRM) will assist in determining the type and complexity of BIA and system security plans that your agency requires.

Once ordered and scheduled, based on complexity, a BIA can take anywhere from 2 weeks to 2 months. Once ordered and scheduled, based on complexity, a System Security Plan, which includes Risk Assessment and a Risk Treatment Plan, can take a week to a month. All times are based on the agency's ability to provide all requested documentation and information in a timely manner.

Service offerings will be scheduled as resources become available. We will coordinate with the agency to ensure that services performed do not overlap or interfere with critical business periods.

No, an agency may choose to use the funding provided to contract with an outside firm or consultant or to hire staff. However, the agency must submit an updated IT Risk Assessment plan to CSRM. CSRM will review the plan and determine whether it is acceptable and will bring the agency into compliance with the risk management requirements mandated by SEC501, the IT Security Standard.

BIAs, Risk Assessments, and System Security Plans are living documents, meaning that they must be continually reviewed and updated as circumstances within your agency, your IT systems, or the environment in which they function change. VITA Centralized services will be in routine communication with your agency and will monitor your BIA, Risk Assessments, System Security Plans and all related documentation to ensure that they are maintained and kept current.

Send VITA OneStop an email (vitaonestop@vita.virginia.gov) to collaborate or handle your order.