Reminder: The method for ordering VITA services has changed. Please follow the revised instructions in the "How to Order" section, below.
Price: No Cost
Unit of Measure: Usage Based
Pricing Type: No Charge
Billing Cycle: N/A
Service Lead: Ed Miller Edward.Miller@vita.virginia.gov
Agencies may contract for IT security audits to be conducted through this service. The audits will be performed in accordance with commonwealth IT auditing standards and will be compliant with the requirement to have a sensitive IT system audited (at least once every 3 years).
For additional information visit: Commonwealth Security and Risk Management.
Effective 12/15/18, this service can be ordered from the VITA Service Catalog in the new VITA Service Portal. To submit your request:
If you are uncertain as to whether you have a COV account, start by trying to access the VITA Service Portal. If you are unable to do so, then use the email-to-the-VCCC method.
If you need additional assistance, you may check with your agency information technology resource (AITR) or call the VCCC at 866-637-8482.
You will be contacted to confirm that your request has been received and to obtain any additional required information.
Click on question to show or hide answer.
An IT Security Audit is an examination, evaluation, and a report on the agency's use of an information technology (IT) system to provide reasonable assurance that security controls are implemented and operating as intended. Audits may also include an examination and evaluation of related systems, operations, processes, and practices.
An audit of a sensitive IT system is required at least once every 3 years. Sensitive systems may need to be audited more frequently commensurate with the system's risk or if significant changes have occurred to the system, its use or business purpose, or the environment in which it operates.
Review the status of your system using CSRM's governance risk and compliance tool – Archer or contact Commonwealth Security and Risk Management (firstname.lastname@example.org).
Each engagement will be priced depending on type and complexity. Please contact your Department of Planning and Budget (DPB) analyst for funding information for your agency.
No, an agency may choose to use the funding provided to contract with an outside audit firm or else hire staff or contract labor. However the agency must submit an updated IT Security Audit plan. CSRM will review and determine if the plan is acceptable and whether the plan will bring the agency in compliance of the audit requirements mandated by SEC501, the IT Security Standard.
Yes. VITA CSRM will assist you in identifying the systems requiring audits, the scheduling of audits according to risk or resource factors and in choosing the right scope of audit for your system.
Based on the size and complexity of the system and the agency's ability to provide the auditors all required documentation and information an audit can take 2 - 3 months.
Audits will be scheduled as CSRM resources become available. We will coordinate with the agency to ensure that the audit does not overlap or interfere with critical business periods.
Agencies are responsible for providing adequate workspace for auditors while on customer site; assisting auditors in providing requested information as well as prompt and complete participation in auditor interviews. In addition, all costs and processes related to any corrective action or remediation plans resulting from the audits performed by VITA are the responsibility of the customer.
An auditor will come to your agency and complete field work and analysis. After completing field work and analysis, the auditor will present a first draft of findings and recommendations to the agency. A final report will be issued to the agency head with the auditor's findings and recommendations as well as the agency's responses.
Agencies are required to submit a corrective action plan to CSRM following the completion of the audit. Each quarter an agency is required to submit an updated corrective action plan showing remediation work to-date.
The agency head or Agency Information Technology Resource (AITR) is authorized to place orders for information technology services.