Because the security of information is essential to citizen's trust and continuity of government services, the agency head bears the responsibility for the security of the agency's IT systems and data as set forth in the Information Security Standard (SEC501-01). To secure the agency's IT systems and data, the agency head is required to designate an Information Security Officer (ISO) no less than biennially and, where feasible, a back-up ISO to implement a Commonwealth of Virginia (COV) compliant Information Security program that is properly documented and effectively communicated. The ISO and back-up ISO name, title, and contact information must be submitted to Chief Information Security Officer of the Commonwealth at CommonwealthSecurity@vita.virginia.gov.
As the commonwealth's reliance on information technology increases, it is imperative that agencies maintain compliance with Information Technology (IT) Security Audit Standard.
The agency head is responsible for the development and implementation of an agency plan for IT security audits, and for submitting this plan to the Chief Information Security Officer (CISO) of the Commonwealth at CommonwealthSecurity@VITA.virginia.gov. Overall compliance with the standard includes:
In addition, if the IT security audit shows no findings, this is to be reported to the CISO as well.
Data breaches can be costly to organizations and severely damage their reputation; therefore, it is crucial that the agency head be diligent in reporting known data breaches. The Code of Virginia § 2.2-603.F, requires the director of every department in the executive branch of state government to report to the Chief Information Officer, all known incidents that threaten the security of the commonwealth's databases and data communications resulting in exposure of data protected by federal or state laws, or other incidents compromising the security of the commonwealth's information technology systems with the potential to cause major disruption to normal agency activities. Reports shall be made to the Chief Information Officer within 24 hours from when the department discovered or should have discovered the occurrence. An online incident reporting form is located here.