State Agency Database Security in the Commonwealth

Jeff Deason
Chief Information Security Officer
Virginia Information Technologies Agency

Joint Commission on Technology and Science
Advisory Committee on Privacy
June 23, 2005

www.vita.virginia.gov
expect the best


Today’s Topics

• Security Services Mission
• VITA’s Security Transition to Governance
• Mature Enterprise Security Program
• Where are we today?
• What are we doing?
• State Database Audits
• Senate Bill 1252
• Questions


Mission

Provide comprehensive information security services that allow state agencies to accomplish their respective missions in a safe and secure technology environment.


Transition from Operations to Governance

• FY04: Operations
• FY05: Operations/Governance
• FY06: Governance

Diagram labels: VITA; Enterprise; VITA / Enterprise


Mature Enterprise Security Program

Protection
• Incident Management
• Secure Infrastructure
• VITA Critical Infrastructure and Business Continuity

Program Compliance
• Security Policies, Standards and Procedures
• Risk Management

Security Awareness
• Information Security Training and Awareness


Where are we today?

• As noted by the APA, current Commonwealth information security and protection is inadequate.

• Inconsistent security tools and programs.

• The enterprise information security program which we are now implementing will address these inadequacies.


What are we doing?

• Constructing a new internal service fund:
  – $1.53 million for incident management.
  – $1.74 million for database risk assessments.
• Pursuing state homeland security grants:
  – $950,000 for incident management.
• Developing database audit standards.
• Will leverage this large, necessary investment through public-private partnerships.


State Database Audits

• Current Code language provides needed flexibility for database audits based on:
  – Sensitivity and Criticality of information.
  – Exposure to risk.
• There are approximately 1685 applications in VITA customer agencies.
  – These applications access an unknown number of databases.
  – Determining the number of databases is a major challenge.


Senate Bill 1252

• As introduced:
  – Would have required semi-annual database audits.
    • It is difficult to justify the cost of auditing every database twice each year.
• As amended:
  – Would have required annual database audits and increased reporting.
    • Annual audits are more easily cost-justified than semi-annual audits.
    • Reporting requirements are a positive step as they increase the visibility of the audits.
    • Including incident reports in annual audit reports provides a fuller view of actual risks.


Questions