2.2-2009 - Additional duties of the CIO relating to security of government information.

§ 2.2-2009. Additional duties of the CIO relating to security of government information.

A. To provide for the security of state government electronic information from unauthorized uses, intrusions or other security threats, the CIO shall direct the development of policies, procedures and standards for assessing security risks, determining the appropriate security measures and performing security audits of government electronic information. Such policies, procedures, and standards will apply to the Commonwealth's executive, legislative, and judicial branches, and independent agencies and institutions of higher education. The CIO shall work with representatives of the Chief Justice of the Supreme Court and Joint Rules Committee of the General Assembly to identify their needs.

B. The CIO shall also develop policies, procedures, and standards that shall address the scope of security audits and the frequency of such security audits. In developing and updating such policies, procedures, and standards, the CIO shall designate a government entity to oversee, plan and coordinate the conduct of periodic security audits of all executive branch and independent agencies and institutions of higher education. The CIO will coordinate these audits with the Auditor of Public Accounts and the Joint Legislative Audit and Review Commission. The Chief Justice of the Supreme Court and the Joint Rules Committee of the General Assembly shall determine the most appropriate methods to review the protection of electronic information within their branches.

C. The CIO shall annually report to the Governor, the Secretary, and General Assembly those executive branch and independent agencies and institutions of higher education that have not implemented acceptable policies, procedures, and standards to control unauthorized uses, intrusions, or other security threats. For any executive branch or independent agency or institution of higher education whose security audit results and plans for corrective action are unacceptable, the CIO shall report such results to (i) the Secretary, (ii) any other affected cabinet secretary, (iii) the Governor, and (iv) the Auditor of Public Accounts. Upon review of the security audit results in question, the CIO may take action to suspend the public body's information technology projects pursuant to § 2.2-2015, limit additional information technology investments pending acceptable corrective actions, and recommend to the Governor and Secretary any other appropriate actions.

The CIO shall also include in this report (a) results of security audits, including those state agencies, independent agencies, and institutions of higher education that have not implemented acceptable regulations, standards, policies, and guidelines to control unauthorized uses, intrusions, or other security threats and (b) the extent to which security standards and guidelines have been adopted by state agencies.

D. All public bodies subject to such audits as required by this section shall fully cooperate with the entity designated to perform such audits and bear any associated costs. Public bodies that are not required to but elect to use the entity designated to perform such audits shall also bear any associated costs.

E. The provisions of this section shall not infringe upon responsibilities assigned to the Comptroller, the Auditor of Public Accounts, or the Joint Legislative Audit and Review Commission by other provisions of the Code of Virginia.

F. To ensure the security and privacy of citizens of the Commonwealth in their interactions with state government, the CIO shall direct the development of policies, procedures, and standards for the protection of confidential data maintained by state agencies against unauthorized access and use. Such policies, procedures, and standards shall include, but not be limited to:

1. Requirements that any state employee or other authorized user of a state technology asset provide passwords or other means of authentication to (i) use a technology asset and (ii) access a state-owned or operated computer network or database; and

2. Requirements that a digital rights management system or other means of authenticating and controlling an individual's ability to access electronic records be utilized to limit access to and use of electronic records that contain confidential data to authorized individuals.

G. The CIO shall promptly receive reports from directors of departments in the executive branch of state government made in accordance with § 2.2-603 and shall take such actions as are necessary, convenient or desirable to ensure the security of the Commonwealth's electronic information and confidential data.

H. The CIO shall also develop policies, procedures, and standards that shall address the creation and operation of a risk management program designed to identify information technology security gaps and develop plans to mitigate the gaps. All agencies in the Commonwealth shall cooperate with the CIO. Such cooperation includes, but is not limited to, (i) providing the CIO with information required to create and implement a Commonwealth risk management program; (ii) creating an agency risk management program; and (iii) complying with all other risk management activities.

(2000, c. 961, §§ 2.1-563.42 - 2.1-563.44; 2001, c. 844, §§ 2.2-136 - 2.2-138; 2002, c. 247, § 2.2-226.1; 2003, cc. 981, 1021; 2004, c. 638; 2007, cc. 769, 775; 2010, cc. 136, 145.)