
Plan: Virginia PYs 2024-2027
Combined Plan C

Section: WIOA State Plan Common Elements

Narrative: III. b. 6. D.


III. b. 6. D. Privacy Safeguards

Describe the privacy safeguards incorporated in the State’s workforce development system, including safeguards required by section 444 of the General Education Provisions Act (20 U.S.C. 1232g) and other applicable Federal laws.

Current Narrative:

The Commonwealth of Virginia (COV) uses the Information Security Standard (SEC 501-09)[1], developed by the Virginia Information Technologies Agency (VITA), as the baseline for information security and risk management practices across the state. These baseline practices include, but are not limited to, agency regulatory requirements, information security best practices, and the criteria defined in SEC 501-09. VITA regularly reviews and updates the state Information Security Standard to ensure that information systems used to support COV agency data collection and reporting are sufficiently managed and protected, especially with respect to the collection and reporting of personally identifiable information (PII).

The state Information Security Standard was created using the National Institute of Standards and Technology (NIST) Special Publication 800-53 rev. 4, Recommended Security Controls for Federal Information Systems and Organizations, as a framework.

The COV Information Security Program consists of the following Control Families:

• AC - Access Control

• AT - Awareness and Training

• AU - Audit and Accountability

• CA - Security Assessment and Authorization

• CM - Configuration Management

• CP - Contingency Planning

• IA - Identification and Authentication

• IR - Incident Response

• MA - Maintenance

• MP - Media Protection

• PE - Physical and Environmental Protection

• PL - Planning

• PS - Personnel Security

• RA - Risk Assessment

• SA - System and Services Acquisition

• SC - System and Communications Protection

• SI - System and Information Integrity

• PM - Program Management

These component areas provide a framework of minimal requirements that agencies use to develop their agency information security programs with a goal of allowing agencies to accomplish their missions in a safe and secure environment. Each component listed above contains requirements that, together, comprise the Information Security Standard.

This Standard recognizes that agencies may procure IT equipment, systems, and services covered by this Standard from third parties. In such instances, Agency Heads remain accountable for maintaining compliance with this Standard and agencies must enforce these compliance requirements through documented agreements with third party providers and oversight of the services provided.

Each Agency Head is responsible for the security of the agency's IT systems and data. Each Agency Head must designate an Information Security Officer (ISO) for the agency and renew that designation no less than biennially. An agency must have a Privacy Officer if required by law or regulation, such as the Health Insurance Portability and Accountability Act (HIPAA), and may choose to have one where not required. Otherwise, these responsibilities are carried out by the ISO.

The Privacy Officer provides guidance on:

1. The requirements of state and federal Privacy laws, including but not limited to Section 444 of the General Education Provisions Act (34 CFR Part 99: Family Educational Rights and Privacy Act (FERPA))

2. Disclosure of and access to sensitive data, including PII

3. Security and protection requirements in conjunction with IT systems when there is some overlap among sensitivity, disclosure, privacy, and security issues

For wage records matching, each agency must enter into a Restricted Use Data Agreement (RUDA) with the Virginia Employment Commission (VEC). Because data matching requires the transmission and handling of PII, the RUDA identifies the security protocols that the VEC and the agency requesting the data match must follow to conduct the match, including the transmission of sensitive data between agencies.

[1] Commonwealth of Virginia Information Technology Resource Management – Information Security Standard