IT Security in the Commonwealth

1. IT Security in the Commonwealth Sam A. Nixon Jr. Chief Information Officer of the Commonwealth Michael Watson Commonwealth Chief Information Security Officer Virginia Cyber Security CommissionJune 11, 2014 www.vita.virginia.gov 1

2. VITA Is Statutorily Responsible for IT Security • CIO responsible for security of government information (§ 2.2-2009 of the Code of Virginia) • Risk management, audits, security measures • Applies to all branches of state government • VITA performs overall incident response • Share intel & information (FBI, DHS, etc) • CIO & VITA have limited authority • Direct oversight limited to NG infrastructure • No direct authority over agency applications, agency infrastructure, & data

3. VITA/NG Provision IT Infrastructure • VITA/NG protect security of IT infrastructure • 60k PCs, 3k servers, 1.5 petabytes data, 2k circuits • Firewalls, intrusion monitors, encryption, compartmentalization, antivirus, spam filters, security operations center, authentication • 95.5 million attack attempts in CY 2013 • 86 of 89 executive branch agencies protected by transformed environment • However, primary attack vector is against applications not the infrastructure • Agencies remain responsible for applications & data

4. Cyber Security Challenges • State agency staffing constraints impede security gap correction & limit auditing • Only 33% of agencies meet minimum requirement to audit their sensitive systems every 3 years • VITA needs cyber intelligence program to analyze threats & attacks • Additional security efforts are required • SSL VPN, more frequent password resets, two-factor authentication, hard drive encryption • Agility needed to support evolving threats

5. Questions? Samuel A. Nixon Jr. sam.nixon@vita.virginia.gov (804) 416-6004 Michael Watson michael.watson@vita.virginia.gov (804) 416-6030