Executive Directive would expand cyber-related risk management activities
RICHMOND – Today Governor McAuliffe signed Executive Directive 6 to strengthen the Commonwealth’s cybersecurity measures in order to protect personal information and sensitive data through the expansion of cyber-related risk management activities.
“A key ingredient to building a new Virginia economy is a solid cyber infrastructure,” said Governor McAuliffe. “That is why it’s vital that the Commonwealth take the proper precautions to protect and safeguard the information entrusted to our care. I am proud to sign this Directive, which initiates enhanced risk management processes that will increase our ability to mitigate the ever increasing flow of cyber threats.”
The Directive requires the Virginia Information Technologies Agency to provide an updated inventory of all data and computer systems while recommending strategies to strengthen and modernize agencies’ cyber security profiles.
“Cybersecurity is a responsibility shared by every level of government,” said Secretary of Technology Karen Jackson. “These risk mitigation steps will allow the Commonwealth to take a more strategic approach to securing our systems and data.”
The full Executive Directive is below:
Executive Directive 6 (2015)
EXPANDING CYBER-RELATED RISK MANAGEMENT ACTIVITIES
Importance of the Initiative
One of the primary responsibilities of the Chief Executive Officer of the Commonwealth of Virginia is to protect and safeguard citizen data. In light of ever-increasing cybersecurity attacks on personal information, sensitive data, and systems, I am committed to expanding our cyber-related risk management activities and strengthening our ability to protect the information entrusted to our care.
I am directing the Secretaries of Technology and Finance and the Commonwealth’s Chief Information Officer to take the necessary steps to complete a review of all Commonwealth of Virginia systems and associated data in the following manner:
1. The Virginia Information Technologies Agency (VITA) shall provide an updated inventory of all data and computer systems to the Governor’s Office by October 15, 2015. The inventory shall include but not be limited to:
a. Determination of sensitivity and criticality of systems and data,
b. Risk prioritization and scope of systems and data, and
c. Development of a risk-based approach to enhance protection of systems and data.
2. The Secretary of Technology and VITA shall recommend strategies to strengthen and modernize agencies’ cyber-security profiles by October 15, 2015, including:
a. Completion of security audits,
b. Development of risk mitigation and resilience plans, and
c. Plans for remediation with completion dates.
3. VITA shall provide a status report on the execution of the strategies, along with associated plans and actions, to the Governor and the Secretaries of Technology and Finance by October 1, 2016.
These risk-mitigation steps to strengthen our sensitive systems and data cannot be effectively and accurately completed without the cooperation of each executive branch agency. For this reason, I am directing each executive branch agency to assist VITA by providing all requested information required to complete this inventory in a timely manner.
Office of Governor Terence R. McAuliffe