A majority of state government agencies in Virginia are doing an unacceptable job of protecting information like Social Security and credit card numbers, driving records and medical information, according to a state report.
Eighty percent of the 104 state agencies and institutions surveyed by the Auditor of Public Accounts had inadequate security programs, the report said. Still, almost all state agencies had some kind of oversight of their information-technology systems.
“There are significant risks that the information they have that should be protected will get out,” Walter J. Kucharski, the state’s auditor of public accounts, told the Richmond Times-Dispatch. “If I can let somebody copy (data) on a thumb drive, you’ve got a problem.”
The Virginia departments of Taxation and General Services, Virginia Commonwealth University, the University of Virginia and Virginia Tech have model security systems, the report said.
The study also said that because government information systems are interconnected, porous information systems in smaller agencies can create risks for larger agencies and the information they keep.
Since there’s no agency that is in charge, the three branches of government do not have a statewide way to ensure the security of information, Kucharski said.
Oversight in the state’s legislative and judicial branches is particularly weak, the report said, adding that the branches “establish their own information-security programs without any guidance or minimum requirements.”
While the Virginia Information Technologies Agency is charged with establishing information security practices for the state, Kucharski said, the agency does not have the power to make every part of state government comply.
The IT agency noted that while it is tightening security, the executive branch alone uses more than 3,000 computer servers, at least 85 Internet entrances to the state’s system, and more than 40 different intrusion-detection systems.
“We are at risk,” said VITA chief Lemuel C. Stewart Jr. But, “it’s not like we’re just sitting there, open and totally exposed.”
And, he said, “it’s not all technology. Your greatest security risk is in the people.”