Cybersecurity Governance in the Commonwealth of Virginia: A Case Study   [open pdf - 2MB]

"This case study describes how the Commonwealth of Virginia (the Commonwealth) has used laws, policies, structures, and processes to help govern cybersecurity as an enterprise-wide, strategic issue across state government and other public and private sector stakeholders. It explores cross-enterprise governance mechanisms used by Virginia across a range of common cybersecurity areas--strategy and planning, budget and acquisition, risk identification and mitigation, incident response, information sharing, and workforce and education. This case study is part of a pilot project intended to demonstrate how states use governance mechanisms to help prioritize, plan, and make cross-enterprise decisions about cybersecurity. It offers concepts and approaches to other states and organizations that face similar challenges. As this case covers a broad range of areas, each related section provides an overview of the Commonwealth's governance approach, rather than a detailed exploration. Individual states and organizations seeking greater detail would likely need to engage directly with the Commonwealth to better understand how to tailor solutions to their specific circumstances."