VA agencies skewered over weak security measures

Of 104 state agencies surveyed, 80 percent had inadequate security programs, the report said.

"There are significant risks that the information they have that should be protected will get out," said Walter J. Kucharski, the state's auditor of public accounts. "If I can let somebody copy [data] on a thumb drive, you've got a problem." "There's a lot more information out there than people are aware of," Kucharski said.

Data like tax returns, driving records, Social Security numbers, home addresses, credit-card numbers, student grades, medical information and child-abuse reports.

It's not all bad news, though; Virginia has a few institutions that are a model of security practices: the state departments of Taxation and General Services, Virginia Commonwealth University, the University of Virginia and Virginia Tech.

Virginia's problems are largely a function of its decentralized, "silo" approach to IT. the Virginia Information Technologies Agency (VITA) is charged with establishing information security practices for the state, Kucharski said, but the IT agency does not have the power to make every part of state government comply.

"We are at risk," said VITA chief Lemuel C. Stewart Jr. But, "it's not like we're just sitting there, open and totally exposed."

Further complicating the security picture, the auditor's report noted, the state has outsourced its IT system to the Northrop Grumman company. "It's something we intend to deal with as part of our partnership" with Northrop Grumman, Stewart said.

And, he said, "it's not all technology. Your greatest security risk is in the people."