Information Security Standard

 


Contingency Planning and Business Recovery Program

Annual Statement of Compliance

 

Version: 1.0
Status: Approved: 02/21/07
Contact: Director, Technology Services


PURPOSE

An annual Statement of Compliance is prepared once all the preceding steps have been completed. The document will be forwarded to the College President or Vice Chancellor ITS at the System Office, confirming that all appropriate steps have been taken, that documents have been prepared in accordance with this program, and that the college is in compliance with the Commonwealth of Virginia (COV) Information Technology Resource Management Standard, COV ITRM 501-01, VCCS and applicable State and Federal requirements.


APPLICABILITY

The Annual Statement of Compliance is applicable to the System Office and all Colleges.

Requirement:

The checklist (downloadable Annual Statement of Compliance) must be signed by the preparer (Planning Coordinator) and the agency head (College President) and forwarded to:

Director, Technology Services

Virginia Community College System

14th Floor

101 North 14th Street

Richmond, VA 23219

A copy must be retained by the College Information Security Officer (ISO) along with applicable supporting documentation.

VCCS Planning and Business Recovery Program

(ITRM Standard SEC501-01)

 

Completion Checklist and Statement of Compliance

Component

Completion Status

[If not completed, indicate when the process will be completed and provide a justification for not completing the process in its entirety]

Comments

Risk Management

[ ] Completed  [ ] In Progress

 

·       Business Impact Analysis

 

·        IT Security Roles and Responsibilities

 

·        IT System and Data Sensitivity Classification

 

·        IT System Inventory and Definition

 

·        Risk Assessment

 

Contingency Planning

[ ] Completed  [ ] In Progress

 

·        IT Disaster Recovery Planning

 

·        IT System and Data Backup and Restoration

 

IT Systems Security

[ ] Completed  [ ] In Progress

 

·        IT System Hardening

 

·        IT Systems Interoperability Security

 

·        Malicious Code Protection

 

·        IT Systems Development Life Cycle Security

 

Logical Access Control

[ ] Completed  [ ] In Progress

 

·        Account Management

 

·        Password Management

 

·        Remote Access

 

Data Protection

[ ] Completed  [ ] In Progress

 

·        Data Storage Media Protection

 

·        Encryption

 

Facilities Security

[ ] Completed  [ ] In Progress

 

Personnel Security

[ ] Completed  [ ] In Progress

 

·        Access Determination and Control

 

·        IT Security Awareness and Training

 

·        Acceptable Use

 

Threat Management

[ ] Completed  [ ] In Progress

 

·        Threat Detection

 

·        Incident Handling

 

·        IT Security Monitoring and Logging

 

IT Asset Management

[ ] Completed  [ ] In Progress

 

·        IT Asset Control

 

·        Software License Management

 

·        Configuration Management and Change Control

 

 

I certify the results of the Contingency Planning and Business Recovery Program and all applicable VCCS Standards. The final report includes the Business Continuity Plan and the components identified above as outlined in the ITRM Standard SEC501-01. All supporting documentation is on file in the Information Security Office.

 

 

 

___________________________________________________________

 

College Name

 

 

 

___________________________________________________________

 

Preparer’s Signature                                      Date Signed

 

 

 

___________________________________________________________

 

President’s Signature                                    Date Signed

 

 

 

