Policy and Program Guide

The Virginia Department of Social Services (VDSS) uses personal, financial and tax data daily to serve individuals and families across Virginia. Much of this information is sensitive.

This policy explains how we protect that information and what is expected of anyone who uses VDSS systems or data. Keeping information safe helps protect people, maintain trust and ensure services continue without interruption. 

Our Guiding Principles 

We follow these core principles when protecting information: 

  • Information is a valuable resource and must be protected. 
  • Access is limited to people who need it to do their jobs. 
  • Information security supports both our work and our technology. 
  • Security decisions are based on risk and practicality. 
  • Policies guide the work, but leaders carry them out. 
  • Everyone shares responsibility for keeping information safe. 

Keeping information safe helps: 

  • Protect clients and employees 
  • Maintain public trust 
  • Ensure services remain available 

Information security is a shared responsibility.

Who Must Follow This Policy 

This policy applies to all individuals who use VDSS systems or information, including: 

  • Employees and supervisors 
  • Local department staff 
  • Contractors and subcontractors 
  • Volunteers and interns 
  • Business partners and vendors 

Your Responsibilities 

If you use VDSS systems or information, you are expected to: 

Follow Required Policies 

  • Follow all VDSS security, privacy and acceptable use policies. 
  • Complete required security and privacy training on time. 
  • Protect sensitive information you can access. 
  • Keep passwords private and secure. 
  • Use encryption when sending or storing sensitive data. 
  • Report security concerns right away. 
  • Sign the Information Security Policy Acknowledgement and Non-Disclosure Agreement before receiving access.
  • Re-acknowledge this agreement each year as part of required training. 

You are not expected to fix problems on your own. Reporting concerns quickly helps limit harm and protect people. 

Complete Required Training

  • New employees must complete security and privacy training within 30 days.
  • All users must complete annual refresher training.
  • Training is based on job role and system access.

Protect Information

  • Use secure methods to store and send sensitive information.
  • Encrypt sensitive data when stored or shared.
  • Never share passwords or login information.
  • Protect paper files and printed records.
  • Keep private conversations private. Do not discuss sensitive cases where others can hear.

Speak Up When Something Goes Wrong

  • Report any suspected or actual security issue right away.
  • You are not expected to fix the problem yourself.
  • Reporting helps protect people and prevent further harm.

What Is Considered Sensitive Information

Sensitive information is any data that could cause harm if it is lost, shared or changed without permission.

This includes:

  • Personal information that can identify someone
  • Federal tax information
  • Confidential information from outside partners
  • Certain internal leadership documents

Sensitive information must always be handled with care to protect privacy and safety.

Personally Identifiable Information

Personally identifiable information includes details that can identify a person, such as:

  • Names and addresses
  • Phone numbers and email addresses
  • Social Security numbers
  • Bank account numbers
  • Birth dates and places
  • Biometric data

This information must be protected at all times.

Federal Tax Information 

Federal Tax Information has special handling requirements. 

Key points to know: 

  • Access is limited: only people with a job-related need may access this information. 
  • It must never be shared or stored without proper protection. 
  • Information received directly from a client is not considered Federal Tax Information. 
  • Federal Tax Information must never be altered to bypass security rules. 
  • Systems that store this information are regularly tested for security. 

Protection requirements continue even after employment ends. 

Safeguards and Reviews 

Safeguards help protect taxpayers and maintain trust. 

VDSS regularly reviews how sensitive information is protected. 

These reviews: 

  • May be conducted on-site, remotely or a mix of both  
  • Focus on security controls, not individual or job performance 
  • Help ensure protections remain effective 

Reviews occur on a three-year cycle, and additionally as needed, to support improvement and accountability. 

Reporting Security Incidents 

Report security concerns as soon as possible.  

This includes: 

  • Improper sharing of information 
  • Unauthorized access 
  • Lost or stolen devices 
  • Suspicious system activity 
  • Data spills or breaches 

What to do: 

  • Report the issue immediately using approved reporting channels 
  • Share only the necessary details 
  • Use secure methods when sending sensitive information 

Reporting quickly helps protect people and systems. 

Reporting Timelines 

  • Most incidents must be reported within 24 hours. 
  • Incidents involving certain data types may require faster reporting. 

Reports should include basic details and use encrypted methods when sharing sensitive information. 

Laws and Protections 

Several state and federal laws require VDSS to protect personal and tax information. 

Misuse of information can result in: 

  • Disciplinary action 
  • Fines or penalties 
  • Criminal charges in serious cases 

These laws continue to apply after you no longer work at VDSS. They exist to protect individuals, not to create fear. 

Compliance 

VDSS monitors compliance through reviews, audits and inspections. Access to systems or data may be removed when needed to protect information. 

VDSS checks compliance through: 

  • Reviews and audits 
  • Monitoring systems 
  • Evaluations and inspections 

Compliance helps ensure information stays protected and services continue. 

Requesting an Exception 

In rare cases, following a policy may cause serious operational challenges. 

When this happens: 

  • A written request may be submitted 
  • The request must explain the reason and how risks will be managed 
  • Approval is required before any exception is used 
  • Denied requests may be appealed  

Exceptions are reviewed carefully to protect people and systems. 

Information security is about protecting people, not assigning blame. Asking questions, following guidance and reporting concerns help keep everyone safe. 

This guide helps everyone: 

  • Understand their role in protecting information 
  • Make safe, informed choices 
  • Report concerns without fear 
  • Support the mission of VDSS 

Security is not about blame. It is about care, awareness and shared responsibility. If you are unsure what to do, reach out. Contact VDSS.Security@dss.virginia.gov.