VA security still in recovery mode
Department officials emphasize progress in enforcing their IT security policies
In February, when someone stole a laptop PC belonging to the Veterans Affairs Department, the consequences were negligible because the department had revamped its information security policies and technologies after a widely publicized laptop theft in 2006.
VA has made measurable progress in strengthening its information security policies, procedures and applications, but advances have come slowly because of VA’s decentralized organization, said Robert Howard, VA’s chief information officer. VA remains in the public eye because of the 2006 laptop incident.
The theft exposed VA to criticism from the public and the Government Accountability Office. GAO, in a September 2007 report, sharply criticized the VA for making only partial progress in adhering to recommendations that GAO and the VA inspector general issued after the theft. That report identified “sustained management commitment and oversight” as a critical need.
Howard said that since the theft, VA has created a comprehensive plan of 400 actions, 40 percent of which the department has completed so far. The actions include establishing policies and directives, procuring more secure software and hardware, and instituting better training. Although the department has not reached all the milestones Howard would like, the CIO’s office now has direct oversight of about 7,000 IT employees, a degree of centralization the department did not have before the theft.
“Clearly, [increasing] the centralization of information and information technology within VA has had a positive impact on the protection of sensitive information,” Howard said at a recent event sponsored by AFCEA International’s Washington chapter.
VA has introduced stronger security controls as part of its plan to improve security and comply with directives from the Office of Management and Budget to protect personally identifiable information. The department has encrypted data on all its laptops and required physicians and other partners and contractors who use their personal computers to handle sensitive VA data to encrypt it.
VA published a new handbook, which describes for all managers and employees its information protection policies, processes and procedures to comply with the Federal Information Security Management Act (FISMA) and other federal laws. The handbook includes the National Rules of Behavior, a document that employees must read and sign before they receive access to VA’s systems and sensitive data.
Although the department performed poorly in the latest survey of compliance with FISMA, Howard said he expects that to change this year.
VA’s IG rated the department’s certification and accreditation (C&A) of its systems’ security as poor in fiscal 2007.
By Sept. 30, VA plans to finish redesigning its C&A process for assessing the security of its systems, Howard said. The department will switch from a checklist approach to continuous monitoring and ongoing testing of security controls.
VA will assess all 600 of its major systems this year. Starting in 2009, VA will certify and accredit one-third of its systems each year, said Adair Martinez, VA’s deputy assistant secretary for information protection and risk management. “That will make certification and accreditation more operational,” she said, adding that VA has put together a team to focus on C&A.
The department also is prioritizing its plan of action and milestones to fix FISMA weaknesses, and it is producing daily reports on the status of its remediation actions. “We have intense efforts going on to turn around personal accountability, but it will take time,” Howard said.
More than 90 percent of VA employees have received security and privacy awareness training, Howard said. By the end of September, the department will complete a departmentwide deployment of the Learning Management System provided under the Office of Personnel Management’s Human Resources Line of Business to track which VA employees and contractors have received security training.
In addition to online training, VA promotes security awareness during an annual computer security week, Martinez said.
VA is also installing new technology that will help employees follow the department’s security policies and procedures. In June, the department will finish installing Microsoft’s rights management system, a complement to its public-key infrastructure, to secure e-mail and documents, said Charles De Sanno, executive director of VA’s Enterprise Infrastructure Engineering and Northeast Operations in New York.
De Sanno’s region has also tested port and device control software, which VA will deploy in all its regions by September. Improvements in secure remote access, including checks for security policy compliance at the department’s Internet gateways, will be completed in July, De Sanno said. And by the end of September, VA expects to deploy Microsoft System Center to create a standardized infrastructure for patch management.