GAO: VA must tighten lax inventory controls

Veterans Affairs: Inadequate Controls over IT Equipment at Selected VA Locations Pose Continuing Risk of Theft, Loss, and Misappropriation

The Veterans Affairs Department risks more theft and loss of information technology equipment -- and the sensitive data it might contain -- because of lax internal controls, the Government Accountability Office said.

In tests of inventory controls at four VA locations, GAO identified 123 IT items that went missing in the past year, including 53 computers that could have stored personally identifiable data.

GAO also found that VA did not enforce policies that require inventories of IT equipment, said McCoy Williams, GAO’s director of financial management and assurance.

“We found an overall lack of accountability for IT equipment,” he said at a hearing of the House Veterans’ Affairs Committee’s Oversight and Investigations Subcommittee and in a report released today.

VA also reported a total of 2,400 missing IT items valued at about $6.4 million in fiscal 2005 and 2006 from those four locations, the GAO report states.

Robert Howard, VA’s chief information officer, said he does not know whether the missing computers contain sensitive data, but there have been no indications of data misuse.

“It’s possible, but I couldn’t say,” he said after the hearing. “I have not found any case of identity theft as a result of any of these [past] incidents. We have monitored them closely.”

GAO examined inventory controls at VA’s headquarters and at medical centers in Washington, Indianapolis and San Diego. In tests of computer hard drives that were being disposed of, GAO found no data that had been certified as sanitized. Some drives have been waiting to be sanitized for several years, Williams said.

Since GAO’s 2004 report on VA’s IT inventory, the department has taken actions to strengthen its controls over IT equipment, including clarifying property management policies and centralizing IT functions under the CIO. But VA has not ensured consistent, effective control over the IT equipment inventory or clearly defined employees’ responsibilities.

“Until these shortcomings are addressed, VA will continue to face major challenges in safeguarding IT equipment and sensitive personal data on this equipment from loss, theft and misappropriation,” Williams said.

But if VA takes the actions detailed in its testimony today, the department could get back on track, he added.

“I think this is a good first start in what I see in the testimony,” Williams said. “The proof will be in the actions.”

Howard agreed with GAO’s findings and said it was vitally important that VA remedy the problems.

“With a single IT authority, VA is now in a better position to improve asset management and have actions under way,” he told lawmakers.

VA uses several systems to collect data on IT assets and is planning to adopt a single system. It recently began using IBM’s Maximo Asset Management software to better track inventory and has issued a request for information to identify software that can capture the more detailed data needed to account for IT assets, such as the presence of personally identifiable information, Howard said. He hopes to introduce additional software capabilities by fall.

VA has located some of the equipment reported missing by the Office of Information and Technology under the previous decentralized IT organization. Howard’s team has reduced the number of missing items to 443 and will soon account for the rest, he said.

A team is working to improve asset management and accountability by developing standard procedures, and VA is preparing to issue a new directive and guidelines.

In February, VA expanded the CIO’s responsibilities to include conducting on-site assessments of IT security, privacy and records management, and the physical security of IT assets. To date, the CIO’s office has conducted 58 assessments.

In accordance with the VA’s new directive, employees are being required to sign receipts for the IT equipment they are assigned. The department has also begun deploying software that will detect and monitor any device that is connected to its networks.
