GAO: VA data still at risk

Some sensitive data of veterans remains at risk even though the Veterans Affairs Department has begun improvements to improve information security, according to the latest report from the Government Accountability Office.

VA still has not fully put in place most previous GAO recommendations and the department’s inspector general to strengthen information technology security, according to the report.

“Because these recommendations have not yet been implemented, unnecessary risk exists that personal information of veterans and others would be exposed to data tampering, fraud, and inappropriate disclosure,” said Gregory Wilshusen, GAO’s director of information security issues in a report released this week. He also testified this week at a hearing the Senate Veterans Affairs Committee.

VA has plans for correcting weaknesses. However, it has not implemented a comprehensive security management program nor ensured consistent use of information security performance standards, for example, for appraising senior VA executives, the report said.

The department has yet to complete activities to appropriately restrict access to data and networks; ensure only authorized changes and updates to computer programs; and strengthen infrastructure planning. VA also has not hired a chief information security officer, and so it splits responsibility across existing positions. VA also needs to focus on adequate security controls, Wilshusen said.

“Where VA needs additional work is the actual execution of these policies and procedures that will effectively reduce their risk,” he said.

However, the department has enhanced data security by centralizing IT management and authority under the department CIO, Wilshusen said. VA’s centralized approach promises to provide better management and fiscal oversight of IT systems. That approach also has shortcomings; for example, VA has developed a remedial action plan to develop, document or revise policies or programs, but 87 percent of these do not have an established time frame for implementation, the report said.

GAO made 17 recommendations to improve the effectiveness of VA’s IT security efforts, many of which the department said it has underway. For example, VA will finalize shortly its handbook to provide guidance for developing and documenting elements of information security and standards of behavior for employees.

VA has taken key steps early in its IT reorganization and strengthening of information security. Also, a number of VA’s initiatives will be realized in fiscal 2008, said Robert Howard, the department's chief information officer.

VA has encrypted laptops and flash drives. In addition, it recently awarded a contract for port monitoring, which will prevent employees from using an unauthorized flash drive on VA’s network. The department is also instituting rights management to better protect e-mail. By the end of December, each of VA’s facilities will complete an inventory of all of its IT equipment assets and report issues to the CIO.

“This will establish a VA IT baseline for the first time,” Howard said.

In the aftermath of last year’s dramatic breach that put the sensitive data of 26 million veterans at risk, VA Secretary James Nicholson directed tighter security controls and said his goal was to make VA the “gold standard” for federal IT security.

“We hope to be very close by the end of the [2008] fiscal year,” Howard told lawmakers.

About the Author

Mary Mosquera is a reporter for Federal Computer Week.

Featured

  • Defense
    The U.S. Army Corps of Engineers and the National Geospatial-Intelligence Agency (NGA) reveal concept renderings for the Next NGA West (N2W) campus from the design-build team McCarthy HITT winning proposal. The entirety of the campus is anticipated to be operational in 2025.

    How NGA is tackling interoperability challenges

    Mark Munsell, the National Geospatial-Intelligence Agency’s CTO, talks about talent shortages and how the agency is working to get more unclassified data.

  • Veterans Affairs
    Veterans Affairs CIO Jim Gfrerer speaks at an Oct. 10 FCW event (Photo credit: Troy K. Schneider)

    VA's pivot to agile

    With 10 months on the job, Veterans Affairs CIO Jim Gfrerer is pushing his organization toward a culture of constant delivery.

Stay Connected

FCW INSIDER

Sign up for our newsletter.

I agree to this site's Privacy Policy.