GAO: VA data still at risk

Some sensitive data of veterans remains at risk even though the Veterans Affairs Department has begun improvements to improve information security, according to the latest report from the Government Accountability Office.

VA still has not fully put in place most previous GAO recommendations and the department’s inspector general to strengthen information technology security, according to the report.

“Because these recommendations have not yet been implemented, unnecessary risk exists that personal information of veterans and others would be exposed to data tampering, fraud, and inappropriate disclosure,” said Gregory Wilshusen, GAO’s director of information security issues in a report released this week. He also testified this week at a hearing the Senate Veterans Affairs Committee.

VA has plans for correcting weaknesses. However, it has not implemented a comprehensive security management program nor ensured consistent use of information security performance standards, for example, for appraising senior VA executives, the report said.

The department has yet to complete activities to appropriately restrict access to data and networks; ensure only authorized changes and updates to computer programs; and strengthen infrastructure planning. VA also has not hired a chief information security officer, and so it splits responsibility across existing positions. VA also needs to focus on adequate security controls, Wilshusen said.

“Where VA needs additional work is the actual execution of these policies and procedures that will effectively reduce their risk,” he said.

However, the department has enhanced data security by centralizing IT management and authority under the department CIO, Wilshusen said. VA’s centralized approach promises to provide better management and fiscal oversight of IT systems. That approach also has shortcomings; for example, VA has developed a remedial action plan to develop, document or revise policies or programs, but 87 percent of these do not have an established time frame for implementation, the report said.

GAO made 17 recommendations to improve the effectiveness of VA’s IT security efforts, many of which the department said it has underway. For example, VA will finalize shortly its handbook to provide guidance for developing and documenting elements of information security and standards of behavior for employees.

VA has taken key steps early in its IT reorganization and strengthening of information security. Also, a number of VA’s initiatives will be realized in fiscal 2008, said Robert Howard, the department's chief information officer.

VA has encrypted laptops and flash drives. In addition, it recently awarded a contract for port monitoring, which will prevent employees from using an unauthorized flash drive on VA’s network. The department is also instituting rights management to better protect e-mail. By the end of December, each of VA’s facilities will complete an inventory of all of its IT equipment assets and report issues to the CIO.

“This will establish a VA IT baseline for the first time,” Howard said.

In the aftermath of last year’s dramatic breach that put the sensitive data of 26 million veterans at risk, VA Secretary James Nicholson directed tighter security controls and said his goal was to make VA the “gold standard” for federal IT security.

“We hope to be very close by the end of the [2008] fiscal year,” Howard told lawmakers.

About the Author

Mary Mosquera is a reporter for Federal Computer Week.

Featured

  • Workforce
    By Mark Van Scyoc Royalty-free stock photo ID: 285175268

    OPM nominee plans focus on telework, IT, retirement

    Kiran Ahuja, a veteran of the Office of Personnel Management, told lawmakers that she thinks that the lack of consistent leadership in the top position at OPM has taken a toll on the ability of the agency to complete longer term IT modernization projects.

  • Defense
    Soldiers from the Old Guard test the second iteration of the Integrated Visual Augmentation System (IVAS) capability set during an exercise at Fort Belvoir, VA in Fall 2019. Photo by Courtney Bacon

    IVAS and the future of defense acquisition

    The Army’s Integrated Visual Augmentation System has been in the works for years, but the potentially multibillion deal could mark a paradigm shift in how the Defense Department buys and leverages technology.

Stay Connected