GAO: VA data still at risk

Some sensitive data of veterans remains at risk even though the Veterans Affairs Department has begun improvements to improve information security, according to the latest report from the Government Accountability Office.

VA still has not fully put in place most previous GAO recommendations and the department’s inspector general to strengthen information technology security, according to the report.

“Because these recommendations have not yet been implemented, unnecessary risk exists that personal information of veterans and others would be exposed to data tampering, fraud, and inappropriate disclosure,” said Gregory Wilshusen, GAO’s director of information security issues in a report released this week. He also testified this week at a hearing the Senate Veterans Affairs Committee.

VA has plans for correcting weaknesses. However, it has not implemented a comprehensive security management program nor ensured consistent use of information security performance standards, for example, for appraising senior VA executives, the report said.

The department has yet to complete activities to appropriately restrict access to data and networks; ensure only authorized changes and updates to computer programs; and strengthen infrastructure planning. VA also has not hired a chief information security officer, and so it splits responsibility across existing positions. VA also needs to focus on adequate security controls, Wilshusen said.

“Where VA needs additional work is the actual execution of these policies and procedures that will effectively reduce their risk,” he said.

However, the department has enhanced data security by centralizing IT management and authority under the department CIO, Wilshusen said. VA’s centralized approach promises to provide better management and fiscal oversight of IT systems. That approach also has shortcomings; for example, VA has developed a remedial action plan to develop, document or revise policies or programs, but 87 percent of these do not have an established time frame for implementation, the report said.

GAO made 17 recommendations to improve the effectiveness of VA’s IT security efforts, many of which the department said it has underway. For example, VA will finalize shortly its handbook to provide guidance for developing and documenting elements of information security and standards of behavior for employees.

VA has taken key steps early in its IT reorganization and strengthening of information security. Also, a number of VA’s initiatives will be realized in fiscal 2008, said Robert Howard, the department's chief information officer.

VA has encrypted laptops and flash drives. In addition, it recently awarded a contract for port monitoring, which will prevent employees from using an unauthorized flash drive on VA’s network. The department is also instituting rights management to better protect e-mail. By the end of December, each of VA’s facilities will complete an inventory of all of its IT equipment assets and report issues to the CIO.

“This will establish a VA IT baseline for the first time,” Howard said.

In the aftermath of last year’s dramatic breach that put the sensitive data of 26 million veterans at risk, VA Secretary James Nicholson directed tighter security controls and said his goal was to make VA the “gold standard” for federal IT security.

“We hope to be very close by the end of the [2008] fiscal year,” Howard told lawmakers.

About the Author

Mary Mosquera is a reporter for Federal Computer Week.

Featured

  • Contracting
    8 prototypes of the border walls as tweeted by CBP San Diego

    DHS contractors face protests – on the streets

    Tech companies are facing protests internally from workers and externally from activists about doing for government amid controversial policies like "zero tolerance" for illegal immigration.

  • Workforce
    By Mark Van Scyoc Royalty-free stock photo ID: 285175268

    At OPM, Weichert pushes direct hire, pay agent changes

    Margaret Weichert, now acting director of the Office of Personnel Management, is clearing agencies to make direct hires in IT, cyber and other tech fields and is changing pay for specialized occupations.

  • Cloud
    Shutterstock ID ID: 222190471 By wk1003mike

    IBM protests JEDI cloud deal

    As the deadline to submit bids on the Pentagon's $10 billion, 10-year warfighter cloud deal draws near, IBM announced a legal protest.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.