GAO: VA data still at risk

Some sensitive data of veterans remains at risk even though the Veterans Affairs Department has begun improvements to improve information security, according to the latest report from the Government Accountability Office.

VA still has not fully put in place most previous GAO recommendations and the department’s inspector general to strengthen information technology security, according to the report.

“Because these recommendations have not yet been implemented, unnecessary risk exists that personal information of veterans and others would be exposed to data tampering, fraud, and inappropriate disclosure,” said Gregory Wilshusen, GAO’s director of information security issues in a report released this week. He also testified this week at a hearing the Senate Veterans Affairs Committee.

VA has plans for correcting weaknesses. However, it has not implemented a comprehensive security management program nor ensured consistent use of information security performance standards, for example, for appraising senior VA executives, the report said.

The department has yet to complete activities to appropriately restrict access to data and networks; ensure only authorized changes and updates to computer programs; and strengthen infrastructure planning. VA also has not hired a chief information security officer, and so it splits responsibility across existing positions. VA also needs to focus on adequate security controls, Wilshusen said.

“Where VA needs additional work is the actual execution of these policies and procedures that will effectively reduce their risk,” he said.

However, the department has enhanced data security by centralizing IT management and authority under the department CIO, Wilshusen said. VA’s centralized approach promises to provide better management and fiscal oversight of IT systems. That approach also has shortcomings; for example, VA has developed a remedial action plan to develop, document or revise policies or programs, but 87 percent of these do not have an established time frame for implementation, the report said.

GAO made 17 recommendations to improve the effectiveness of VA’s IT security efforts, many of which the department said it has underway. For example, VA will finalize shortly its handbook to provide guidance for developing and documenting elements of information security and standards of behavior for employees.

VA has taken key steps early in its IT reorganization and strengthening of information security. Also, a number of VA’s initiatives will be realized in fiscal 2008, said Robert Howard, the department's chief information officer.

VA has encrypted laptops and flash drives. In addition, it recently awarded a contract for port monitoring, which will prevent employees from using an unauthorized flash drive on VA’s network. The department is also instituting rights management to better protect e-mail. By the end of December, each of VA’s facilities will complete an inventory of all of its IT equipment assets and report issues to the CIO.

“This will establish a VA IT baseline for the first time,” Howard said.

In the aftermath of last year’s dramatic breach that put the sensitive data of 26 million veterans at risk, VA Secretary James Nicholson directed tighter security controls and said his goal was to make VA the “gold standard” for federal IT security.

“We hope to be very close by the end of the [2008] fiscal year,” Howard told lawmakers.

About the Author

Mary Mosquera is a reporter for Federal Computer Week.

Featured

  • FCW Perspectives
    human machine interface

    Your agency isn’t ready for AI

    To truly take advantage, government must retool both its data and its infrastructure.

  • Cybersecurity
    secure network (bluebay/Shutterstock.com)

    Federal CISO floats potential for new supply chain regs

    The federal government's top IT security chief and canvassed industry for feedback on how to shape new rules of the road for federal acquisition and procurement.

  • People
    DHS Secretary Kirstjen Nielsen, shown here at her Nov. 8, 2017, confirmation hearing. DHS Photo by Jetta Disco

    DHS chief Nielsen resigns

    Kirstjen Nielsen, the first Homeland Security secretary with a background in cybersecurity, is being replaced on an acting basis by the Customs and Border Protection chief. Her last day is April 10.

Stay Connected

FCW INSIDER

Sign up for our newsletter.

I agree to this site's Privacy Policy.