VA probes employee access to sensitive data

Top officials at the Department of Veterans Affairs recently completed an inventory of all employees who have access to the department’s sensitive data and are analyzing the results. VA Secretary Jim Nicholson ordered the inventory after the May 3 theft of a department laptop PC that contained about 26.5 million records on veterans and active-duty members of the military.

The internal inventory assessed employees’ need for sensitive data and how they accessed the information, such as through paper files, electronic databases or virtual private networks. Nicholson did not say how he plans to use the inventory, but the department will likely winnow the number of VA employees who are authorized to access sensitive data.

Nicholson discussed the VA’s reforms for tightening information security and consolidating information technology programs during a House Veterans’ Affairs Committee hearing. At the June 29 hearing, he announced the recovery of the stolen laptop.

Nicholson has ordered a thorough security review of all VA laptops, including the removal of unauthorized data and a review to determine whether encryption programs are necessary. He asked for recommendations on protecting sensitive data.

“I am convinced that, coming out of a very bad situation, we can make the VA a model for data security in the government and in the country,” Nicholson told the committee.

Despite lawsuits by several veterans groups and grievances filed by labor unions, he said, the VA is moving ahead with steps to tighten internal security, centralize the IT programs of the department’s three administrations and help veterans affected by the data theft. The critics say the VA’s proposed IT centralization plan violates collective bargaining agreements.

Last month, Nicholson established the VA information security program, which will establish standards for accessing VA information systems and require officials to report compliance failures or policy violations immediately. He also ordered annual cybersecurity and privacy awareness training for all VA employees.

Nicholson told the committee that the department has hired an independent special adviser for information security, Richard Romley, a former Maricopa County, Ariz., district attorney.

He also announced that retired Adm. Patrick Dunne is working at the VA as a consultant while awaiting Senate confirmation to become assistant secretary of the Office of Policy, Planning and Preparedness.

The staff shakeup included the resignation of Pedro Cadenas Jr., who was acting deputy assistant secretary for IT. Acting Assistant Secretary Dennis Duffy, who was placed on administrative leave after the data theft, has retired. And the unnamed official whose laptop was stolen from his suburban Maryland home remains on administrative leave, VA spokesman Matthew Burns said.

Alan Paller, director of research at the SANS Institute, said providing the VA CIO with greater authority is very important. But Paller added that Nicholson is between a rock and a hard place because “he’ll never have enough resources to meet the unmeetable [security] requirements” set by Congress and secure the VA’s IT systems.

Meanwhile, the VA’s plan to provide free credit monitoring to veterans affected by the laptop theft, at a projected cost of $160.5 million, is on hold. The department “will make a determination about the proposal once it receives information on the results of the FBI’s more thorough forensic examination of the recovered computer equipment,” Burns said.