GAO: VA data still at risk

Some sensitive data of veterans remains at risk even though the Veterans Affairs Department has begun improvements to improve information security, according to the latest report from the Government Accountability Office.VA still has not fully put in place most previous GAO recommendations and the department’s inspector general to strengthen information technology security, according to the report.“Because these recommendations have not yet been implemented, unnecessary risk exists that personal information of veterans and others would be exposed to data tampering, fraud, and inappropriate disclosure,” said Gregory Wilshusen, GAO’s director of information security issues in a report released this week. He also testified this week at a hearing the Senate Veterans Affairs Committee.VA has plans for correcting weaknesses. However, it has not implemented a comprehensive security management program nor ensured consistent use of information security performance standards, for example, for appraising senior VA executives, the report said.The department has yet to complete activities to appropriately restrict access to data and networks; ensure only authorized changes and updates to computer programs; and strengthen infrastructure planning. VA also has not hired a chief information security officer, and so it splits responsibility across existing positions. VA also needs to focus on adequate security controls, Wilshusen said.“Where VA needs additional work is the actual execution of these policies and procedures that will effectively reduce their risk,” he said.However, the department has enhanced data security by centralizing IT management and authority under the department CIO, Wilshusen said. VA’s centralized approach promises to provide better management and fiscal oversight of IT systems. That approach also has shortcomings; for example, VA has developed a remedial action plan to develop, document or revise policies or programs, but 87 percent of these do not have an established time frame for implementation, the report said.GAO made 17 recommendations to improve the effectiveness of VA’s IT security efforts, many of which the department said it has underway. For example, VA will finalize shortly its handbook to provide guidance for developing and documenting elements of information security and standards of behavior for employees.VA has taken key steps early in its IT reorganization and strengthening of information security. Also, a number of VA’s initiatives will be realized in fiscal 2008, said Robert Howard, the department's chief information officer.VA has encrypted laptops and flash drives. In addition, it recently awarded a contract for port monitoring, which will prevent employees from using an unauthorized flash drive on VA’s network. The department is also instituting rights management to better protect e-mail. By the end of December, each of VA’s facilities will complete an inventory of all of its IT equipment assets and report issues to the CIO.“This will establish a VA IT baseline for the first time,” Howard said.In the aftermath of last year’s dramatic breach that put the sensitive data of 26 million veterans at risk, VA Secretary James Nicholson directed tighter security controls and said his goal was to make VA the “gold standard” for federal IT security.“We hope to be very close by the end of the [2008] fiscal year,” Howard told lawmakers.