VA puts new IT internal affairs unit on fast growth track

Computerworld - WASHINGTON -- The laptop theft that roiled the U.S. Department of Veteran Affairs last year prompted a data security overhaul and an ongoing centralization of the agency's IT operations. And it led to the creation of a fast-growing unit that is charged with keeping an eye on IT at the VA.

The Office of IT Oversight and Compliance, known as ITOC, was formed early this year with just seven employees. It now has a staff of 128 workers and is expected to grow to 165 employees by 2009.

In a memo last February (download PDF), VA Secretary R. James Nicholson gave the ITOC a broad mandate to inspect the agency's IT operations and determine whether they are in compliance with laws and regulations. The ITOC will also act as a first responder within the agency to IT security incidents that require review of privacy and security processes.

Arnaldo Claudio, the ITOC's executive director, offered some insight into his organization on Wednesday in testimony before the House Committee on Veterans' Affairs. Claudio was one of more than a half-dozen witnesses who testified at the hearing, which was held to review the progress of the VA's IT reorganization.

Claudio said the ITOC's goal is to provide "independent, objective and quality oversight and compliance assessment services." The unit's rapid growth in head count "is in itself a success story," he said. "Most government programs take years before they can be stood up and become fully operational."

The ITOC has hired workers from within the private sector as well as the government, according to Claudio. It reports to top IT officials at the VA, including CIO Robert Howard, who also testified at the House hearing.

Prior to the creation of the ITOC, a group called the Review Inspection Division (RID) was tasked with doing  reviews and inspections of IT services within the agency. But it was staffed by only five VA employees plus "a handful of contractors," Claudio said. With a total of 12,000 VA sites to inspect, the RID "was given an impossible task to perform," he added.

Claudio told the committee that the idea for the ITOC was suggested, in part, by Eugene Spafford, a professor at Purdue University and executive director of the school's Center for Education and Research in Information Assurance and Security.

Spafford testified before the House Committee on Veterans' Affairs in June 2006 -- one month after the laptop and a hard drive containing the personal data of 26.5 million veterans and active-duty military personnel were stolen from a VA employee's home in Maryland. In his testimony (download PDF), Spafford pointed out that the VA lacked a centralized point of authority "to ensure that rules, procedures and good practices are instituted and observed."