VA Slow to Strengthen IT Security

Agency has made some gains but still faces data risks, federal auditors say

The U.S. Department of Veterans Affairs still hasn’t adequately addressed many of the internal IT security shortcomings cited following the loss last May of a laptop with personal data on 26.5 million veterans and active-duty personnel, according to federal government and agency auditors.

As a result, sensitive data is still at risk of being accidentally or deliberately misused across the VA, the auditors warned last week at a congressional hearing on the agency’s information and security management processes.

In response, VA Deputy Secretary Gordon Mansfield said the agency is working hard to implement a series of recommended changes and has made “substantial progress in a relatively short time frame.” He acknowledged, though, that the VA has yet to achieve its overall goal of becoming a security role model for other federal agencies.

“We have done a lot of work and come a long way since last May’s major incident occurred,” Mansfield said. “But we still have an awful long way to go.”

The hearing was held by the oversight and investigations subcommittee of the House Committee on Veterans’ Affairs. Rep. Harry Mitchell (D-Ariz.), the subcommittee’s chairman, said the panel originally planned to review the VA’s information security efforts later this year. But the review was accelerated after the VA disclosed last month that a portable hard drive with information on up to 1.8 million veterans and doctors was reported missing from its medical center in Birmingham, Ala., on Jan. 22.

Gregory Wilshusen, director of information security issues at the U.S. Government Accountability Office, said at the hearing that the VA has taken several “important steps” to improve its IT security practices. Those steps include an ongoing centralization of security functions and personnel under the CIO’s office and the establishment of “a data security corrective plan” to serve as a guideline for some of the security improvements, he said.

But many of those changes have yet to be fully implemented, Wilshusen added. For example, policies for assessing risks and implementing enterprise patch management capabilities haven’t been developed. Nor does the VA have a plan for proactively mitigating known vulnerabilities across all of its systems, he said.

In addition, of the 24 agencies covered under the Federal Information Security Management Act, the VA is the only one that didn’t submit a report for 2006 on its compliance with FISMA to the White House Office of Management and Budget, Wilshusen said.

Need for Accountability

Maureen Regan, counselor to the VA’s inspector general, said at the hearing that there now is a greater awareness of the need for change within the agency. But there is still a lack of effective internal controls and accountability, she added.

An ongoing audit of the VA’s FISMA compliance has shown that none of the 17 security recommendations made in previous reports has been implemented thus far, Regan said. She also said that the inspector general’s office expects to cite “several new high-risk areas,” including remote access and the ability of nonemployees to gain access to sensitive data.

Although 10 months have elapsed since the laptop was stolen from the home of a VA employee, the agency has yet to determine how many of its employees and contractors are using personally owned systems to access VA networks and data, said Regan.

The agency also doesn’t have any way of knowing what data is being downloaded and stored on such devices, she said. In addition, much of the agency’s sensitive data remains unencrypted, as do many e-mail transmissions.

Mansfield pointed to the ongoing centralization of the VA’s IT organization and the establishment of a security operations center as examples of the changes the agency is making. He also noted that at an off-site meeting of senior managers on Feb. 21, VA Secretary R. James Nicholson reiterated his order that all supervisors take responsibility for protecting information.

But progress at the VA has been slow because of the enormous scope of the work involved, Mansfield said. “We still have out there a largely decentralized system,” he said. “It is nonstandardized. So there are no simple fixes.”

Robert Howard, the VA’s assistant secretary for information and technology, said the agency is on track to complete the centralization of all IT operations by July 2008. All software development programs will be shifted to the central IT unit by the start of next month, according to Howard.

Meanwhile, the search is on again to find a chief information security officer, a position that has been vacant since the VA’s former CISO resigned last June. Mansfield said the hiring process has been delayed because a candidate who had been chosen for the job decided to accept another offer at the last minute.

Copyright © 2007 IDG Communications, Inc.
