Information Security: Sustained Management Commitment and Oversight Are Vital to Resolving Long-standing Weaknesses at the Department of Veterans Affairs

GAO-07-1019 September 7, 2007
Highlights Page (PDF)   Full Report (PDF, 52 pages)   Accessible Text   Recommendations (HTML)

Summary

In May 2006, the Department of Veterans Affairs (VA) announced that computer equipment containing personal information on approximately 26.5 million veterans and active duty military personnel had been stolen. Given the importance of information technology (IT) to VA's mission, effective information security controls are critical to maintaining public and veteran confidence in its ability to protect sensitive information. GAO was asked to evaluate (1) whether VA has effectively addressed GAO and VA Office of Inspector General (IG) information security recommendations and (2) actions VA has taken since May 2006 to strengthen its information security practices and secure personal information. To do this, GAO examined security policies and action plans, interviewed pertinent department officials, and conducted testing of encryption software at select VA facilities.

Although VA has made progress, it has not yet fully implemented most of the key GAO and IG recommendations to strengthen its information security practices. Specifically, VA has implemented two GAO recommendations: to develop a process for managing its plan to correct identified weaknesses and to regularly report on progress in updating its security plan to the Secretary. However, it has not fully implemented two other GAO recommendations: to complete a comprehensive security management program and to ensure consistent use of information security performance standards for appraising senior VA executives. In addition, the department has not yet fully implemented 20 of 22 recommendations made by the IG in 2006. For example, VA has not completed activities to appropriately restrict access to data, networks, and department facilities; ensure that only authorized changes and updates to computer programs are made; and strengthen critical infrastructure planning. Because these recommendations have not yet been implemented, unnecessary risk exists that the personal information of veterans and others, such as medical providers, will be exposed to data tampering, fraud, and inappropriate disclosure. Since the May 2006 security incident, VA has continued or begun several major initiatives to strengthen its information security practices and secure personal information within the department, but more remains to be done. These initiatives include continuing efforts begun in October 2005 to reorganize its management structure to provide better oversight and fiscal discipline over its IT systems; developing an action plan to correct identified weaknesses; establishing an information protection program; improving its incident management capability; and establishing an office responsible for oversight of IT within the department. However, implementation shortcomings limit the effectiveness of these initiatives. 
For example, no documented process exists between the Director of Field Operations and Security and the chief information security officer (CISO) to ensure the effective coordination and implementation of security policies and procedures within the department. In addition, the position of the CISO has been unfilled since June 2006. Although 39 percent of items in the department's remedial action plan are tasks to develop, document, revise, or update a policy or program, 87 percent of these items have no corresponding task with an established time frame for implementation across the department. VA also did not have clear guidance for identifying devices that require encryption functionality, and it lacked adequate procedures for incident response and notification. Finally, VA's Office of IT Oversight and Compliance lacks a standard methodology and established criteria to ensure that its examination of internal controls is consistent across VA facilities. Until the department addresses recommendations to resolve identified weaknesses and implements the major initiatives it has undertaken, it will have limited assurance that it can protect its systems and information from the unauthorized disclosure, misuse, or loss of personal information of veterans and other personnel.



Recommendations

Our recommendations from this work are listed below with a contact for more information. Status will change from "In process" to "Implemented" or "Not implemented" based on our follow-up work.

Director: Gregory C. Wilshusen
Team: Government Accountability Office: Information Technology
Phone: (202) 512-6244


Recommendations for Executive Action


Recommendation: To assist the department in improving its ability to protect its information and systems, the Secretary of Veterans Affairs should finalize and approve Handbook 6500 to provide guidance for developing, documenting, and implementing the elements of the information security program.

Agency Affected: Department of Veterans Affairs

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: To assist the department in improving its ability to protect its information and systems, the Secretary of Veterans Affairs should develop, document, and implement a process for reviewing on a regular basis the performance plans of senior executives to ensure that information security is included as an evaluation element.

Agency Affected: Department of Veterans Affairs

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: To assist the department in improving its ability to protect its information and systems, the Secretary of Veterans Affairs should develop, document, and implement a process for the Director of Field Operations and Security and Director of Cyber Security to coordinate with each other on the implementation of IT security policies and procedures throughout the department.

Agency Affected: Department of Veterans Affairs

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: To assist the department in improving its ability to protect its information and systems, the Secretary of Veterans Affairs should document clearly defined responsibilities in the organization book for the Director of Field Operations and Security and the Director of Cyber Security for coordinating the implementation of IT security policies and procedures within the department.

Agency Affected: Department of Veterans Affairs

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: To assist the department in improving its ability to protect its information and systems, the Secretary of Veterans Affairs should act expeditiously to fill the position of the Chief Information Security Officer.

Agency Affected: Department of Veterans Affairs

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: To assist the department in improving its ability to protect its information and systems, the Secretary of Veterans Affairs should revise Directive 6500 to reflect the new IT management structure and to ensure that roles and responsibilities are consistent in all VA IT directives.

Agency Affected: Department of Veterans Affairs

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: To assist the department in improving its ability to protect its information and systems, the Secretary of Veterans Affairs should develop, document, and implement procedures for the action plan to ensure that action items are addressed in an effective and timely manner.

Agency Affected: Department of Veterans Affairs

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: To assist the department in improving its ability to protect its information and systems, the Secretary of Veterans Affairs should establish tasks with time frames for implementation of policies and procedures in the action plan.

Agency Affected: Department of Veterans Affairs

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: To assist the department in improving its ability to protect its information and systems, the Secretary of Veterans Affairs should develop, document, and implement a process to validate the closure of action plan items.

Agency Affected: Department of Veterans Affairs

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: To assist the department in improving its ability to protect its information and systems, the Secretary of Veterans Affairs should include in the action plan the activities taken to address GAO recommendations.

Agency Affected: Department of Veterans Affairs

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: To assist the department in improving its ability to protect its information and systems, the Secretary of Veterans Affairs should develop, document, and implement clear guidance for identifying devices that require encryption functionality.

Agency Affected: Department of Veterans Affairs

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: To assist the department in improving its ability to protect its information and systems, the Secretary of Veterans Affairs should maintain an accurate inventory of all IT equipment that has encryption installed.

Agency Affected: Department of Veterans Affairs

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: To assist the department in improving its ability to protect its information and systems, the Secretary of Veterans Affairs should develop and document procedures that include a mechanism for obtaining contact information on individuals whose information is compromised in security incidents.

Agency Affected: Department of Veterans Affairs

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: To assist the department in improving its ability to protect its information and systems, the Secretary of Veterans Affairs should conduct an assessment of what constitutes high-risk data for the information located at VA facilities and in information systems.

Agency Affected: Department of Veterans Affairs

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: To assist the department in improving its ability to protect its information and systems, the Secretary of Veterans Affairs should develop and document a process for appropriate coordination and mitigation activities based on the assessment above.

Agency Affected: Department of Veterans Affairs

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: To assist the department in improving its ability to protect its information and systems, the Secretary of Veterans Affairs should develop, document, and implement a standard methodology and established criteria for evaluating the internal controls at facilities.

Agency Affected: Department of Veterans Affairs

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: To assist the department in improving its ability to protect its information and systems, the Secretary of Veterans Affairs should establish a mechanism to track VA's Office of IT Oversight and Compliance recommendations made to facilities and conduct regular follow-up on the status of the recommendations.

Agency Affected: Department of Veterans Affairs

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.