Patchwork policy can't protect data: VA IG
- By Mary Mosquera
- Jul 12, 2006
The Veterans Affairs Department was incapable of protecting sensitive data because its policies were fragmented across the department, according to a report issued by the VA Office of Inspector General.
VA did not have adequate policies and procedures to keep personal data from walking out the door when an employee took home sensitive information that was subsequently stolen, the report stated. It also criticized actions of VA senior staff and officials.
Lawmakers have expressed concern over the number of recent data breaches at other agencies, including the Energy and Agriculture Departments, the IRS and Navy. In fact, House Government Reform Committee Chairman Tom Davis (R-Va.) is seeking a picture of the extent of data breaches from all major agencies.
VA reacted slowly in response to the loss of the sensitive personal data in May, and 'information security officials acted with indifference and little sense of urgency,' said inspector general George Opfer.
The report reflects the poor information security environment detailed in numerous recent congressional hearings. VA policies and procedures, such as they were, were not easy to identify and were not current or complete, Opfer added.
VA secretary Jim Nicholson agreed with the report's recommendations and detailed actions he has taken, but the inspector general said that was not enough.
'Although policies implemented by the secretary since the incident are a positive step, more needs to be done to ensure protected information is adequately safeguarded,' Opfer said in the report released yesterday.
Among Opfer's recommendations, VA's Nicholson should:
- Take whatever administrative action he considers appropriate concerning individuals involved in the untimely notification of the data loss
- Establish a single, clear VA policy on safeguarding protected information stored or not stored on VA automated systems
- Modify and strengthen mandatory cybersecurity and privacy awareness training
- Ensure that all job descriptions are evaluated and have appropriate and consistent sensitivity level designations for positions that have access to protected information.
For several years, the inspector general has reported major weaknesses with IT security controls. The recurring themes in numerous reports point to the need for a centralized approach to achieve standardization, remediation of identified weaknesses, a clear chain of command and accountability for IT security.
'Each year, we continue to repeat deficiencies and repeat recommendations that remain unimplemented,' Opfer said.
Nicholson has begun centralizing IT management and operations under the department CIO, although software development will remain with the health care, benefits and burial administrations. He said he plans to further centralize all IT development in the future. Significantly, Nicholson also recently delegated all IT security, including enforcement, to the CIO.
'I will not be satisfied until VA is recognized as the leader in the federal government in information security,' he said in his letter of response to the report.
As a result of the VA and other recent data breaches, Davis and ranking House Government Reform Committee Democrat Rep. Henry Waxman (Calif.) have asked all major federal agencies to provide details about incidents of the loss or compromise of sensitive data since 2003. Lawmakers want a full picture of the information security vulnerabilities across government. Agencies are to report back to the committee by July 24.
Mary Mosquera is a reporter for Federal Computer Week.