This is the accessible text file for GAO report number GAO-07-1019 
entitled 'Information Security: Sustained Management Commitment and 
Oversight are Vital to Resolving Long-standing Weaknesses at the 
Department of Veterans Affairs' which was released on September 19, 
2007. 

This text file was formatted by the U.S. Government Accountability 
Office (GAO) to be accessible to users with visual impairments, as part 
of a longer term project to improve GAO products' accessibility. Every 
attempt has been made to maintain the structural and data integrity of 
the original printed product. Accessibility features, such as text 
descriptions of tables, consecutively numbered footnotes placed at the 
end of the file, and the text of agency comment letters, are provided 
but may not exactly duplicate the presentation or format of the printed 
version. The portable document format (PDF) file is an exact electronic 
replica of the printed version. We welcome your feedback. Please E-mail 
your comments regarding the contents or accessibility features of this 
document to Webmaster@gao.gov. 

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately. 

Report to Congressional Requesters: 

United States Government Accountability Office: 

GAO: 

September 2007: 

Information Security: 

Sustained Management Commitment and Oversight Are Vital to Resolving 
Long-standing Weaknesses at the Department of Veterans Affairs: 

VA Information Security: 

GAO-07-1019: 

GAO Highlights: 

Highlights of GAO-07-1019, a report to congressional requesters. 

Why GAO Did This Study: 

In May 2006, the Department of Veterans Affairs (VA) announced that 
computer equipment containing personal information on approximately 
26.5 million veterans and active duty military personnel had been 
stolen. Given the importance of information technology (IT) to VA's 
mission, effective information security controls are critical to 
maintaining public and veteran confidence in its ability to protect 
sensitive information. GAO was asked to evaluate (1) whether VA has 
effectively addressed GAO and VA Office of Inspector General (IG) 
information security recommendations and (2) actions VA has taken since 
May 2006 to strengthen its information security practices and secure 
personal information. To do this, GAO examined security policies and 
action plans, interviewed pertinent department officials, and conducted 
testing of encryption software at select VA facilities. 

What GAO Found: 

Although VA has made progress, it has not yet fully implemented most of 
the key GAO and IG recommendations to strengthen its information 
security practices. Specifically, VA has implemented two GAO 
recommendations: to develop a process for managing its plan to correct 
identified weaknesses and to regularly report to the Secretary on 
progress in updating its security plan. However, it has not fully 
implemented two other GAO recommendations: to complete a comprehensive 
security management program and to ensure consistent use of information 
security performance standards for appraising senior VA executives. In 
addition, the department has not yet fully implemented 20 of 22 
recommendations made by the IG in 2006. For example, VA has not 
completed activities to appropriately restrict access to data, 
networks, and department facilities; ensure that only authorized 
changes and updates to computer programs are made; and strengthen 
critical infrastructure planning. Because these recommendations have 
not yet been implemented, unnecessary risk exists that the personal 
information of veterans and others, such as medical providers, will be 
exposed to data tampering, fraud, and inappropriate disclosure. 

Since the May 2006 security incident, VA has continued or begun several 
major initiatives to strengthen its information security practices and 
secure personal information within the department, but more remains to 
be done. These initiatives include continuing efforts begun in October 
2005 to reorganize its management structure to provide better oversight 
and fiscal discipline over its IT systems; developing an action plan to 
correct identified weaknesses; establishing an information protection 
program; improving its incident management capability; and establishing 
an office responsible for oversight of IT within the department. 
However, implementation shortcomings limit the effectiveness of these 
initiatives. For example, no documented process exists between the 
Director of Field Operations and Security and the chief information 
security officer (CISO) to ensure the effective coordination and 
implementation of security policies and procedures within the 
department. In addition, the position of the CISO has been unfilled 
since June 2006. Although 39 percent of the items in the department's 
remedial action plan are tasks to develop, document, revise, or update 
a policy or program, 87 percent of these items have no corresponding 
task with an established time frame for implementation across the 
department. VA also did not have clear guidance for identifying devices 
that require encryption functionality, and it lacked adequate 
procedures for incident response and notification. Finally, VA's Office 
of IT Oversight and Compliance lacks a standard methodology and 
established criteria to ensure that its examination of internal 
controls is consistent across VA facilities. Until the department 
addresses recommendations to resolve identified weaknesses and 
implements the major initiatives it has undertaken, it will have 
limited assurance that it can protect its systems and information from 
the unauthorized disclosure, misuse, or loss of personal information of 
veterans and other personnel. 

What GAO Recommends: 

GAO is making 17 recommendations to the Secretary of Veterans Affairs 
aimed at improving the effectiveness of VA's efforts to strengthen 
information security practices by developing and documenting processes, 
policies, and procedures, and completing the implementation of key 
initiatives. In commenting on a draft of this report, VA stated that it 
generally agreed with the recommendations and has implemented or is 
working to implement them. 

[hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-07-1019]. 

To view the full product, including the scope and methodology, click on 
the link above. For more information, contact Gregory Wilshusen at 
(202) 512-6244 or wilshuseng@gao.gov. 

[End of section] 

Contents: 

Letter: 

Results in Brief: 

Background: 

VA Has Not Fully Implemented GAO and IG Recommendations: 

VA Is Undertaking Several Major Initiatives to Strengthen Information 
Security, but Implementation Has Shortcomings: 

Conclusions: 

Recommendations for Executive Action: 

Agency Comments and Our Evaluation: 

Appendix I: Objectives, Scope, and Methodology: 

Appendix II: Status of Prior VA IG Recommendations: 

Appendix III: Information on Selected Security Incidents at VA from 
December 2003 to January 2007: 

Appendix IV: Comments from the Department of Veterans Affairs: 

Appendix V: GAO Contact and Staff Acknowledgments: 

Tables: 

Table 1: Number of Incidents by Type Reported to NSOC from January 2003 
to November 2006: 

Table 2: Time Elapsed Between Major Incidents at VA and Notification of 
US-CERT, Secretary, Congress, and Individuals (May 2006 to January 
2007): 

Table 3: Number of Laptops Tested at Select VA Facilities: 

Table 4: Status of 17 VA IG Recommendations Related to FISMA Findings: 

Figure: 

Figure 1: Office of Information and Technology Organization Chart: 

Abbreviations: 

CIO: chief information officer: 

CISO: chief information security officer: 

FISMA: Federal Information Security Management Act: 

IG: Inspector General: 

IT: information technology: 

ITOC: VA's Office of Information Technology Oversight and Compliance: 

NSOC: Network and Security Operations Center: 

OMB: Office of Management and Budget: 

US-CERT: United States Computer Emergency Readiness Team: 

VA: Department of Veterans Affairs: 

VBA: Veterans Benefits Administration: 

VHA: Veterans Health Administration: 

United States Government Accountability Office: 

Washington, DC 20548: 

September 7, 2007: 

Congressional Requesters: 

The mission of the Department of Veterans Affairs (VA) is to promote 
the health, welfare, and dignity of all veterans, in recognition of 
their service to the nation, by ensuring that they receive medical 
care, benefits, social support, and lasting memorials. In providing 
health care and other benefits to veterans and their dependents, the 
department relies on a vast array of computer systems and 
telecommunications networks to support its operations and store 
sensitive information, including personal information on veterans. 

Given the importance of information technology for supporting VA's 
mission--the department expended $1.2 billion in fiscal year 2006 on 
information technology (IT)--successfully securing these systems with 
effective information security controls is critical to the department's 
ability to safeguard its assets and sensitive information.[Footnote 1] 
To assist the department in improving its information security program, 
we and the VA Office of Inspector General (IG) have previously 
recommended that VA take steps to improve its security management 
program, including actions to improve controls to appropriately 
restrict access to data, secure systems and networks, and respond to 
security incidents.[Footnote 2] 

In May 2006, VA initially announced that computer equipment containing 
personally identifiable information on approximately 26.5 million 
veterans and active duty members of the military was stolen from the 
home of a VA employee.[Footnote 3] Until the equipment was recovered, 
veterans did not know whether their information was likely to be 
misused. The security incident highlighted the vulnerability of 
sensitive information on VA's systems to inadvertent or deliberate 
misuse, loss, or improper disclosure. 

This report responds to your request for a review of the department's 
actions to improve information security. Specifically, our objectives 
were to evaluate (1) whether VA has effectively addressed GAO and VA IG 
recommendations and (2) actions VA has taken since the May 2006 
security incident to strengthen its information security practices and 
secure personal information. 

In addressing our objectives, we examined and analyzed agency policies, 
procedures, plans, and artifacts; interviewed key agency and IG 
personnel; and assessed the effectiveness of implemented actions. We 
also performed audit procedures to determine the extent to which VA has 
installed encryption functionality on laptop computers at eight 
locations. We performed our work at VA headquarters in Washington, 
D.C., and at select VA facilities, from November 2006 through August 
2007, in accordance with generally accepted government auditing 
standards. For more details on our objectives, scope, and methodology, 
see appendix I. 

Results in Brief: 

Although VA has made progress, it has not yet fully implemented most of 
the key GAO and IG recommendations to strengthen its information 
security practices. VA has implemented two GAO recommendations: to 
develop a process for managing its action plan to correct identified 
weaknesses and to regularly report to the Secretary on progress in 
updating its security plan. However, it has not fully implemented two 
other GAO recommendations: to complete a comprehensive security 
management program and to ensure consistent use of information security 
performance standards when appraising the department's senior 
executives. In addition, the department has not yet fully implemented 
20 of 22 information security-related recommendations made by the IG in 
2006. For example, VA has not completed critical management activities 
to appropriately restrict access to data, networks, and department 
facilities; ensure that only authorized changes and updates to computer 
programs are made; and strengthen critical infrastructure planning to 
ensure information security requirements are addressed. Because these 
recommendations have not yet been implemented, unnecessary risk exists 
that personal information of veterans and other individuals, such as 
medical providers, will be exposed to data tampering, fraud, and 
inappropriate disclosure. 

Since the May 2006 security incident, VA has begun or continued several 
major initiatives to strengthen information security practices and 
secure personal information within the department, but more remains to 
be done. These initiatives include continuing the department's efforts, 
begun in October 2005, to reorganize its management structure to 
provide better oversight and fiscal discipline over its IT systems; 
developing a remedial action plan; establishing an information 
protection program; improving its incident management capability; and 
establishing an office responsible for oversight and compliance of IT 
within the department. However, although these initiatives have led to 
progress, their implementation has shortcomings. For example, 

* responsibility for managing and implementing the VA security program 
(an essential element for ensuring compliance with the Federal 
Information Security Management Act) is split between separate offices, 
and no documented process exists for the responsible officials to 
coordinate with each other; 

* the position of the chief information security officer has been 
unfilled since June 2006; 

* although numerous action items in the department's remedial action 
plan are tasks to develop, document, revise, or update a policy or 
program, 87 percent of these have no corresponding task with an 
established time frame for implementation across the department; 

* VA does not have clear guidance for identifying devices that require 
encryption functionality; 

* procedures for incident response and notification do not include 
mechanisms for consultation with outside agencies on mitigation 
options; and: 

* the departmental Office of IT Oversight and Compliance lacks a 
standard methodology and established criteria to ensure that its 
examination of internal controls is consistent across VA facilities. 

As a result of such weaknesses, the effectiveness of VA initiatives to 
strengthen information security practices at the department may be 
limited. 

We are making 17 recommendations to the Secretary of Veterans Affairs 
aimed at helping the department improve the effectiveness of its 
efforts to strengthen information security practices, including 
developing and documenting processes, policies, and procedures; filling 
a key position; and completing the implementation of key initiatives. 

In providing written comments on a draft of this report (which are 
reprinted in appendix IV), the Deputy Secretary of Veterans Affairs 
generally agreed with our findings and recommendations. The Deputy 
Secretary stated that VA has already implemented or is working to 
implement all 17 recommendations. 

Background: 

With over 235,000 employees, including physicians, nurses, counselors, 
statisticians, computer specialists, architects, and attorneys, VA is 
the second largest federal department. It carries out its mission 
through three agency organizations--Veterans Health Administration 
(VHA), Veterans Benefits Administration (VBA), and National Cemetery 
Administration--and field facilities throughout the United States. The 
department provides services and benefits through a nationwide network 
of 156 hospitals, 877 outpatient clinics, 136 nursing homes, 43 
residential rehabilitation treatment programs, 207 readjustment 
counseling centers, 57 veterans' benefits regional offices, and 122 
national cemeteries. In carrying out its mission, the department 
depends on IT and telecommunications systems, which process and store 
sensitive information, including personal information on veterans. 

Information security is a critical consideration for any organization 
that depends on information systems and networks to carry out its 
mission or business. It is especially important for government 
agencies, where maintaining the public's trust is essential. The 
dramatic expansion in computer interconnectivity and the expanding use 
of mobile devices and storage media are changing the way our 
government, the nation, and much of the world share information and 
conduct business. Without proper safeguards, enormous risk exists that 
systems, mobile devices, and information are exposed to potential data 
tampering, disruptions in critical operations, fraud, and the 
inappropriate disclosure of sensitive information. 

Recognizing the importance of securing federal systems and data, 
Congress passed the Federal Information Security Management Act (FISMA) 
in December 2002,[Footnote 4] which permanently authorized and 
strengthened the information security program, evaluation, and 
reporting requirements established by earlier legislation (commonly 
known as GISRA, the Government Information Security Reform 
Act).[Footnote 5] FISMA sets forth a comprehensive framework for 
ensuring the effectiveness of information security controls over 
information resources that support federal operations and assets. The 
act requires each agency to develop, document, and implement an 
agencywide information security program for the data and systems that 
support the operations and assets of the agency, using a risk-based 
approach to information security management. According to FISMA, the 
head of each agency has responsibility for delegating to the agency 
chief information officer (CIO) the authority to ensure compliance with 
the security requirements in the act. To carry out the CIO's 
responsibilities in the area, a senior agency official is to be 
designated chief information security officer (CISO). 

Prior GAO and IG Work Related to VA Information Security: 

In June 2002, we reported that VA had not completed actions to 
strengthen its security management program, ensure compliance with 
security policies and procedures, and ensure accountability for 
information security throughout the department.[Footnote 6] We made 
four recommendations to VA: (1) complete a comprehensive security 
management program that included actions related to central security 
management functions, risk assessments, security policies and 
procedures, security awareness, and monitoring and evaluating computer 
controls; (2) develop a process for managing the department's updated 
security plan to remediate identified weaknesses; (3) regularly report 
to the Secretary, or his designee, on progress in implementing VA's 
security plan; and (4) ensure consistent use of information security 
performance standards when appraising the department's senior 
executives. 

Since our report in 2002, VA's IG has made additional recommendations 
addressing serious weaknesses within the department's information 
security controls. In March 2005, the VA IG reported that the 
department had not appropriately restricted access to data, ensured 
that only authorized changes were made to computer programs, ensured 
that backup and recovery plans were adequate to ensure the continuity 
of essential operations, and moved the VA Central Office data center to 
a more appropriate location.[Footnote 7] The IG made a number of 
recommendations to the department to secure patient information and 
data over VA networks, improve application and operating system change 
controls, test continuity of operations plans at national data centers, 
and complete the move of the VA Central Office data center. In its 
annual FISMA report for fiscal year 2005, issued in September 2006, the 
IG carried forward all the recommendations from its prior years' FISMA 
audits. It made recommendations in 17 areas to address all 
FISMA-related findings for the fiscal year.[Footnote 8] 

Significant Security Incidents Reported: 

On May 3, 2006, the home of a VA employee was burglarized, resulting in 
the theft of a personally owned laptop computer and external hard drive 
that contained personal information on approximately 26.5 million 
veterans and U.S. military personnel. The external hard drive was not 
encrypted or password protected.[Footnote 9] The Secretary of VA was 
notified of the theft on May 16, 2006, and Congress and veterans were 
notified on May 22, 2006. Notification letters were sent to all 
veterans, and VA announced that free credit monitoring services would 
be offered. 

A number of congressional hearings were held and bills introduced 
related to the protection of veterans' privacy and identity. During 
this time period, many veteran service organizations expressed concerns 
to Congress as to whether VA was capable of safeguarding the personal 
information of veterans. These organizations also expressed doubt over 
whether the department's attempts to correct the weaknesses would be 
effective. 

The stolen computer equipment was recovered on June 28, 2006, and 
forensic testing by the Federal Bureau of Investigation determined that 
the sensitive data files had not been accessed or compromised. After 
the equipment was recovered, the Office of Management and Budget (OMB) 
withdrew its request to Congress for funding for the free credit 
monitoring services because it had concluded that credit monitoring 
services were no longer necessary due to the results of the FBI's 
analysis. Veterans' organizations indicated that the department should 
continue to offer credit monitoring services in order to allay 
veterans' worries regarding the potential of identity theft. As a 
result of the theft, the VA IG issued a report in July 2006 on the 
investigation of the incident and made five recommendations to improve 
VA's policies and procedures for securing sensitive information and 
conducting security awareness training.[Footnote 10] 

Recognizing the concerns of veterans, in December 2006, Congress passed 
the Veterans Benefits, Health Care, and Information Technology Act of 
2006.[Footnote 11] Under the act, the VA's CIO is responsible for 
establishing, maintaining, and monitoring departmentwide information 
security policies, procedures, control techniques, training, and 
inspection requirements as elements of the departmental information 
security program. The act also includes provisions to further protect 
veterans and service members from the misuse of their sensitive 
personal information. In the event of a security incident involving 
personal information, VA is required to conduct a risk analysis, and on 
the basis of the potential for compromise of personal information, the 
department may provide security incident notifications, fraud alerts, 
credit monitoring services, and identity theft insurance. Congress is 
to be informed regarding security incidents involving the loss of 
personal information. 

On January 22, 2007, a security incident at a research facility in 
Birmingham, Alabama, highlighted other potential risks associated with 
the loss of information. The incident involved the loss of information 
on 1.3 million medical providers from the Centers for Medicare & 
Medicaid Services of the Department of Health and Human Services, as 
well as information on 535,000 individuals.[Footnote 12] In its report 
on the Birmingham incident, the VA IG noted that the information 
compromised in the incident could potentially be used to compromise the 
identity of physicians and other health care providers and commit 
Medicare billing fraud.[Footnote 13] VA took action to respond to the 
loss of provider information by requesting the Department of Health and 
Human Services to conduct an independent risk analysis on the provider 
data loss. The risk analysis concluded that there was a high risk that 
the loss of personal information could result in harm to the 
individuals concerned, and the Centers for Medicare & Medicaid Services 
sent a letter to VA on March 28, 2007, requesting that credit 
monitoring services be offered to providers. The department mailed 
notification letters to providers starting on April 17, 2007, and 
offered credit monitoring services. In addition, the Centers for 
Medicare & Medicaid Services indicated that VA might need to take 
additional measures to mitigate any risk of further harm, but it did 
not specify what such action might be or specifically mention Medicare 
fraud. 

VA Has Not Fully Implemented GAO and IG Recommendations: 

Although VA has made progress, it has not yet fully or effectively 
implemented two of four GAO recommendations and has not fully 
implemented 20 of 22 IG recommendations to strengthen its information 
security practices. Because these recommendations have not yet been 
implemented, unnecessary risk exists that personal information of 
veterans and others would be exposed to data tampering, fraud, and 
inappropriate disclosure. 

VA Has Not Implemented Two of Four GAO Recommendations: 

VA has implemented two of our four recommendations. In response to our 
recommendation that it regularly report to the Secretary on progress in 
updating its security plan, the department CIO took immediate steps 
in 2002 to begin briefing the Secretary and Deputy Secretary on a 
regular basis. Regarding our recommendation that it develop a process 
for managing its remedial action plan, VA issued, in May 2006, its IT 
Directive 06-1, which established the Data Security-Assessment and 
Strengthening of Controls Program to remedy weaknesses in managing its 
action plan. It also hired a contractor to develop Web-based tools to 
assist department officials in managing and updating the plan on a 
biweekly basis. 

However, it has not fully implemented our remaining two 
recommendations. First, although it has taken action, VA has not yet 
fully implemented our recommendation to complete a comprehensive 
security management program, including actions related to central 
management functions, security policies and procedures, risk 
assessments, security awareness, and monitoring and evaluating computer 
controls. In August 2006, VA issued Directive 6500, which documented a 
framework for the department's security management program and set 
forth roles and responsibilities for the Secretary, CIO, and CISO to 
ensure compliance with FISMA requirements. VA also developed, 
documented, and implemented security policies and procedures for 
certain central management functions and security awareness training. 
In addition, it implemented a process for tracking the status of 
security weaknesses and analyzing the results of computer security 
reviews using software tools the department had developed. 

As part of implementing the department's security directive (Directive 
6500), VA planned to issue Handbook 6500 to provide guidance for 
developing, documenting, and implementing the elements of the 
information security program. However, it has not finalized and 
approved this handbook, which has been in draft form since March 2005. 
The handbook contains the VA National Rules of Behavior,[Footnote 14] 
as well as key guidance for minimum mandatory security controls, 
performing risk assessments, updating security plans, and planning for 
continuity of operations. This guidance is to be used as VA undertakes 
these activities as part of its preparation for completing the 
recertification and re-accreditation of its systems by August 2008 and 
to comply with provisions of the Veterans Benefits, Health Care, and 
Information Technology Act of 2006. VA officials indicated the handbook 
was close to completion, but they did not provide an estimated time 
frame for completion. Until the handbook is finalized and approved, VA 
cannot be assured that department staff are consistently coordinating 
security functions that are critical to safeguarding its assets and 
sensitive information against potential data tampering, disruptions in 
critical operations, fraud, and the inappropriate disclosure of 
sensitive information. 

Second, VA has not fully implemented our recommendation to ensure 
consistent use of information security performance standards in 
appraising the department's senior executives. In September 2006, VA 
issued a memorandum that required all senior executive performance 
plans, which include performance elements and expectations, to include 
information security as an evaluation element by November 30, 2006. 
According to VA, senior executive performance plans were reviewed by 
human resource officials, and the plans complied with the memorandum. 
However, VA was unable to provide documentation on the performance plan 
reviews or a documented process for regular review of the 
plans.[Footnote 15] As a result, it is unknown whether the department 
can appropriately hold management accountable for information security. 
Until VA develops, documents, and implements a process for reviewing 
the senior executive performance plans on a regular basis to ensure 
that information security is included as an evaluation element, it may 
not have the appropriate management accountability for information 
security. 

VA Has Not Fully Implemented IG Recommendations: 

Although VA has implemented 2 recommendations made by the IG, it has 
not yet fully implemented 20 other IG recommendations. For example, in 
response to the IG's recommendation that the department complete 
actions to relocate and consolidate the Central Office's data center, 
it moved servers and network hardware to other VA locations. Regarding 
the recommendation to research the benefits and costs of deploying 
intrusion prevention systems at all sites, the department began 
installing intrusion prevention systems at all sites. However, the 
department has not completed critical management activities to 
implement 15 of the 17 recommendations made by the IG in September 
2006, which were carried forward from its March 2005 report, to 
appropriately restrict access to data, networks, and VA facilities; 
ensure that only authorized changes and updates to computer programs 
are made; strengthen critical infrastructure planning to ensure 
information security requirements are addressed; and ensure that 
background investigations are conducted on all applicable employees and 
contractors. To begin addressing these recommendations, VA has drafted 
policies and procedures, implemented certain technical solutions, and 
relocated data center servers to new locations at VA facilities. 
However, according to the department's action plan to remediate 
weaknesses, the actions needed to resolve all of the IG recommendations 
will not be completed until 2009. A detailed description of the actions 
VA has 
taken or plans to take to address the IG's 17 recommendations can be 
found in appendix II. 

VA has also made some progress in addressing the five recommendations 
from the IG's July 2006 report on the investigation of the May laptop 
theft incident. However, it has not fully implemented corrective 
actions. To begin addressing these recommendations, VA has drafted 
policies and procedures and updated its Cyber Security Awareness 
training course. However, VA is still in the process of finalizing 
standard contracting language to ensure that contractor personnel are 
held to the same standards as department personnel; it is also still 
standardizing all IT position descriptions and ensuring that they are 
evaluated, have proper sensitivity level descriptions, and are 
consistent throughout the department. Until these actions are complete, 
VA has limited assurance that it has the proper safeguards in place to 
adequately protect its sensitive information from inadvertent or 
deliberate misuse, loss, or improper disclosure. 

By Not Fully Implementing GAO and IG Recommendations, VA Leaves 
Personal Information Vulnerable: 

The need to fully implement GAO and IG recommendations to strengthen 
information security practices is underscored by the prevalence of 
security incidents involving the unauthorized disclosure, misuse, or 
loss of personal information of veterans and other individuals, such as 
medical providers. Between December 2003 and April 2006, VA had at 
least 700 reported security incidents involving the loss of personal 
information. For example, one incident in 2003 involved the theft of a 
laptop containing personal information on 100 veterans from the home of 
a VA employee. In 2004, personal computers that contained data on 2,000 
patients were stolen from a locked office in a research facility. In 
2005, information on 897 providers was inappropriately disclosed over 
VA's e-mail system. In addition, in 2006, employee medical records were 
inappropriately accessed by a VA staff member, and a hacker compromised 
a computer system at a medical center supporting 79,000 veterans. All 
these incidents were partially attributable to weaknesses in internal 
controls. 

More recently, additional incidents have occurred that, like the 
earlier incidents, were partially due to weaknesses in the department's 
security controls. In these incidents, which include the May 2006 theft 
of computer equipment from an employee's home (discussed earlier) and 
the theft of equipment from department facilities, millions of people 
had their personal information compromised. Appendix III provides 
details on a selection of incidents that occurred between December 2003 
and January 2007. 

Although VA has made some progress in implementing GAO and IG 
recommendations to resolve these weaknesses in security controls, it 
does not plan to complete all actions to resolve these recommendations 
until 2009. As a result, VA will be at increased risk that 
systems, mobile devices, and information may be exposed to potential 
data tampering, disruptions in critical operations, fraud, and the 
inappropriate disclosure of sensitive information. 

VA Is Undertaking Several Major Initiatives to Strengthen Information 
Security, but Implementation Has Shortcomings: 

VA has begun or continued several major initiatives since the May 2006 
security incident to strengthen information security practices and 
secure personal information within the department, but more remains to 
be done. Since October 2005, VA has been reorganizing its management 
structure to provide better oversight and fiscal discipline over its IT 
systems, and it has undertaken a series of new initiatives. However, 
shortcomings with the implementation of these initiatives limit their 
effectiveness. For example, although VA has developed a remedial action 
plan that includes tasks to develop, document, revise, or update a 
policy or program, 87 percent of these do not have an established time 
frame for implementation across the department. Unless such 
shortcomings are addressed, these initiatives may not effectively 
strengthen information security practices at the department. 

Realignment of IT Management Structure: 

An effective IT management structure is the starting point for 
coordinating and communicating the continuous cycle of information 
security activities necessary to address current risks on an ongoing 
basis while providing guidance and oversight for the security of the 
entity as a whole. Under FISMA and the Veterans Benefits, Health Care, 
and Information Technology Act of 2006, the CIO ensures compliance with 
requirements of these laws and designates a senior agency information 
security officer or CISO to assist in carrying out his 
responsibilities. One mechanism organizations can adopt to achieve 
effective coordination and communication is to establish a central 
security management office or group to coordinate departmentwide 
security-related activities.[Footnote 16] To ensure that information 
security activities are effective across an organization, an IT 
management structure should also include clearly defined roles and 
responsibilities for all security staff and coordination of 
responsibilities among individual staff. 

The department officially began its effort to provide the CIO with 
greater authority over IT in October 2005 by realigning its management 
organization to a centralized management structure. By July 2006, a 
department contractor began work to assist with the realignment effort. 
According to VA, its goals in moving to a centralized management 
structure were to provide the department better oversight over the 
standardization, compatibility, and interoperability of IT systems, as 
well as better overall fiscal discipline. The Secretary approved the 
department's new IT organization structure in February 2007. The new 
structure includes an Assistant Secretary for Information and 
Technology (who serves as VA's CIO), the CIO's Principal Deputy 
Assistant Secretary, and five Deputy Assistant Secretaries. Five new 
senior leadership positions within the Office of Information and 
Technology were created to assist the CIO in overseeing five core IT 
process areas: cyber security, portfolio management, resource 
management, systems development, and operations. Completion of the 
realignment is scheduled for July 2008.[Footnote 17] 

Under the new IT management structure, responsibility for information 
security functions within the department is divided between two core 
process areas: 

* First, the Director of the Cyber Security Office (part of the 
Information Protection and Risk Management process area) has 
responsibility for developing and maintaining a departmentwide security 
program; overseeing and coordinating security efforts across the 
organization; and managing the development and implementation of 
department security policy, standards, guidelines, and procedures to 
ensure ongoing maintenance of security. The Director of Cyber Security 
is also the designated CISO for the department. 

* Second, the Director of the Field Operations and Security Office 
(part of the Enterprise Operations and Infrastructure process area) is 
responsible for implementing security and privacy policies, validating 
compliance with certification and accreditation requirements, and 
managing facility information security officers. 

In brief, the CISO/Director of Cyber Security is responsible for 
managing the departmentwide security program, but the Director of 
Field Operations and Security is responsible for implementing it. 
Figure 1 shows these two offices within the new management structure. 

Figure 1: Office of Information and Technology Organization Chart: 

[See PDF for image] 

Source: VA. 

Note: DAS = Deputy Assistant Secretary. 

[End of figure] 

Although VA has made significant progress in the realignment of its IT 
management structure, no documented process yet exists for the two 
responsible offices to coordinate with each other in managing and 
implementing a departmentwide security program. VA officials indicated 
that the Director of Cyber Security and the Director of Field 
Operations and Security are communicating about the implementation of 
security policies and procedures within the department. However, this 
communication is not defined as a role or responsibility for either 
position in the new management organization book, nor is there a 
documented process in place to coordinate the management and 
implementation of the security program, both of which are key security 
management practices. As a result, policies or procedures could be 
inconsistently implemented throughout the department. Without a 
consistently implemented departmentwide security program, the CISO 
cannot effectively ensure departmentwide compliance with FISMA. Until 
the process and responsibilities for coordinating the management and 
implementation of IT security policies and procedures throughout the 
department are clearly documented, VA will have limited assurance that 
the management and implementation of security policies and procedures 
are effectively coordinated and communicated. 

In addition, the CISO position is currently unfilled, hindering VA's 
ability to strengthen information security practices and coordinate 
security-related activities within the department. The CISO position 
has been vacant since June 2006, and currently, the CIO is the acting 
CISO of the department. The department has been attempting to fill the 
position of the CISO since October 2006. In addition, the department 
began trying to hire staff for other senior positions in March 2007. VA 
officials have indicated that the process and procedures they are 
required to undertake to hire staff for the positions are quite 
extensive and take time to complete. Nevertheless, until the position 
of the CISO is filled, the department's ability to strengthen 
information security will continue to be hindered. 

Furthermore, the department's directive on its information security 
program has not been updated to reflect the new IT realignment 
structure for the position of the CISO. Under Directive 6500, the 
Associate Deputy Assistant Secretary for Cyber and Information Security 
is the senior information security officer or CISO. However, under the 
new realignment structure, there is no Associate Deputy Assistant 
Secretary for Cyber and Information Security, and instead the Director 
of Cyber Security is the CISO. VA officials have said that they intend 
to revise the directive to reflect the new management structure, but 
they did not provide an estimated time frame for completion. If roles 
and responsibilities are not updated or consistent in VA's policies and 
directives, then communication and coordination of responsibilities 
among the department's security staff may not be sufficient. 

Development of Action Plan to Remediate Identified Weaknesses: 

Action plans to remediate identified weaknesses help departments to 
identify, assess, prioritize, and monitor progress in correcting 
security weaknesses that are found in information systems. According to 
OMB's revised Circular A-123, Management's Responsibility for Internal 
Control, departments should take timely and effective action to correct 
deficiencies that they have identified through a variety of information 
sources. To accomplish this, remedial action plans should be developed 
for each deficiency, and progress should be tracked for each. 

Following the May 2006 security incident, VA officials began working on 
an action plan to strengthen information security controls at the 
department. Referred to as the Data Security-Assessment and 
Strengthening of Controls Program, the plan was developed over a period 
of several months, and work has been completed on some tasks. By the 
end of January 2007, 20 percent of the items in the action plan had 
been completed, and task owners had been assigned for all items in the 
plan. As of June 1, 2007, the plan had at least 400 items to improve 
security and address weaknesses that the IG has identified at the 
department. 

On a biweekly basis, the action plan is updated with status updates 
provided by the task owners (including the percentage of work completed 
to resolve the item), and a new version of the plan is created. The CIO 
receives a briefing on each new version of the action plan. Once the 
new version is approved by the CIO, the plan is made available to task 
owners and other officials at the department. The CIO has also briefed 
other senior department officials on the plan and action items. 

Although VA's action plan has task owners assigned and is updated 
biweekly, department officials have not ensured that adequate progress 
has been made to resolve items in the plan. First, in more than a third 
of cases, VA has not completed action items by their expected 
completion date. Specifically, VA has extended the completion date at 
least once for 38 percent of the plan items, and it has extended the 
completion date multiple times for 6 percent of the items in the plan. 
The average extension was about 5 months. In addition, 28 percent of 
action items that remained open as of June 1, 2007, had already 
exceeded the scheduled completion date, and over half of the work 
remained to be completed for a majority of those items. These 
extensions and missed deadlines can be attributed in part to VA's not 
developing, documenting, and implementing procedures to ensure that 
action items were addressed in an effective and timely manner. If 
weaknesses are not successfully corrected in a timely manner, VA will 
continue to lack effective security controls to safeguard its assets 
and sensitive information. 

Second, a large portion of VA's approach to correcting identified 
weaknesses has been focused on establishing policies and procedures: 39 
percent of the items in the action plan are to develop and document or 
revise and update a policy, a program, or criteria. However, VA has not 
established action items for implementing these new or changed policies 
and procedures across the department. For 87 percent of action items 
related to policies and procedures, the action plan included no 
corresponding task with an established time frame for departmentwide 
implementation. Developing and documenting policies and procedures are 
just the first two steps in remediating identified weaknesses. If there 
are no implementation tasks with time frames, VA cannot monitor and 
ensure successful implementation. Until VA establishes tasks with time 
frames to implement policies and procedures in the plan, it will not be 
able to successfully manage its planned actions to correct identified 
weaknesses. 

Third, VA does not have a process in place to validate the closure of 
action plan items, that is, to ensure both that task owners have 
completed the activities required to sufficiently address action items 
and also that there is adequate documentation of these activities. 
During our review, we noted the closure of approximately 80 action 
items that included activities such as developing a policy or 
procedure, creating a schedule, deploying security tools, or updating 
software. However, according to the department official responsible for 
managing the plan, upon review of these completed items, VA found a 
number of them lacked support for closing the item (such as 
documentation). This official indicated that VA was developing a 
process to provide validation of closed action plan items, but no 
supporting documentation on the development of this validation process 
had been provided. Until VA develops, documents, and implements a 
process to validate the closure of action plan items, it will not be 
assured that closed action items have been sufficiently addressed. 

Fourth, VA's action plan does not identify the activities it is taking 
to address our recommendations. In November 2006, the VA official in 
charge of managing the plan indicated that although the department had 
not previously identified activities being taken to address our 
recommendations, it would begin to do so. However, as of June 2007, 
these activities had not been identified and tracked in the action 
plan. As a result, VA may not be able to adequately monitor its 
progress in implementing our recommendations to resolve identified 
weaknesses. Until VA identifies the activities it is taking in its 
action plan to address our recommendations, it will have limited 
assurance that progress in implementing those activities is being 
adequately monitored. 
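As an added illustration of the plan-management checks described above (schedule extensions, overdue open items, policy items with no timed implementation task, and closures without supporting evidence), the following Python example, which is not VA code, audits a constructed action plan; the record shape, item ids, dates and percentages are assumptions, not data from the report.

```python
"""Audit a remediation action plan for the tracking gaps described above.

Example code added to illustrate the findings; it is not a VA tool. The record
shape (owner, category, due-date history, evidence, implements) and the sample
plan are constructed assumptions, not data from the report.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional


@dataclass
class ActionItem:
    item_id: str
    owner: Optional[str]
    category: str                     # "policy" = develop/document/revise a policy, program or criteria
    due_dates: list = field(default_factory=list)  # every due date ever set, oldest first
    pct_complete: int = 0
    closed: bool = False
    evidence: Optional[str] = None    # reference to documentation supporting closure
    implements: Optional[str] = None  # for rollout tasks: id of the policy item being implemented


def _pct(part, whole):
    """Percentage rounded to one decimal; 0.0 when the denominator is empty."""
    return round(100.0 * len(part) / len(whole), 1) if whole else 0.0


def _ids(items):
    return [i.item_id for i in items]


def audit_action_plan(items, as_of):
    """Return plan-management metrics of the kind GAO reported, with the ids behind each."""
    # 1. Schedule slippage: extensions, and open items past their latest due date.
    extended = [i for i in items if len(i.due_dates) > 1]
    multi_extended = [i for i in items if len(i.due_dates) > 2]
    slip_days = [(i.due_dates[-1] - i.due_dates[0]).days for i in extended]
    open_items = [i for i in items if not i.closed]
    overdue = [i for i in open_items if i.due_dates[-1] < as_of]
    overdue_half_left = [i for i in overdue if i.pct_complete < 50]

    # 2. Policy items with no implementation task that carries a time frame.
    policy = [i for i in items if i.category == "policy"]
    timed_rollouts = {i.implements for i in items if i.implements and i.due_dates}
    unimplemented_policy = [i for i in policy if i.item_id not in timed_rollouts]

    # 3. Closure validation: closed items with no supporting documentation,
    #    plus the basic ownership check every plan item should pass.
    closed_no_evidence = [i for i in items if i.closed and not i.evidence]
    no_owner = [i for i in items if not i.owner]

    return {
        "pct_extended": _pct(extended, items),
        "pct_extended_multiple": _pct(multi_extended, items),
        "avg_extension_days": sum(slip_days) / len(slip_days) if slip_days else 0.0,
        "pct_open_overdue": _pct(overdue, open_items),
        "overdue_with_most_work_left": _ids(overdue_half_left),
        "pct_policy_without_timed_implementation": _pct(unimplemented_policy, policy),
        "policy_without_timed_implementation": _ids(unimplemented_policy),
        "closed_without_evidence": _ids(closed_no_evidence),
        "no_owner": _ids(no_owner),
    }


# Constructed sample plan; ids, owners, dates and percentages are illustrative only.
SAMPLE_PLAN = [
    ActionItem("P-01", "CISO", "policy", [date(2006, 12, 1), date(2007, 5, 1)], 60),
    ActionItem("P-02", "CISO", "policy", [date(2007, 1, 15)], 100, True, "memo-2007-01"),
    ActionItem("P-03", "Ops", "policy",
               [date(2006, 11, 1), date(2007, 2, 1), date(2007, 7, 1)], 30),
    ActionItem("I-01", "Field Ops", "implementation", [date(2007, 9, 30)], 10,
               implements="P-01"),
    ActionItem("T-01", "NSOC", "technical", [date(2007, 3, 1)], 40),
    ActionItem("T-02", "NSOC", "technical", [date(2007, 4, 15)], 80),
    ActionItem("T-03", "NSOC", "technical", [date(2006, 10, 1)], 100, True),
    ActionItem("T-04", None, "technical", [date(2007, 8, 1)], 0),
]

if __name__ == "__main__":
    for key, value in audit_action_plan(SAMPLE_PLAN, date(2007, 6, 1)).items():
        print(f"{key}: {value}")
```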

Establishment of Information Protection Program: 

VA has developed its Information Protection Program, which is a phased 
approach to ensuring that the department has the appropriate software 
tools to assist in ensuring the confidentiality, availability, and 
integrity of information. During the first phase, VA installed 
encryption software on laptops across the department, a task completed 
in September 2006. In the second phase, the department is undertaking 
several other information protection initiatives, including improving 
the security of network transmissions and the protection of removable 
storage devices, such as the encryption of thumb drives. These 
initiatives are all currently being developed and documented. 

Encryption of VA Laptops: 

One mechanism to enforce the confidentiality and integrity of critical 
and sensitive information is the use of encryption. Encryption 
transforms plain text into cipher text using a special value known as a 
key and a mathematical process known as an algorithm. According to VA 
Directive 6504, issued in June 2006, approved encryption software must 
be installed if an employee uses VA government-furnished equipment or 
other non-VA equipment in a mobile environment, such as a laptop or PDA 
carried out of a department office or a personal computer in an 
alternative worksite, and the equipment stores personal information. 
The encryption software used must meet Federal Information Processing 
Standard 140.[Footnote 18] 

According to department officials, by September 2006, the department 
had successfully encrypted over 18,000 laptops. The laptops were 
encrypted through a combination of two software encryption products, 
both of which have been certified as complying with the provisions of 
Federal Information Processing Standard 140. Simultaneously, VA 
developed and implemented routine laptop "health checks." These checks 
ensure that all laptops have applied updated security policies, such as 
antivirus software, and will also remove any sensitive information that 
is not authorized to be stored on the laptop. 

Based on the results of our testing, VA consistently implemented 
encryption software at eight VA facilities, with minor 
exceptions.[Footnote 19] At six of the eight facilities, all laptops 
were encrypted in accordance with the directive. At the other two 
facilities, both medical centers, the directive was not implemented in 
a small number of cases. At one medical center, of the 58 laptops 
tested, 3 should have been encrypted according to VA's policy but were 
not. At another medical center, of the 41 laptops tested, 1 laptop was 
not encrypted that should have been. In some of these cases, VHA 
medical center officials noted that the reference in the directive to 
operation in a mobile environment led to ambiguity about which laptops 
were required to be encrypted.[Footnote 20] 

Although our testing showed sound consistency in this encryption 
effort, this and another source of ambiguity in the directive could 
affect the department's success in implementing other planned 
encryption initiatives. Specifically, Directive 6504 did not provide 
explicit guidance on whether to encrypt laptops that were categorized 
as medical devices, which make up a significant portion of the 
population of laptops at VHA facilities.[Footnote 21] At facilities for 
patient care, laptops could be categorized both as equipment that 
operated in a mobile environment (and thus subject to VA's encryption 
directive) and as medical devices (and thus subject to compliance with 
other federal guidance that may interfere with following the encryption 
directive).[Footnote 22] At the two medical centers we visited, which 
each have over 300 laptops, most laptops were considered medical 
devices. When VHA officials contacted the help desk for the encryption 
initiative, they were told that these laptops did not need encryption 
software installed. However, Directive 6504 had not made this clear, 
increasing the challenge to VHA facilities in implementing the 
encryption initiative. Without guidance that takes into consideration 
the environment in which laptops are used in different VA facilities 
and that clearly identifies devices that require encryption 
functionality, VA may not have assurance that all facilities in the 
department will be able to consistently implement encryption 
initiatives for all appropriate devices. 

Finally, the department did not maintain an accurate inventory of all 
laptops that had been encrypted, nor did it have an inventory of all 
laptops within the department. Each VA facility was responsible for 
maintaining an inventory of laptops, including what laptops had been 
encrypted, but the laptop inventories at four of the eight facilities 
we visited were inaccurate. For example, eight laptops listed in the 
inventories were not laptops, but scanners, personal computers, or other 
devices. In some cases, the inventory listed a laptop as encrypted, but 
testing revealed that the machine was not encrypted. (The weaknesses 
identified with the inventories of laptops are similar to weaknesses 
identified in a report we recently issued, which noted significant IT 
inventory control weaknesses at VA.)[Footnote 23] Because it did not 
maintain an accurate inventory of all equipment that has encryption 
installed, VA may not have adequate assurance that all equipment 
required to be encrypted has been. 
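As an added illustration of the inventory and directive-ambiguity findings above, the following Python example, which is not VA code, reconciles a constructed facility laptop inventory against hands-on encryption checks; the record fields, device-class vocabulary and sample data are assumptions. The requirement rule encodes only the report's summary of Directive 6504 (mobile use plus stored personal information), and laptops categorized as medical devices are flagged as ambiguous rather than decided, since the report says the directive did not address them.

```python
"""Reconcile a facility laptop inventory against field encryption checks.

Example code added to illustrate the findings above; it is not a VA tool. Record
fields, the device-class vocabulary and the sample data are constructed
assumptions. The requirement rule follows the report's summary of Directive 6504;
medical devices are reported as 'ambiguous' because the directive did not
address them.
"""
from dataclasses import dataclass


@dataclass
class InventoryRecord:
    asset_tag: str
    device_class: str        # what the inventory claims the asset is: "laptop", "scanner", "pc", ...
    listed_encrypted: bool   # what the inventory claims about encryption


@dataclass
class FieldCheck:
    asset_tag: str
    mobile_use: bool         # carried out of the office or used at an alternative worksite
    stores_pii: bool         # holds personal information
    medical_device: bool     # categorized as a medical device at the facility
    encrypted: bool          # result of the hands-on check


def encryption_required(check):
    """'required', 'not_required' or 'ambiguous' under the directive as summarized above."""
    if check.medical_device:
        return "ambiguous"   # directive silent; do not silently decide either way
    return "required" if (check.mobile_use and check.stores_pii) else "not_required"


def reconcile(inventory, checks):
    """Compare inventory claims with observed state and return lists of asset tags per finding."""
    inv = {r.asset_tag: r for r in inventory}
    seen = {c.asset_tag: c for c in checks}
    findings = {
        "not_a_laptop": [t for t, r in inv.items() if r.device_class != "laptop"],
        "listed_encrypted_but_not": [],
        "required_but_unencrypted": [],
        "ambiguous_unencrypted": [],
        "tested_but_not_in_inventory": [t for t in seen if t not in inv],
        "in_inventory_not_tested": [t for t, r in inv.items()
                                    if r.device_class == "laptop" and t not in seen],
    }
    for tag, check in seen.items():
        rec = inv.get(tag)
        # Inventory says encrypted, hands-on check says otherwise: the inventory is wrong.
        if rec and rec.listed_encrypted and not check.encrypted:
            findings["listed_encrypted_but_not"].append(tag)
        status = encryption_required(check)
        if status == "required" and not check.encrypted:
            findings["required_but_unencrypted"].append(tag)
        elif status == "ambiguous" and not check.encrypted:
            findings["ambiguous_unencrypted"].append(tag)
    return findings


# Constructed sample data; asset tags and attributes are illustrative only.
SAMPLE_INVENTORY = [
    InventoryRecord("L001", "laptop", True),
    InventoryRecord("L002", "laptop", True),
    InventoryRecord("L003", "laptop", False),
    InventoryRecord("L004", "laptop", True),
    InventoryRecord("S001", "scanner", False),   # mis-classified as a laptop in the inventory
    InventoryRecord("PC01", "pc", True),         # likewise
    InventoryRecord("L005", "laptop", True),     # never reached during testing
]
SAMPLE_CHECKS = [
    FieldCheck("L001", True, True, False, True),
    FieldCheck("L002", True, True, False, False),   # required, not encrypted, inventory wrong
    FieldCheck("L003", False, True, False, False),  # stationary, so not required
    FieldCheck("L004", True, True, True, False),    # medical device: ambiguous
    FieldCheck("L006", True, False, False, False),  # found on site, absent from inventory
]

if __name__ == "__main__":
    for finding, tags in reconcile(SAMPLE_INVENTORY, SAMPLE_CHECKS).items():
        print(f"{finding}: {tags}")
```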

Development of Additional Information Protection Initiatives: 

As part of its phased approach to acquiring appropriate software tools, 
the department is undertaking several information protection 
initiatives. For instance, the department is working to secure network 
transmissions to prevent user identification, passwords, and data from 
being transmitted in clear text. To provide port security and device 
control, VA is establishing access permission lists, audit and 
reporting capabilities, and lists of approved devices. For the 
protection of removable storage media, VA developed and documented 
Directive 6601, which provides guidance for use of removable devices, 
and it is in the process of acquiring encryption software for thumb 
drives, external hard drives, and CD-ROM and DVD drives. VA is also 
acquiring encryption for mobile devices such as Blackberries. In 
addition, the department is establishing a public key infrastructure 
and Internet gateway for secure e-mail transmission and document 
exchange. These initiatives are in varying stages of development and 
have not yet been implemented. 

Improvement of Incident Management Capability: 

Even strong controls may not block all intrusions and misuse, but 
organizations can reduce the risks associated with such events if they 
take prompt steps to detect and respond to them before significant 
damage can be done. In addition, analyses of security incidents can 
pinpoint vulnerabilities that need to be eliminated, provide valuable 
input for risk assessments, help in prioritizing security improvement 
efforts, and be used to illustrate risks and related trends for senior 
management. FISMA requires that agencies develop procedures for 
detecting, reporting, and responding to security incidents. In 
addition, OMB Memo M-06-19 requires agencies to report all incidents 
involving personally identifiable information to the U.S. Computer 
Emergency Readiness Team (US-CERT) within 1 hour of discovering the 
incident.[Footnote 24] 

Incident Detection, Reporting, and Response: 

VA has improved its incident management capability since May 2006 by 
realigning and consolidating two centers with responsibilities for 
incident management, as well as developing and documenting key policies 
and procedures. Following the May 2006 security incident, VA hired a 
contractor to assist its Network Operations Center and Security 
Operations Center in developing plans for improved coordination between 
the two centers and for using a risk management approach to managing 
incidents. As part of its findings, the contractor recommended that the 
two centers be integrated at the regional and enterprise level. In 
February 2007, VA realigned and consolidated the two centers into the 
Network and Security Operations Center (NSOC), which is responsible for 
incident detection or identification, response, and reporting within 
the department. NSOC has also developed and documented a concept of 
operations for incident management and call center procedures, and it 
has developed a new incident report template to assist VA personnel in 
reporting incidents to the center within 1 hour of discovering the 
incident. Senior management officials also receive regular reports on 
security incidents within the department. 

In addition, VA has improved the reporting of incidents involving the 
loss of personal information within the department since the May 2006 
incident. Following the incident, the Secretary issued a memorandum 
requiring all employees to take security and privacy training by June 
30, 2006, as well as sign a statement of commitment and understanding 
regarding the handling of personal information of veterans. An analysis 
of reported incidents from 2003 to 2006 showed a significant increase 
in the reporting of incidents involving the loss of personal 
information to NSOC in 2006, as detailed in table 1. Of the incidents 
reported in 2006, 77 percent were reported after May. 

Table 1: Number of Incidents by Type Reported to NSOC from January 2003 
to November 2006: 

Type of incident involving the loss of personal information   2003   2004   2005   2006[A] 
Records lost or misplaced                                       19     58     41      316 
Records or hardware stolen                                       7      9     14       65 
Improper disposal of records                                    10     27     10       80 
Unauthorized access                                             60    120    112      255 
Unencrypted e-mails sent                                         8     13     16      170 
Unintended disclosure or release                                22     48     24      199 
Total number of incidents                                      126    275    217     1085 

Source: GAO analysis of VA data on incidents. 

[A] Numbers reported are from January 1, 2006, to November 3, 2006. 

[End of table] 

While the increase in reported incidents shows that the memorandum and 
updated security and privacy training are heightening VA employees' 
awareness of their responsibility to report incidents involving loss of 
personal information, it also indicates that vulnerabilities remain in 
security controls designed to adequately safeguard information. To 
assist the department in improving its analysis of security incident 
data, NSOC merged three incident databases into one to streamline the 
collection of incident data gathered within the department. VA also 
developed a software tool with a Web-based interface (the Formal Event 
Review and Evaluation Tool) to analyze reported incidents and observe 
trends, and began using the tool in April 2007. 

Incident Notification: 

The department has made a notable improvement in its notification of 
major security incidents to US-CERT, the Secretary, and Congress since 
the incidents in May 2006.[Footnote 25] However, the time it took to 
send notification letters to individuals was longer for some 
incidents because VA did not have adequate procedures for incident 
response and notification. Table 2 presents major security incidents 
occurring since May 2006, along with the times taken to make various 
notifications. As the table shows, delays in reporting incidents have 
generally decreased since May 2006. 

Table 2: Time Elapsed Between Major Incidents at VA and Notification of 
US-CERT, Secretary, Congress, and Individuals (May 2006 to January 
2007): 

Time taken to report or send notification letter is given in calendar 
days for each party notified. 

Security incident                                   Incident date       To US-CERT   To VA Secretary   To Congress     To individuals 
Computer equipment stolen from VA employee home     May 3, 2006         20 days      13 days           19 days         About a month[A] 
Backup tape missing                                 May 5, 2006         42 days      18 days           55 days         159 days 
Desktop computer stolen from contractor facility    August 3, 2006      Same day     1 day             1 day           7 days 
Medical device in New York stolen                   September 6, 2006   Same day     Same day          Within a week   55 days 
External hard drive stolen at Birmingham facility   January 22, 2007    Same day     1 day             11 days         49 days (individuals); 85 days (medical providers) 

Source: GAO analysis of VA data. 

[A] Because of the volume of letters that were sent out, notification 
letters were sent out over a period of time during the month of June 
2006. 

[End of table] 

Coordination with other agencies. In the incident in Birmingham in 
January 2007, medical provider and physician information from the 
Centers for Medicare & Medicaid Services of the Department of Health 
and Human Services was lost, requiring VA to coordinate with this 
department to respond to the incident. At the time of the incident, VA 
had drafted interim procedures for incident response, including 
notifying individuals affected by security incidents.[Footnote 26] 
These draft procedures described steps to be taken to respond to 
incidents involving the loss of information on veterans. However, they 
did not include processes for coordinating incident response and 
mitigation activities with other agencies. This contributed to the fact 
that it took more time to determine the risks to medical providers, who 
were not notified until 85 days after the incident. 

To address the coordination issue, VA revised its interim procedures to 
indicate that incident response teams will work with other federal 
agencies and teams as needed to contract for independent analyses of 
the risk associated with compromise of the particular data involved. In 
March 2007, VA approved these revised interim procedures. However, the 
approved procedures are limited to contracting for risk analyses and do 
not incorporate processes for coordinating with other federal agencies 
on other appropriate mitigation activities. For example, although the 
procedures allow for the offer of credit monitoring to affected 
individuals, they do not address mitigating other types of risks, such 
as potential fraudulent claims for payment under Medicare, which were a 
potential risk for the Birmingham incident. Credit monitoring would not 
address this risk. Other coordination and mitigation activities, such as 
alerting the Centers for Medicare & Medicaid Services to the possibility 
of fraudulent claims involving specific providers, may be needed to 
adequately address this potential risk or other risks different from 
those experienced to date. 

Obtaining up-to-date contact information. VA's procedures for incident 
response and notification do not include mechanisms for obtaining 
contact information on individuals (when necessary), which can also 
cause delays in sending out notification letters to individuals. A VA 
official noted that notification letters to individuals could be 
delayed, depending on whether the department could locate complete 
address information for the affected individuals and on the number of 
letters that must be sent. Such delays occurred in the case of the 
missing backup tape in May 2006 (when 159 days passed before 
notification letters were sent). The data and number of records that 
were on the backup tape were not immediately known, and the address 
information of veterans whose data were compromised in the incident had 
to be researched. Our recent report noted that agencies faced 
challenges in identifying address information for individuals affected 
by security incidents and that mechanisms should be in place to obtain 
contact information on individuals.[Footnote 27] However, VA's draft 
and approved interim procedures do not include a mechanism for 
obtaining such contact information. As a result, the department's 
response to incidents could be delayed when the compromised data do not 
include complete and accurate contact information (or there is 
uncertainty about the data). 

Risk analysis. As mentioned earlier, VA asked the Department of Health 
and Human Services to conduct an independent risk analysis on the 
provider data loss in the January 2007 incident in Birmingham; this 
analysis showed that there was a high risk that the loss of personal 
information could result in harm to the individuals concerned. 
Conducting such risk analyses after incidents is a recommended 
procedure, since appropriate incident response and notification depend 
on determining the level of risk associated with the particular 
information that is compromised.[Footnote 28] In addition, conducting 
periodic risk assessments before an incident occurs facilitates a rapid 
response, by enabling the development of mitigation activities and 
appropriate coordination for potential data losses. Assessments of both 
systems and the information they contain are important, particularly 
information with a high potential risk for inappropriate use or fraud. 
However, VA is still in the process of finalizing and approving its 
guidance for completing risk assessments on VA's systems. As a result, 
the department does not have a current assessment of risk for the 
information located at its facilities and in its information systems, 
which could affect the coordination and mitigation activities that are 
developed by the department to respond to potential data losses. Until 
VA assesses the risk for information located at its facilities and in 
its information systems and uses this assessment to develop and 
document mitigation activities and appropriate coordination for 
potential data losses (particularly high-risk losses), it may not be 
able to adequately address potential risks associated with loss of 
sensitive information at its facilities and on its systems. 

Additional VA actions. VA has taken additional actions to improve 
incident response and notification. In February 2007, VA chartered the 
Incident Resolution Team Structure, a group of officials from 
organizations within the department who are responsible for responding 
to incidents and handling notification requirements at the national, 
regional, and local levels. This action was in response to an OMB 
memorandum issued in September 2006, which recommended that all 
departments and agencies develop a core management group responsible 
for incident response to losses of personal information, as well as a 
response plan for notifying individuals affected by security incidents. 
Roles and responsibilities within the Incident Resolution Team 
Structure are organized according to the level of activity, the nature 
of the incident, and how the incident is categorized based on risk 
levels. VA also uses the Formal Event Review and Evaluation Tool to 
determine what the risk category of a security incident should be, 
based on the severity of the incident. 

VA has also recently developed, with contractor assistance, interim 
regulations for security incident notification, data mining, fraud 
alerts, data breach analysis (that is, risk analysis of security 
incidents), credit monitoring, identity theft insurance, and credit 
protection services, as required under the Veterans Benefits, Health 
Care, and Information Technology Act of 2006. These interim regulations 
were approved by OMB and became effective on June 22, 2007. 

Establishment of Office of IT Oversight and Compliance: 

According to Standards for Internal Control in the Federal 
Government,[Footnote 29] internal controls at agencies should generally 
be designed to ensure that ongoing monitoring occurs in the course of 
normal operations. The methodology for evaluating an agency's internal 
controls should be logical and appropriate and may include assessments 
using checklists or other tools, as well as a review of the control 
design and direct testing of the internal control. The evaluation team 
should develop a plan for the evaluation process to ensure a 
coordinated effort, analyze the results of evaluation against 
established criteria, and ensure that the process is properly 
documented. The agency should also ensure that corrective action is 
taken within established time frames and is followed up on to verify 
implementation. 

In an effort to promote internal controls within VA's computer 
environment, VA has consolidated a number of IT compliance programs 
under one organization, the Office of IT Oversight and Compliance 
(ITOC). This office was established in January 2007. Previously, the 
Review and Inspection Division was responsible for conducting facility 
assessments and validating information entered into a database in 
response to VA's annual FISMA self-assessment survey. The division was 
incorporated into the ITOC, which is now responsible for providing 
independent, objective, and quality oversight and compliance services 
in the areas of cyber security, records management, and privacy. It is 
also responsible for conducting assessments of VA's facilities that (1) 
determine the adequacy of internal controls; (2) investigate compliance 
with laws, policies, and directives from VA and external organizations; 
and (3) ensure that proper safeguards are maintained. The results of 
these assessments are reported directly to the CIO and responsible 
supervisors at the facilities. The ITOC recommends corrective actions 
to remediate identified issues where necessary and also makes available 
a remediation team to assist the facility in addressing any 
recommendations. In January 2007, the ITOC began conducting assessments 
at facilities and by June 2007 had conducted 34 assessments. According 
to the Director of the ITOC, it recently became fully staffed with 127 
personnel and will begin to conduct 12 to 18 assessments per month. VA 
facilities will be assessed every 3 years. 

Although the ITOC was formed to identify security weaknesses and ensure 
compliance with federal law and department policy, its approach to 
conducting assessments does not include basic elements necessary for 
evaluating and monitoring controls. For example, although the ITOC 
developed a checklist to conduct facility assessments,[Footnote 30] it 
did not develop a standard methodology for analysts to use when 
evaluating internal controls against the checklist, or specific 
criteria for each checklist item. As a result, the office lacks a 
process to ensure that its examination of internal controls is 
consistent across VA facilities. In addition, although the Director of 
the ITOC indicated that the assessment team recommendations to 
facilities are tracked in a database, no supporting documentation was 
provided. Further, according to the standards for internal control, 
organizations should follow up to ensure that corrective action is 
taken. However, the ITOC checks whether recommendations have been 
implemented only when a site is re-inspected. As a result, the office 
has no timely mechanism in place to ensure that its recommendations 
have been addressed. Until there are a standard methodology and 
established criteria for evaluating internal controls at facilities, as 
well as a mechanism in place to track recommendations and conduct 
regular follow-up on their status, VA will have limited assurance that 
its process for assessing its statutory and regulatory compliance and 
the effectiveness of its internal controls process is adequate and 
consistent across its facilities. 

Conclusions: 

Effective information security controls are critical to securing the 
information systems and information on which VA depends to carry out 
its mission. GAO and IG recommendations to address long-standing 
weaknesses within the department have not yet been fully implemented, 
nor is the implementation of the IG recommendations expected to be 
completed in the near future. Consequently, there is an increased risk 
that personal information of veterans and other individuals, such as 
medical providers, will be exposed to potential data tampering, 
disruptions in critical operations, fraud, and the inappropriate 
disclosure of sensitive information. Until VA addresses recommendations 
to resolve identified weaknesses, it will have limited assurance that 
it can adequately protect its systems and information. 

Although VA has begun or continued several initiatives to strengthen 
information security practices within the department, the shortcomings 
with the implementation of these initiatives could limit their 
effectiveness. Developing and documenting processes, policies, and 
procedures; filling a key position; and completing the implementation of 
major initiatives will help ensure that these initiatives strengthen 
information security practices within the department. Sustained 
management commitment and oversight are vital to 
ensure the effective development, implementation, and monitoring of the 
initiatives that are being undertaken. Such involvement and oversight 
are critical to providing VA with a solid foundation for resolving long-
standing information security weaknesses and continuously managing 
information security risks. 

Recommendations for Executive Action: 

To assist the department in improving its ability to protect its 
information and systems, we are recommending the Secretary of Veterans 
Affairs take the following 17 actions: 

* Finalize and approve Handbook 6500 to provide guidance for 
developing, documenting, and implementing the elements of the 
information security program. 

* Develop, document, and implement a process for reviewing on a regular 
basis the performance plans of senior executives to ensure that 
information security is included as an evaluation element. 

* Develop, document, and implement a process for the Director of Field 
Operations and Security and Director of Cyber Security to coordinate 
with each other on the implementation of IT security policies and 
procedures throughout the department. 

* Document clearly defined responsibilities in the organization book 
for the Director of Field Operations and Security and the Director of 
Cyber Security for coordinating the implementation of IT security 
policies and procedures within the department. 

* Act expeditiously to fill the position of the Chief Information 
Security Officer. 

* Revise Directive 6500 to reflect the new IT management structure and 
to ensure that roles and responsibilities are consistent in all VA IT 
directives. 

* Develop, document, and implement procedures for the action plan to 
ensure that action items are addressed in an effective and timely 
manner. 

* Establish tasks with time frames for implementation of policies and 
procedures in the action plan. 

* Develop, document, and implement a process to validate the closure of 
action plan items. 

* Include in the action plan the activities taken to address GAO 
recommendations. 

* Develop, document, and implement clear guidance for identifying 
devices that require encryption functionality. 

* Maintain an accurate inventory of all IT equipment that has 
encryption installed. 

* Develop and document procedures that include a mechanism for 
obtaining contact information on individuals whose information is 
compromised in security incidents. 

* Conduct an assessment of what constitutes high-risk data for the 
information located at VA facilities and in information systems. 

* Develop and document a process for appropriate coordination and 
mitigation activities based on the assessment above. 

* Develop, document, and implement a standard methodology and 
established criteria for evaluating the internal controls at 
facilities. 

* Establish a mechanism to track ITOC recommendations made to 
facilities and conduct regular follow-up on the status of the 
recommendations. 

Agency Comments and Our Evaluation: 

We received written comments on a draft of this report from the Deputy 
Secretary of Veterans Affairs (these are reprinted in appendix IV). The 
Deputy Secretary generally agreed with our findings and recommendations 
and stated that VA has already implemented or is working to implement 
all 17 recommendations. Additionally, the Deputy Secretary stated that 
the consolidation of all IT operations and maintenance under VA's Chief 
Information Officer will enhance the department's information security 
program, as well as correct long-standing deficiencies.[Footnote 31] 

In his comments, the Deputy Secretary also noted that the 
recommendation related to information security as an evaluation element 
in senior executive performance plans has already been implemented and 
that the recruitment announcement to fill the position of Chief 
Information Security Officer closed on July 27, 2007. He further stated 
that VA's Directive 6500, issued in August 2006, remains valid. 
However, as mentioned in our report, Directive 6500 was not updated to 
reflect the new IT realignment structure that was approved by the 
Secretary in February 2007, and roles and responsibilities should be 
consistent in all department policies and directives. The Deputy 
Secretary also discussed some of the activities that were underway to 
implement our recommendations. 

In the draft report that was provided for comment, we indicated that VA 
had not implemented any of the IG's 22 recommendations to improve 
information security. We have since received new information and have 
updated the report to reflect that VA has now implemented 2 of the 22 
IG recommendations. 

As agreed, unless you publicly announce the contents of this report 
earlier, we plan no further distribution until 30 days from the report 
date. At that time, we are sending copies of this report to interested 
congressional committees; the Secretary of Veterans Affairs; and other 
interested parties. We will also make copies available to others upon 
request. In addition, the report will be available at no charge on the 
GAO Web site at [hyperlink, http://www.gao.gov]. 

If you have any questions regarding this report, please contact me at 
(202) 512-6244 or by e-mail at wilshuseng@gao.gov. Contact points for 
our Offices of Congressional Relations and Public Affairs may be found 
on the last page of this report. Key contributors to this report are 
listed in appendix V. 

Signed by: 

Gregory C. Wilshusen: 
Director, Information Security Issues: 

List of Requesters: 

The Honorable Harry Reid: 
Majority Leader: 
United States Senate: 

The Honorable Daniel K. Akaka: 
Chairman: 
Committee on Veterans' Affairs: 
United States Senate: 

The Honorable Bob Filner: 
Chairman: 
Committee on Veterans' Affairs: 
House of Representatives: 

The Honorable Hillary Rodham Clinton: 
United States Senate: 

The Honorable Byron L. Dorgan: 
United States Senate: 

The Honorable Joseph I. Lieberman: 
United States Senate: 

The Honorable Patty Murray: 
United States Senate: 

The Honorable Barack Obama: 
United States Senate: 

The Honorable John D. Rockefeller IV: 
United States Senate: 

The Honorable Ken Salazar: 
United States Senate: 

The Honorable Charles E. Schumer: 
United States Senate: 

[End of section] 

Appendix I: Objectives, Scope, and Methodology: 

Our objectives were to evaluate (1) whether the Department of Veterans 
Affairs (VA) has effectively addressed GAO and VA Office of Inspector 
General (IG) recommendations to strengthen its information security 
practices and (2) actions VA has taken since the May 2006 security 
incident to strengthen its information security practices and secure 
personal information. In doing this work, we analyzed relevant 
documentation including policies, procedures, and plans, and 
interviewed key department officials in Washington, D.C., to identify 
and assess VA's progress in implementing recommendations and federal 
legislation to strengthen its information security practices. We also 
drew on previous GAO reports and testimonies, as well as on expert 
opinion provided in congressional testimony and other sources. We used 
certain applicable federal laws, other requirements, and guidelines, 
including Office of Management and Budget (OMB) memorandums, in 
assessing whether the Department's actions and initiatives can help 
ensure departmental compliance. 

For the first objective, we evaluated VA's actions to address GAO and 
VA IG recommendations, respectively in our 2002 report and in the IG's 
July 2006 and September 2006 reports. To review VA's history of 
implementation efforts, we examined GAO reports, testimony from recent 
congressional hearings made by GAO and IG staff, as well as reports by 
the VA IG. To determine the implementation status of open GAO 
recommendations, we analyzed pertinent security policies, procedures, 
and plans and met with officials from VA to gather information on the 
department's actions to address the recommendations. To determine the 
implementation status of open IG recommendations we met with officials 
from the VA IG Office of Audit to discuss the status of these 
recommendations and met with VA officials to learn what actions had 
been taken or were planned to fully address the 
recommendations.[Footnote 32] The VA IG concurred with the status 
information provided. 

For the second objective, we evaluated VA's actions to strengthen its 
information security practices to comply with federal guidance, 
including recent OMB memorandums. We met with department officials to 
gather information on what initiatives VA had undertaken or planned to 
undertake to improve its information security practices. For each 
initiative, we obtained and analyzed supporting documentation and met 
with department officials responsible for the implementation of the 
initiatives to assess the extent to which the department had complied 
with federal requirements and other guidelines. In addition, we also 
performed audit procedures to determine the extent to which VA has 
installed encryption functionality on its laptop computers. Our 
detailed scope and methodology for the laptop encryption testing are 
below. 

Laptop Encryption Testing: 

We examined 248 laptops at eight locations to determine whether 
encryption software had been installed on a selection of laptops as 
indicated by VA. 

Selection of Locations: 

We selected the locations to be visited based on (1) the type of 
facility[Footnote 33] and (2) number of facilities available to be 
tested in a geographic area. We identified different facility types in 
proximity to each other and to GAO offices. Clinics and cemeteries were 
excluded from the selection because the number of laptops at these 
locations would be quite small. We also selected a Research Enhancement 
Award Program location based on an incident in January 2007 involving 
this type of location. On the basis of the criteria listed above, we 
selected the following eight facilities: Baltimore Regional Office, 
Chicago Regional Office, Denver Health Administration Center, Denver 
Regional Office, Denver Research Enhancement Award Program, Hines Data 
Center, Hines Medical Center and the Washington, D.C., Medical Center. 

Selection of Laptops: 

At each location, we obtained an inventory or population of "in use" 
laptops. We examined every laptop in the population that was available 
for review at the Baltimore Regional Office, Chicago Regional Office, 
Denver Research Enhancement Award Program, and the Hines Data Center 
because of the relatively small number of laptops in the population. We 
selected random samples of laptops with the intent of projecting the 
results to each population at the Denver Health Administration Center, 
Denver Regional Office, Hines Medical Center, and Washington, D.C., 
Medical Center.[Footnote 34] 

Testing of Laptops: 

We tested the implementation of encryption on laptops at selected VA 
facilities to determine whether the department's laptops complied with 
VA Directive 6504, which required that a laptop used in a mobile 
environment and containing sensitive information be encrypted using 
approved software validated against National Institute of Standards and 
Technology standards. We also tested laptops 
at the two medical facilities to see whether the laptops should be 
encrypted according to the facility inventory because multiple 
inventories were received from these locations. In addition, we tested 
the laptops at the two medical facilities to see whether the laptop was 
considered a medical device based on the definition of medical devices 
provided to us by VA. At each location there were a small number of 
laptops that were unavailable to us to be tested. Department officials 
cited several reasons for this, including that the laptop had been 
turned in to be disposed of or discarded according to VA policy, had a 
hard drive failure, or could not be brought in to the site for testing. 
In table 3, the "laptops tested" column represents the number of 
laptops the team was able to test. 

Table 3: Number of Laptops Tested at Select VA Facilities: 

Location: Baltimore Regional Office; 
Laptops in population: 18; 
Laptops tested: 15. 

Location: Chicago Regional Office; 
Laptops in population: 27; 
Laptops tested: 23. 

Location: Denver Health Administration Center; 
Laptops in population: 82; 
Laptops tested: 37. 

Location: Denver Regional Office; 
Laptops in population: 42; 
Laptops tested: 27. 

Location: Denver Research Enhancement Award Program; 
Laptops in population: 25; 
Laptops tested: 21. 

Location: Hines Data Center; 
Laptops in population: 29; 
Laptops tested: 26. 

Location: Hines Medical Center; 
Laptops in population: 313; 
Laptops tested: 41. 

Location: Washington, D.C., Medical Center; 
Laptops in population: 357; 
Laptops tested: 58. 

Location: Total; 
Laptops in population: 893; 
Laptops tested: 248. 

Source: GAO analysis. 

[End of table] 

Analysis of Results: 

For all four locations where every laptop in the population was tested, 
we used the results of our test to determine whether the directive had 
been consistently implemented. For the Denver Health Administration 
Center and the Denver Regional Office, our sample results allowed us to 
estimate with 95 percent confidence that at least 93 percent of the 
laptops would have consistently implemented the directive.[Footnote 35] 
On the basis of these results, we concluded that at these six sites, VA 
had consistently implemented its directive. For the Hines Medical 
Center and the Washington, D.C., Medical Center, our tests found that 
VA's directive had not been implemented on one laptop and three laptops, 
respectively, so implementation at these facilities was not consistent. 
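The "at least X percent with 95 percent confidence" statement above is the output of attribute sampling: from a site's laptop population, the number tested, and the number found non-compliant, one computes a one-sided lower confidence bound on the fraction of the whole population that complies. The script below is an added example written for this page; it is not GAO's code and does not reproduce the method in footnote 35 (which is not available here), so its figures are illustrative and not the report's 93 percent. It uses the exact hypergeometric distribution (sampling without replacement from a finite population) and contrasts the result with the binomial bound that ignores the finite population. Populations and sample sizes are taken from table 3 and the one and three exceptions at the two medical centers from the text; assuming zero exceptions at the two Denver sites is an assumption of this example, and all function names are mine.

```python
"""Attribute-sampling bounds for a laptop-encryption compliance check.

Given a site's laptop population, the number sampled and the number found
non-compliant, compute a one-sided lower confidence bound on the fraction of
the whole population that complies with the encryption directive, using the
exact hypergeometric distribution (finite population, sampling without
replacement), and contrast it with the binomial bound that ignores the
finite population. Added example; not GAO's code or its footnote 35 method.
"""
from math import comb


def hypergeom_cdf(k, population, sample, defects):
    """P(at most k non-compliant items in a simple random sample of `sample`
    items drawn without replacement from `population`, `defects` of which are
    non-compliant). math.comb returns 0 when the lower argument exceeds the
    upper, which zeroes impossible terms automatically."""
    total = comb(population, sample)
    return sum(comb(defects, x) * comb(population - defects, sample - x)
               for x in range(k + 1)) / total


def max_defects_consistent(k, population, sample, alpha=0.05):
    """Largest number of non-compliant items the population could hold while the
    observed result (k or fewer in the sample) stays at least alpha-probable.
    P(X <= k) decreases as the defect count grows, so scan upward from k."""
    defects = k
    while (defects < population
           and hypergeom_cdf(k, population, sample, defects + 1) >= alpha):
        defects += 1
    return defects


def lower_bound_compliance(k, population, sample, alpha=0.05):
    """One-sided (1 - alpha) lower confidence bound on the compliant fraction."""
    worst = max_defects_consistent(k, population, sample, alpha)
    return (population - worst) / population


def sample_size_for_assurance(population, target_rate, alpha=0.05):
    """Smallest sample that, if every sampled item is compliant, supports the
    claim 'at least target_rate of the population complies' at confidence
    1 - alpha. Useful for planning a site visit before the fact."""
    for n in range(1, population + 1):
        if lower_bound_compliance(0, population, n, alpha) >= target_rate:
            return n
    return population


def binomial_lower_bound(k, sample, alpha=0.05, iterations=100):
    """The same bound with the finite population ignored (each laptop fails with
    a fixed probability q). Finds the largest q with P(X <= k | sample, q) >= alpha
    by bisection; the bound on compliance is 1 - q."""
    def cdf(q):
        return sum(comb(sample, x) * q ** x * (1 - q) ** (sample - x)
                   for x in range(k + 1))

    lo, hi = 0.0, 1.0  # cdf(0) = 1 >= alpha; cdf(1) = 0 < alpha when k < sample
    for _ in range(iterations):
        mid = (lo + hi) / 2
        if cdf(mid) >= alpha:
            lo = mid
        else:
            hi = mid
    return 1 - lo


# Populations and sample sizes are those in table 3. The one and three
# exceptions at the two medical centers are reported in the text; zero
# exceptions at the two Denver sites is an assumption made for this example.
SITES = {
    "Denver Health Administration Center": (82, 37, 0),
    "Denver Regional Office": (42, 27, 0),
    "Hines Medical Center": (313, 41, 1),
    "Washington, D.C., Medical Center": (357, 58, 3),
}


def site_report(sites=SITES, alpha=0.05):
    """Per site: (finite-population bound, binomial bound) on the compliant fraction."""
    return {name: (round(lower_bound_compliance(k, pop, n, alpha), 4),
                   round(binomial_lower_bound(k, n, alpha), 4))
            for name, (pop, n, k) in sites.items()}


if __name__ == "__main__":
    for name, (finite, binom) in site_report().items():
        print(f"{name}: at least {finite:.1%} compliant (finite population), "
              f"{binom:.1%} (binomial), 95% one-sided")
    print("Laptops to test at a 42-laptop site to support 'at least 90% compliant'"
          " if none fail:", sample_size_for_assurance(42, 0.90))
```

Run directly, the script prints the per-site bounds and the sample size needed at a 42-laptop site to support a 90 percent claim when no exceptions are found. The finite-population bound is noticeably less conservative than the binomial one when the sample is a large share of the population, as at the two Denver sites, which is why an auditor who can test half a site's laptops gets a much stronger statement than the binomial formula alone would suggest.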

We performed our work at VA headquarters in Washington, D.C., and at 
the selected VA facilities listed above, in accordance with generally 
accepted government auditing standards, from November 2006 through 
August 2007. 

[End of section] 

Appendix II: Status of Prior VA IG Recommendations: 

This appendix includes the actions the Department of Veterans Affairs 
(VA) has taken or is planning to take to address 17 recommendations 
related to Federal Information Security Management Act (FISMA) findings 
made by the VA Office of Inspector General (IG),[Footnote 36] as 
reported to us by the completion of our review in August 2007. 

Table 4: Status of 17 VA IG Recommendations Related to FISMA Findings: 

VA IG recommendations: Implement a centralized information technology 
(IT) management approach; apply appropriate resources; establish, 
clarify, and modify IT policies and procedures pursuant to 
organizational changes; and implement and enforce security controls; 
Status: Open; 
Actions taken or planned: The new organization structure was approved 
by the Secretary in February 2007. Business processes and IT governance 
are to be developed following the approval. VA is also in the process 
of developing policies and procedures for the organizational changes, 
including a department strategic plan, and incorporating security into 
capital planning and investment control processes and information 
security officer management and operating procedures. Most of these 
were scheduled to be finished by June 2007 but remain incomplete. 

VA IG recommendations: Develop and implement solutions for the 
establishment of a patch management program; 
Status: Open; 
Actions taken or planned: VA will complete its implementation of a 
patch management program by the end of December 2009, including the 
development of a central patch management policy and establishing a 
patch management configuration standard. 

VA IG recommendations: Identify and implement solutions for resolving 
access control vulnerabilities, ensure segregation of duties, remind 
all sites to confirm virus protection files are updated prior to 
authorizing connection to their networks, and resolve all self-reported 
access control weaknesses; 
Status: Open; 
Actions taken or planned: VA is developing criteria for authorizing 
access to IT systems and a directive on access controls, both of which 
are scheduled to be completed in August 2007. VA is also making 
enhancements to its antivirus program, planned to be completed in March 
2008. 

VA IG recommendations: Review and update all applicable position 
descriptions to better describe sensitivity ratings, better document 
employee personnel records and contractor files to include signed 
"Rules of Behavior" instructions, annual certifications of veterans' 
statuses, annual privacy and Health Insurance Portability and 
Accountability Act training certifications, and position sensitivity 
level designations; 
Status: Open; 
Actions taken or planned: VA is refining and standardizing IT position 
descriptions, updating risk designations, and revising the table of 
penalties (includes examples of disciplinary action for violations). Of 
these activities, all have missed their deadline for completion and 
work still remains to be performed. VA will also conduct a review to 
ensure the position descriptions that are being refined and updated are 
consistent across the department. This will be undertaken in October 
2008. 

VA IG recommendations: Timely request the appropriate level of 
background investigations on all applicable employees and contractors. 
Additionally, monitor and ensure timely requests for reinvestigations 
on all applicable employees and contractors; 
Status: Open; 
Actions taken or planned: VA is in the process of completing any 
additional background investigations that may be needed. VA is also 
implementing the use of an Office of Personnel Management-sponsored 
system that will allow electronic completion and submission of all 
personnel investigation forms for completion of the investigations. 
This was scheduled to be completed in May 2007 but work has not yet 
begun on the task. 

VA IG recommendations: Provide the IG with the results of researching 
the benefits and costs of deploying intrusion prevention systems at all 
sites; 
Status: Closed[A]; 
Actions taken or planned: VA stated that it is installing a host-based 
intrusion prevention system for its servers, which it considers both 
prudent and necessary without a cost-benefit analysis, and that it will 
be replacing intrusion detection system equipment with intrusion 
prevention system equipment. 

VA IG recommendations: Continue efforts to strengthen critical 
infrastructure planning, complete the Infrastructure Protection Plan, 
and ensure infrastructure planning addresses other information security 
requirements; 
Status: Open; 
Actions taken or planned: VA is developing a Critical Infrastructure 
Protection Plan that is planned for completion in January 2008. VA is 
also planning to acquire an IT asset tracking system; utilizing the 
system, it will inventory all IT equipment throughout the department. 
These activities have not yet begun but are scheduled for completion in 
October 2009. 

VA IG recommendations: Collaboratively test Information Technology 
Centers' continuity of operations plans in a joint effort with all 
tenant groups (Veterans Health Administration (VHA), Veterans Benefits 
Administration (VBA), National Cemetery Administration, and other 
program offices) to ensure that backup sites will support all mission 
related operations, and report test results to the IG for further 
review; 
Status: Open; 
Actions taken or planned: The department is currently developing a 
network and security operations center continuity of operations plan 
but the completion deadline of March 2007 has been missed and work 
still remains. VA is also developing a directive for contingency 
planning that is scheduled to be completed in August 2007. 

VA IG recommendations: Address all self-reported deficiencies 
identified as the result of completed certifications and accreditations 
and related review work; 
Status: Open; 
Actions taken or planned: VA is currently in the process of developing 
criteria for system control testing, and this process is scheduled to 
be completed in August 2007. VA is also reviewing its guidance on 
certification and accreditation and will conduct recertification of all 
its systems, including its regional data centers, in the summer of 
2008. 

VA IG recommendations: Determine the extent to which uncertified 
Internet gateways continue to exist, and take actions to terminate and 
upgrade external connections susceptible to inappropriate access; 
Status: Open; 
Actions taken or planned: VA is currently enhancing controls at network 
boundaries, though the completion deadline of June 2007 has been 
missed. It is also developing a process to require authorization prior 
to connecting to non-VA systems that is planned to be completed in 
October 2007. 

VA IG recommendations: Improve configuration management practices by 
identifying, replacing, or justifying the continuance of older 
operating systems that are vulnerable to security breaches; 
Status: Open; 
Actions taken or planned: VA is currently developing criteria for 
documenting and controlling information system changes, and procedures 
for enforcing access restrictions on the ability to change a system. It 
is also upgrading its systems to Windows XP and work is expected to be 
completed by September 2007. The department also plans to develop a 
national change control policy, though work has not yet begun. 

VA IG recommendations: Complete actions to relocate and consolidate VA 
Central Office's Data Center; 
Status: Closed[A]; 
Actions taken or planned: VA completed activities to move and 
consolidate the VA Central Office data center by relocating servers and 
network hardware to other VA locations. 

VA IG recommendations: Develop and implement VA-wide application 
program/operating system change control procedures to ensure consistent 
documentation and authorization practices are deployed at all 
facilities; 
Status: Open; 
Actions taken or planned: VA is currently working on improving 
application and operating system change controls and establishing an 
enterprise change control board. Both activities are planned to be 
completed in December 2007. 

VA IG recommendations: Strengthen physical access controls to correct 
previously reported physical access control deficiencies and develop 
consistent standardized physical access control requirements, policies, 
and guidelines throughout VA; 
Status: Open; 
Actions taken or planned: VA is currently in the process of developing 
a directive for physical and environmental protection; this process is 
planned for completion in August 2007. It is in the process of 
restricting physical access to computer rooms, though work was 
scheduled to be completed in January 2007. 

VA IG recommendations: Reduce wireless security vulnerabilities by 
ensuring sites have an effective and up-to-date methodology to protect 
against the interception of wireless signals and against unauthorized 
access to the network. Additionally, ensure the wireless network is 
segmented and protected from the wired network; 
Status: Open; 
Actions taken or planned: VA is in the process of establishing regular 
update mechanisms for the security configuration of wireless devices, 
though actions were planned for completion by May 2007. VA is also 
developing standards for restricting the use of mobile and portable 
devices that are planned for completion in August 2007. 

VA IG recommendations: Identify and deploy solutions to encrypt 
sensitive data and resolve clear text protocol vulnerabilities; 
Status: Open; 
Actions taken or planned: VA announced that it had encrypted 18,000 
laptops by September 15, 2006. VA is currently developing criteria for 
managing public key infrastructure tokens, criteria for revoking or 
changing the tokens, and standards for transporting media outside of 
VA, though this work was scheduled for completion by July 2007. 

VA IG recommendations: Conduct validation tests in conjunction with 
remediation efforts to ensure all information and data retained in the 
Security Management and Reporting Tool database is accurate, complete, 
and reliable; 
Status: Open; 
Actions taken or planned: VA is currently working to enhance the 
Security Management and Reporting Tool database with modules for 
certification and accreditation, risk management, and reviews and 
inspections. This work was scheduled for completion in June 2007, but 
work remains to be completed. 

Source: GAO analysis of VA action plan. 

[A] The VA IG stated that VA's actions to resolve this recommendation 
are sufficient to close the recommendation. 

[End of table] 

[End of section] 

Appendix III: Information on Selected Security Incidents at VA from 
December 2003 to January 2007: 

The Department of Veterans Affairs (VA) had at least 1,500 security 
incidents reported between December 2003 and January 2007 that 
included the loss of personal information. Below is additional 
information on a selection of these incidents, including all publicly 
reported incidents subsequent to May 3, 2006, that were reported to the 
department during this period, and the actions it took in response to 
them. These incidents were selected from data obtained from VA to 
provide illustrative examples of the incidents that occurred at the 
department during this period. 

* December 9, 2003: stolen hard drive with data on 100 appellants. A VA 
laptop computer with benefit information on 100 appellants was stolen 
from the home of an employee working at home. As a result, the agency 
office was going to recall all laptop computers and have encryption 
software installed by December 23, 2003. 

* November 24, 2004: unintended disclosure of personal information. 
After computer system changes were made, a public drive on a VA e-mail 
system permitted all users to enter folders and files containing 
veterans' personal information (names, Social Security numbers, dates 
of birth, and in some cases personal health information such as surgery 
schedules, diagnosis, status, etc.). All folders were restricted, and 
individual services were contacted to set up limited access lists. 

* December 6, 2004: two personal computers containing data on 2,000 
patients stolen. Two desktop personal computers were stolen from a 
locked office in a research office of a medical center. One of the 
computers had files containing names, Social Security numbers, next of 
kin, addresses, and phone numbers of approximately 2,000 patients. The 
computers were password protected by the standard VA password system. 
The medical center immediately contacted the agency Privacy Officer for 
guidance. Letters were mailed to all research subjects informing them 
of the computer theft and potential for identity theft. VA enclosed 
letters addressed to three major credit agencies and postage paid 
envelopes. This incident was reported to VA and federal incident 
offices. 

* March 4, 2005: list of 897 providers' Social Security numbers sent 
via e-mail. An individual reported e-mailing a list of 897 providers' 
names and Social Security numbers to a new transcription company. This 
was immediately reported, and the supervisor called the transcription 
company and spoke with the owner and requested that the file be 
destroyed immediately. Notification letters were sent out to all 897 
providers. Disciplinary action was taken against the employee. 

* October 14, 2005: personal computer containing data on 421 patients 
stolen. A personal computer that contained information on 421 patients 
was stolen from a medical center. The information on the computer 
included patients' names; the last four digits of their Social Security 
numbers; and their height, weight, allergies, medications, recent lab 
results, and diagnoses. The agency's Privacy Officer and medical center 
information security officer were notified. The use of credit 
monitoring was investigated, and it was determined that because the 
entire Social Security number was not listed, it would not be necessary 
to use these services at the time. 

* February 2, 2006: inappropriate access of VA staff medical records. A 
VA staff member accessed several coworkers' medical records to find 
date of birth. Employee information was compromised and several records 
were accessed on more than one occasion. No resolution recorded. 

* April 11, 2006: suspected hacker compromised systems with employee's 
assistance. A former VA employee is suspected of hacking into a medical 
center computer system with the assistance of a current employee 
providing rotating administrator passwords. All systems in the medical 
center serving 79,000 veterans were compromised. 

* May 5, 2006: missing backup tape with sensitive information on 7,052 
individuals. An office determined it was missing a backup tape 
containing sensitive information. On June 29, 2006, it was reported 
that approximately 7,052 veterans were affected by the incident. On 
October 11, 2006, notification letters were mailed, and 5,000 veterans 
received credit protection and data breach analysis for 2 years. 

* August 3, 2006: desktop computer with approximately 18,000 patient 
financial records stolen. A desktop computer was stolen from a secured 
area at a contractor facility in Virginia that processes financial 
accounts for VA. The desktop computer was not encrypted. Notification 
letters were mailed and credit monitoring services offered. 

* September 6, 2006: laptop with patient information on an unknown 
number of individuals stolen. A laptop attached to a medical device at 
a VA medical center was stolen. It contained patient information on an 
unknown number of individuals. Notification letters and credit 
protection services were offered to 1,575 patients. 

* January 22, 2007: external hard drive with 535,000 individual records 
and 1.3 million non-VA physician provider records missing or stolen. An 
external hard drive used to store research data with 535,000 individual 
records and 1.3 million non-VA physician provider records was 
discovered missing or stolen from a research facility in Birmingham, 
Alabama. Notification letters were sent to veterans and providers, and 
credit monitoring services were offered to those individuals whose 
records contained personally identifiable information. 

[End of section] 

Appendix IV: Comments from the Department of Veterans Affairs: 

The Deputy Secretary Of Veterans Affairs: 
Washington: 

August 27, 2007: 

Mr. Gregory C. Wilshusen: 
Director: 
Information Security Issues: 
U.S. Government Accountability Office: 
441 G Street, NW: 
Washington, DC 20548: 

Dear Mr. Wilshusen: 

The Department of Veterans Affairs (VA) has reviewed the Government 
Accountability Office's (GAO) draft report, Information Security: 
Sustained Management Commitment and Oversight Vital to Resolving Long-
Standing Weaknesses at the Department of Veterans Affairs (GAO-07-1019) 
and generally agrees with your findings and concurs with your 
recommendations. The enclosure specifically addresses several of GAO's 
17 recommendations that are already implemented or are well along the 
way to implementation. It also provides technical corrections. 

With regard to VA's continuing efforts to improve its information 
security system, we believe that the Department's information security 
practices, as implemented before the May 2006 incident, were legally 
adequate as we noted in our motion for summary judgment in the 
litigation surrounding this incident; further, we believe that VA is 
continuing to implement appropriate administrative, technical, and 
physical safeguards. VA has taken aggressive and proactive measures 
that are, or were at the time, above and beyond legal requirements, 
such as mandating encryption of sensitive data accessed remotely or 
used outside VA facilities. The agency has implemented safeguards that 
are in conformity with the standard of reasonableness endorsed by 
Congress in enacting the Privacy Act, and a failure to employ some 
other method does not demonstrate that the protective measures in place 
were legally inadequate. 

The Assistant Secretary for Information and Technology would welcome 
the opportunity to periodically brief your staff on our progress. I 
believe that the consolidation of all IT operations and maintenance 
under VA's Chief Information Officer will enhance the Department's 
Information Security Program, as well as correct long-standing 
deficiencies.

VA will provide specific comments and implementation plans for each of 
your recommendations when responding to GAO's final report. VA 
appreciates the opportunity to comment on your draft report. 

Sincerely yours, 

Signed by: 

Gordon H. Mansfield: 

Enclosure: 

Department of Veterans Affairs (VA): 
Comments to: 
Government Accountability Office (GAO) Draft Report: 
Information Security: Sustained Management Commitment and: 
Oversight Vital to Resolving Long-Standing Weaknesses at the: 
Department of Veterans Affairs (GAO-07-1019): 

VA concurs in each of GAO's 17 recommendations. Below are specific 
comments to selected recommendations. 

Of the 17 recommendations for executive action that are listed in the 
report, the second one, relating to information security as an 
evaluation element in senior executives' performance plans, is already 
implemented. In 2002, the Information Security requirement was 
incorporated into Senior Executive Service (SES) performance 
appraisals. In 2005, it was designated as a critical element. The 
Office of the Assistant Secretary for Human Resources Management and 
Administration, in coordination with the administrations and staff 
offices, will review annually all SES performance plans, beginning 
with the 2007 Performance Review Board (PRB) process, to ensure and 
document that all SES plans contain the information security element. 
The Office of Executive Resources will maintain the documentation. 

The recruitment announcement to fill the position of Chief Information 
Security Officer (recommendation 5) closed on July 27, 2007. Directive 
6500 was issued on August 4, 2006, and remains valid (recommendation 
6). The associated Handbook (recommendation 1) is being finalized for 
submission for Departmental concurrence and includes detailed roles and 
responsibilities of the new organization. 

All other recommendations are in various stages of implementation. For 
example, several activities are underway to implement recommendation 
14, pertaining to conducting an assessment of what constitutes high-
risk data. The Office of the Assistant Secretary for Information and 
Technology has issued a data call to reduce the use of Social Security 
Numbers (SSN) and other personally identifiable information (PII) 
throughout the Department. The call requests that all organizations 
review and update all new and existing Privacy Act System of Records 
Notices (SORN) and all VA forms where PII is collected. Any unnecessary 
collection of either SSNs or PII will be scrutinized and appropriate 
steps will be taken to eliminate the collection of that information. 
Based on the results of the item above, VA will implement the second 
phase of this effort (recommendation 15) and issue policies that will 
mandate permanently reducing the collection of high-risk data located 
throughout the Department. These policies will include annual reviews 
of existing SORNs and VA forms to ensure that changes have not been 
made to those information collections. 

These policies will be communicated to all employees via daily employee 
news feeds and on-line training vehicles. They will also be reinforced 
by the Office of Information and Technology's (OI&T) IT Oversight and 
Compliance Office during the conduct of on-site assessments of IT 
security, privacy and records management practices at VA field 
facilities. 

On pages 12 and 41, GAO states that all 17 recommendations from the FY 
2005 Office of Inspector General (OIG) report have not been 
implemented. Recommendation 12 (Complete actions to relocate and 
consolidate Veterans Affairs Central Office's data center) has been 
implemented. The OIG has informed us that they plan to close this 
recommendation in their FY 2006 Federal Information Security Management 
Act audit report, which is about to go final. 

While the recommendations are directed at the Department level, 
specifically VA's OI&T, following the research security incident of 
January 22, 2007, at a research facility in Birmingham, Alabama, a 
vigorous response was initiated by both OI&T and the Veterans Health 
Administration's (VHA) Office of Research and Development. This effort 
included nationwide certification of all active research protocols for 
compliance with security standards, education of the entire VA research 
community (over 18,000 individuals) on privacy and security 
requirements, and the establishment of regular announced and 
unannounced inspections of research sites by the VHA Office of Research 
Oversight and the OI&T Office of Oversight and Compliance. 

Additionally, OI&T and VHA have worked together with the wider academic 
community and other Federal agencies that support biomedical research 
to create alignment with Federal information security management 
requirements for research that involves veterans. This ongoing process, 
which VA is leading, represents an unprecedented transformation of the 
national biomedical research enterprise and is directed at reducing 
risk of information loss as well as retaining the trust of America's 
veterans in VA's clinical research and educational missions.

[End of section] 

Appendix V: GAO Contact and Staff Acknowledgments: 

GAO Contact: 

Gregory C. Wilshusen, (202) 512-6244 or wilshuseng@gao.gov: 

Staff Acknowledgments: 

In addition to the individual named above, key contributions to this 
report were made by Charles Vrabel (Assistant Director), James Ashley, 
Mark Canter, Barbara Collier, Mary Hatcher, Valerie Hopkins, Leena 
Mathew, Jeanne Sung, and Amos Tevelow. 

Footnotes: 

[1] Information security controls include access controls, 
configuration management, segregation of duties, and contingency 
planning. These controls are designed to ensure that access to data is 
appropriately restricted, only authorized changes to computer programs 
are made, computer security duties are segregated, and backup and 
recovery plans are adequate to ensure the continuity of essential 
operations. 

[2] We made recommendations to address weaknesses in June 2002 as part 
of our review of VA's security management program to ensure compliance 
with Government Information Security Reform legislation. In December 
2002, Congress enacted the Federal Information Security Management Act, 
which required each agency to use a risk-based approach to develop, 
document, and implement a departmentwide information security program. 
Since our report in 2002, the IG has continued to make recommendations 
to address weaknesses in the department's information security program 
as part of its annual review of the program under the act. 

[3] "Personally identifiable information" refers to any information 
about an individual maintained by an agency, including any information 
that can be used to distinguish or trace an individual's identity, such 
as their name, Social Security number, date and place of birth, 
mother's maiden name, biometric records, etc., or any other personal 
information that is linked or linkable to an individual. 

[4] FISMA, Title III, E-Government Act of 2002, Pub. L. No. 107-347 
(Dec. 17, 2002). 

[5] GISRA was enacted as subtitle G of Title X of the Floyd D. Spence 
National Defense Authorization Act for Fiscal Year 2001, Pub. L. No. 
106-398 (Oct. 30, 2000). GISRA was to expire 2 years after its 
effective date. 

[6] GAO, Veterans Affairs: Sustained Management Attention Is Key to 
Achieving Information Technology Results, GAO-02-703 (Washington, D.C.: 
June 12, 2002). 

[7] Department of Veterans Affairs Office of Inspector General, Audit 
of the Department of Veterans Affairs Information Security Program, 
Report No. 04-00772-122 (Washington, D.C.: Mar. 31, 2005). 

[8] Department of Veterans Affairs Office of Inspector General, FY2005 
Audit of VA Information Security Program, Report No. 05-00055-216 
(Washington, D.C.: Sept. 20, 2006). 

[9] Encryption is used to provide basic confidentiality and integrity 
for data by transforming plaintext into ciphertext using a special 
value known as a key and a mathematical process known as an 
algorithm. 
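
The footnote names two distinct properties, confidentiality and integrity, and a laptop that merely scrambles its disk contents only delivers the first. The following is an added illustration, not code from VA or from this report, built from Python's standard-library HMAC-SHA256 primitive in an encrypt-then-MAC arrangement: one derived key produces a keystream that hides the plaintext, a second derived key produces a tag that detects any change to the stored ciphertext or the use of a wrong key. The sample record and key are constructed. In a federal deployment the cipher and MAC would come from a FIPS 140-validated module (see footnote 18), not from a construction assembled by hand like this one.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 16   # bytes of fresh randomness prepended to every message
TAG_LEN = 32     # HMAC-SHA256 output length


def _derive_keys(master_key):
    """Derive separate confidentiality and integrity keys from one master key."""
    enc_key = hmac.new(master_key, b"confidentiality", hashlib.sha256).digest()
    mac_key = hmac.new(master_key, b"integrity", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key, nonce, length):
    """HMAC-SHA256 used as a pseudorandom function in counter mode: block i = HMAC(key, nonce || i)."""
    blocks = []
    for counter in range((length + 31) // 32):
        blocks.append(hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
    return b"".join(blocks)[:length]


def encrypt(master_key, plaintext):
    """Return nonce || ciphertext || tag.

    Confidentiality: plaintext XORed with a key- and nonce-dependent keystream.
    Integrity: tag computed over the nonce and ciphertext with the integrity key.
    """
    enc_key, mac_key = _derive_keys(master_key)
    nonce = secrets.token_bytes(NONCE_LEN)   # must never repeat under the same key
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(master_key, blob):
    """Verify the tag before touching the ciphertext; any modification raises ValueError."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("ciphertext too short")
    enc_key, mac_key = _derive_keys(master_key)
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):   # constant-time comparison
        raise ValueError("integrity check failed: wrong key or modified data")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


def tamper_detected(master_key, plaintext):
    """Flip one bit of the stored ciphertext and report whether decrypt refuses it."""
    blob = bytearray(encrypt(master_key, plaintext))
    blob[NONCE_LEN] ^= 0x01
    try:
        decrypt(master_key, bytes(blob))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    record = b"name=J. Doe;SSN=000-00-0000;DOB=1950-01-01"   # constructed sample record
    stored = encrypt(key, record)
    assert record not in stored            # the plaintext is not visible in storage
    assert decrypt(key, stored) == record  # the right key recovers it
    assert tamper_detected(key, record)    # a modified copy is rejected, not silently decrypted
    print("confidentiality and integrity checks passed")
```

The order of operations in `decrypt` is the point worth carrying over to any real implementation: the tag is verified before any plaintext is produced, so a modified or mis-keyed blob yields an error rather than garbage that downstream code might act on.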

[10] Department of Veterans Affairs Office of Inspector General, Review 
of Issues Related to the Loss of VA Information Involving the Identity 
of Millions of Veterans, Report No. 06-02238-163 (Washington, D.C.: 
July 11, 2006). 

[11] Veterans Benefits, Health Care, and Information Technology Act of 
2006, Pub. L. No. 109-461 (Dec. 22, 2006). 

[12] This included, among other things, the unique physician 
identification number, Medicare billing number, and physician 
credential code of medical providers. 

[13] Department of Veterans Affairs Office of Inspector General, 
Administrative Investigation Loss of VA Information VA Medical Center 
Birmingham, AL, Report No. 07-01083-157 (Washington, D.C.: June 29, 
2007). 

[14] The VA National Rules of Behavior is a set of department rules 
that describes the responsibilities and behavior of personnel with 
regard to information system usage and is required to be developed 
under the Veterans Benefits, Health Care, and Information Technology 
Act of 2006. 

[15] Such a review process and documentation of it are control 
activities identified in GAO, Standards for Internal Control in the 
Federal Government, GAO/AIMD-00-21.3.1 (Washington, D.C.: November 
1999). 

[16] This is one of the identified activities described in our 1998 
study of security management practices: GAO, Executive Guide: 
Information Security Management--Learning from Leading Organizations, 
GAO/AIMD-98-68 (Washington, D.C.: May 1998). 

[17] We recently recommended that VA improve its management of the 
realignment effort by dedicating an implementation team to manage 
change, expediting development of performance metrics, and establishing 
a schedule for implementing management processes. VA agreed with the 
findings in our report and generally concurred with the 
recommendations. GAO, Veterans Affairs: Continued Focus on Critical 
Success Factors Is Essential to Achieving Information Technology 
Realignment, GAO-07-844 (Washington, D.C.: June 15, 2007). 

[18] Federal Information Processing Standard 140 is published by the 
National Institute of Standards and Technology and specifies the 
security requirements that must be satisfied by a cryptographic module 
used by federal agencies. 

[19] See appendix I for more details regarding our methodology for 
testing the implementation of encryption on laptops. Because of the 
scope of our testing of laptop encryption, we could not make a 
determination of the effectiveness of VA's effort to implement VA 
Directive 6504 at all department facilities. 

[20] In contrast, VBA directed that all laptops at each facility be 
encrypted regardless of whether or not they operated in a mobile 
environment. 

[21] VA has since hired a contractor to analyze the relationship 
between the biomedical and IT functions in the devices to improve the 
management of medical devices. 

[22] The Food and Drug Administration's guidance provides that medical 
device software (that is, software that is used as a component or 
accessory of a medical device) must be validated by the manufacturer 
before it can be used. When any change to the software is made, the 
change must be validated; this requirement limits VA's ability to 
encrypt laptops that are considered medical devices. 

[23] GAO, Veterans Affairs: Inadequate Controls over IT Equipment at 
Selected VA Locations Pose Continuing Risk of Theft, Loss, and 
Misappropriation, GAO-07-505 (Washington, D.C.: July 16, 2007), and 
Veterans Affairs: Lack of Accountability and Control Weaknesses over IT 
Equipment at Selected VA Locations, GAO-07-1100T (Washington, D.C.: 
July 24, 2007). 

[24] OMB Memorandum M-06-19, "Reporting Incidents Involving Personally 
Identifiable Information and Incorporating the Cost for Security in 
Agency Information Technology Investments" (July 12, 2006). 

[25] For more details on these incidents at VA, see appendix III. 

[26] VA drafted these interim procedures to comply with the Veterans 
Benefits, Health Care, and Information Technology Act of 2006, which 
required VA to draft regulations for security incident notification and 
publish these in the Federal Register for public comment for 60 days. 
Until the regulation could be finalized, VA followed its interim 
procedures. 

[27] GAO, Privacy: Lessons Learned about Data Breach Notification, GAO-
07-657 (Washington, D.C.: Apr. 30, 2007). 

[28] We and the IG have issued reports that make recommendations for 
conducting risk assessments of high-risk data for identity theft and 
determining if credit monitoring services or other appropriate services 
should be offered. See GAO, Privacy: Lessons Learned about Data Breach 
Notification, GAO-07-657 (Washington, D.C.: Apr. 30, 2007); Department 
of Veterans Affairs Office of Inspector General, Administrative 
Investigation Loss of VA Information VA Medical Center Birmingham, AL, 
Report No. 07-01083-157 (Washington, D.C.: June 29, 2007). 

[29] GAO, Standards for Internal Control in the Federal Government, 
GAO/AIMD-00-21.3.1 (Washington, D.C.: November 1999). GAO also issued a 
management evaluation tool to assist agencies in maintaining or 
implementing effective internal control. See GAO, Internal Control 
Management and Evaluation Tool, GAO-01-1008G (Washington, D.C.: August 
2001). 

[30] The checklist is based on existing National Institute of Standards 
and Technology checklists and incorporates an assessment of internal 
controls and adherence to federal laws and VA policies. 

[31] The Deputy Secretary also stated that VA considers its information 
security practices, as implemented before the May 2006 incident, as 
legally adequate, referring to the Government's response to litigation 
concerning the incident. However, our review did not assess the legal 
adequacy of the Department's safeguards in satisfying the Privacy Act, 
the statute involved in the litigation and to which the Deputy 
Secretary referred. 

[32] The IG evaluated VA's actions in addressing recommendations made 
by the IG as part of their annual FISMA review during fiscal year 2006. 

[33] The types of VA facilities include central and regional offices, 
data centers, medical centers, clinics, Research Enhancement Award 
Program offices, and cemeteries. 

[34] With these probability samples, each laptop had a known, nonzero 
probability of being selected. 

[35] Because we selected a sample of laptops from these locations, our 
results are estimates of the populations and thus are subject to 
sampling errors that are associated with samples of this size and type. 
Our confidence in the precision of the results from this sample is 
expressed in 95 percent confidence intervals, which are expected to 
include the actual results in 95 percent of the samples of this type. 

[36] Department of Veterans Affairs Office of Inspector General, FY2005 
Audit of VA Information Security Program, Report No. 05-00055-216 
(Washington, D.C.: Sept. 20, 2006). 

GAO's Mission: 

The Government Accountability Office, the audit, evaluation and 
investigative arm of Congress, exists to support Congress in meeting 
its constitutional responsibilities and to help improve the performance 
and accountability of the federal government for the American people. 
GAO examines the use of public funds; evaluates federal programs and 
policies; and provides analyses, recommendations, and other assistance 
to help Congress make informed oversight, policy, and funding 
decisions. GAO's commitment to good government is reflected in its core 
values of accountability, integrity, and reliability. 

Obtaining Copies of GAO Reports and Testimony: 

The fastest and easiest way to obtain copies of GAO documents at no 
cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each 
weekday, GAO posts newly released reports, testimony, and 
correspondence on its Web site. To have GAO e-mail you a list of newly 
posted products every afternoon, go to [hyperlink, http://www.gao.gov] 
and select "Subscribe to Updates." 

Order by Mail or Phone: 

The first copy of each printed report is free. Additional copies are $2 
each. A check or money order should be made out to the Superintendent 
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or 
more copies mailed to a single address are discounted 25 percent. 
Orders should be sent to: 

U.S. Government Accountability Office: 
441 G Street NW, Room LM: 
Washington, D.C. 20548: 

To order by Phone: 
Voice: (202) 512-6000: 
TDD: (202) 512-2537: 
Fax: (202) 512-6061: 

To Report Fraud, Waste, and Abuse in Federal Programs: 

Contact: 

Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]: 
E-mail: fraudnet@gao.gov: 
Automated answering system: (800) 424-5454 or (202) 512-7470: 

Congressional Relations: 

Gloria Jarmon, Managing Director, JarmonG@gao.gov (202) 512-4400: 

U.S. Government Accountability Office: 
441 G Street NW, Room 7125: 
Washington, D.C. 20548: 

Public Affairs: 

Susan Becker, Acting Manager, Beckers@gao.gov (202) 512-4800: 

U.S. Government Accountability Office: 
441 G Street NW, Room 7149: 
Washington, D.C. 20548: