Information Security: Sustained Management Commitment and Oversight Are Vital to Resolving Long-standing Weaknesses at the Department of Veterans Affairs

GAO-07-1019 Published: Sep 07, 2007. Publicly Released: Sep 19, 2007.
Highlights

In May 2006, the Department of Veterans Affairs (VA) announced that computer equipment containing personal information on approximately 26.5 million veterans and active duty military personnel had been stolen. Given the importance of information technology (IT) to VA's mission, effective information security controls are critical to maintaining public and veteran confidence in its ability to protect sensitive information. GAO was asked to evaluate (1) whether VA has effectively addressed GAO and VA Office of Inspector General (IG) information security recommendations and (2) actions VA has taken since May 2006 to strengthen its information security practices and secure personal information. To do this, GAO examined security policies and action plans, interviewed pertinent department officials, and conducted testing of encryption software at select VA facilities.

Recommendations

Recommendations for Executive Action

Agency affected: Department of Veterans Affairs (all recommendations below)

Recommendation: To assist the department in improving its ability to protect its information and systems, the Secretary of Veterans Affairs should finalize and approve Handbook 6500 to provide guidance for developing, documenting, and implementing the elements of the information security program.
Status: Closed – Implemented
In fiscal year 2008, we verified that VA, in response to our recommendation, has finalized and approved Handbook 6500. This action increases VA's ability to safeguard its assets and sensitive information against potential data tampering, disruptions in critical operations, fraud, and the inappropriate disclosure of sensitive information.

Recommendation: To assist the department in improving its ability to protect its information and systems, the Secretary of Veterans Affairs should develop, document, and implement a process for reviewing on a regular basis the performance plans of senior executives to ensure that information security is included as an evaluation element.
Status: Closed – Implemented
In fiscal year 2011, we verified that VA, in response to our recommendation, has developed, documented, and implemented an annual review process for SES performance plans to ensure that information security elements are incorporated in performance appraisals. VA's Office of Executive Resources maintains documentation for the Performance Review Board.

Recommendation: To assist the department in improving its ability to protect its information and systems, the Secretary of Veterans Affairs should develop, document, and implement a process for the Director of Field Operations and Security and Director of Cyber Security to coordinate with each other on the implementation of IT security policies and procedures throughout the department.
Status: Closed – Implemented
In fiscal year 2008, we verified that VA, in response to our recommendation, has developed, documented, and implemented a process for the Director of Field Operations and Security and Director of Cyber Security to coordinate with each other on the implementation of IT security policies and procedures throughout the department. This action increases VA's ability to consistently implement policies and procedures throughout the department.

Recommendation: To assist the department in improving its ability to protect its information and systems, the Secretary of Veterans Affairs should document clearly defined responsibilities in the organization book for the Director of Field Operations and Security and the Director of Cyber Security for coordinating the implementation of IT security policies and procedures within the department.
Status: Closed – Implemented
In fiscal year 2008, we verified that VA, in response to our recommendation, documented clearly defined responsibilities in the organization book for the Director of Field Operations and Security and the Director of Cyber Security for coordinating the implementation of IT security policies and procedures within the department. This action increases VA's assurance that the management and implementation of security policies and procedures are effectively coordinated and communicated.

Recommendation: To assist the department in improving its ability to protect its information and systems, the Secretary of Veterans Affairs should act expeditiously to fill the position of the Chief Information Security Officer.
Status: Closed – Implemented
In fiscal year 2008, we verified that VA, in response to our recommendation, has filled the position of the CISO. This action increases VA's ability to strengthen information security practices and coordinate security-related activities within the department.

Recommendation: To assist the department in improving its ability to protect its information and systems, the Secretary of Veterans Affairs should revise Directive 6500 to reflect the new IT management structure and to ensure that roles and responsibilities are consistent in all VA IT directives.
Status: Closed – Implemented
In fiscal year 2008, we verified that VA, in response to our recommendation, has updated its directive on its information security program to reflect the new IT realignment structure for the position of the CISO. This action increases VA's ability to communicate and coordinate responsibilities among the department's security staff.

Recommendation: To assist the department in improving its ability to protect its information and systems, the Secretary of Veterans Affairs should develop, document, and implement procedures for the action plan to ensure that action items are addressed in an effective and timely manner.
Status: Closed – Implemented
In fiscal year 2010, we verified that VA, in response to our recommendation, has issued a close-out management plan with guidance on addressing action items. In addition, VA has implemented a tracking system to monitor agency progress in closing action items.

Recommendation: To assist the department in improving its ability to protect its information and systems, the Secretary of Veterans Affairs should establish tasks with time frames for implementation of policies and procedures in the action plan.
Status: Closed – Implemented
In fiscal year 2011, we verified that VA, in response to our recommendation, has developed an integrated master schedule (the Schedule Management Plan) to establish the tasks and time frames for implementation of policies and procedures.

Recommendation: To assist the department in improving its ability to protect its information and systems, the Secretary of Veterans Affairs should develop, document, and implement a process to validate the closure of action plan items.
Status: Closed – Implemented
In fiscal year 2011, we verified that VA, in response to our recommendation, has developed a Closeout Management Plan, which documents the methodology for collecting project artifacts and for closing work identified in the integrated master schedule. We also verified that VA has implemented a new application for tracking plans of action and milestones (POA&Ms), the Security Management and Reporting Tool (SMART). SMART allows VA managers to validate the closure of POA&Ms.

Recommendation: To assist the department in improving its ability to protect its information and systems, the Secretary of Veterans Affairs should include in the action plan the activities taken to address GAO recommendations.
Status: Closed – Implemented
In fiscal year 2011, we verified that VA, in response to our recommendation, has implemented a new system for tracking plans of action and milestones (POA&Ms) called the Security Management and Reporting Tool (SMART). SMART documents, as part of each POA&M, the activities taken to address recommendations, including those made by GAO.

Recommendation: To assist the department in improving its ability to protect its information and systems, the Secretary of Veterans Affairs should develop, document, and implement clear guidance for identifying devices that require encryption functionality.
Status: Closed – Implemented
In fiscal year 2010, we verified that VA, in response to our recommendation, has issued Handbook 6500 with explicit guidance on encrypting devices and the standards that must be met. This action helps ensure that VA has in place guidance for identifying devices that require encryption.

Recommendation: To assist the department in improving its ability to protect its information and systems, the Secretary of Veterans Affairs should maintain an accurate inventory of all IT equipment that has encryption installed.
Status: Closed – Implemented
In fiscal year 2011, we verified that VA, in response to our recommendation, has implemented software to track devices that have encryption installed. The software allows VA to maintain an accurate inventory of all IT equipment that has encryption installed.

Recommendation: To assist the department in improving its ability to protect its information and systems, the Secretary of Veterans Affairs should develop and document procedures that include a mechanism for obtaining contact information on individuals whose information is compromised in security incidents.
Status: Closed – Implemented
In fiscal year 2011, we verified that VA, in response to our recommendation, has developed policy specifying that the Privacy Officer is responsible for identifying individuals whose information has been compromised in security incidents. In addition, VA has developed procedures for obtaining contact information on individuals whose information is compromised in security incidents.

Recommendation: To assist the department in improving its ability to protect its information and systems, the Secretary of Veterans Affairs should conduct an assessment of what constitutes high-risk data for the information located at VA facilities and in information systems.
Status: Closed – Implemented
In fiscal year 2010, we verified that VA, in response to our recommendation, has included in Handbook 6500.3 the standards to be followed in determining what constitutes high-risk data for information located at VA facilities and in information systems. This action helps VA assess the risk of information at its facilities and in its systems.

Recommendation: To assist the department in improving its ability to protect its information and systems, the Secretary of Veterans Affairs should develop and document a process for appropriate coordination and mitigation activities based on the assessment above.
Status: Closed – Implemented
In fiscal year 2010, we verified that VA, in response to our recommendation, has established processes and guidance for conducting incident response, incident resolution, incident closure, and lessons learned for incidents that involve a data breach. This action strengthens VA's coordination and mitigation activities in responding to security incidents.

Recommendation: To assist the department in improving its ability to protect its information and systems, the Secretary of Veterans Affairs should develop, document, and implement a standard methodology and established criteria for evaluating the internal controls at facilities.
Status: Closed – Implemented
In fiscal year 2011, we verified that VA has established procedures for security control monitoring.

Recommendation: To assist the department in improving its ability to protect its information and systems, the Secretary of Veterans Affairs should establish a mechanism to track VA's Office of IT Oversight and Compliance recommendations made to facilities and conduct regular follow-up on the status of the recommendations.
Status: Closed – Implemented
In fiscal year 2011, we verified that VA's assessment results are reported back to the site and/or facility manager for resolution. Additionally, the assessment recommendations are loaded into the Security Management and Reporting Tool as site-level Plans of Action and Milestones.

Topics

Chief information security officers, Computer security, Confidential information, Information management, Information security, Information security management, Information technology, Internal controls, Laptops, Performance measures, Program evaluation, Risk assessment, Software, Veterans, Government agency oversight, Program coordination, Program implementation