Summary
In July 2004, GAO reported that the six Department of Veterans Affairs (VA) medical centers it audited lacked a reliable property control database and had problems with implementation of VA inventory policies and procedures. Fewer than half the items GAO selected for testing could be located. Most of the missing items were information technology (IT) equipment. Given recent thefts of laptops and data breaches, the requesters were concerned about the adequacy of physical inventory controls over VA IT equipment. GAO was asked to determine (1) the risk of theft, loss, or misappropriation of IT equipment at selected locations; (2) whether selected locations have adequate procedures in place to assure accountability and physical security of IT equipment in the excess property disposal process; and (3) what actions VA management has taken to address identified IT inventory control weaknesses. GAO statistically tested inventory controls at four case study locations.
A weak overall control environment for VA IT equipment at the four locations GAO audited poses a significant security vulnerability to the nation's veterans with regard to sensitive data maintained on this equipment. GAO's Standards for Internal Control in the Federal Government requires agencies to establish physical controls to safeguard vulnerable assets, such as IT equipment, which might be vulnerable to risk of loss, and federal records management law requires federal agencies to record essential transactions. However, GAO found that current VA property management policy does not provide guidance for creating records of inventory transactions as changes occur. GAO also found that policies requiring annual inventories of sensitive items, such as IT equipment; adequate physical security; and immediate reporting of lost and missing items have not been enforced. GAO's statistical tests of physical inventory controls at four VA locations identified a total of 123 missing IT equipment items, including 53 computers that could have stored sensitive data. The lack of user-level accountability and inaccurate records on status, location, and item descriptions make it difficult to determine the extent to which actual theft, loss, or misappropriation may have occurred without detection. GAO also found that the four VA locations reported over 2,400 missing IT equipment items, valued at about $6.4 million, identified during physical inventories performed during fiscal years 2005 and 2006. Missing items were often not reported for several months and, in some cases, several years. It is very difficult to investigate these losses because information on specific events and circumstances at the time of the losses is not known. GAO's limited tests of computer hard drives in the excess property disposal process found hard drives at two of the four case study locations that contained personal information, including veterans' names and Social Security numbers. 
GAO's tests did not find any remaining data after sanitization procedures were performed. However, weaknesses in physical security at IT storage locations and delays in completing the data sanitization process heighten the risk of data breach. Although VA management has taken some actions to improve controls over IT equipment, including strengthening policies and procedures, improving the overall control environment for sensitive IT equipment will require a renewed focus, oversight, and continued commitment throughout the organization.
Recommendations
Our recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Open," "Closed - implemented," or "Closed - not implemented" based on our follow-up work.
Director: McCoy Williams
Team: Government Accountability Office: Financial Management and Assurance
Phone: (202) 516-6906
Recommendations for Executive Action
Recommendation: The Secretary of Veterans Affairs should require that the medical centers and VA headquarters offices we tested and other VA organizations, as appropriate, take the following action to improve accountability of IT equipment inventory and reduce the risk of disclosure of sensitive personal data, medical data, or both. To help minimize the risk of loss, theft, and misappropriation of government IT equipment used in VA operations, the Secretary should revise VA property management policy and procedures to include detailed requirements for what transactions must be recorded to document inventory events and to clearly establish individual responsibility for recording all essential transactions in the property management process.
Agency Affected: Department of Veterans Affairs
Status: In process
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Recommendation: The Secretary of Veterans Affairs should require that the medical centers and VA headquarters offices we tested and other VA organizations, as appropriate, take the following action to improve accountability of IT equipment inventory and reduce the risk of disclosure of sensitive personal data, medical data, or both. To help minimize the risk of loss, theft, and misappropriation of government IT equipment used in VA operations, the Secretary should revise VA purchase card policy to require purchase card holders to notify property management officials of IT equipment and other property items acquired with government purchase cards at the time the items are received so that they can be recorded in property management systems.
Agency Affected: Department of Veterans Affairs
Status: In process
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Recommendation: The Secretary of Veterans Affairs should require that the medical centers and VA headquarters offices we tested and other VA organizations, as appropriate, take the following action to improve accountability of IT equipment inventory and reduce the risk of disclosure of sensitive personal data, medical data, or both. To help minimize the risk of loss, theft, and misappropriation of government IT equipment used in VA operations, the Secretary should establish procedures to require specific, individual user-level accountability for IT equipment. In implementing this recommendation, consideration should be given to making the unit head, or a designee, accountable for shared IT equipment.
Agency Affected: Department of Veterans Affairs
Status: In process
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Recommendation: The Secretary of Veterans Affairs should require that the medical centers and VA headquarters offices we tested and other VA organizations, as appropriate, take the following action to improve accountability of IT equipment inventory and reduce the risk of disclosure of sensitive personal data, medical data, or both. To help minimize the risk of loss, theft, and misappropriation of government IT equipment used in VA operations, the Secretary should enforce user-level accountability and IT coordinator responsibility by taking appropriate disciplinary action, including holding employees financially liable, as appropriate, for lost or missing IT equipment.
Agency Affected: Department of Veterans Affairs
Status: In process
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Recommendation: The Secretary of Veterans Affairs should require that the medical centers and VA headquarters offices we tested and other VA organizations, as appropriate, take the following action to improve accountability of IT equipment inventory and reduce the risk of disclosure of sensitive personal data, medical data, or both. To help minimize the risk of loss, theft, and misappropriation of government IT equipment used in VA operations, the Secretary should establish specific time frames for finalizing a Report of Survey once an inventory has been completed so that research on missing items is completed expeditiously and does not continue indefinitely without meeting formal reporting requirements.
Agency Affected: Department of Veterans Affairs
Status: In process
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Recommendation: The Secretary of Veterans Affairs should require that the medical centers and VA headquarters offices we tested and other VA organizations, as appropriate, take the following action to improve accountability of IT equipment inventory and reduce the risk of disclosure of sensitive personal data, medical data, or both. To help minimize the risk of loss, theft, and misappropriation of government IT equipment used in VA operations, the Secretary should establish a mechanism to monitor adherence by the San Diego and Houston medical centers and other VA organizations, as appropriate, to VA policy for performing annual inventories of sensitive items under $5,000, including IT equipment.
Agency Affected: Department of Veterans Affairs
Status: In process
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Recommendation: The Secretary of Veterans Affairs should require that the medical centers and VA headquarters offices we tested and other VA organizations, as appropriate, take the following action to improve accountability of IT equipment inventory and reduce the risk of disclosure of sensitive personal data, medical data, or both. To help minimize the risk of loss, theft, and misappropriation of government IT equipment used in VA operations, the Secretary should require that information resource management (IRM) and IT Services personnel at the various medical centers be given access to the central property database and be furnished with hand scanners so they can electronically update the property control records, as appropriate, during installation, repair, replacement, and relocation or disposal of IT equipment.
Agency Affected: Department of Veterans Affairs
Status: In process
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Recommendation: The Secretary of Veterans Affairs should require that the medical centers and VA headquarters offices we tested and other VA organizations, as appropriate, take the following action to improve accountability of IT equipment inventory and reduce the risk of disclosure of sensitive personal data, medical data, or both. To help minimize the risk of loss, theft, and misappropriation of government IT equipment used in VA operations, the Secretary should require physical security personnel to perform inspections of buildings and storage facilities to identify informal and undesignated IT storage locations so that security assessments are performed and corrective actions are implemented, where appropriate.
Agency Affected: Department of Veterans Affairs
Status: In process
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Recommendation: To assure inventory accuracy and prompt resolution of inventory discrepancies and improve security of IT equipment and any sensitive data stored on that equipment, the Secretary should require the Chief Information Officer (CIO) to establish a formal policy requiring a review of the results of annual inventories to ensure that IT equipment inventory records are properly updated and no blank fields remain.
Agency Affected: Department of Veterans Affairs
Status: In process
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Recommendation: To assure inventory accuracy and prompt resolution of inventory discrepancies and improve security of IT equipment and any sensitive data stored on that equipment, the Secretary should require the CIO to establish a process for reviewing Reports of Survey for lost, missing, and stolen IT equipment items to identify systemic weaknesses for appropriate corrective action.
Agency Affected: Department of Veterans Affairs
Status: In process
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Recommendation: To assure inventory accuracy and prompt resolution of inventory discrepancies and improve security of IT equipment and any sensitive data stored on that equipment, the Secretary should require the CIO to establish and implement a policy requiring IRM personnel and IT coordinators to inform physical security officers of the site of all IT equipment storage locations so that these storerooms can be subjected to required inspections.
Agency Affected: Department of Veterans Affairs
Status: In process
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Recommendation: To assure inventory accuracy and prompt resolution of inventory discrepancies and improve security of IT equipment and any sensitive data stored on that equipment, the Secretary should require the CIO to establish and implement a policy for reviewing the results of physical security inspections of IT equipment storerooms and ensure that needed corrective actions are completed.
Agency Affected: Department of Veterans Affairs
Status: In process
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.