This is the accessible text file for GAO report number GAO-07-1019 entitled 'Information Security: Sustained Management Commitment and Oversight are Vital to Resolving Long-standing Weaknesses at the Department of Veterans Affairs' which was released on September 19, 2007. This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. Report to Congressional Requesters: United States Government Accountability Office: GAO: September 2007: Information Security: Sustained Management Commitment and Oversight Are Vital to Resolving Long-standing Weaknesses at the Department of Veterans Affairs: VA Information Security: GAO-07-1019: GAO Highlights: Highlights of GAO-07-1019, a report to congressional requesters. Why GAO Did This Study: In May 2006, the Department of Veterans Affairs (VA) announced that computer equipment containing personal information on approximately 26.5 million veterans and active duty military personnel had been stolen. Given the importance of information technology (IT) to VA’s mission, effective information security controls are critical to maintaining public and veteran confidence in its ability to protect sensitive information. GAO was asked to evaluate (1) whether VA has effectively addressed GAO and VA Office of Inspector General (IG) information security recommendations and (2) actions VA has taken since May 2006 to strengthen its information security practices and secure personal information. To do this, GAO examined security policies and action plans, interviewed pertinent department officials, and conducted testing of encryption software at select VA facilities. What GAO Found: Although VA has made progress, it has not yet fully implemented most of the key GAO and IG recommendations to strengthen its information security practices. Specifically, VA has implemented two GAO recommendations: to develop a process for managing its plan to correct identified weaknesses and to regularly report on progress in updating its security plan to the Secretary. However, it has not fully implemented two other GAO recommendations: to complete a comprehensive security management program and to ensure consistent use of information security performance standards for appraising senior VA executives. In addition, the department has not yet fully implemented 20 of 22 recommendations made by the IG in 2006. For example, VA has not completed activities to appropriately restrict access to data, networks, and department facilities; ensure that only authorized changes and updates to computer programs are made; and strengthen critical infrastructure planning. Because these recommendations have not yet been implemented, unnecessary risk exists that the personal information of veterans and others, such as medical providers, will be exposed to data tampering, fraud, and inappropriate disclosure. Since the May 2006 security incident, VA has continued or begun several major initiatives to strengthen its information security practices and secure personal information within the department, but more remains to be done. These initiatives include continuing efforts begun in October 2005 to reorganize its management structure to provide better oversight and fiscal discipline over its IT systems; developing an action plan to correct identified weaknesses; establishing an information protection program; improving its incident management capability; and establishing an office responsible for oversight of IT within the department. However, implementation shortcomings limit the effectiveness of these initiatives. For example, no documented process exists between the Director of Field Operations and Security and the chief information security officer (CISO) to ensure the effective coordination and implementation of security policies and procedures within the department. In addition, the position of the CISO has been unfilled since June 2006. Although, 39 percent of items in the department’s remedial action plan are tasks to develop, document, revise, or update a policy or program, 87 percent of these items have no corresponding task with an established time frame for implementation across the department. VA also did not have clear guidance for identifying devices that require encryption functionality, and it lacked adequate procedures for incident response and notification. Finally, VA’s Office of IT Oversight and Compliance lacks a standard methodology and established criteria to ensure that its examination of internal controls is consistent across VA facilities. Until the department addresses recommendations to resolve identified weaknesses and implements the major initiatives it has undertaken, it will have limited assurance that it can protect its systems and information from the unauthorized disclosure, misuse, or loss of personal information of veterans and other personnel. What GAO Recommends: GAO is making 17 recommendations to the Secretary of Veterans Affairs aimed at improving the effectiveness of VA’s efforts to strengthen information security practices by developing and documenting processes, policies, and procedures, and completing the implementation of key initiatives. In commenting on a draft of this report, VA stated that it generally agreed with the recommendations and has implemented or is working to implement them. [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-07-1019]. To view the full product, including the scope and methodology, click on the link above. For more information, contact Gregory Wilshusen at (202) 512-6244 or wilshuseng@gao.gov. [End of section] Contents: Letter: Results in Brief: Background: VA Has Not Fully Implemented GAO and IG Recommendations: VA Is Undertaking Several Major Initiatives to Strengthen Information Security, but Implementation Has Shortcomings: Conclusions: Recommendations for Executive Action: Agency Comments and Our Evaluation: Appendix I: Objectives, Scope, and Methodology: Appendix II: Status of Prior VA IG Recommendations: Appendix III: Information on Selected Security Incidents at VA from December 2003 to January 2007: Appendix IV: Comments from the Department of Veterans Affairs: Appendix V: GAO Contact and Staff Acknowledgments: Tables: Table 1: Number of Incidents by Type Reported to NSOC from January 2003 to November 2006: Table 2: Time Elapsed Between Major Incidents at VA and Notification of US-CERT, Secretary, Congress, and Individuals (May 2006 to January 2007): Table 3: Number of Laptops Tested at Select VA Facilities: Table 4: Status of 17 VA IG Recommendations Related to FISMA Findings: Figure: Figure 1: Office of Information and Technology Organization Chart: Abbreviations: CIO: chief information officer: CISO: chief information security officer: FISMA: Federal Information Security Management Act: NSOC: Network and Security Operations Center: IG: Inspector General: IT: information technology: ITOC: VA's Office of Information Technology Oversight and Compliance: OMB: Office of Management and Budget: US-CERT: United States Computer Emergency Readiness Team: VA: Department of Veterans Affairs: VBA: Veterans Benefits Administration: VHA: Veterans Health Administration: United States Government Accountability Office: Washington, DC 20548: September 7, 2007: Congressional Requesters: The mission of the Department of Veterans Affairs (VA) is to promote the health, welfare, and dignity of all veterans, in recognition of their service to the nation, by ensuring that they receive medical care, benefits, social support, and lasting memorials. In providing health care and other benefits to veterans and their dependents, the department relies on a vast array of computer systems and telecommunications networks to support its operations and store sensitive information, including personal information on veterans. Given the importance of information technology for supporting VA's mission--the department expended $1.2 billion in fiscal year 2006 on information technology (IT)--successfully securing these systems with effective information security controls is critical to the department's ability to safeguard its assets and sensitive information.[Footnote 1] To assist the department in improving its information security program, we and the VA Office of Inspector General (IG) have previously recommended that VA take steps to improve its security management program, including actions to improve controls to appropriately restrict access to data, secure systems and networks, and respond to security incidents.[Footnote 2] In May 2006, VA initially announced that computer equipment containing personally identifiable information on approximately 26.5 million veterans and active duty members of the military was stolen from the home of a VA employee.[Footnote 3] Until the equipment was recovered, veterans did not know whether their information was likely to be misused. The security incident highlighted the vulnerability of sensitive information on VA's systems to inadvertent or deliberate misuse, loss, or improper disclosure. This report responds to your request for a review of the department's actions to improve information security. Specifically, our objectives were to evaluate (1) whether VA has effectively addressed GAO and VA IG recommendations and (2) actions VA has taken since the May 2006 security incident to strengthen its information security practices and secure personal information. In addressing our objectives, we examined and analyzed agency policies, procedures, plans, and artifacts; interviewed key agency and IG personnel; and assessed the effectiveness of implemented actions. We also performed audit procedures to determine the extent to which VA has installed encryption functionality on laptop computers at eight locations. We performed our work at VA headquarters in Washington, D.C., and at select VA facilities, from November 2006 through August 2007, in accordance with generally accepted government auditing standards. For more details on our objectives, scope, and methodology, see appendix I. Results in Brief: Although VA has made progress, it has not yet fully implemented most of the key GAO and IG recommendations to strengthen its information security practices. VA has implemented two GAO recommendations: to develop a process for managing its action plan to correct identified weaknesses and to regularly report to the Secretary on progress in updating its security plan. However, it has not fully implemented two other GAO recommendations: to complete a comprehensive security management program and to ensure consistent use of information security performance standards when appraising the department's senior executives. In addition, the department has not yet fully implemented 20 of 22 information security-related recommendations made by the IG in 2006. For example, VA has not completed critical management activities to appropriately restrict access to data, networks, and department facilities; ensure that only authorized changes and updates to computer programs are made; and strengthen critical infrastructure planning to ensure information security requirements are addressed. Because these recommendations have not yet been implemented, unnecessary risk exists that personal information of veterans and other individuals, such as medical providers, will be exposed to data tampering, fraud, and inappropriate disclosure. Since the May 2006 security incident, VA has begun or continued several major initiatives to strengthen information security practices and secure personal information within the department, but more remains to be done. These initiatives include continuing the department's efforts, begun in October 2005, to reorganize its management structure to provide better oversight and fiscal discipline over its IT systems; developing a remedial action plan; establishing an information protection program; improving its incident management capability; and establishing an office responsible for oversight and compliance of IT within the department. However, although these initiatives have led to progress, their implementation has shortcomings. For example, * responsibility for managing and implementing the VA security program (an essential element for ensuring compliance with the Federal Information Security Management Act) is split between separate offices, and no documented process exists for the responsible officials to coordinate with each other; * the position of the chief information security officer has been unfilled since June 2006; * although numerous action items in the department's remedial action plan are tasks to develop, document, revise, or update a policy or program, 87 percent of these have no corresponding task with an established time frame for implementation across the department; * VA does not have clear guidance for identifying devices that require encryption functionality; * procedures for incident response and notification do not include mechanisms for consultation with outside agencies on mitigation options; and: * the departmental Office of IT Oversight and Compliance lacks a standard methodology and established criteria to ensure that its examination of internal controls is consistent across VA facilities. As a result of such weaknesses, the effectiveness of VA initiatives to strengthen information security practices at the department may be limited. We are making 17 recommendations to the Secretary of Veterans Affairs aimed at helping the department to improve the effectiveness of VA's efforts to strengthen information security practices, including developing and documenting processes, policies, and procedures; fill a key position; and completing the implementation of key initiatives. In providing written comments on a draft of this report (which are reprinted in appendix IV), the Deputy Secretary of Veterans Affairs generally agreed with our findings and recommendations. The Deputy Secretary stated that VA has already implemented or is working to implement all 17 recommendations. Background: With over 235,000 employees, including physicians, nurses, counselors, statisticians, computer specialists, architects, and attorneys, VA is the second largest federal department. It carries out its mission through three agency organizations--Veterans Health Administration (VHA), Veterans Benefits Administration (VBA), and National Cemetery Administration--and field facilities throughout the United States. The department provides services and benefits through a nationwide network of 156 hospitals, 877 outpatient clinics, 136 nursing homes, 43 residential rehabilitation treatment programs, 207 readjustment counseling centers, 57 veterans' benefits regional offices, and 122 national cemeteries. In carrying out its mission, the department depends on IT and telecommunications systems, which process and store sensitive information, including personal information on veterans. Information security is a critical consideration for any organization that depends on information systems and networks to carry out its mission or business. It is especially important for government agencies, where maintaining the public's trust is essential. The dramatic expansion in computer interconnectivity and the expanding use of mobile devices and storage media are changing the way our government, the nation, and much of the world share information and conduct business. Without proper safeguards, enormous risk exists that systems, mobile devices, and information are exposed to potential data tampering, disruptions in critical operations, fraud, and the inappropriate disclosure of sensitive information. Recognizing the importance of securing federal systems and data, Congress passed the Federal Information Security Management Act (FISMA) in December 2002,[Footnote 4] which permanently authorized and strengthened the information security program, evaluation, and reporting requirements established by earlier legislation (commonly known as GISRA, the Government Information Security Reform Act).[Footnote 5] FISMA sets forth a comprehensive framework for ensuring the effectiveness of information security controls over information resources that support federal operations and assets. The act requires each agency to develop, document, and implement an agencywide information security program for the data and systems that support the operations and assets of the agency, using a risk-based approach to information security management. According to FISMA, the head of each agency has responsibility for delegating to the agency chief information officer (CIO) the authority to ensure compliance with the security requirements in the act. To carry out the CIO's responsibilities in the area, a senior agency official is to be designated chief information security officer (CISO). Prior GAO and IG Work Related to VA Information Security: In June 2002, we reported that VA had not completed actions to strengthen its security management program, ensure compliance with security policies and procedures, and ensure accountability for information security throughout the department.[Footnote 6] We made four recommendations to VA: (1) complete a comprehensive security management program that included actions related to central security management functions, risk assessments, security policies and procedures, security awareness, and monitoring and evaluating computer controls; (2) develop a process for managing the department's updated security plan to remediate identified weaknesses; (3) regularly report to the Secretary, or his designee, on progress in implementing VA's security plan; and (4) ensure consistent use of information security performance standards when appraising the department's senior executives. Since our report in 2002, VA's IG has made additional recommendations addressing serious weaknesses within the department's information security controls. In March 2005, the VA IG reported that the department had not appropriately restricted access to data, ensured that only authorized changes were made to computer programs, ensured that backup and recovery plans were adequate to ensure the continuity of essential operations, and moved the VA Central Office data center to a more appropriate location.[Footnote 7] The IG made a number of recommendations to the department to secure patient information and data over VA networks, improve application and operating system change controls, test continuity of operations plans at national data centers, and complete the move of the VA Central Office data center. In its annual FISMA report for fiscal year 2005, issued in September 2006, the IG carried forward all the recommendations from its prior years' FISMA audits. It made recommendations in 17 areas to address all FISMA related findings for the fiscal year.[Footnote 8] Significant Security Incidents Reported: On May 3, 2006, the home of a VA employee was burglarized, resulting in the theft of a personally owned laptop computer and external hard drive that contained personal information on approximately 26.5 million veterans and U.S. military personnel. The external hard drive was not encrypted or password protected.[Footnote 9] The Secretary of VA was notified of the theft on May 16, 2006, and Congress and veterans were notified on May 22, 2006. Notification letters were sent to all veterans, and VA announced that free credit monitoring services would be offered. A number of congressional hearings were held and bills introduced related to the protection of veterans' privacy and identity. During this time period, many veteran service organizations expressed concerns to Congress as to whether VA was capable of safeguarding the personal information of veterans. These organizations also expressed doubt over whether the department's attempts to correct the weaknesses would be effective. The stolen computer equipment was recovered on June 28, 2006, and forensic testing by the Federal Bureau of Investigation determined that the sensitive data files had not been accessed or compromised. After the equipment was recovered, the Office of Management and Budget (OMB) withdrew its request to Congress for funding for the free credit monitoring services because it had concluded that credit monitoring services were no longer necessary due to the results of the FBI's analysis. Veterans' organizations indicated that the department should continue to offer credit monitoring services in order to allay veterans' worries regarding the potential of identity theft. As a result of the theft, the VA IG issued a report in July 2006 on the investigation of the incident and made five recommendations to improve VA's policies and procedures for securing sensitive information and conducting security awareness training.[Footnote 10] Recognizing the concerns of veterans, in December 2006, Congress passed the Veterans Benefits, Health Care, and Information Technology Act of 2006.[Footnote 11] Under the act, the VA's CIO is responsible for establishing, maintaining, and monitoring departmentwide information security policies, procedures, control techniques, training, and inspection requirements as elements of the departmental information security program. The act also includes provisions to further protect veterans and service members from the misuse of their sensitive personal information. In the event of a security incident involving personal information, VA is required to conduct a risk analysis, and on the basis of the potential for compromise of personal information, the department may provide security incident notifications, fraud alerts, credit monitoring services, and identity theft insurance. Congress is to be informed regarding security incidents involving the loss of personal information. On January 22, 2007, a security incident at a research facility in Birmingham, Alabama, highlighted other potential risks associated with the loss of information. The incident involved the loss of information on 1.3 million medical providers from the Centers for Medicare & Medicaid Services of the Department of Health and Human Services, as well as information on 535,000 individuals.[Footnote 12] In its report on the Birmingham incident, the VA IG noted that the information compromised in the incident could potentially be used to compromise the identity of physicians and other health care providers and commit Medicare billing fraud.[Footnote 13] VA took action to respond to the loss of provider information by requesting the Department of Health and Human Services to conduct an independent risk analysis on the provider data loss. The risk analysis concluded that there was a high risk that the loss of personal information could result in harm to the individuals concerned, and the Centers for Medicare & Medicaid Services sent a letter to VA on March 28, 2007, requesting that credit monitoring services be offered to providers. The department mailed notification letters to providers starting on April 17, 2007, and offered credit monitoring services. In addition, the Centers for Medicare & Medicaid Services indicated that VA might need to take additional measures to mitigate any risk of further harm, but it did not specify what such action might be or specifically mention Medicare fraud. VA Has Not Fully Implemented GAO and IG Recommendations: Although VA has made progress, it has not yet fully or effectively implemented two of four GAO recommendations and has not fully implemented 20 of 22 IG recommendations to strengthen its information security practices. Because these recommendations have not yet been implemented, unnecessary risk exists that personal information of veterans and others would be exposed to data tampering, fraud, and inappropriate disclosure. VA Has Not Implemented Two of Four GAO Recommendations: VA has implemented two of our recommendations. However, it has not fully implemented two other GAO recommendations. In response to our recommendation that it regularly report on progress in updating its security plan to the Secretary, the department CIO took immediate steps in 2002 to begin briefing the Secretary and Deputy Secretary on a regular basis. Regarding our recommendation that it develop a process for managing its remedial action plan, VA issued, in May 2006, its IT Directive 06-1, which established the Data Security-Assessment and Strengthening of Controls Program to remedy weaknesses in managing its action plan. It also hired a contractor to develop Web-based tools to assist department officials in managing and updating the plan on a biweekly basis. However, it has not fully implemented our remaining two recommendations. First, although it has taken action, VA has not yet fully implemented our recommendation to complete a comprehensive security management program, including actions related to central management functions, security policies and procedures, risk assessments, security awareness, and monitoring and evaluating computer controls. In August 2006, VA issued Directive 6500, which documented a framework for the department's security management program and set forth roles and responsibilities for the Secretary, CIO, and CISO to ensure compliance with FISMA requirements. VA also developed, documented, and implemented security policies and procedures for certain central management functions and security awareness training. In addition, it implemented a process for tracking the status of security weaknesses and analyzing the results of computer security reviews using software tools the department had developed. As part of implementing the department's security directive (Directive 6500), VA planned to issue Handbook 6500 to provide guidance for developing, documenting, and implementing the elements of the information security program. However, it has not finalized and approved this handbook, which has been in draft form since March 2005. The handbook contains the VA National Rules of Behavior,[Footnote 14] as well as key guidance for minimum mandatory security controls, performing risk assessments, updating security plans, and planning for continuity of operations. This guidance is to be used as VA undertakes these activities as part of its preparation for completing the recertification and re-accreditation of its systems by August 2008 and to comply with provisions of the Veterans Benefits, Health Care, and Information Technology Act of 2006. VA officials indicated the handbook was close to completion, but they did not provide an estimated time frame for completion. Until the handbook is finalized and approved, VA cannot be assured that department staff are consistently coordinating security functions that are critical to safeguarding its assets and sensitive information against potential data tampering, disruptions in critical operations, fraud, and the inappropriate disclosure of sensitive information. Second, VA has not fully implemented our recommendation to ensure consistent use of information security performance standards in appraising the department's senior executives. In September 2006, VA issued a memorandum that required all senior executive performance plans, which include performance elements and expectations, to include information security as an evaluation element by November 30, 2006. According to VA, senior executive performance plans were reviewed by human resource officials, and the plans complied with the memorandum. However, VA was unable to provide documentation on the performance plan reviews or a documented process for regular review of the plans.[Footnote 15] As a result, it is unknown whether the department can appropriately hold management accountable for information security. Until VA develops, documents, and implements a process for reviewing the senior executive performance plans on a regular basis to ensure that information security is included as an evaluation element, it may not have the appropriate management accountability for information security. VA Has Not Fully Implemented IG Recommendations: Although VA has implemented 2 recommendations made by the IG, it has not yet fully implemented 20 other IG recommendations. For example, in response to the IG's recommendation that the department complete actions to relocate and consolidate the Central Office's data center, it moved servers and network hardware to other VA locations. Regarding the recommendation to research the benefits and costs of deploying intrusion prevention systems at all sites, the department began installing intrusion prevention systems at all sites. However, the department has not completed critical management activities to implement 15 of the 17 recommendations made by the IG in September 2006, which were carried forward from its March 2005 report, to appropriately restrict access to data, networks, and VA facilities; ensure that only authorized changes and updates to computer programs are made; strengthen critical infrastructure planning to ensure information security requirements are addressed; and ensure that background investigations are conducted on all applicable employees and contractors. To begin addressing these recommendations, VA has drafted policies and procedures, implemented certain technical solutions, and relocated data center servers to new locations at VA facilities. However, according to the department's action plan to remediate weaknesses, all actions to resolve IG recommendations will not be completed until 2009. A detailed description of the actions VA has taken or plans to take to address the IG's 17 recommendations can be found in appendix II. VA has also made some progress in addressing the five recommendations from the IG's July 2006 report on the investigation of the May laptop theft incident. However, it has not fully implemented corrective actions. To begin addressing these recommendations, VA has drafted policies and procedures and updated its Cyber Security Awareness training course. However, VA is still in the process of finalizing standard contracting language to ensure that contractor personnel are held to the same standards as department personnel; it is also still standardizing all IT position descriptions and ensuring that they are evaluated, have proper sensitivity level descriptions, and are consistent throughout the department. Until these actions are complete, VA has limited assurance that it has the proper safeguards in place to adequately protect its sensitive information from inadvertent or deliberate misuse, loss, or improper disclosure. By Not Fully Implementing GAO and IG Recommendations, VA Leaves Personal Information Vulnerable: The need to fully implement GAO and IG recommendations to strengthen information security practices is underscored by the prevalence of security incidents involving the unauthorized disclosure, misuse, or loss of personal information of veterans and other individuals, such as medical providers. Between December 2003 and April 2006, VA had at least 700 reported security incidents involving the loss of personal information. For example, one incident in 2003 involved the theft of a laptop containing personal information on 100 veterans from the home of a VA employee. In 2004, personal computers that contained data on 2,000 patients were stolen from a locked office in a research facility. In 2005, information on 897 providers was inappropriately disclosed over VA's e-mail system. In addition, in 2006, employee medical records were inappropriately accessed by a VA staff member, and a hacker compromised a computer system at a medical center supporting 79,000 veterans. All these incidents were partially attributable to weaknesses in internal controls. More recently, additional incidents have occurred that, like the earlier incidents, were partially due to weaknesses in the department's security controls. In these incidents, which include the May 2006 theft of computer equipment from an employee's home (discussed earlier) and the theft of equipment from department facilities, millions of people had their personal information compromised. Appendix III provides details on a selection of incidents that occurred between December 2003 and January 2007. Although VA has made some progress in implementing GAO and IG recommendations to resolve these weaknesses in security controls, all actions to resolve these recommendations are not planned to be implemented until 2009. As a result, VA will be at increased risk that systems, mobile devices, and information may be exposed to potential data tampering, disruptions in critical operations, fraud, and the inappropriate disclosure of sensitive information. VA Is Undertaking Several Major Initiatives to Strengthen Information Security, but Implementation Has Shortcomings: VA has begun or continued several major initiatives since the May 2006 security incident to strengthen information security practices and secure personal information within the department, but more remains to be done. Since October 2005, VA has been reorganizing its management structure to provide better oversight and fiscal discipline over its IT systems, and it has undertaken a series of new initiatives. However, shortcomings with the implementation of these initiatives limit their effectiveness. For example, although VA has developed a remedial action plan that includes tasks to develop, document, revise, or update a policy or program, 87 percent of these do not have an established time frame for implementation across the department. Unless such shortcomings are addressed, these initiatives may not effectively strengthen information security practices at the department. Realignment of IT Management Structure: An effective IT management structure is the starting point for coordinating and communicating the continuous cycle of information security activities necessary to address current risks on an ongoing basis while providing guidance and oversight for the security of the entity as a whole. Under FISMA and the Veterans Benefits, Health Care, and Information Technology Act of 2006, the CIO ensures compliance with requirements of these laws and designates a senior agency information security officer or CISO to assist in carrying out his responsibilities. One mechanism organizations can adopt to achieve effective coordination and communication is to establish a central security management office or group to coordinate departmentwide security-related activities.[Footnote 16] To ensure that information security activities are effective across an organization, an IT management structure should also include clearly defined roles and responsibilities for all security staff and coordination of responsibilities among individual staff. The department officially began its effort to provide the CIO with greater authority over IT in October 2005 by realigning its management organization to a centralized management structure. By July 2006, a department contractor began work to assist with the realignment effort. According to VA, its goals in moving to a centralized management structure were to provide the department better oversight over the standardization, compatibility, and interoperability of IT systems, as well as better overall fiscal discipline. The Secretary approved the department's new IT organization structure in February 2007. The new structure includes an Assistant Secretary for Information and Technology (who serves as VA's CIO), the CIO's Principal Deputy Assistant Secretary, and five Deputy Assistant Secretaries. Five new senior leadership positions within the Office of Information and Technology were created to assist the CIO in overseeing five core IT process areas: cyber security, portfolio management, resource management, systems development, and operations. Completion of the realignment is scheduled for July 2008.[Footnote 17] Under the new IT management structure, responsibility for information security functions within the department is divided between two core process areas: * First, the Director of the Cyber Security Office (part of the Information Protection and Risk Management process area) has responsibility for developing and maintaining a departmentwide security program; overseeing and coordinating security efforts across the organization; and managing the development and implementation of department security policy, standards, guidelines, and procedures to ensure ongoing maintenance of security. The Director of Cyber Security is also the designated CISO for the department. * Second, the Director of the Field Operations and Security Office (part of the Enterprise Operations and Infrastructure process area) is responsible for implementing security and privacy policies, validating compliance with certification and accreditation requirements, and managing facility information security officers. In brief, the CISO/Director of Cyber Security is thus responsible for managing the departmentwide security program, but the Director of the Field Operations and Security is responsible for implementing it. Figure 1 shows these two offices within the new management structure. Figure 1: Office of Information and Technology Organization Chart: [See PDF for image] Source: VA. Note: DAS = Deputy Assistant Secretary. [End of figure] Although VA has made significant progress in the realignment of its IT management structure, no documented process yet exists for the two responsible offices to coordinate with each other in managing and implementing a departmentwide security program. VA officials indicated that the Director of Cyber Security and the Director of Field Operations and Security are communicating about the implementation of security policies and procedures within the department. However, this communication is not defined as a role or responsibility for either position in the new management organization book, nor is there a documented process in place to coordinate the management and implementation of the security program, both of which are key security management practices. As a result, policies or procedures could be inconsistently implemented throughout the department. Without a consistently implemented departmentwide security program, the CISO cannot effectively ensure departmentwide compliance with FISMA. Until the process and responsibilities for coordinating the management and implementation of IT security policies and procedures throughout the department are clearly documented, VA will have limited assurance that the management and implementation of security policies and procedures are effectively coordinated and communicated. In addition, the CISO position is currently unfilled, hindering VA's ability to strengthen information security practices and coordinate security-related activities within the department. The CISO position has been vacant since June 2006, and currently, the CIO is the acting CISO of the department. The department has been attempting to fill the position of the CISO since October 2006. In addition, the department began trying to hire staff for other senior positions in March 2007. VA officials have indicated that the process and procedures they are required to undertake to hire staff for the positions is quite extensive and takes time to complete. Nevertheless, until the position of the CISO is filled, the department's ability to strengthen information security will continue to be hindered. Furthermore, the department's directive on its information security program has not been updated to reflect the new IT realignment structure for the position of the CISO. Under Directive 6500, the Associate Deputy Assistant Secretary for Cyber and Information Security is the senior information security officer or CISO. However, under the new realignment structure, there is no Associate Deputy Assistant Secretary for Cyber and Information Security, and instead the Director of Cyber Security is the CISO. VA officials have said that they intend to revise the directive to reflect the new management structure, but they did not provide an estimated time frame for completion. If roles and responsibilities are not updated or consistent in VA's policies and directives, then communication and coordination of responsibilities among the department's security staff may not be sufficient. Development of Action Plan to Remediate Identified Weaknesses: Action plans to remediate identified weaknesses help departments to identify, assess, prioritize, and monitor progress in correcting security weaknesses that are found in information systems. According to OMB's revised Circular A-123, Management's Responsibility for Internal Control, departments should take timely and effective action to correct deficiencies that they have identified through a variety of information sources. To accomplish this, remedial action plans should be developed for each deficiency, and progress should be tracked for each. Following the May 2006 security incident, VA officials began working on an action plan to strengthen information security controls at the department. Referred to as the Data Security-Assessment and Strengthening of Controls Program, the plan was developed over a period of several months, and work has been completed on some tasks. By the end of January 2007, 20 percent of the items in the action plan had been completed, and task owners had been assigned for all items in the plan. As of June 1, 2007, the plan had at least 400 items to improve security and address weaknesses that the IG has identified at the department. On a biweekly basis, the action plan is updated with status updates provided by the task owners (including the percentage of work completed to resolve the item), and a new version of the plan is created. The CIO receives a briefing on each new version of the action plan. Once the new version is approved by the CIO, the plan is made available to task owners and other officials at the department. The CIO has also briefed other senior department officials on the plan and action items. Although VA's action plan has task owners assigned and is updated biweekly, department officials have not ensured that adequate progress has been made to resolve items in the plan. First, in more than a third of cases, VA has not completed action items by their expected completion date. Specifically, VA has extended the completion date at least once for 38 percent of the plan items, and it has extended the completion date multiple times for 6 percent of the items in the plan. The average extension was about 5 months. In addition, 28 percent of action items that remained open as of June 1, 2007, had already exceeded the scheduled completion date, and over half of the work remained to be completed for a majority of those items. These extensions and missed deadlines can be attributed in part to VA's not developing, documenting, and implementing procedures to ensure that action items were addressed in an effective and timely manner. If weaknesses are not successfully corrected in a timely manner, VA will continue to lack effective security controls to safeguard its assets and sensitive information. Second, a large portion of VA's approach to correcting identified weaknesses has been focused on establishing policies and procedures: 39 percent of the items in the action plan are to develop and document or revise and update a policy, a program, or criteria. However, VA has not established action items for implementing these new or changed policies and procedures across the department. For 87 percent of action items related to policies and procedures, the action plan included no corresponding task with an established time frame for departmentwide implementation. Developing and documenting policies and procedures are just the first two steps in remediating identified weaknesses. If there are no implementation tasks with time frames, VA cannot monitor and ensure successful implementation. Until VA establishes tasks with time frames to implement policies and procedures in the plan, it will not be able to successfully manage its planned actions to correct identified weaknesses. Third, VA does not have a process in place to validate the closure of action plan items, that is, to ensure both that task owners have completed the activities required to sufficiently address action items and also that there is adequate documentation of these activities. During our review, we noted the closure of approximately 80 action items that included activities such as developing a policy or procedure, creating a schedule, deploying security tools, or updating software. However, according to the department official responsible for managing the plan, upon review of these completed items, VA found a number of them lacked support for closing the item (such as documentation). This official indicated that VA was developing a process to provide validation of closed action plan items, but no supporting documentation on the development of this validation process had been provided. Until VA develops, documents, and implements a process to validate the closure of action plan items, it will not be assured that closed action items have been sufficiently addressed. Fourth, VA's action plan does not identify the activities it is taking to address our recommendations. In November 2006, the VA official in charge of managing the plan indicated that although the department had not previously identified activities being taken to address our recommendations, it would begin to do so. However, as of June 2007, these activities had not been identified and tracked in the action plan. As a result, VA may not be able to adequately monitor its progress in implementing our recommendations to resolve identified weaknesses. Until VA identifies the activities it is taking in its action plan to address our recommendations, it will have limited assurance that progress in implementing those activities is being adequately monitored. Establishment of Information Protection Program: VA has developed its Information Protection Program, which is a phased approach to ensuring that the department has the appropriate software tools to assist in ensuring the confidentiality, availability, and integrity of information. During the first phase, VA installed encryption software on laptops across the department, a task completed in September 2006. In the second phase, the department is undertaking several other information protection initiatives, including improving the security of network transmissions and the protection of removable storage devices, such as the encryption of thumb drives. These initiatives are all currently being developed and documented. Encryption of VA Laptops: One mechanism to enforce the confidentiality and integrity of critical and sensitive information is the use of encryption. Encryption transforms plain text into cipher text using a special value known as a key and a mathematical process known as an algorithm. According to VA Directive 6504, issued in June 2006, approved encryption software must be installed if an employee uses VA government-furnished equipment or other non-VA equipment in a mobile environment, such as a laptop or PDA carried out of a department office or a personal computer in an alternative worksite, and the equipment stores personal information. The encryption software used must meet Federal Information Processing Standard 140.[Footnote 18] According to department officials, by September 2006, the department had successfully encrypted over 18,000 laptops. The laptops were encrypted through a combination of two software encryption products, both of which have been certified as complying with the provisions of Federal Information Processing Standard 140. Simultaneously, VA developed and implemented routine laptop "health checks." These checks ensure that all laptops have applied updated security policies, such as antivirus software, and will also remove any sensitive information that is not authorized to be stored on the laptop. Based on the results of our testing, VA consistently implemented encryption software at eight VA facilities, with minor exceptions.[Footnote 19] At six of the eight facilities, all laptops were encrypted in accordance with the directive. At the other two facilities, both medical centers, the directive was not implemented in a small number of cases. At one medical center, of the 58 laptops tested, 3 should have been encrypted according to VA's policy but were not. At another medical center, of the 41 laptops tested, 1 laptop was not encrypted that should have been. In some of these cases, VHA medical center officials noted that the reference in the directive to operation in a mobile environment led to ambiguity about which laptops were required to be encrypted.[Footnote 20] Although our testing showed sound consistency in this encryption effort, this and another source of ambiguity in the directive could affect the department's success in implementing other planned encryption initiatives. Specifically, Directive 6504 did not provide explicit guidance on whether to encrypt laptops that were categorized as medical devices, which make up a significant portion of the population of laptops at VHA facilities.[Footnote 21] At facilities for patient care, laptops could be categorized both as equipment that operated in a mobile environment (and thus subject to VA's encryption directive) and as medical devices (and thus subject to compliance with other federal guidance that may interfere with following the encryption directive).[Footnote 22] At the two medical centers we visited, which each have over 300 laptops, most laptops were considered medical devices. When VHA officials contacted the help desk for the encryption initiative, they were told that these laptops did not need encryption software installed. However, Directive 6504 had not made this clear, increasing the challenge to VHA facilities in implementing the encryption initiative. Without guidance that takes into consideration the environment in which laptops are used in different VA facilities and that clearly identifies devices that require encryption functionality, VA may not have assurance that all facilities in the department will be able to consistently implement encryption initiatives for all appropriate devices. Finally, the department did not maintain an accurate inventory of all laptops that had been encrypted, nor did it have an inventory of all laptops within the department. Each VA facility was responsible for maintaining an inventory of laptops, including what laptops had been encrypted, but the laptop inventories at four of the eight facilities we visited were inaccurate. For example, eight laptops listed in the inventories were not laptops, but scanners, personal computers or other devices. In some cases, the inventory listed a laptop as encrypted, but testing revealed that the machine was not encrypted. (The weaknesses identified with the inventories of laptops are similar to weaknesses identified in a report we recently issued, which noted significant IT inventory control weaknesses at VA).[Footnote 23] Because it did not maintain an accurate inventory of all equipment that has encryption installed, VA may not have adequate assurance that all equipment required to be encrypted has been. Development of Additional Information Protection Initiatives: As part of its phased approach to acquiring appropriate software tools, the department is undertaking several information protection initiatives. For instance, the department is working to secure network transmissions to prevent user identification, passwords, and data from being transmitted in clear text. To provide port security and device control, VA is establishing access permission lists, audit and reporting capabilities, and lists of approved devices. For the protection of removable storage media, VA developed and documented Directive 6601, which provides guidance for use of removable devices, and it is in the process of acquiring encryption software for thumb drives, external hard drives, and CD-ROM and DVD drives. VA is also acquiring encryption for mobile devices such as Blackberries. In addition, the department is establishing a public key infrastructure and Internet gateway for secure e-mail transmission and document exchange. These initiatives are in varying stages of development and have not yet been implemented. Improvement of Incident Management Capability: Even strong controls may not block all intrusions and misuse, but organizations can reduce the risks associated with such events if they take prompt steps to detect and respond to them before significant damage can be done. In addition, analyses of security incidents can pinpoint vulnerabilities that need to be eliminated, provide valuable input for risk assessments, help in prioritizing security improvement efforts, and be used to illustrate risks and related trends for senior management. FISMA requires that agencies develop procedures for detecting, reporting, and responding to security incidents. In addition, OMB Memo M-06-19 requires agencies to report all incidents involving personal identifiable information to the U.S. Computer Emergency Readiness Team (US-CERT) within 1 hour of discovering the incident.[Footnote 24] Incident Detection, Reporting, and Response: VA has improved its incident management capability since May 2006 by realigning and consolidating two centers with responsibilities for incident management, as well as developing and documenting key policies and procedures. Following the May 2006 security incident, VA hired a contractor to assist its Network Operations Center and Security Operations Center in developing plans for improved coordination between the two centers and for using a risk management approach to managing incidents. As part of its findings, the contractor recommended that the two centers be integrated at the regional and enterprise level. In February 2007, VA realigned and consolidated the two centers into the Network and Security Operations Center (NSOC), which is responsible for incident detection or identification, response, and reporting within the department. NSOC has also developed and documented a concept of operations for incident management and call center procedures, and it has developed a new incident report template to assist VA personnel in reporting incidents to the center within 1 hour of discovering the incident. Senior management officials also receive regular reports on security incidents within the department. In addition, VA has improved the reporting of incidents involving the loss of personal information within the department since the May 2006 incident. Following the incident, the Secretary issued a memorandum requiring all employees to take security and privacy training by June 30, 2006, as well as sign a statement of commitment and understanding regarding the handling of personal information of veterans. An analysis of reported incidents from 2003 to 2006 showed a significant increase in the reporting of incidents involving the loss of personal information to NSOC in 2006, as detailed in table 1. Of the incidents reported in 2006, 77 percent were reported after May. Table 1: Number of Incidents by Type Reported to NSOC from January 2003 to November 2006: Type of incident involving the loss of personal information: Records lost or misplaced; 2003: 19; 2004: 58; 2005: 41; 2006[A]: 316. Type of incident involving the loss of personal information: Records or hardware stolen; 2003: 7; 2004: 9; 2005: 14; 2006[A]: 65. Type of incident involving the loss of personal information: Improper disposal of records; 2003: 10; 2004: 27; 2005: 10; 2006[A]: 80. Type of incident involving the loss of personal information: Unauthorized access; 2003: 60; 2004: 120; 2005: 112; 2006[A]: 255. Type of incident involving the loss of personal information: Unencrypted e-mails sent; 2003: 8; 2004: 13; 2005: 16; 2006[A]: 170. Type of incident involving the loss of personal information: Unintended disclosure or release; 2003: 22; 2004: 48; 2005: 24; 2006[A]: 199. Type of incident involving the loss of personal information: Total number of incidents; 2003: 126; 2004: 275; 2005: 217; 2006[A]: 1085. Source: GAO analysis of VA data on incidents. [A] Numbers reported are from January 1, 2006, to November 3, 2006. [End of table] While the increase in reported incidents shows that the memorandum and updated security and privacy training are heightening VA employees' awareness of their responsibility to report incidents involving loss of personal information, it also indicates that vulnerabilities remain in security controls designed to adequately safeguard information. To assist the department in improving its analysis of security incident data, NSOC merged three incident databases into one to streamline the collection of incident data gathered within the department. VA also developed a software tool with a Web-based interface (the Formal Event Review and Evaluation Tool) to analyze reported incidents and observe trends, and began using the tool in April 2007. Incident Notification: The department has made a notable improvement in its notification of major security incidents to US-CERT, the Secretary, and Congress since the incidents in May 2006.[Footnote 25] However, the time it took to send notification letters to individuals was increased for some incidents because VA did not have adequate procedures for incident response and notification. Table 2 presents major security incidents occurring since May 2006, along with the times taken to make various notifications. As the table shows, delays in reporting incidents have generally decreased since May 2006. Table 2: Time Elapsed Between Major Incidents at VA and Notification of US-CERT, Secretary, Congress, and Individuals (May 2006 to January 2007). Security incident: Computer equipment stolen from VA employee home; Incident date: May 3, 2006; Time taken to report or send notification letter: (in calendar days): To US-CERT: 20 days; Time taken to report or send notification letter: To VA Secretary: 13 days; Time taken to report or send notification letter: To Congress: 19 days; Time taken to report or send notification letter: To individuals: About a month[A]. Security incident: Backup tape missing; Incident date: May 5, 2006; Time taken to report or send notification letter: (in calendar days): To US-CERT: 42 days; Time taken to report or send notification letter: To VA Secretary: 18 days; Time taken to report or send notification letter: To Congress: 55 days; Time taken to report or send notification letter: To individuals: 159 days. Security incident: Desktop computer stolen from contractor facility; Incident date: August 3, 2006; Time taken to report or send notification letter: (in calendar days): To US-CERT: Same day; Time taken to report or send notification letter: To VA Secretary: 1 day; Time taken to report or send notification letter: To Congress: 1 day; Time taken to report or send notification letter: To individuals: 7 days. Security incident: Medical device in New York stolen; Incident date: September 6, 2006; Time taken to report or send notification letter: (in calendar days): To US-CERT: Same day; Time taken to report or send notification letter: To VA Secretary: Same day; Time taken to report or send notification letter: To Congress: Within a week; Time taken to report or send notification letter: To individuals: 55 days. Security incident: External hard drive stolen at Birmingham facility; Incident date: January 22, 2007; Time taken to report or send notification letter: (in calendar days): To US-CERT: Same day; Time taken to report or send notification letter: To VA Secretary: 1 day; Time taken to report or send notification letter: To Congress: 11 days; Time taken to report or send notification letter: To individuals: 49 days (individuals); 85 days (medical providers). Source: GAO analysis of VA data. [A] Because of the volume of letters that were sent out, notification letters were sent out over a period of time during the month of June 2006. [End of table] Coordination with other agencies. In the incident in Birmingham in January 2007, medical provider and physician information from the Centers for Medicare & Medicaid Services of the Department of Health and Human Services was lost, requiring VA to coordinate with this department to respond to the incident. At the time of the incident, VA had drafted interim procedures for incident response, including notifying individuals affected by security incidents.[Footnote 26] These draft procedures described steps to be taken to respond to incidents involving the loss of information on veterans. However, they did not include processes for coordinating incident response and mitigation activities with other agencies. This contributed to the fact that it took more time to determine the risks to medical providers, who were not notified until 85 days after the incident. To address the coordination issue, VA revised its interim procedures to indicate that incident response teams will work with other federal agencies and teams as needed to contract for independent analyses of the risk associated with compromise of the particular data involved. In March 2007, VA approved these revised interim procedures. However, the approved procedures are limited to contracting for risk analyses and do not incorporate processes for coordinating with other federal agencies on other appropriate mitigation activities. For example, although the procedures allow for the offer of credit monitoring to affected individuals, they do not address mitigating other types of risks, such as potential fraudulent claims for payment under Medicare, which were a potential risk for the Birmingham incident. Credit monitoring would not address this risk. Other coordination and mitigation activities may be needed, such as alerting the Centers for Medicare & Medicaid Services to the possibility of fraudulent claims involving specific providers to adequately address this potential risk or other risks, different from those experienced to date. Obtaining up-to-date contact information. VA's procedures for incident response and notification do not include mechanisms for obtaining contact information on individuals (when necessary), which can also cause delays in sending out notification letters to individuals. A VA official noted that notification letters to individuals could be delayed, depending on whether the department could locate complete address information for the affected individuals and on the number of letters that must be sent. Such delays occurred in the case of the missing backup tape in May 2006 (when 159 days passed before notification letters were sent). The data and number of records that were on the backup tape were not immediately known, and the address information of veterans whose data were compromised in the incident had to be researched. Our recent report noted that agencies faced challenges in identifying address information for individuals affected by security incidents and that mechanisms should be in place to obtain contact information on individuals.[Footnote 27] However, VA's draft and approved interim procedures do not include a mechanism for obtaining such contact information. As a result, the department's response to incidents could be delayed when the compromised data do not include complete and accurate contact information (or there is uncertainty about the data). Risk analysis. As mentioned earlier, VA asked the Department of Health and Human Services to conduct an independent risk analysis on the provider data loss in the January 2007 incident in Birmingham; this analysis showed that there was a high risk that the loss of personal information could result in harm to the individuals concerned. Conducting such risk analyses after incidents is a recommended procedure, since appropriate incident response and notification depend on determining the level of risk associated with the particular information that is compromised.[Footnote 28] In addition, conducting periodic risk assessments before an incident occurs facilitates a rapid response, by enabling the development of mitigation activities and appropriate coordination for potential data losses. Assessments of both systems and the information they contain are important, particularly information with a high potential risk for inappropriate use or fraud. However, VA is still in the process of finalizing and approving its guidance for completing risk assessments on VA's systems. As a result, the department does not have a current assessment of risk for the information located at its facilities and in its information systems, which could affect the coordination and mitigation activities that are developed by the department to respond to potential data losses. Until VA assesses the risk for information located at its facilities and in its information systems and uses this assessment to develop and document mitigation activities and appropriate coordination for potential data losses (particularly high-risk losses), it may not be able to adequately address potential risks associated with loss of sensitive information at its facilities and on its systems. Additional VA actions. VA has taken additional actions to improve incident response and notification. In February 2007, VA chartered the Incident Resolution Team Structure, a group of officials from organizations within the department who are responsible for responding to incidents and handling notification requirements at the national, regional, and local levels. This action was in response to an OMB memorandum issued in September 2006, which recommended that all departments and agencies develop a core management group responsible for incident response to losses of personal information, as well as a response plan for notifying individuals affected by security incidents. Roles and responsibilities within the Incident Resolution Team Structure are organized according to the level of activity, the nature of the incident, and how the incident is categorized based on risk levels. VA also uses the Formal Event Review and Evaluation Tool to determine what the risk category of a security incident should be, based on the severity of the incident. VA has also recently developed, with contractor assistance, interim regulations for security incident notification, data mining, fraud alerts, data breach analysis (that is, risk analysis of security incidents), credit monitoring, identity theft insurance, and credit protection services, as required under the Veterans Benefits, Health Care, and Information Technology Act of 2006. These interim regulations were approved by OMB and became effective on June 22, 2007. Establishment of Office of IT Oversight and Compliance: According to Standards for Internal Control in the Federal Government,[Footnote 29] internal controls at agencies should generally be designed to ensure that ongoing monitoring occurs in the course of normal operations. The methodology for evaluating an agency's internal controls should be logical and appropriate and may include assessments using checklists or other tools, as well as a review of the control design and direct testing of the internal control. The evaluation team should develop a plan for the evaluation process to ensure a coordinated effort, analyze the results of evaluation against established criteria, and ensure that the process is properly documented. The agency should also ensure that corrective action is taken within established time frames and is followed up on to verify implementation. In an effort to promote internal controls within VA's computer environment, VA has consolidated a number of IT compliance programs under one organization, the Office of IT Oversight and Compliance (ITOC). This office was established in January 2007. Previously, the Review and Inspection Division was responsible for conducting facility assessments and validating information entered into a database in response to VA's annual FISMA self-assessment survey. The division was incorporated into the ITOC, which is now responsible for providing independent, objective, and quality oversight and compliance services in the areas of cyber security, records management, and privacy. It is also responsible for conducting assessments of VA's facilities that (1) determine the adequacy of internal controls; (2) investigate compliance with laws, policies, and directives from VA and external organizations; and (3) ensure that proper safeguards are maintained. The results of these assessments are reported directly to the CIO and responsible supervisors at the facilities. The ITOC recommends corrective actions to remediate identified issues where necessary and also makes available a remediation team to assist the facility in addressing any recommendations. In January 2007, the ITOC began conducting assessments at facilities and by June 2007 had conducted 34 assessments. According to the Director of the ITOC, it recently became fully staffed with 127 personnel and will begin to conduct 12 to 18 assessments per month. VA facilities will be assessed every 3 years. Although the ITOC was formed to identify security weaknesses and ensure compliance with federal law and department policy, its approach to conducting assessments does not include basic elements necessary for evaluating and monitoring controls. For example, although the ITOC developed a checklist to conduct facility assessments,[Footnote 30] it did not develop a standard methodology for analysts to use when evaluating internal controls against the checklist, or specific criteria for each checklist item. As a result, the office lacks a process to ensure that its examination of internal controls is consistent across VA facilities. In addition, although the Director of the ITOC indicated that the assessment team recommendations to facilities are tracked in a database, no supporting documentation was provided. Further, according to the standards for internal control, organizations should follow up to ensure that corrective active is taken. However, the ITOC follows up to see if recommendations have been implemented only when a site is re-inspected. As a result, the office has no timely mechanism in place to ensure that its recommendations have been addressed. Until there are a standard methodology and established criteria for evaluating internal controls at facilities, as well as a mechanism in place to track recommendations and conduct regular follow-up on their status, VA will have limited assurance that its process for assessing its statutory and regulatory compliance and the effectiveness of its internal controls process is adequate and consistent across its facilities. Conclusions: Effective information security controls are critical to securing the information systems and information on which VA depends to carry out its mission. GAO and IG recommendations to address long-standing weaknesses within the department have not yet been fully implemented, nor is the implementation of the IG recommendations expected to be completed in the near future. Consequently, there is an increased risk that personal information of veterans and other individuals, such as medical providers, will be exposed to potential data tampering, disruptions in critical operations, fraud, and the inappropriate disclosure of sensitive information. Until VA addresses recommendations to resolve identified weaknesses, it will have limited assurance that it can adequately protect its systems and information. Although VA has begun or continued several initiatives to strengthen information security practices within the department, the shortcomings with the implementation of these initiatives could limit their effectiveness. If the department develops and documents processes, policies, and procedures; fills a key position and completes the implementation of major initiatives, then it will help ensure that these initiatives strengthen information security practices within the department. Sustained management commitment and oversight are vital to ensure the effective development, implementation, and monitoring of the initiatives that are being undertaken. Such involvement and oversight are critical to providing VA with a solid foundation for resolving long- standing information security weaknesses and continuously managing information security risks. Recommendations for Executive Action: To assist the department in improving its ability to protect its information and systems, we are recommending the Secretary of Veterans Affairs take the following 17 actions: * Finalize and approve Handbook 6500 to provide guidance for developing, documenting, and implementing the elements of the information security program. * Develop, document, and implement a process for reviewing on a regular basis the performance plans of senior executives to ensure that information security is included as an evaluation element. * Develop, document, and implement a process for the Director of Field Operations and Security and Director of Cyber Security to coordinate with each other on the implementation of IT security policies and procedures throughout the department. * Document clearly defined responsibilities in the organization book for the Director of Field Operations and Security and the Director of Cyber Security for coordinating the implementation of IT security policies and procedures within the department. * Act expeditiously to fill the position of the Chief Information Security Officer. * Revise Directive 6500 to reflect the new IT management structure and to ensure that roles and responsibilities are consistent in all VA IT directives. * Develop, document, and implement procedures for the action plan to ensure that action items are addressed in an effective and timely manner. * Establish tasks with time frames for implementation of policies and procedures in the action plan. * Develop, document, and implement a process to validate the closure of action plan items. * Include in the action plan the activities taken to address GAO recommendations. * Develop, document, and implement clear guidance for identifying devices that require encryption functionality. * Maintain an accurate inventory of all IT equipment that has encryption installed. * Develop and document procedures that include a mechanism for obtaining contact information on individuals whose information is compromised in security incidents. * Conduct an assessment of what constitutes high-risk data for the information located at VA facilities and in information systems. * Develop and document a process for appropriate coordination and mitigation activities based on the assessment above. * Develop, document, and implement a standard methodology and established criteria for evaluating the internal controls at facilities. * Establish a mechanism to track ITOC recommendations made to facilities and conduct regular follow-up on the status of the recommendations. Agency Comments and Our Evaluation: We received written comments on a draft of this report from the Deputy Secretary of Veterans Affairs (these are reprinted in appendix IV). The Deputy Secretary generally agreed with our findings and recommendations and stated that VA has already implemented or is working to implement all 17 recommendations. Additionally, the Deputy Secretary stated that the consolidation of all IT operations and maintenance under VA's Chief Information Officer will enhance the department's information security program, as well as correct long-standing deficiencies.[Footnote 31] In his comments, the Deputy Secretary also noted that the recommendation related to information security as an evaluation element in senior executive performance plans has already been implemented and that the recruitment announcement to fill the position of Chief Information Security Officer closed on July 27, 2007. He further stated that VA's Directive 6500, issued in August 2006, remains valid. However, as mentioned in our report, Directive 6500 was not updated to reflect the new IT realignment structure that was approved by the Secretary in February 2007 and roles and responsibilities should be consistent in all department policies and directives. The Deputy Secretary also discussed some of the activities that were underway to implement our recommendations. In the draft report that was provided for comment, we indicated that VA had not implemented any of the IG's 22 recommendations to improve information security. We have since received new information and have updated the report to reflect that VA has now implemented 2 of the 22 IG recommendations. As agreed, unless you publicly announce the contents of this report earlier, we plan no further distribution until 30 days from the report date. At that time, we are sending copies of this report to interested congressional committees; the Secretary of Veterans Affairs; and other interested parties. We will also make copies available to others upon request. In addition, the report will be available at no charge on the GAO Web site at [hyperlink, http://www.gao.gov]. If you have any questions regarding this report, please contact me at (202) 512-6244 or by e-mail at wilshuseng@gao.gov. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this report. Key contributors to this report are listed in appendix V. Signed by: Gregory C. Wilshusen: Director, Information Security Issues: List of Requesters: The Honorable Harry Reid: Majority Leader: United States Senate: The Honorable Daniel K. Akaka: Chairman: Committee on Veterans' Affairs: United States Senate: The Honorable Bob Filner: Chairman: Committee on Veterans' Affairs: House of Representatives: The Honorable Hillary Rodham Clinton: United States Senate: The Honorable Byron L. Dorgan: United States Senate: The Honorable Joseph I. Lieberman: United States Senate: The Honorable Patty Murray: United States Senate: The Honorable Barack Obama: United States Senate: The Honorable John D. Rockefeller IV: United States Senate: The Honorable Ken Salazar: United States Senate: The Honorable Charles E. Schumer: United States Senate: [End of section] Appendix I: Objectives, Scope, and Methodology: Our objectives were to evaluate (1) whether the Department of Veterans Affairs (VA) has effectively addressed GAO and VA Office of Inspector General (IG) recommendations to strengthen its information security practices and (2) actions VA has taken since the May 2006 security incident to strengthen its information security practices and secure personal information. In doing this work, we analyzed relevant documentation including policies, procedures, and plans, and interviewed key department officials in Washington, D.C., to identify and assess VA's progress in implementing recommendations and federal legislation to strengthen its information security practices. We also drew on previous GAO reports and testimonies, as well as on expert opinion provided in congressional testimony and other sources. We used certain applicable federal laws, other requirements, and guidelines, including Office of Management and Budget (OMB) memorandums, in assessing whether the Department's actions and initiatives can help ensure departmental compliance. For the first objective, we evaluated VA's actions to address GAO and VA IG recommendations, respectively in our 2002 report and in the IG's July 2006 and September 2006 reports. To review VA's history of implementation efforts, we examined GAO reports, testimony from recent congressional hearings made by GAO and IG staff, as well as reports by the VA IG. To determine the implementation status of open GAO recommendations, we analyzed pertinent security policies, procedures, and plans and met with officials from VA to gather information on the department's actions to address the recommendations. To determine the implementation status of open IG recommendations we met with officials from the VA IG Office of Audit to discuss the status of these recommendations and met with VA officials to learn what actions had been taken or were planned to take to fully address the recommendations.[Footnote 32] The VA IG concurred with the status information provided. For the second objective, we evaluated VA's actions to strengthen its information security practices to comply with federal guidance, including recent OMB memorandums. We met with department officials to gather information on what initiatives VA had undertaken or planned to undertake to improve its information security practices. For each initiative, we obtained and analyzed supporting documentation and met with department officials responsible for the implementation of the initiatives to assess the extent to which the department had complied with federal requirements and other guidelines. In addition, we also performed audit procedures to determine the extent to which VA has installed encryption functionality on its laptop computers. Our detailed scope and methodology for the laptop encryption testing are below. Laptop Encryption Testing: We examined 248 laptops at eight locations to determine whether encryption software had been installed on a selection of laptops as indicated by VA. Selection of Locations: We selected the locations to be visited based on (1) the type of facility[Footnote 33] and (2) number of facilities available to be tested in a geographic area. We identified different facility types in proximity to each other and to GAO offices. Clinics and cemeteries were excluded from the selection because the number of laptops at these locations would be quite small. We also selected a Research Enhancement Award Program location based on an incident in January 2007 involving this type of location. On the basis of the criteria listed above, we selected the following eight facilities: Baltimore Regional Office, Chicago Regional Office, Denver Health Administration Center, Denver Regional Office, Denver Research Enhancement Award Program, Hines Data Center, Hines Medical Center and the Washington, D.C., Medical Center. Selection of Laptops: At each location, we obtained an inventory or population of "in use" laptops. We examined every laptop in the population that was available for review at the Baltimore Regional Office, Chicago Regional Office, Denver Research Enhancement Award Program, and the Hines Data Center because of the relatively small number of laptops in the population. We selected random samples of laptops with the intent of projecting the results to each population at the Denver Health Administration Center, Denver Regional Office, Hines Medical Center, and Washington, D.C., Medical Center.[Footnote 34] Testing of Laptops: We conducted testing of encryption implementation on laptops at select VA facilities to determine whether the department's laptops were in compliance with VA Directive 6504 which stated that if a laptop was in a mobile environment and contained sensitive information that it be encrypted using approved software that is validated against National Institute of Standards and Technology standards. We also tested laptops at the two medical facilities to see whether the laptops should be encrypted according to the facility inventory because multiple inventories were received from these locations. In addition, we tested the laptops at the two medical facilities to see whether the laptop was considered a medical device based on the definition of medical devices provided to us by VA. At each location there were a small number of laptops that were unavailable to us to be tested. Department officials cited several reasons for this, including that the laptop had been turned in to be disposed of or discarded according to VA policy, had a hard drive failure, or could not be brought in to the site for testing. In table 3, the "laptops tested" column represents the number of laptops the team was able to test. Table 3: Number of Laptops Tested at Select VA Facilities: Location: Baltimore Regional Office; Laptops in population: 18; Laptops tested: 15. Location: Chicago Regional Office; Laptops in population: 27; Laptops tested: 23. Location: Denver Health Administration Center; Laptops in population: 82; Laptops tested: 37. Location: Denver Regional Office; Laptops in population: 42; Laptops tested: 27. Location: Denver Research Enhancement Award Program; Laptops in population: 25; Laptops tested: 21. Location: Hines Data Center; Laptops in population: 29; Laptops tested: 26. Location: Hines Medical Center; Laptops in population: 313; Laptops tested: 41. Location: Washington, D.C., Medical Center; Laptops in population: 357; Laptops tested: 58. Location: Total; Laptops in population: 893; Laptops tested: 248. Source: GAO analysis. [End of table] Analysis of Results: For all four locations where every laptop in the population was tested, we used the results of our test to determine whether the directive had been consistently implemented. For the Denver Health Administration Center and the Denver Regional Office, our sample results allowed us to estimate with 95 percent confidence that at least 93 percent of the laptops would have consistently implemented the directive.[Footnote 35] On the basis of these results, we concluded that at these six sites, VA had consistently implemented its directive. For the Hines Medical Center and the Washington, D.C., Medical Center, the results of our tests indicated that VA's directive had not been consistently implemented for one laptop and three laptops at these facilities respectively. We performed our work at VA headquarters in Washington, D.C., and at the selected VA facilities listed above, in accordance with generally accepted government auditing standards, from November 2006 through August 2007. [End of section] Appendix II: Status of Prior VA IG Recommendations: This appendix includes the actions the Department of Veterans Affairs (VA) has taken or is planning to take to address 17 recommendations related to Federal Information Security Management Act related findings made by the VA Office of Inspector General (IG)[Footnote 36] as reported to us by the completion of our review in August 2007. Table 4: Status of 17 VA IG Recommendations Related to FISMA Findings: VA IG recommendations: Implement a centralized information technology (IT) management approach; apply appropriate resources; establish, clarify, and modify IT policies and procedures pursuant to organizational changes; and implement and enforce security controls; Status: Open; Actions taken or planned: The new organization structure was approved by the Secretary in February 2007. Business processes and IT governance are to be developed following the approval. VA is also in the process of developing policies and procedures for the organizational changes, including a department strategic plan, and incorporating security into capital planning and investment control processes and information security officer management and operating procedures. Of these, the majority were supposed to be finished by June 2007 but are still in the midst of completion. VA IG recommendations: Develop and implement solutions for the establishment of a patch management program; Status: Open; Actions taken or planned: VA will complete its implementation of a patch management program by the end of December 2009, including the development of a central patch management policy and establishing a patch management configuration standard. VA IG recommendations: Identify and implement solutions for resolving access control vulnerabilities, ensure segregation of duties, remind all sites to confirm virus protection files are updated prior to authorizing connection to their networks, and resolve all self-reported access control weaknesses; Status: Open; Actions taken or planned: VA is developing criteria for authorizing access to IT systems and a directive on access controls, both of which are scheduled to be completed in August 2007. VA is also making enhancements to its antivirus program, planned to be completed in March 2008. VA IG recommendations: Review and update all applicable position descriptions to better describe sensitivity ratings, better document employee personnel records and contractor files to include signed "Rules of Behavior" instructions, annual certifications of veterans' statuses, annual privacy and Health Insurance Portability and Accountability Act training certifications, and position sensitivity level designations; Status: Open; Actions taken or planned: VA is refining and standardizing IT position descriptions, updating risk designations, and revising the table of penalties (includes examples of disciplinary action for violations). Of these activities, all have missed their deadline for completion and work still remains to be performed. VA will also conduct a review to ensure the position descriptions that are being refined and updated are consistent across the department. This will be undertaken in October 2008. VA IG recommendations: Timely request the appropriate level of background investigations on all applicable employees and contractors. Additionally, monitor and ensure timely requests for reinvestigations on all applicable employees and contractors; Status: Open; Actions taken or planned: VA is in the process of completing any additional background investigations that may be needed. VA is also implementing the use of an Office of Personnel Management-sponsored system that will allow electronic completion and submission of all personnel investigation forms for completion of the investigations. This was scheduled to be completed in May 2007 but work has not yet begun on the task. VA IG recommendations: Provide the IG with the results of researching the benefits and costs of deploying intrusion prevention systems at all sites; Status: Closed[A]; Actions taken or planned: VA is also in the process of installing a host-based intrusion prevention system for its servers as both prudent and necessary without a cost benefit analysis and that they will be replacing intrusion detection system equipment with intrusion prevention system equipment. VA IG recommendations: Continue efforts to strengthen critical infrastructure planning, complete the Infrastructure Protection Plan, and ensure infrastructure planning addresses other information security requirements; Status: Open; Actions taken or planned: VA is developing a Critical Infrastructure Protection Plan that is planned for completion in January 2008. VA is also planning to acquire an IT asset tracking system; utilizing the system, it will inventory all IT equipment throughout the department. These activities have not yet begun but are scheduled for completion in October 2009. VA IG recommendations: Collaboratively test Information Technology Centers' continuity of operations plans in a joint effort with all tenant groups (Veterans Health Administration (VHA), Veterans Benefits Administration (VBA), National Cemetery Administration, and other program offices) to ensure that backup sites will support all mission related operations, and report test results to the IG for further review; Status: Open; Actions taken or planned: The department is currently developing a network and security operations center continuity of operations plan but the completion deadline of March 2007 has been missed and work still remains. VA is also developing a directive for contingency planning that is scheduled to be completed in August 2007. VA IG recommendations: Address all self-reported deficiencies identified as the result of completed certification and accreditation's and related review work; Status: Open; Actions taken or planned: VA is currently in the process of developing criteria for system control testing, and this process is scheduled to be completed in August 2007. VA is also reviewing its guidance on certification and accreditation and will conduct recertification of all its systems, including its regional data centers, in the summer of 2008. VA IG recommendations: Determine the extent to which uncertified Internet gateways continue to exist, and take actions to terminate and upgrade external connections susceptible to inappropriate access; Status: Open; Actions taken or planned: VA is currently enhancing controls at network boundaries, though the completion deadline of June 2007 has been missed. It is also developing a process to require authorization prior to connecting to non-VA systems that is planned to be completed in October 2007. VA IG recommendations: Improve configuration management practices by identifying, replacing, or justifying the continuance of older operating systems that are vulnerable to security breaches; Status: Open; Actions taken or planned: VA is currently developing criteria for documenting and controlling information system changes, and procedures for enforcing access restrictions on the ability to change a system. It is also upgrading its systems to Windows XP and work is expected to be completed by September 2007. The department also plans to develop a national change control policy, though work has not yet begun. VA IG recommendations: Complete actions to relocate and consolidate VA Central Office's Data Center; Status: Closed[A]; Actions taken or planned: VA completed activities to move and consolidate the VA Central Office data center by relocating servers and network hardware to other VA locations. VA IG recommendations: Develop and implement VA-wide application program/operating system change control procedures to ensure consistent documentation and authorization practices are deployed at all facilities; Status: Open; Actions taken or planned: VA is currently working on improving application and operating system change controls and establishing an enterprise change control board. Both activities are planned to be completed in December 2007. VA IG recommendations: Strengthen physical access controls to correct previously reported physical access control deficiencies and develop consistent standardized physical access control requirements, policies, and guidelines throughout VA; Status: Open; Actions taken or planned: VA is currently in the process of developing a directive for physical and environmental protection; this process is planned for completion in August 2007. It is in the process of restricting physical access to computer rooms, though work was scheduled to be completed in January 2007. VA IG recommendations: Reduce wireless security vulnerabilities by ensuring sites have an effective and up-to-date methodology to protect the interception of wireless signals and accessing the network. Additionally, ensure the wireless network is segmented and protected from the wired network; Status: Open; Actions taken or planned: VA is in the process of establishing regular update mechanisms for security configuration on those devices, though actions were planned for completion by May 2007. VA is also developing standards for restricting the use of mobile and portable devices that are planned for completion in August 2007. VA IG recommendations: Identify and deploy solutions to encrypt sensitive data and resolve clear text protocol vulnerabilities; Status: Open; Actions taken or planned: VA announced that it had encrypted 18,000 laptops by September 15, 2006. VA is currently developing management criteria for public key infrastructure tokens and criteria for revoking or changing the tokens and standards for transporting media outside of VA, though work was scheduled for completion by July 2007. VA IG recommendations: Conduct validation tests in conjunction with remediation efforts to ensure all information and data retained in the Security Management and Reporting Tool database is accurate, complete, and reliable; Status: Open; Actions taken or planned: VA is currently working to enhance the Security Management and Reporting Tool database with modules for certification and accreditation, risk management, and reviews and inspections, this work was scheduled for completion in June 2007, though work remains to be completed. Source: GAO analysis of VA action plan. [A] The VA IG stated that VA's actions to resolve this recommendation are sufficient to close the recommendation. [End of table] [End of section] Appendix III: Information on Selected Security Incidents at VA from December 2003 to January 2007: The Department of Veterans Affairs (VA) had at least 1500 security incidents reported between December 2003 and January 2007 which included the loss of personal information. Below is additional information on a selection of incidents, including all publicly reported incidents subsequent to May 3, 2006, that were reported to the department during this period and what actions it took to respond to these incidents. These incidents were selected from data obtained from VA to provide illustrative examples of the incidents that occurred at the department during this period. * December 9, 2003: stolen hard drive with data on 100 appellants. A VA laptop computer with benefit information on 100 appellants was stolen from the home of an employee working at home. As a result, the agency office was going to recall all laptop computers and have encryption software installed by December 23, 2003. * November 24, 2004: unintended disclosure of personal information. A public drive on a VA e-mail system permitted entry to folders/files containing veterans' personal information (names, Social Security numbers, dates of birth, and in some cases personal health information such as surgery schedules, diagnosis, status, etc.) by all users after computer system changes made. All folders were restricted, and individual services were contacted to set up limited access lists. * December 6, 2004: two personal computers containing data on 2,000 patients stolen. Two desktop personal computers were stolen from a locked office in a research office of a medical center. One of the computers had files containing names, Social Security numbers, next of kin, addresses, and phone numbers of approximately 2,000 patients. The computers were password protected by the standard VA password system. The medical center immediately contacted the agency Privacy Officer for guidance. Letters were mailed to all research subjects informing them of the computer theft and potential for identity theft. VA enclosed letters addressed to three major credit agencies and postage paid envelopes. This incident was reported to VA and federal incident offices. * March 4, 2005: list of 897 providers' Social Security numbers sent via e-mail. An individual reported e-mailing a list of 897 providers' names and Social Security numbers to a new transcription company. This was immediately reported, and the supervisor called the transcription company and spoke with the owner and requested that the file be destroyed immediately. Notification letters were sent out to all 897 providers. Disciplinary action was taken against the employee. * October 14, 2005: personal computer containing data on 421 patients stolen. A personal computer that contained information on 421 patients was stolen from a medical center. The information on the computer included patients' names; the last four digits of their Social Security numbers; and their height, weight, allergies, medications, recent lab results, and diagnoses. The agency's Privacy Officer and medical center information security officer were notified. The use of credit monitoring was investigated, and it was determined that because the entire Social Security number was not listed, it would not be necessary to use these services at the time. * February 2, 2006: inappropriate access of VA staff medical records. A VA staff member accessed several coworkers' medical records to find date of birth. Employee information was compromised and several records were accessed on more than one occasion. No resolution recorded. * April 11, 2006: suspected hacker compromised systems with employee's assistance. A former VA employee is suspected of hacking into a medical center computer system with the assistance of a current employee providing rotating administrator passwords. All systems in the medical center serving 79,000 veterans were compromised. * May 5, 2006: missing backup tape with sensitive information on 7,052 individuals. An office determined it was missing a backup tape containing sensitive information. On June 29, 2006, it was reported that approximately 7,052 veterans were affected by the incident. On October 11, 2006, notification letters were mailed, and 5,000 veterans received credit protection and data breach analysis for 2 years. * August 3, 2006: desktop computer with approximately 18,000 patient financial records stolen. A desktop computer was stolen from a secured area at a contractor facility in Virginia that processes financial accounts for VA. The desktop computer was not encrypted. Notification letters were mailed and credit monitoring services offered. * September 6, 2006: laptop with patient information on an unknown number of individuals stolen. A laptop attached to a medical device at a VA medical center was stolen. It contained patient information on an unknown number of individuals. Notification letters and credit protection services were offered to 1,575 patients. * January 22, 2007: external hard drive with 535,000 individual records and 1.3 million non-VA physician provider records missing or stolen. An external hard drive used to store research data with 535,000 individual records and 1.3 million non-VA physician provider records was discovered missing or stolen from a research facility in Birmingham, Alabama. Notification letters were sent to veterans and providers, and credit monitoring services were offered to those individuals whose records contained personally identifiable information. [End of section] Appendix IV: Comments from the Department of Veterans Affairs: The Deputy Secretary Of Veterans Affairs: Washington: August 27, 2007: Mr. Gregory C. Wilshusen: Director: Information Security Issues: U.S. Government Accountability Office: 441 G Street, NW: Washington, DC 20548: Dear Mr. Wilshusen: The Department of Veterans Affairs (VA) has reviewed the Government Accountability Office's (GAO) draft report, Information Security: Sustained Management Commitment and Oversight Vital to Resolving Long- Standing Weaknesses at the Department of Veterans Affairs (GAO-07-1019) and generally agrees with your findings and concurs with your recommendations. The enclosure specifically addresses several of GAO's 17 recommendations that are already implemented or are well along the way to implementation. It also provides technical corrections. With regard to VA's continuing efforts to improve its information security system, we believe that the Department's information security practices, as implemented before the May 2006 incident were legally adequate as we noted in our motion for summary judgment in the litigation surrounding this incident; further, we believe that VA is continuing to implement appropriate administrative, technical, and physical safeguards. VA has taken aggressive and proactive measures that are, or were at the time, above and beyond legal requirements, such as mandating encryption of sensitive data accessed remotely or used outside VA facilities. The agency has implemented safeguards that are in conformity with the standard of reasonableness endorsed by Congress in enacting the Privacy Act, and a failure to employ some other method does not demonstrate that the protective measures in place were legally inadequate. The Assistant Secretary for Information and Technology would welcome the opportunity to periodically brief your staff on our progress. I believe that the consolidation of all IT operations and maintenance under VA's Chief Information Officer will enhance the Department's Information Security Program, as well as correct long- standing deficiencies. VA will provide specific comments and implementation plans for each of your recommendations when responding to GAO's final report. VA appreciates the opportunity to comment on your draft report. Sincerely yours, Signed by: Gordon H. Mansfield: Enclosure: Department of Veterans Affairs (VA): Comments to: Government Accountability Office (GAO) Draft Report,: Information Security: Sustained Management Commitment and: Oversight Vital to Resolving Long-Standing Weaknesses at the: Department of Veterans Affairs (GAO-07-1019): VA concurs in each of GAO's 17 recommendations. Below are specific comments to selected recommendations. Of the 17 recommendations for executive action that are listed in the report, the second one relating to information security as an evaluation element in senior executives performance plans, is already implemented. In 2002, the Information Security requirement was incorporated into Senior Executive Service (SES) performance appraisals. In 2005, it was designated as a critical element. The Office of the Assistant Secretary for Human Resources Management and Administration, in coordination with the administrations and staff offices, will review annually, all SES performance plans, beginning with the 2007 Performance Review Board (PRB) process, to ensure and document that all SES plans contain the information security element. The Office of Executive Resources will maintain the documentation. The recruitment announcement to fill the position of Chief Information Security Officer (recommendation 5) closed on July 27, 2007. The Directive 6500 was issued on August 4, 2006 and remains valid, (recommendation 6). The associated Handbook, (recommendation 1), is being finalized for submission for Departmental concurrence and includes detailed roles and responsibilities of the new organization. All other recommendations are in various stages of implementation. For example, several activities are underway to implement recommendation 14, pertaining to conducting an assessment of what constitutes high- risk data. The Office of the Assistant Secretary for Information and Technology has issued a data call to reduce the use of Social Security Numbers (SSN) and other personally identifiable information (PII) throughout the Department. The call requests that all organizations review and update all new and existing Privacy Act System of Records Notices (SORN) and all VA forms where PII is collected. Any unnecessary collection of either SSNs or PII will be scrutinized and appropriate steps will be taken to eliminate the collection of that information. Based on the results of item above, VA will implement the second phase of this effort, (recommendation 15) and issue policies that will mandate permanently reducing the collection of high-risk data located throughout the Department. These policies will include annual reviews of existing SORNs and VA forms to ensure that changes have not been made to those information collections. Department of Veterans Affairs (VA): Comments to: Government Accountability Office (GAO) Draft Report,: Information Security: Sustained Management Commitment and: Oversight Vital to Resolving Long-Standing Weaknesses at the: Department of Veterans Affairs (GAO-07-1019): (Continued): These policies will be communicated to all employees via daily employee news feeds and on-line training vehicles. They will also be reinforced by the Office of Information and Technology's (OI&T) IT Oversight and Compliance Office during the conduct of on-site assessments of IT security, privacy and records management practices at VA field facilities. On pages 12 and 41, GAO states that all 17 recommendations from the FY 2005 Office of Inspector General (OIG) report have not been implemented. Recommendation 12 (Complete actions to relocate and consolidate Veterans Affairs Central Office's data center) has been implemented. The OIG has informed us that they plan to close this recommendation in their FY 2006 Federal Information Security Management Act audit report, which is about to go final. While the recommendations are directed at the Department level, specifically VA's OI&T, following the research security incident of January 22, 2007, at a research facility in Birmingham, Alabama, a vigorous response was initiated by both OI&T and the Veterans Health Administration's (VHA) Office of Research and Development. This effort included nationwide certification of all active research protocols for compliance with security standards, education of the entire VA research community (over 18,000 individuals) to privacy and security requirements, and the establishment of regular announced and unannounced inspections of research sites by the VHA Office of Research Oversight and the OI&T Office of Oversight and Compliance. Additionally, OI&T and VHA have worked together with the wider academic community and other Federal agencies that support biomedical research to create alignment with Federal information security management requirements for research that involves veterans. This ongoing process, which VA is leading, represents an unprecedented transformation of the national biomedical research enterprise and is directed at reducing risk of information loss as well as retaining the trust of America's veterans in VA's clinical research and educational missions. [End of section] Appendix V: GAO Contact and Staff Acknowledgments: GAO Contact: Gregory C. Wilshusen, (202) 512-6244 or wilshuseng@gao.gov: Staff Acknowledgments: In addition to the individual named above, key contributions to this report were made by Charles Vrabel (Assistant Director), James Ashley, Mark Canter, Barbara Collier, Mary Hatcher, Valerie Hopkins, Leena Mathew, Jeanne Sung, and Amos Tevelow. Footnotes: [1] Information security controls include access controls, configuration management, segregation of duties, and contingency planning. These controls are designed to ensure that access to data is appropriately restricted, only authorized changes to computer programs are made, computer security duties are segregated, and backup and recovery plans are adequate to ensure the continuity of essential operations. [2] We made recommendations to address weaknesses in June 2002 as part of our review of VA's security management program to ensure compliance with Government Information Security Reform legislation. In December 2002, Congress enacted the Federal Information Security Management Act, which required each agency to use a risk based approach to develop, document, and implement a departmentwide information security program. Since our report in 2002, the IG has continued to make recommendations to address weaknesses in the department's information security program as part of its annual review of the program under the act. [3] "Personally identifiable information" refers to any information about an individual maintained by an agency, including any information that can be used to distinguish or trace an individual's identity, such as their name, Social Security number, date and place of birth, mother's maiden name, biometric records, etc., or any other personal information that is linked or linkable to an individual. [4] FISMA, Title III, E-Government Act of 2002, Pub. L. No. 107-347 (Dec. 17, 2002). [5] GISRA was enacted as subtitle G of Title X of the Floyd D. Spence National Defense Authorization Act for Fiscal Year 2001, Pub. L. No. 106-398 (Oct. 30, 2000). GISRA was to expire 2 years after its effective date. [6] GAO, Veterans Affairs: Sustained Management Attention Is Key to Achieving Information Technology Results, GAO-02-703 (Washington, D.C.: June 12, 2002). [7] Department of Veterans Affairs Office of Inspector General, Audit of the Department of Veterans Affairs Information Security Program, Report No. 04-00772-122 (Washington, D.C.: Mar. 31, 2005). [8] Department of Veterans Affairs Office of Inspector General, FY2005 Audit of VA Information Security Program, Report No. 05-00055-216 (Washington, D.C.: Sept. 20, 2006). [9] Encryption is used to provide basic data confidentiality and integrity for data, by transforming plain text into cipher text using a special value known as a key and a mathematical process known as an algorithm. [10] Department of Veterans Affairs Office of Inspector General, Review of Issues Related to the Loss of VA Information Involving the Identity of Millions of Veterans, Report No. 06-02238-163 (Washington, D.C.: July 11, 2006). [11] Veterans Benefits, Health Care, and Information Technology Act of 2006, Pub. L. No. 109-461 (Dec. 22, 2006). [12] This included, among other things, the unique physician identification number, Medicare billing number, and physician credential code of medical providers. [13] Department of Veterans Affairs Office of Inspector General, Administrative Investigation Loss of VA Information VA Medical Center Birmingham, AL, Report No. 07-01083-157 (Washington, D.C.: June 29, 2007). [14] The VA National Rules of Behavior is a set of department rules that describes the responsibilities and behavior of personnel with regard to information system usage and is required to be developed under the Veterans Benefits, Health Care, and Information Technology Act of 2006. [15] Such a review process and documentation of it are control activities identified in GAO, Standards for Internal Control in the Federal Government, GAO/AIMD-00-21.3.1 (Washington, D.C.: November 1999). [16] This is one of the identified activities described in our 1998 study of security management practices: GAO, Executive Guide: Information Security Management--Learning from Leading Organizations, GAO/AIMD-98-68 (Washington, D.C.: May 1998). [17] We recently recommended that VA improve its management of the realignment effort by dedicating an implementation team to manage change, expediting development of performance metrics, and establishing a schedule for implementing management processes. VA agreed with the findings in our report and generally concurred with the recommendations. GAO, Veterans Affairs: Continued Focus on Critical Success Factors Is Essential to Achieving Information Technology Realignment, GAO-07-844 (Washington, D.C.: June 15, 2007). [18] Federal Information Processing Standard 140 is published by National Institute of Standards and Technology and provides a standard that specifies the security requirements that will be satisfied by a cryptographic module used by federal agencies. [19] See appendix I for more details regarding our methodology for testing the implementation of encryption on laptops. Because of the scope of our testing of laptop encryption, we could not make a determination of the effectiveness of VA's effort to implement VA Directive 6504 at all department facilities. [20] In contrast, VBA directed that all laptops at each facility be encrypted regardless of whether or not they operated in a mobile environment. [21] VA has since hired a contractor to analyze the relationship between the biomedical and IT functions in the devices to improve the management of medical devices. [22] The Food and Drug Administration's guidance provides that medical device software (that is, software that is used as a component or accessory of a medical device) must be validated by the manufacturer before it can be used. When any change to the software is made, the change must be validated; this requirement limits VA's ability to encrypt laptops that are considered medical devices. [23] GAO, Veterans Affairs: Inadequate Controls over IT Equipment at Selected VA Locations Pose Continuing Risk of Theft, Loss, and Misappropriation, GAO-07-505 (Washington, D.C.: July 16, 2007), and Veterans Affairs: Lack of Accountability and Control Weaknesses over IT Equipment at Selected VA Locations, GAO-07-1100T (Washington, D.C.: July 24, 2007). [24] OMB Memorandum M-06-19, "Reporting Incidents Involving Personally Identifiable Information and Incorporating the Cost for Security in Agency Information Technology Investments" (July 12, 2006). [25] For more details on these incidents at VA, see appendix III. [26] VA drafted these interim procedures to comply with the Veterans Benefits, Health Care, and Information Technology Act of 2006, which required VA to draft regulations for security incident notification and publish these in the Federal Register for public comment for 60 days. Until the regulation could be finalized, VA followed its interim procedures. [27] GAO, Privacy: Lessons Learned about Data Breach Notification, GAO- 07-657 (Washington, D.C.: Apr. 30, 2007). [28] We and the IG have issued reports that make recommendations for conducting risk assessments of high risk data for identity theft and determining if credit monitoring services or other appropriate services should be offered. See GAO, Privacy: Lessons Learned about Data Breach Notification, GAO-07-657 (Washington, D.C.: Apr. 30, 2007); Department of Veterans Affairs Office of Inspector General, Administrative Investigation Loss of VA Information VA Medical Center Birmingham, AL, Report No. 07-01083-157 (Washington, D.C.: June 29, 2007). [29] GAO, Standards for Internal Control in the Federal Government, GAO/AIMD-00-21.3.1 (Washington, D.C.: November 1999). GAO also issued a management evaluation tool to assist agencies in maintaining or implementing effective internal control. See GAO, Internal Control Management and Evaluation Tool, GAO-01-1008G (Washington, D.C.: August 2001). [30] The checklist is based on existing National Institute of Standards and Technology checklists and incorporates an assessment of internal controls and adherence to federal laws and VA policies. [31] The Deputy Secretary also stated that VA considers its information security practices, as implemented before the May 2006 incident, as legally adequate, referring to the Government's response to litigation concerning the incident. However, our review did not assess the legal adequacy of the Department's safeguards in satisfying the Privacy Act, the statute involved in the litigation and to which the Deputy Secretary referred. [32] The IG evaluated VA's actions in addressing recommendations made by the IG as part of their annual FISMA review during fiscal year 2006. [33] The types of VA facilities include central and regional offices, data centers, medical centers, clinics, Research Enhancement Award Program offices, and cemeteries. [34] With these probability samples, each laptop had a known, nonzero probability of being selected. [35] Because we selected a sample of laptops from these locations, our results are estimates of the populations and thus are subject to sample errors that are associated with samples of this size and type. Our confidence in the precision of the results from this sample is expressed in 95 percent confidence intervals, which are expected to include the actual results in 95 percent of the samples of this type. [36] Department of Veterans Affairs Office of Inspector General, FY2005 Audit of VA Information Security Program, Report No. 05-00055-216 (Washington, D.C.: Sept. 20, 2006). GAO's Mission: The Government Accountability Office, the audit, evaluation and investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO's commitment to good government is reflected in its core values of accountability, integrity, and reliability. Obtaining Copies of GAO Reports and Testimony: The fastest and easiest way to obtain copies of GAO documents at no cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each weekday, GAO posts newly released reports, testimony, and correspondence on its Web site. To have GAO e-mail you a list of newly posted products every afternoon, go to [hyperlink, http://www.gao.gov] and select "Subscribe to Updates." Order by Mail or Phone: The first copy of each printed report is free. Additional copies are $2 each. A check or money order should be made out to the Superintendent of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or more copies mailed to a single address are discounted 25 percent. Orders should be sent to: U.S. Government Accountability Office: 441 G Street NW, Room LM: Washington, D.C. 20548: To order by Phone: Voice: (202) 512-6000: TDD: (202) 512-2537: Fax: (202) 512-6061: To Report Fraud, Waste, and Abuse in Federal Programs: Contact: Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]: E-mail: fraudnet@gao.gov: Automated answering system: (800) 424-5454 or (202) 512-7470: Congressional Relations: Gloria Jarmon, Managing Director, JarmonG@gao.gov (202) 512-4400: U.S. Government Accountability Office: 441 G Street NW, Room 7125: Washington, D.C. 20548: Public Affairs: Susan Becker, Acting Manager, Beckers@gao.gov (202) 512-4800: U.S. Government Accountability Office: 441 G Street NW, Room 7149: Washington, D.C. 20548: