Information Security:

Sustained Management Commitment and Oversight Are Vital to Resolving Long-standing Weaknesses at the Department of Veterans Affairs

GAO-07-1019: Published: Sep 7, 2007. Publicly Released: Sep 19, 2007.

Additional Materials:

Contact:

Gregory C. Wilshusen
(202) 512-6244
contact@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

In May 2006, the Department of Veterans Affairs (VA) announced that computer equipment containing personal information on approximately 26.5 million veterans and active duty military personnel had been stolen. Given the importance of information technology (IT) to VA's mission, effective information security controls are critical to maintaining public and veteran confidence in its ability to protect sensitive information. GAO was asked to evaluate (1) whether VA has effectively addressed GAO and VA Office of Inspector General (IG) information security recommendations and (2) actions VA has taken since May 2006 to strengthen its information security practices and secure personal information. To do this, GAO examined security policies and action plans, interviewed pertinent department officials, and conducted testing of encryption software at select VA facilities.

Although VA has made progress, it has not yet fully implemented most of the key GAO and IG recommendations to strengthen its information security practices. Specifically, VA has implemented two GAO recommendations: to develop a process for managing its plan to correct identified weaknesses and to regularly report on progress in updating its security plan to the Secretary. However, it has not fully implemented two other GAO recommendations: to complete a comprehensive security management program and to ensure consistent use of information security performance standards for appraising senior VA executives. In addition, the department has not yet fully implemented 20 of 22 recommendations made by the IG in 2006. For example, VA has not completed activities to appropriately restrict access to data, networks, and department facilities; ensure that only authorized changes and updates to computer programs are made; and strengthen critical infrastructure planning. Because these recommendations have not yet been implemented, unnecessary risk exists that the personal information of veterans and others, such as medical providers, will be exposed to data tampering, fraud, and inappropriate disclosure. Since the May 2006 security incident, VA has continued or begun several major initiatives to strengthen its information security practices and secure personal information within the department, but more remains to be done. These initiatives include continuing efforts begun in October 2005 to reorganize its management structure to provide better oversight and fiscal discipline over its IT systems; developing an action plan to correct identified weaknesses; establishing an information protection program; improving its incident management capability; and establishing an office responsible for oversight of IT within the department. However, implementation shortcomings limit the effectiveness of these initiatives. For example, no documented process exists between the Director of Field Operations and Security and the chief information security officer (CISO) to ensure the effective coordination and implementation of security policies and procedures within the department. In addition, the position of the CISO has been unfilled since June 2006. Although, 39 percent of items in the department's remedial action plan are tasks to develop, document, revise, or update a policy or program, 87 percent of these items have no corresponding task with an established time frame for implementation across the department. VA also did not have clear guidance for identifying devices that require encryption functionality, and it lacked adequate procedures for incident response and notification. Finally, VA's Office of IT Oversight and Compliance lacks a standard methodology and established criteria to ensure that its examination of internal controls is consistent across VA facilities. Until the department addresses recommendations to resolve identified weaknesses and implements the major initiatives it has undertaken, it will have limited assurance that it can protect its systems and information from the unauthorized disclosure, misuse, or loss of personal information of veterans and other personnel.

Status Legend:

More Info
  • Review Pending-GAO has not yet assessed implementation status.
  • Open-Actions to satisfy the intent of the recommendation have not been taken or are being planned, or actions that partially satisfy the intent of the recommendation have been taken.
  • Closed-implemented-Actions that satisfy the intent of the recommendation have been taken.
  • Closed-not implemented-While the intent of the recommendation has not been satisfied, time or circumstances have rendered the recommendation invalid.
    • Review Pending
    • Open
    • Closed - implemented
    • Closed - not implemented

    Recommendations for Executive Action

    Recommendation: To assist the department in improving its ability to protect its information and systems, the Secretary of Veterans Affairs should finalize and approve Handbook 6500 to provide guidance for developing, documenting, and implementing the elements of the information security program.

    Agency Affected: Department of Veterans Affairs

    Status: Closed - Implemented

    Comments: In fiscal year 2008, we verified that VA, in response to our recommendation, has finalized and approved Handbook 6500. This action increases VA's ability to safeguard its assets and sensitive information against potential data tampering, disruptions in critical operations, fraud, and the inappropriate disclosure of sensitive information.

    Recommendation: To assist the department in improving its ability to protect its information and systems, the Secretary of Veterans Affairs should develop, document, and implement a process for reviewing on a regular basis the performance plans of senior executives to ensure that information security is included as an evaluation element.

    Agency Affected: Department of Veterans Affairs

    Status: Closed - Implemented

    Comments: In fiscal year 2011, we verified that VA, in response to our recommendation, has developed, documented, and implemented an annual review process for SES performance plans to ensure that information security elements are incorporated in performance appraisals. VA's Office of Executive Resources maintains documentation for the Performance Review Board.

    Recommendation: To assist the department in improving its ability to protect its information and systems, the Secretary of Veterans Affairs should develop, document, and implement a process for the Director of Field Operations and Security and Director of Cyber Security to coordinate with each other on the implementation of IT security policies and procedures throughout the department.

    Agency Affected: Department of Veterans Affairs

    Status: Closed - Implemented

    Comments: In fiscal year 2008, we verified that VA, in response to our recommendation, has developed, documented, and implemented a process for the Director of Field Operations and Security and Director of Cyber Security to coordinate with each other on the implementation of IT security policies and procedures throughout the department. This action increases VA's ability to consistently implement policies or procedures throughout the department.

    Recommendation: To assist the department in improving its ability to protect its information and systems, the Secretary of Veterans Affairs should document clearly defined responsibilities in the organization book for the Director of Field Operations and Security and the Director of Cyber Security for coordinating the implementation of IT security policies and procedures within the department.

    Agency Affected: Department of Veterans Affairs

    Status: Closed - Implemented

    Comments: In fiscal year 2008, we verified that VA, in response to our recommendation, documented clearly defined responsibilities in the organization book for the Director of Field Operations and Security and the Director of Cyber Security for coordinating the implementation of IT security policies and procedures within the department. This action increases VA's assurance that the management and implementation of security policies and procedures are effectively coordinated and communicated.

    Recommendation: To assist the department in improving its ability to protect its information and systems, the Secretary of Veterans Affairs should act expeditiously to fill the position of the Chief Information Security Officer.

    Agency Affected: Department of Veterans Affairs

    Status: Closed - Implemented

    Comments: In fiscal year 2008, we verified that VA, in response to our recommendation, has filled the position of the CISO. This action increases VA's ability to strengthen information security practices and coordinate security related activities within the department.

    Recommendation: To assist the department in improving its ability to protect its information and systems, the Secretary of Veterans Affairs should revise Directive 6500 to reflect the new IT management structure and to ensure that roles and responsibilities are consistent in all VA IT directives.

    Agency Affected: Department of Veterans Affairs

    Status: Closed - Implemented

    Comments: In fiscal year 2008, we verified that VA, in response to our recommendation, has updated its directive on its information security program to reflect the new IT realignment structure for the position of the CISO. This action increases VA's ability to communicate and coordinate responsibilities among the department's security staff.

    Recommendation: To assist the department in improving its ability to protect its information and systems, the Secretary of Veterans Affairs should develop, document, and implement procedures for the action plan to ensure that action items are addressed in an effective and timely manner.

    Agency Affected: Department of Veterans Affairs

    Status: Closed - Implemented

    Comments: In fiscal year 2010, we verified that VA, in response to our recommendation, has issued a close-out management plan with guidance on addressing action items. In addition, VA has implemented a tracking system to monitor agency progress in closing action items.

    Recommendation: To assist the department in improving its ability to protect its information and systems, the Secretary of Veterans Affairs should establish tasks with time frames for implementation of policies and procedures in the action plan.

    Agency Affected: Department of Veterans Affairs

    Status: Closed - Implemented

    Comments: In fiscal year 2011, we verified that VA, in response to our recommendation, has developed an integrated master schedule, Schedule Management Plan, to establish the tasks and timeframes for implementation of policies and procedures.

    Recommendation: To assist the department in improving its ability to protect its information and systems, the Secretary of Veterans Affairs should develop, document, and implement a process to validate the closure of action plan items.

    Agency Affected: Department of Veterans Affairs

    Status: Closed - Implemented

    Comments: In fiscal year 2011, we verified that VA, in response to our recommendation, has developed a Closeout Management Plan, which documents the methodology for collecting project artifacts and for closing work identified in the integrated master schedule. We also verified that VA has implemented a new application for tracking plans of action and milestones (POA&Ms), the Security Management and Reporting Tool (SMART). SMART allows VA managers to validate the closure of POA&Ms.

    Recommendation: To assist the department in improving its ability to protect its information and systems, the Secretary of Veterans Affairs should include in the action plan the activities taken to address GAO recommendations.

    Agency Affected: Department of Veterans Affairs

    Status: Closed - Implemented

    Comments: In fiscal year 2011, we verified that VA, in response to our recommendation, has implemented a new system for tracking plans of action and milestones (POA&Ms) called the Security Management and Reporting Tool (SMART). SMART documents, as part of each POA&M, the activities taken to address recommendations, including those made by GAO.

    Recommendation: To assist the department in improving its ability to protect its information and systems, the Secretary of Veterans Affairs should develop, document, and implement clear guidance for identifying devices that require encryption functionality.

    Agency Affected: Department of Veterans Affairs

    Status: Closed - Implemented

    Comments: In fiscal year 2010 we verified that VA, in response to our recommendation, has issued Handbook 6500 with explicit guidance on encrypting devices, and the standards that must be met. This action helps ensure that VA has in place guidance for identifying devices that require encryption.

    Recommendation: To assist the department in improving its ability to protect its information and systems, the Secretary of Veterans Affairs should maintain an accurate inventory of all IT equipment that has encryption installed.

    Agency Affected: Department of Veterans Affairs

    Status: Closed - Implemented

    Comments: In fiscal year 2011, we verified that VA, in response to our recommendation, has implemented software to track devices that have encryption installed. The software allows VA to maintain an accurate inventory of all IT equipment that has encryption installed.

    Recommendation: To assist the department in improving its ability to protect its information and systems, the Secretary of Veterans Affairs should develop and document procedures that include a mechanism for obtaining contact information on individuals whose information is compromised in security incidents.

    Agency Affected: Department of Veterans Affairs

    Status: Closed - Implemented

    Comments: In fiscal year 2011, we verified that VA, in response to our recommendation, has developed policy specifying that the Privacy Officer is responsible for identifying individuals whose information has been compromised in security incidents. In addition, VA has developed procedures for obtaining contact information on individuals whose information is compromised in security incidents.

    Recommendation: To assist the department in improving its ability to protect its information and systems, the Secretary of Veterans Affairs should conduct an assessment of what constitutes high-risk data for the information located at VA facilities and in information systems.

    Agency Affected: Department of Veterans Affairs

    Status: Closed - Implemented

    Comments: In fiscal year 2010 we verified that VA, in response to our recommendation, has included in Handbook 6500.3 the standards to be followed in determining what constitutes high-risk data for information located at VA facilities and in information systems. This action helps VA assess the risk of information at its facilities and in its systems.

    Recommendation: To assist the department in improving its ability to protect its information and systems, the Secretary of Veterans Affairs should develop and document a process for appropriate coordination and mitigation activities based on the assessment above.

    Agency Affected: Department of Veterans Affairs

    Status: Closed - Implemented

    Comments: In fiscal year 2010 we verified that VA, in response to our recommendation, has established a processes and guidance for conducting incident response, incident resolution, incident closure, and lessons learned for incidents that involve a data breach. This action strengthens VA's coordination and mitigation activities in responding to security incidents.

    Recommendation: To assist the department in improving its ability to protect its information and systems, the Secretary of Veterans Affairs should develop, document, and implement a standard methodology and established criteria for evaluating the internal controls at facilities.

    Agency Affected: Department of Veterans Affairs

    Status: Closed - Implemented

    Comments: In fiscal year 2011, we verified that VA has established procedures for security control monitoring.

    Recommendation: To assist the department in improving its ability to protect its information and systems, the Secretary of Veterans Affairs should establish a mechanism to track VA's Office of IT Oversight and Compliance recommendations made to facilities and conduct regular follow-up on the status of the recommendations.

    Agency Affected: Department of Veterans Affairs

    Status: Closed - Implemented

    Comments: In fiscal year 2011, we verified that VA's assessment results are reported back to the site and or facility manager for resolution. Additionally, the assessment recommendations are loaded into the Security Management and Reporting Tool as site level Plan of Action and Milestones.

    Jul 14, 2014

    Jun 23, 2014

    Jun 18, 2014

    Jun 10, 2014

    Jun 9, 2014

    Jun 3, 2014

    May 13, 2014

    Apr 22, 2014

    Apr 9, 2014

    Looking for more? Browse all our products here