Sustained Management Commitment and Oversight Are Essential to Completing Information Technology Realignment and Strengthening Information Security
GAO-07-1264T, Sep 26, 2007
The Department of Veterans Affairs (VA) has encountered numerous challenges in managing its information technology (IT) and securing its information systems. In October 2005, the department initiated a realignment of its IT program to provide greater authority and accountability over its resources. The May 2006 security incident highlighted the need for additional actions to secure personal information maintained in the department's systems. In this testimony, GAO discusses its recent reporting on VA's realignment effort as well as actions to improve security over its information systems. To prepare this testimony, GAO reviewed its past work on the realignment and on information security, and it updated and supplemented its analysis with interviews of VA officials.
VA has fully addressed two of six critical success factors GAO identified as essential to a successful transformation, but it has yet to fully address the other four, and it has not kept to its scheduled timelines for implementing new management processes that are the foundation of the realignment. That is, the department has ensured commitment from top leadership and established a governance structure to manage resources, both of which are critical success factors. However, the department continues to operate without a single, dedicated implementation team to manage the realignment; such a dedicated team is important to oversee the further implementation of the realignment, which is not expected to be complete until July 2008. Other challenges to the success of the realignment include delays in staffing and in implementing improved IT management processes that are to address long-standing weaknesses. The department has not kept pace with its schedule for implementing these processes, having missed its original scheduled time frames. Unless VA dedicates a team to oversee the further implementation of the realignment, including defining and establishing the processes that will enable the department to address its IT management weaknesses, it risks delaying or missing the potential benefits of the realignment. VA has begun or continued several major initiatives to strengthen information security practices and secure personally identifiable information within the department, but more remains to be done. These initiatives include continuing the department's efforts to reorganize its management structure; developing a remedial action plan; establishing an information protection program; improving its incident management capability; and establishing an office responsible for oversight and compliance of IT within the department. However, although these initiatives have led to progress, their implementation has shortcomings. For example, although the management structure for information security has changed under the realignment, improved security management processes have not yet been completely developed and implemented, and responsibility for the department's information security functions is divided between two organizations, with no documented process for the two offices to coordinate with each other. In addition, VA has made limited progress in implementing prior security recommendations made by GAO and the department's Inspector General, having yet to implement 22 of 26 recommendations. Until the department addresses shortcomings in its major security initiatives and implements prior recommendations, it will have limited assurance that it can protect its systems and information from the unauthorized disclosure, misuse, or loss of personally identifiable information.