Veterans Affairs:

Inadequate Controls over IT Equipment at Selected VA Locations Pose Continuing Risk of Theft, Loss, and Misappropriation

GAO-07-505: Published: Jul 16, 2007. Publicly Released: Jul 24, 2007.


Contact:

Beryl H. Davis
(202) 516-6906
contact@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

In July 2004, GAO reported that the six Department of Veterans Affairs (VA) medical centers it audited lacked a reliable property control database and had problems with implementation of VA inventory policies and procedures. Fewer than half the items GAO selected for testing could be located. Most of the missing items were information technology (IT) equipment. Given recent thefts of laptops and data breaches, the requesters were concerned about the adequacy of physical inventory controls over VA IT equipment. GAO was asked to determine (1) the risk of theft, loss, or misappropriation of IT equipment at selected locations; (2) whether selected locations have adequate procedures in place to assure accountability and physical security of IT equipment in the excess property disposal process; and (3) what actions VA management has taken to address identified IT inventory control weaknesses. GAO statistically tested inventory controls at four case study locations.

A weak overall control environment for VA IT equipment at the four locations GAO audited poses a significant security vulnerability to the nation's veterans with regard to sensitive data maintained on this equipment. GAO's Standards for Internal Control in the Federal Government requires agencies to establish physical controls to safeguard vulnerable assets, such as IT equipment, which might be vulnerable to risk of loss, and federal records management law requires federal agencies to record essential transactions. However, GAO found that current VA property management policy does not provide guidance for creating records of inventory transactions as changes occur. GAO also found that policies requiring annual inventories of sensitive items, such as IT equipment; adequate physical security; and immediate reporting of lost and missing items have not been enforced. GAO's statistical tests of physical inventory controls at four VA locations identified a total of 123 missing IT equipment items, including 53 computers that could have stored sensitive data. The lack of user-level accountability and inaccurate records on status, location, and item descriptions make it difficult to determine the extent to which actual theft, loss, or misappropriation may have occurred without detection. GAO also found that the four VA locations reported over 2,400 missing IT equipment items, valued at about $6.4 million, identified during physical inventories performed during fiscal years 2005 and 2006. Missing items were often not reported for several months and, in some cases, several years. It is very difficult to investigate these losses because information on specific events and circumstances at the time of the losses is not known. GAO's limited tests of computer hard drives in the excess property disposal process found hard drives at two of the four case study locations that contained personal information, including veterans' names and Social Security numbers. 
GAO's tests did not find any remaining data after sanitization procedures were performed. However, weaknesses in physical security at IT storage locations and delays in completing the data sanitization process heighten the risk of data breach. Although VA management has taken some actions to improve controls over IT equipment, including strengthening policies and procedures, improving the overall control environment for sensitive IT equipment will require a renewed focus, oversight, and continued commitment throughout the organization.

Status Legend:

  • Review Pending: GAO has not yet assessed implementation status.
  • Open: Actions to satisfy the intent of the recommendation have not been taken or are being planned, or actions that partially satisfy the intent of the recommendation have been taken.
  • Closed - implemented: Actions that satisfy the intent of the recommendation have been taken.
  • Closed - not implemented: While the intent of the recommendation has not been satisfied, time or circumstances have rendered the recommendation invalid.

    Recommendations for Executive Action

    Recommendation: The Secretary of Veterans Affairs should require that the medical centers and VA headquarters offices we tested and other VA organizations, as appropriate, take the following action to improve accountability of IT equipment inventory and reduce the risk of disclosure of sensitive personal data, medical data, or both. To help minimize the risk of loss, theft, and misappropriation of government IT equipment used in VA operations, the Secretary should revise VA property management policy and procedures to include detailed requirements for what transactions must be recorded to document inventory events and to clearly establish individual responsibility for recording all essential transactions in the property management process.

    Agency Affected: Department of Veterans Affairs

    Status: Closed - Implemented

    Comments: In response to our recommendation, as of July 2008, VA had completed actions to revise property management policies and procedures concerning the recording of inventory events. Specifically, VA's Assistant Secretary for Management and the CIO worked together to revise property management policy in VA Handbook 7002, Logistics Management Procedures. Among other things, Handbook 7002 specified required steps for recording of key inventory events, including the recording of IT equipment information upon receipt, changes in item status, and turn-in and disposal. In addition, on July 3, 2008, the Assistant Secretary for Management mandated early implementation of Handbook 7002. In July 2008, we followed up on this issue and reported in Continued Action Needed to Reduce IT Equipment Losses and Correct Control Weaknesses (GAO-08-918), that this recommendation was fully implemented. By implementing our recommendation to revise VA property management policies and procedures concerning the recording of inventory events, VA has improved its accountability over IT equipment and helped safeguard those assets from theft, loss, and misappropriation.

    Recommendation: The Secretary of Veterans Affairs should require that the medical centers and VA headquarters offices we tested and other VA organizations, as appropriate, take the following action to improve accountability of IT equipment inventory and reduce the risk of disclosure of sensitive personal data, medical data, or both. To help minimize the risk of loss, theft, and misappropriation of government IT equipment used in VA operations, the Secretary should revise VA purchase card policy to require purchase card holders to notify property management officials of IT equipment and other property items acquired with government purchase cards at the time the items are received so that they can be recorded in property management systems.

    Agency Affected: Department of Veterans Affairs

    Status: Closed - Implemented

    Comments: In response to our recommendation, as of July 2008, VA had completed actions to revise purchase card policy. VA's Assistant Secretary for Management and the CIO worked together to revise property management policy in a new VA Handbook 7002, Logistics Management Procedures. This Handbook requires purchase cardholders to notify the property officer of IT equipment acquired with the purchase card so that these items may be recorded in the property management system. In July 2008, we followed up on this issue and found that this recommendation was fully implemented. By implementing GAO's recommendation to revise VA purchase card policy to require purchase card holders to notify property management officials of IT equipment purchases, VA has improved its accountability over IT equipment and helped safeguard those assets from theft, loss, and misappropriation.

    Recommendation: The Secretary of Veterans Affairs should require that the medical centers and VA headquarters offices we tested and other VA organizations, as appropriate, take the following action to improve accountability of IT equipment inventory and reduce the risk of disclosure of sensitive personal data, medical data, or both. To help minimize the risk of loss, theft, and misappropriation of government IT equipment used in VA operations, the Secretary should establish procedures to require specific, individual user-level accountability for IT equipment. In implementing this recommendation, consideration should be given to making the unit head, or a designee, accountable for shared IT equipment.

    Agency Affected: Department of Veterans Affairs

    Status: Closed - Implemented

    Comments: In response to our recommendation, as of July 2008, VA had completed actions to establish new procedures for handling IT equipment. VA's Assistant Secretary for Management and the CIO worked together to revise property management policy in VA Handbook 7002, Logistics Management Procedures. In particular, VA Handbook 7002 established procedures to require specific, individual user-level accountability for IT equipment, including requiring employees to sign for IT equipment assigned exclusively for individual use and department heads or service chiefs to sign for shared IT equipment. In July 2008, we followed up on this issue and reported that this recommendation was fully implemented. By implementing GAO's recommendation to establish procedures to require specific, individual user-level accountability for IT equipment, VA has improved its accountability over IT equipment and helped safeguard those assets from theft, loss, and misappropriation.

    Recommendation: The Secretary of Veterans Affairs should require that the medical centers and VA headquarters offices we tested and other VA organizations, as appropriate, take the following action to improve accountability of IT equipment inventory and reduce the risk of disclosure of sensitive personal data, medical data, or both. To help minimize the risk of loss, theft, and misappropriation of government IT equipment used in VA operations, the Secretary should enforce user-level accountability and IT coordinator responsibility by taking appropriate disciplinary action, including holding employees financially liable, as appropriate, for lost or missing IT equipment.

    Agency Affected: Department of Veterans Affairs

    Status: Closed - Implemented

    Comments: In response to our recommendation, as of July 2008, VA had completed actions to enforce user-level accountability, including enhanced provisions for disciplinary actions, for lost or missing IT equipment. VA's Assistant Secretary for Management and the CIO worked together to revise property management policy in VA Handbook 7002, Logistics Management Procedures. In July 2008, we followed up on this issue and reported that this recommendation was fully implemented. VA provided several fiscal year 2008 examples of bills sent to VA personnel for lost and damaged IT equipment items. By implementing GAO's recommendation to enforce user-level accountability and appropriate disciplinary actions for lost or missing IT equipment, VA has improved its accountability over IT equipment inventory and helped safeguard those assets from theft, loss, and misappropriation.

    Recommendation: The Secretary of Veterans Affairs should require that the medical centers and VA headquarters offices we tested and other VA organizations, as appropriate, take the following action to improve accountability of IT equipment inventory and reduce the risk of disclosure of sensitive personal data, medical data, or both. To help minimize the risk of loss, theft, and misappropriation of government IT equipment used in VA operations, the Secretary should establish specific time frames for finalizing a Report of Survey once an inventory has been completed so that research on missing items is completed expeditiously and does not continue indefinitely without meeting formal reporting requirements.

    Agency Affected: Department of Veterans Affairs

    Status: Closed - Implemented

    Comments: In response to our recommendation, as of July 2008, VA had completed actions to establish specific time frames for finalizing Reports of Survey related to the loss, damage, or destruction of government property. VA's Assistant Secretary for Management and the CIO worked together to revise property management policy in VA Handbook 7002, Logistics Management Procedures. Handbook 7002 now requires the Report of Survey process to be completed within 60 days. In July 2008, we followed up on this issue and reported that this recommendation was fully implemented. By implementing our recommendation to establish specific timeframes for completing a Report of Survey, VA has improved its accountability over IT equipment and helped safeguard those assets from theft, loss, and misappropriation.

    Recommendation: The Secretary of Veterans Affairs should require that the medical centers and VA headquarters offices we tested and other VA organizations, as appropriate, take the following action to improve accountability of IT equipment inventory and reduce the risk of disclosure of sensitive personal data, medical data, or both. To help minimize the risk of loss, theft, and misappropriation of government IT equipment used in VA operations, the Secretary should establish a mechanism to monitor adherence by the San Diego and Houston medical centers and other VA organizations, as appropriate, to VA policy for performing annual inventories of sensitive items under $5,000, including IT equipment.

    Agency Affected: Department of Veterans Affairs

    Status: Closed - Implemented

    Comments: In response to our recommendation, as of July 2008, VA had completed actions to establish a mechanism to monitor VA policy for performing annual inventories of sensitive items. VA established the Office of Information Technology Oversight and Compliance in February 2007, responsible for reviewing centers' compliance with established VA policy. VA also established a tiger team in May 2007, which reviewed the results of the VA-wide 2007 physical inventory of IT equipment. In July 2008, we followed up on this issue and reported that this recommendation was fully implemented. By implementing our recommendation to establish a mechanism to monitor VA policy for performing annual inventories of sensitive items, VA has improved its accountability over IT equipment and helped safeguard those assets from theft, loss, and misappropriation.

    Recommendation: The Secretary of Veterans Affairs should require that the medical centers and VA headquarters offices we tested and other VA organizations, as appropriate, take the following action to improve accountability of IT equipment inventory and reduce the risk of disclosure of sensitive personal data, medical data, or both. To help minimize the risk of loss, theft, and misappropriation of government IT equipment used in VA operations, the Secretary should require that information resource management (IRM) and IT Services personnel at the various medical centers be given access to the central property database and be furnished with hand scanners so they can electronically update the property control records, as appropriate, during installation, repair, replacement, and relocation or disposal of IT equipment.

    Agency Affected: Department of Veterans Affairs

    Status: Closed - Implemented

    Comments: In response to our recommendation, as of July 2008, VA granted OIT personnel access to the central property database (AEMS/MERS). Furthermore, in March 2011, VA reported that OI&IT personnel had been furnished with hand scanners to be used to scan equipment during routine maintenance. By implementing our recommendation to require that IRM and IT Services personnel at the various medical centers be given access to the central property database and be furnished with hand scanners, VA improved accountability of IT equipment and helped safeguard those assets from theft, loss, and misappropriation.

    Recommendation: The Secretary of Veterans Affairs should require that the medical centers and VA headquarters offices we tested and other VA organizations, as appropriate, take the following action to improve accountability of IT equipment inventory and reduce the risk of disclosure of sensitive personal data, medical data, or both. To help minimize the risk of loss, theft, and misappropriation of government IT equipment used in VA operations, the Secretary should require physical security personnel to perform inspections of buildings and storage facilities to identify informal and undesignated IT storage locations so that security assessments are performed and corrective actions are implemented, where appropriate.

    Agency Affected: Department of Veterans Affairs

    Status: Closed - Implemented

    Comments: In response to our recommendation, as of July 2008, VA had completed actions to implement new physical security inspection procedures. In September 2007, VA established Handbook 6500, Information Security Program, requiring that the Information Security Officer conduct and document physical security reviews as part of the annual review of the system security plan to help analyze any new or existing physical security vulnerabilities. In July 2008, we followed up on this issue and reported that this recommendation was fully implemented. By implementing our recommendation to implement new physical security inspection procedures, VA has improved its accountability over IT equipment and helped safeguard those assets from theft, loss, and misappropriation.

    Recommendation: To assure inventory accuracy and prompt resolution of inventory discrepancies and improve security of IT equipment and any sensitive data stored on that equipment, the Secretary should require the Chief Information Officer (CIO) to establish a formal policy requiring a review of the results of annual inventories to ensure that IT equipment inventory records are properly updated and no blank fields remain.

    Agency Affected: Department of Veterans Affairs

    Status: Closed - Implemented

    Comments: In response to our recommendation, as of July 2008, VA had completed actions to establish a formal policy requiring a review of the results of annual inventories. VA's Assistant Secretary for Management and the CIO worked together to revise property management policy in a new VA Handbook 7002, Logistics Management Procedures. This revised policy requires the accountable officer to ensure that property records have been updated correctly at the completion of each physical inventory and that no blank fields remain. In July 2008, we followed up on this issue and reported that this recommendation was fully implemented. By implementing our recommendation to ensure that property records have been updated correctly at the completion of each physical inventory, VA has improved its accountability over IT equipment and helped safeguard those assets from theft, loss, and misappropriation.

    Recommendation: To assure inventory accuracy and prompt resolution of inventory discrepancies and improve security of IT equipment and any sensitive data stored on that equipment, the Secretary should require the CIO to establish a process for reviewing Reports of Survey for lost, missing, and stolen IT equipment items to identify systemic weaknesses for appropriate corrective action.

    Agency Affected: Department of Veterans Affairs

    Status: Closed - Implemented

    Comments: In July 2011, the Department of Veterans Affairs (VA) implemented a Reports of Survey (ROS) registry website to replace the manual entry of ROS in spreadsheets. Users enter data about the missing IT equipment such as the item description, serial number, and acquisition cost. The website allows the officials responsible for ROS oversight to review summary reports in their area of responsibility for such items as the total number of ROS on time, completed, and late, and the average number of days to process an ROS. The report also lets the official review ROS by facilities and review each ROS individually. In addition, VA has also established a process to review the ROS during the monthly Information Technology Asset Advisory Group (ITAAG) meetings. The ITAAG reviews the ROS website for trends, including losses of high dollar items or facilities with a large number of lost, missing, or stolen IT items. By implementing a ROS registry website and having the ITAAG review ROS website information on a monthly basis, VA established a process for reviewing ROS for lost, missing, and stolen IT equipment items to identify systemic weaknesses for appropriate corrective action.

    Recommendation: To assure inventory accuracy and prompt resolution of inventory discrepancies and improve security of IT equipment and any sensitive data stored on that equipment, the Secretary should require the CIO to establish and implement a policy requiring IRM personnel and IT coordinators to inform physical security officers of the site of all IT equipment storage locations so that these store rooms can be subjected to required inspections.

    Agency Affected: Department of Veterans Affairs

    Status: Closed - Implemented

    Comments: In response to our recommendation, as of July 2008, VA had completed actions to establish and implement a policy requiring IRM personnel and IT coordinators to inform physical security officers of the site of all IT equipment storage locations. VA's Assistant Secretary for Management and the CIO worked together to revise property management policy in VA Handbook 7002, Logistics Management Procedures. VA Handbook 7002 requires that facilities' Security Management Committees (SMC) develop local strategic security plans as guides to identify physical and procedural security needs. Handbook 7002 requires the IT custodial officer to provide the facility information security officer a list of all IT storage areas and that access to IT equipment storage areas be provided to facility security personnel for use in performing regular inspections. In July 2008, we followed up on this issue and reported that this recommendation was fully implemented. By implementing our recommendation to establish and implement a policy requiring IRM personnel and IT coordinators to inform physical security officers of the site of all IT equipment storage locations, VA has improved its accountability over IT equipment and helped safeguard those assets from theft, loss, and misappropriation.

    Recommendation: To assure inventory accuracy and prompt resolution of inventory discrepancies and improve security of IT equipment and any sensitive data stored on that equipment, the Secretary should require the CIO to establish and implement a policy for reviewing the results of physical security inspections of IT equipment storerooms and ensure that needed corrective actions are completed.

    Agency Affected: Department of Veterans Affairs

    Status: Closed - Implemented

    Comments: In response to our recommendation, as of July 2008, VA had completed actions to establish and implement a policy for reviewing the results of physical security inspections and ensure that needed corrective actions are completed. VA's Assistant Secretary for Management and the CIO worked together to revise property management policy in VA Handbook 7002, Logistics Management Procedures. VA Handbook 7002 provides that the IT custodial officer is to coordinate with the Security Management Committee to develop a plan to address IT-related security requirements identified in the strategic security plan. The Handbook also requires the IT custodial officer to develop a plan to address all corrective actions identified in the Report of Physical Security Inspection of IT Equipment Store Rooms within 10 days of receipt of the report from security personnel. In July 2008, we followed up on this issue and reported that this recommendation was fully implemented. By implementing our recommendation to establish and implement a policy for reviewing the results of physical security inspections and ensure that needed corrective actions are completed, VA has improved its accountability over IT equipment and helped safeguard those assets from theft, loss, and misappropriation.
