Veterans Affairs: Inadequate Controls over IT Equipment at Selected VA Locations Pose Continuing Risk of Theft, Loss, and Misappropriation

GAO-07-505 Published: Jul 16, 2007. Publicly Released: Jul 24, 2007.

Highlights

In July 2004, GAO reported that the six Department of Veterans Affairs (VA) medical centers it audited lacked a reliable property control database and had problems with implementation of VA inventory policies and procedures. Fewer than half the items GAO selected for testing could be located. Most of the missing items were information technology (IT) equipment. Given recent thefts of laptops and data breaches, the requesters were concerned about the adequacy of physical inventory controls over VA IT equipment. GAO was asked to determine (1) the risk of theft, loss, or misappropriation of IT equipment at selected locations; (2) whether selected locations have adequate procedures in place to assure accountability and physical security of IT equipment in the excess property disposal process; and (3) what actions VA management has taken to address identified IT inventory control weaknesses. GAO statistically tested inventory controls at four case study locations.

Recommendations

Recommendations for Executive Action

Agency Affected Recommendation Status
Department of Veterans Affairs The Secretary of Veterans Affairs should require that the medical centers and VA headquarters offices we tested and other VA organizations, as appropriate, take the following action to improve accountability of IT equipment inventory and reduce the risk of disclosure of sensitive personal data, medical data, or both. To help minimize the risk of loss, theft, and misappropriation of government IT equipment used in VA operations, the Secretary should revise VA property management policy and procedures to include detailed requirements for what transactions must be recorded to document inventory events and to clearly establish individual responsibility for recording all essential transactions in the property management process.
Closed – Implemented
In response to our recommendation, as of July 2008, VA had completed actions to revise property management policies and procedures concerning the recording of inventory events. Specifically, VA's Assistant Secretary for Management and the CIO worked together to revise property management policy in VA Handbook 7002, Logistics Management Procedures. Among other things, Handbook 7002 specified required steps for recording of key inventory events, including the recording of IT equipment information upon receipt, changes in item status, and turn-in and disposal. In addition, on July 3, 2008, the Assistant Secretary for Management mandated early implementation of Handbook 7002. In July 2008, we followed up on this issue and reported in Continued Action Needed to Reduce IT Equipment Losses and Correct Control Weaknesses (GAO-08-918), that this recommendation was fully implemented. By implementing our recommendation to revise VA property management policies and procedures concerning the recording of inventory events, VA has improved its accountability over IT equipment and helped safeguard those assets from theft, loss, and misappropriation.
Department of Veterans Affairs The Secretary of Veterans Affairs should require that the medical centers and VA headquarters offices we tested and other VA organizations, as appropriate, take the following action to improve accountability of IT equipment inventory and reduce the risk of disclosure of sensitive personal data, medical data, or both. To help minimize the risk of loss, theft, and misappropriation of government IT equipment used in VA operations, the Secretary should revise VA purchase card policy to require purchase card holders to notify property management officials of IT equipment and other property items acquired with government purchase cards at the time the items are received so that they can be recorded in property management systems.
Closed – Implemented
In response to our recommendation, as of July 2008, VA had completed actions to revise purchase card policy. VA's Assistant Secretary for Management and the CIO worked together to revise property management policy in a new VA Handbook 7002, Logistics Management Procedures. This Handbook requires purchase cardholders to notify the property officer of IT equipment acquired with the purchase card so that these items may be recorded in the property management system. In July 2008, we followed up on this issue and found that this recommendation was fully implemented. By implementing GAO's recommendation to revise VA purchase card policy to require purchase card holders to notify property management officials of IT equipment purchases, VA has improved its accountability over IT equipment and helped safeguard those assets from theft, loss, and misappropriation.
Department of Veterans Affairs The Secretary of Veterans Affairs should require that the medical centers and VA headquarters offices we tested and other VA organizations, as appropriate, take the following action to improve accountability of IT equipment inventory and reduce the risk of disclosure of sensitive personal data, medical data, or both. To help minimize the risk of loss, theft, and misappropriation of government IT equipment used in VA operations, the Secretary should establish procedures to require specific, individual user-level accountability for IT equipment. In implementing this recommendation, consideration should be given to making the unit head, or a designee, accountable for shared IT equipment.
Closed – Implemented
In response to our recommendation, as of July 2008, VA had completed actions to establish new procedures for handling IT equipment. VA's Assistant Secretary for Management and the CIO worked together to revise property management policy in VA Handbook 7002, Logistics Management Procedures. In particular, VA Handbook 7002 established procedures to require specific, individual user-level accountability for IT equipment, including requiring employees to sign for IT equipment assigned exclusively for individual use and department heads or service chiefs to sign for shared IT equipment. In July 2008, we followed up on this issue and reported that this recommendation was fully implemented. By implementing GAO's recommendation to establish procedures to require specific, individual user-level accountability for IT equipment, VA has improved its accountability over IT equipment and helped safeguard those assets from theft, loss, and misappropriation.
Department of Veterans Affairs The Secretary of Veterans Affairs should require that the medical centers and VA headquarters offices we tested and other VA organizations, as appropriate, take the following action to improve accountability of IT equipment inventory and reduce the risk of disclosure of sensitive personal data, medical data, or both. To help minimize the risk of loss, theft, and misappropriation of government IT equipment used in VA operations, the Secretary should enforce user-level accountability and IT coordinator responsibility by taking appropriate disciplinary action, including holding employees financially liable, as appropriate, for lost or missing IT equipment.
Closed – Implemented
In response to our recommendation, as of July 2008, VA had completed actions to enforce user-level accountability, including enhanced provisions for disciplinary actions, for lost or missing IT equipment. VA's Assistant Secretary for Management and the CIO worked together to revise property management policy in VA Handbook 7002, Logistics Management Procedures. In July 2008, we followed up on this issue and reported that this recommendation was fully implemented. VA provided several fiscal year 2008 examples of bills sent to VA personnel for lost and damaged IT equipment items. By implementing GAO's recommendation to enforce user-level accountability and appropriate disciplinary actions for lost or missing IT equipment, VA has improved its accountability over IT equipment inventory and helped safeguard those assets from theft, loss, and misappropriation.
Department of Veterans Affairs The Secretary of Veterans Affairs should require that the medical centers and VA headquarters offices we tested and other VA organizations, as appropriate, take the following action to improve accountability of IT equipment inventory and reduce the risk of disclosure of sensitive personal data, medical data, or both. To help minimize the risk of loss, theft, and misappropriation of government IT equipment used in VA operations, the Secretary should establish specific time frames for finalizing a Report of Survey once an inventory has been completed so that research on missing items is completed expeditiously and does not continue indefinitely without meeting formal reporting requirements.
Closed – Implemented
In response to our recommendation, as of July 2008, VA had completed actions to establish specific time frames for finalizing Reports of Survey related to the loss, damage, or destruction of government property. VA's Assistant Secretary for Management and the CIO worked together to revise property management policy in VA Handbook 7002, Logistics Management Procedures. Handbook 7002 now requires the Report of Survey process to be completed within 60 days. In July 2008, we followed up on this issue and reported that this recommendation was fully implemented. By implementing our recommendation to establish specific timeframes for completing a Report of Survey, VA has improved its accountability over IT equipment and helped safeguard those assets from theft, loss, and misappropriation.
Department of Veterans Affairs The Secretary of Veterans Affairs should require that the medical centers and VA headquarters offices we tested and other VA organizations, as appropriate, take the following action to improve accountability of IT equipment inventory and reduce the risk of disclosure of sensitive personal data, medical data, or both. To help minimize the risk of loss, theft, and misappropriation of government IT equipment used in VA operations, the Secretary should establish a mechanism to monitor adherence by the San Diego and Houston medical centers and other VA organizations, as appropriate, to VA policy for performing annual inventories of sensitive items under $5,000, including IT equipment.
Closed – Implemented
In response to our recommendation, as of July 2008, VA had completed actions to establish a mechanism to monitor VA policy for performing annual inventories of sensitive items. VA established the Office of Information Technology Oversight and Compliance in February 2007, responsible for reviewing centers' compliance with established VA policy. VA also established a tiger team in May 2007, which reviewed the results of the VA-wide 2007 physical inventory of IT equipment. In July 2008, we followed up on this issue and reported that this recommendation was fully implemented. By implementing our recommendation to establish a mechanism to monitor VA policy for performing annual inventories of sensitive items, VA has improved its accountability over IT equipment and helped safeguard those assets from theft, loss, and misappropriation.
Department of Veterans Affairs The Secretary of Veterans Affairs should require that the medical centers and VA headquarters offices we tested and other VA organizations, as appropriate, take the following action to improve accountability of IT equipment inventory and reduce the risk of disclosure of sensitive personal data, medical data, or both. To help minimize the risk of loss, theft, and misappropriation of government IT equipment used in VA operations, the Secretary should require that information resource management (IRM) and IT Services personnel at the various medical centers be given access to the central property database and be furnished with hand scanners so they can electronically update the property control records, as appropriate, during installation, repair, replacement, and relocation or disposal of IT equipment.
Closed – Implemented
In response to our recommendation, as of July 2008, VA granted OIT personnel access to the central property database (AEMS/MERS). Furthermore, in March 2011, VA reported that OI&IT personnel had been furnished with hand scanners to be used to scan equipment during routine maintenance. By implementing our recommendation to require that IRM and IT Services personnel at the various medical centers be given access to the central property database and be furnished with hand scanners, VA improved accountability of IT equipment and helped safeguard those assets from theft, loss, and misappropriation.
Department of Veterans Affairs The Secretary of Veterans Affairs should require that the medical centers and VA headquarters offices we tested and other VA organizations, as appropriate, take the following action to improve accountability of IT equipment inventory and reduce the risk of disclosure of sensitive personal data, medical data, or both. To help minimize the risk of loss, theft, and misappropriation of government IT equipment used in VA operations, the Secretary should require physical security personnel to perform inspections of buildings and storage facilities to identify informal and undesignated IT storage locations so that security assessments are performed and corrective actions are implemented, where appropriate.
Closed – Implemented
In response to our recommendation, as of July 2008, VA had completed actions to implement new physical security inspection procedures. In September 2007, VA established Handbook 6500, Information Security Program, requiring that the Information Security Officer conduct and document physical security reviews as part of the annual review of the system security plan to help analyze any new or existing physical security vulnerabilities. In July 2008, we followed up on this issue and reported that this recommendation was fully implemented. By implementing our recommendation to implement new physical security inspection procedures, VA has improved its accountability over IT equipment and helped safeguard those assets from theft, loss, and misappropriation.
Department of Veterans Affairs To assure inventory accuracy and prompt resolution of inventory discrepancies and improve security of IT equipment and any sensitive data stored on that equipment, the Secretary should require the Chief Information Officer (CIO) to establish a formal policy requiring a review of the results of annual inventories to ensure that IT equipment inventory records are properly updated and no blank fields remain.
Closed – Implemented
In response to our recommendation, as of July 2008, VA had completed actions to establish a formal policy requiring a review of the results of annual inventories. VA's Assistant Secretary for Management and the CIO worked together to revise property management policy in a new VA Handbook 7002, Logistics Management Procedures. This revised policy requires the accountable officer to ensure that property records have been updated correctly at the completion of each physical inventory and that no blank fields remain. In July 2008, we followed up on this issue and reported that this recommendation was fully implemented. By implementing our recommendation to ensure that property records have been updated correctly at the completion of each physical inventory, VA has improved its accountability over IT equipment and helped safeguard those assets from theft, loss, and misappropriation.
Department of Veterans Affairs To assure inventory accuracy and prompt resolution of inventory discrepancies and improve security of IT equipment and any sensitive data stored on that equipment, the Secretary should require the CIO to establish a process for reviewing Reports of Survey for lost, missing, and stolen IT equipment items to identify systemic weaknesses for appropriate corrective action.
Closed – Implemented
In July 2011, the Department of Veterans Affairs (VA) implemented a Reports of Survey (ROS) registry website to replace the manual entry of ROS in spreadsheets. Users enter data about the missing IT equipment such as the item description, serial number, and acquisition cost. The website allows the officials responsible for ROS oversight to review summary reports in their area of responsibility for such items as the total number of ROS on time, completed, and late, and the average number of days to process an ROS. The report also lets the official review ROS by facility and review each ROS individually. In addition, VA has established a process to review the ROS during the monthly Information Technology Asset Advisory Group (ITAAG) meetings. The ITAAG reviews the ROS website for trends, including losses of high dollar items or facilities with a large number of lost, missing, or stolen IT items. By implementing a ROS registry website and having the ITAAG review ROS website information on a monthly basis, VA established a process for reviewing ROS for lost, missing, and stolen IT equipment items to identify systemic weaknesses for appropriate corrective action.
Department of Veterans Affairs To assure inventory accuracy and prompt resolution of inventory discrepancies and improve security of IT equipment and any sensitive data stored on that equipment, the Secretary should require the CIO to establish and implement a policy requiring IRM personnel and IT coordinators to inform physical security officers of the site of all IT equipment storage locations so that these store rooms can be subjected to required inspections.
Closed – Implemented
In response to our recommendation, as of July 2008, VA had completed actions to establish and implement a policy requiring IRM personnel and IT coordinators to inform physical security officers of the site of all IT equipment storage locations. VA's Assistant Secretary for Management and the CIO worked together to revise property management policy in VA Handbook 7002, Logistics Management Procedures. VA Handbook 7002 requires that facilities' Security Management Committees (SMC) develop local strategic security plans as guides to identify physical and procedural security needs. Handbook 7002 requires the IT custodial officer to provide the facility information security officer a list of all IT storage areas and that access to IT equipment storage areas be provided to facility security personnel for use in performing regular inspections. In July 2008, we followed up on this issue and reported that this recommendation was fully implemented. By implementing our recommendation to establish and implement a policy requiring IRM personnel and IT coordinators to inform physical security officers of the site of all IT equipment storage locations, VA has improved its accountability over IT equipment and helped safeguard those assets from theft, loss, and misappropriation.
Department of Veterans Affairs To assure inventory accuracy and prompt resolution of inventory discrepancies and improve security of IT equipment and any sensitive data stored on that equipment, the Secretary should require the CIO to establish and implement a policy for reviewing the results of physical security inspections of IT equipment storerooms and ensure that needed corrective actions are completed.
Closed – Implemented
In response to our recommendation, as of July 2008, VA had completed actions to establish and implement a policy for reviewing the results of physical security inspections and ensure that needed corrective actions are completed. VA's Assistant Secretary for Management and the CIO worked together to revise property management policy in VA Handbook 7002, Logistics Management Procedures. VA Handbook 7002 provides that the IT custodial officer is to coordinate with the Security Management Committee to develop a plan to address IT-related security requirements identified in the strategic security plan. The Handbook also requires the IT custodial officer to develop a plan to address all corrective actions identified in the Report of Physical Security Inspection of IT Equipment Store Rooms within 10 days of receipt of the report from security personnel. In July 2008, we followed up on this issue and reported that this recommendation was fully implemented. By implementing our recommendation to establish and implement a policy for reviewing the results of physical security inspections and ensure that needed corrective actions are completed, VA has improved its accountability over IT equipment and helped safeguard those assets from theft, loss, and misappropriation.

Full Report

GAO Contacts

Media Inquiries

Sarah Kaczmarek
Managing Director
Office of Public Affairs

Topics

Accountability, Equipment inventories, Federal property management, Information technology, Internal controls, Inventory control, Inventory control systems, Physical security, Property and supply management, Property losses, Records management, Risk assessment, Veterans hospitals, Policies and procedures