Veterans Affairs: Leadership Needed to Address Information
Security Weaknesses and Privacy Issues (14-JUN-06, GAO-06-866T).

The recent information security breach at the Department of
Veterans Affairs (VA), in which personal data on millions of
veterans were compromised, has highlighted the importance of the
department's security weaknesses, as well as the ability of
federal agencies to protect personal information. Robust federal
security programs are critically important to properly protect
this information and the privacy of individuals. GAO was asked to
testify on VA's information security program, ways that agencies
can prevent improper disclosures of personal information, and
issues concerning notifications of privacy breaches. In preparing
this testimony, GAO drew on its previous reports and testimonies,
as well as on expert opinion provided in congressional testimony
and other sources.
-------------------------Indexing Terms-------------------------
REPORTNUM:   GAO-06-866T
    ACCNO:   A55527
    TITLE:   Veterans Affairs: Leadership Needed to Address
             Information Security Weaknesses and Privacy Issues
     DATE:   06/14/2006
  SUBJECT:   Computer security
             Information disclosure
             Information leaking
             Information security
             Information security management
             Right of privacy
             Veterans
             Internal controls
             System vulnerabilities
             Personal information

GAO-06-866T


                 United States Government Accountability Office

GAO

Testimony

Before the Committee on Veterans' Affairs, House of Representatives

For Release on Delivery
Expected at 10:30 a.m. EDT
June 14, 2006

                                VETERANS AFFAIRS

Leadership Needed to Address Information Security Weaknesses and Privacy Issues

Statement of Linda D. Koontz
Director, Information Management Issues

and

Gregory C. Wilshusen
Director, Information Security Issues

  GAO-06-866T

VETERANS AFFAIRS

Leadership Needed to Address Information Security Weaknesses and Privacy Issues

  What GAO Found

For many years, significant concerns have been raised about VA's
information security--particularly its lack of a robust information
security program, which is vital to avoiding the compromise of government
information, including sensitive personal information. Both GAO and the
department's inspector general have reported recurring weaknesses in such
areas as access controls, physical security, and segregation of
incompatible duties. The department has taken steps to address these
weaknesses, but these have not been sufficient to establish a
comprehensive information security program. For example, it is still
developing plans to complete a security incident response program to
monitor suspicious activity and cyber alerts, events, and incidents.
Without an established and implemented security program, the department
will continue to have major challenges in protecting its information and
information systems from security breaches such as the one it recently
experienced.

In addition to establishing robust security programs, agencies can take a
number of actions to help guard against the possibility that databases of
personally identifiable information are inadvertently compromised. A key
step is to develop a privacy impact assessment--an analysis of how
personal information is collected, stored, shared, and managed--whenever
information technology is used to process personal information. In
addition, agencies can take more specific practical measures aimed at
preventing data breaches, including limiting the collection of personal
information, limiting the time that such data are retained, limiting
access to personal information and training personnel accordingly, and
considering the use of technological controls such as encryption when data
need to be stored on portable devices.

When data breaches do occur, notification of those affected and/or the
public has clear benefits, allowing people the opportunity to protect
themselves from identity theft. Although existing laws do not require
agencies to notify the public of data breaches, such notification is
consistent with agencies' responsibility to inform individuals about how
their information is being accessed and used, and it promotes
accountability for privacy protection. That said, care is needed in
defining appropriate criteria for triggering notification. Notices should
be coordinated with law enforcement to avoid impeding ongoing
investigations, and in order to be effective, notices should be easy to
understand. Because of the possible adverse impact of a compromise of
personal information, it is critical that people fully understand the
threat and their options for addressing it.

Strong leadership, sustained management commitment and effort, disciplined
processes, and consistent oversight will be needed for VA to address its
persistent, long-standing control weaknesses.
