Information Security: Leadership Needed to Address Weaknesses and
Privacy Issues at Veterans Affairs (20-JUN-06, GAO-06-897T).	 
                                                                 
The recent information security breach at the Department of	 
Veterans Affairs (VA), in which personal data on millions of	 
veterans were compromised, has highlighted the importance of the 
department's security weaknesses, as well as the ability of	 
federal agencies to protect personal information. Robust federal 
security programs are critically important to properly protect	 
this information and the privacy of individuals. GAO was asked to
testify on VA's information security program, ways that agencies 
can prevent improper disclosures of personal information, and	 
issues concerning notifications of privacy breaches. In preparing
this testimony, GAO drew on its previous reports and testimonies,
as well as on expert opinion provided in congressional testimony 
and other sources.						 
-------------------------Indexing Terms------------------------- 
REPORTNUM:   GAO-06-897T					        
    ACCNO:   A55740						        
  TITLE:     Information Security: Leadership Needed to Address       
Weaknesses and Privacy Issues at Veterans Affairs		 
     DATE:   06/20/2006 
  SUBJECT:   Computer security					 
	     Information disclosure				 
	     Information leaking				 
	     Information security				 
	     Information security management			 
	     Internal controls					 
	     Right of privacy					 
	     System vulnerabilities				 
	     Veterans						 
	     Personal information				 

******************************************************************
** This file contains an ASCII representation of the text of a  **
** GAO Product.                                                 **
**                                                              **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced.  Tables are included, but    **
** may not resemble those in the printed version.               **
**                                                              **
** Please see the PDF (Portable Document Format) file, when     **
** available, for a complete electronic file of the printed     **
** document's contents.                                         **
**                                                              **
******************************************************************
GAO-06-897T

     

     * Results in Brief
     * Background
          * Key Laws Govern Agency Security and Privacy Practices
          * Interest in Data Breach Notification Legislation Has Increas
     * VA's Information Security Is Weak
          * VA's Information Security Weaknesses Are Long Standing
          * VA's Efforts to Address Information Security Weaknesses Have
     * Agencies Can Take Steps to Reduce the Likelihood That Person
          * Conduct Privacy Impact Assessments
          * Employ Measures to Prevent Inadvertent Data Breaches
     * Public Notification of Data Breaches Has Clear Benefits as W
          * Concerns Have Been Raised About the Criteria for Issuing Not
          * Effective Notices Should Provide Useful Information and Be E
     * Contacts and Acknowledgments
     * Attachment 1: Selected GAO Products
          * Products Related to VA Information Security
          * Products Related to Privacy Issues
     * Attachment 2. Chronology of Information Security Weaknesses
     * PDF6-Ordering Information.pdf
          * Order by Mail or Phone

Messers. Chairmen and Members of the Subcommittees:

Thank you for inviting us to participate in today's hearing on information
security and privacy at the Department of Veterans Affairs (VA). For many
years, we have identified information security as a governmentwide
high-risk issue1 and emphasized its criticality for protecting the
government's information assets. The recent security breach at VA,
involving the loss of personal data on millions of veterans, also raises
important questions about the protection of personally identifiable
information.2

Today we will first address VA's information security program, including
weaknesses reported by us and others, as well as actions that VA has taken
to address past recommendations in this area. We will then discuss
potential measures that federal agencies can take to help limit the
likelihood of personal information being compromised. Finally, we will
highlight key benefits and challenges associated with effectively
notifying the public about security breaches.

To describe VA's information security weaknesses, we reviewed our previous
work in this area, as well as reports by VA's inspector general (IG) and
others. To determine the implementation status of our open
recommendations, we analyzed VA documentation and met with officials from
VA, including security and IG officials. To address measures that agencies
can take to help limit the likelihood of personal information being
compromised, we identified and summarized issues raised by experts in
congressional testimony and in our previous reports, including our recent
work regarding the federal government's use of personal information from
companies known as information resellers.3 To identify benefits and
challenges associated with effectively notifying the public about security
breaches, we reviewed our previous work in this area. We conducted the
work for our previous reports in accordance with generally accepted
government auditing standards. To provide additional information on our
previous work related to VA security issues and to privacy, we have
included, as an attachment, a list of pertinent GAO publications.

1 GAO, High-Risk Series: An Update, GAO-05-207 (Washington, D.C.: January
2005) and Information Security: Weaknesses Persist at Federal Agencies
Despite Progress Made in Implementing Related Statutory Requirements,
GAO-05-552 (Washington, D.C.: July 15, 2005).

2 For purposes of this testimony, the term personal information
encompasses all information associated with an individual, including both
identifiable and nonidentifying information. Personally identifiable
information, which can be used to locate or identify an individual,
includes such things as names, aliases, and Social Security numbers.
Nonidentifying personal information includes such things as age,
education, finances, criminal history, physical attributes, and gender.

                                Results in Brief

Significant concerns have been raised over the years about VA's
information security-particularly its lack of a robust information
security program, which is vital to avoiding the compromise of government
information. We have previously reported on wide-ranging deficiencies in
VA's information security controls.4 For example, the department lacked
effective controls to prevent individuals from gaining unauthorized access
to VA systems and sensitive information, and it had not consistently
provided adequate physical security for its computer facilities, assigned
duties in a manner that segregated incompatible functions, controlled
changes to its operating systems, or updated and tested its disaster
recovery plans. These deficiencies existed, in part, because VA had not
fully implemented key components of a comprehensive, integrated
information security program. Although VA has taken steps to implement
components of its security program, its efforts have not been sufficient
to effectively protect its information and information systems. As a
result, sensitive information, including personally identifiable
information, remains vulnerable to inadvertent or deliberate misuse, loss,
or improper disclosure, as the recent breach demonstrates.

3 GAO, Personal Information: Agency and Reseller Adherence to Key Privacy
Principles, GAO-06-421 (Washington: D.C.: Apr. 4, 2006).

4 See attachment 1.

In addition to establishing a robust information security program,
agencies can take a number of actions to help protect personally
identifiable information from compromise. A key step is to develop a
privacy impact assessment-an analysis of how personal information is
collected, stored, shared, and managed in a federal information
system-whenever information technology is used to process personal
information. In addition, specific practical measures aimed at preventing
inadvertent data breaches include limiting the collection of personal
information, limiting data retention, limiting access to personal
information and training personnel accordingly, and considering the use of
technological controls such as encryption when data need to be stored on
portable devices.

When data breaches do occur, notification to the individuals affected
and/or the public has clear benefits, allowing people the opportunity to
take steps to protect themselves against the dangers of identity theft. It
is also consistent with agencies' responsibility to inform individuals
about how their information is being accessed and used, and promotes
accountability for its protection. If agencies are required to report
security breaches to the public, care will be needed to develop
appropriate criteria for incidents that require notification. Care is also
needed to ensure that notices are useful and easy to understand, so that
they are effective in alerting individuals to actions they may want to
take to minimize the risk of identity theft.

We have made recommendations previously to VA regarding information
security and to the Office of Management and Budget (OMB) and agencies
regarding privacy issues, including the conduct of privacy impact
assessments. In addition, we have previously testified that the Congress
should consider setting specific reporting requirements for agencies as
part of its consideration of security breach legislation. Further, the
Congress should consider requiring OMB to provide guidance to agencies on
how to develop and issue security breach notices to affected individuals.

                                   Background

Since the early 1990s, increasing computer interconnectivity-most notably
growth in the use of the Internet-has revolutionized the way that our
government, our nation, and much of the world communicate and conduct
business. The benefits have been enormous, but without proper safeguards
in the form of appropriate information security, this widespread
interconnectivity also poses significant risks to the government's
computer systems and the critical operations and infrastructures they
support.

In prior reviews we have repeatedly identified weaknesses in almost all
areas of information security controls at major federal agencies,
including VA, and we have identified information security as a high risk
area across the federal government since 1997. In July 2005, we reported
that pervasive weaknesses in the 24 major agencies' information security
policies and practices threatened the integrity, confidentiality, and
availability of federal information and information systems.5 As we
reported, although federal agencies showed improvement in addressing
information security, they also continued to have significant control
weaknesses that put federal operations and assets at risk of inadvertent
or deliberate misuse, financial information at risk of unauthorized
modification or destruction, sensitive information at risk of
inappropriate disclosure, and critical operations at risk of disruption.
These weaknesses existed primarily because agencies had not yet fully
implemented strong information security programs, as required by the
Federal Information Security Management Act (FISMA).

The significance of these weaknesses led us to conclude in the audit of
the federal government's fiscal year 2005 financial statements6 that
information security was a material weakness.7 Our audits also identified
instances of similar types of weaknesses in nonfinancial systems.
Weaknesses continued to be reported in each of the major areas of general
controls: that is, the policies, procedures, and technical controls that
apply to all or a large segment of an entity's information systems and
help ensure their proper operation.8

5 GAO, Information Security: Weaknesses Persist at Federal Agencies
Despite Progress Made in Implementing Related Statutory Requirements,
GAO-05-552 (Washington, D.C.: July 15, 2005).

6 U.S. Department of the Treasury, Financial Report of the United States
Government 2005 (Washington, D.C.: 2005).

To fully understand the significance of the weaknesses we identified, it
is necessary to link them to the risks they present to federal operations
and assets. Virtually all federal operations are supported by automated
systems and electronic data, without which agencies would find it
difficult, if not impossible, to carry out their missions and account for
their resources. The following examples show the broad array of federal
operations and assets placed at risk by information security weaknesses:

           0M Resources, such as federal payments and collections, could be
           lost or stolen.
           0M Computer resources could be used for unauthorized purposes or
           to launch attacks on others.
           0M Personal information, such as taxpayer data, social security
           records, and medical records, and proprietary business information
           could be inappropriately disclosed, browsed, or copied for
           purposes of identity theft, industrial espionage, or other types
           of crime.
           0M Critical operations, such as those supporting national defense
           and emergency services, could be disrupted.
           0M Data could be modified or destroyed for purposes of fraud,
           theft of assets, or disruption.
           0M Agency missions could be undermined by embarrassing incidents
           that result in diminished confidence in their ability to conduct
           operations and fulfill their fiduciary responsibilities. The
           potential disclosure of personal information raiseid

           the fraudulent use of another person's identifying
           information-such as Social Security number, date of birth, or
           mother's maiden name-to establish credit, run up debt, or take
           over existing financial accounts. According to identity theft
           experts, individuals whose identities have been stolen can spend
           months or yearsthousands of dollars clearing their names. Some
           individuals have lost job opportunities, been refused loans, or
           even been arrested focrimes they did not commit as a result of
           identity theft. The FederTrade Commission (FTC) reported in 2005
           that identity theft represented about 40 percent of all the
           consumer fraud complaints it received during each of the last 3
           calendar years. Beyond thserious issues surrounding identity
           theft, the unauthorized disclosure of personal information also
           represents a breach of individuals' privacy rights to have control
           over their own information and to be aware of who has access to
           this informaturity and Privacy Practices

7 A material weakness is a condition that precludes the entity's internal
control from providing reasonable assurance that misstatements, losses, or
noncompliance that is material in relation to the financial statements or
to stewardship information would be prevented or detected on a timely
basis.

8 The main areas of general controls are an agencywide security program,
access controls, software change controls, segregation of duties, and
continuity of operations planning.

Federal agencies are subject to security and privacy laws aimed in part at
preventing security breach

enable identity theft. FISMA is the primary l

information in the context of securing federal agency informatioand
information systems. The act defines federal requirements fosecuring
information and information systems that support federalagency operations
and assets.9 Under FISMA, agencies are requiredto provide sufficient
safeguards to cost-effectively protect their information and information
systems from unauthorized access, usedisclosure, disruption, modification,
or destruction, including controls necessary to preserve authorized
restrictions on access and disclosure (and thus to protect personal
privacy, among other things). The act requires each agency to develop,
document, and implement an agencywide information security program to
prosecurity for the information and information systems that supportthe
operations and assets of the agency, including those provided ormanaged by
another agency, contractor, or other source. FISMA describes a
comprehensive information security pr

9 FISMA, Title III, E-Government Act of 2002, Pub. L. 107-347 (Dec. 17,
2002).

periodic assessments of the risk an

           modification, or destruction of information or information
           systems; risk-based policies and procedures that cost-effectively
           reduce risto an acceptable level and ensure that security is
           addressed
           throughout the life cycle of each information system; security
           awareness training for agency personnel, including contractors and
           other users of information systems th
           operations and assets of the agency; periodic testing and
           evaluation of the effectiveness of information security policies,
           procedures, and pra
           0M a process for planning, implementing, evaluating, and
           documentingremedial action to address any deficiencies th
           and milestones; and procedures for detecting, reporting, and
           responding to security incidents.
           In particulaa

           (1) confidentiality, which is the risk associated with
           unauthorizeddisclosure of the information; (2) integrity, the risk
           of unauthorized modification or destruction of the information;
           and (3) availability, which is the risk of disruption of access to
           or use of information. Thus, each agency should assess the risk
           associated with personal data held by the agency and develop
           appropriate protections. The agency can use this risk assessment
           to determine the appropriate controls (operational, technical, and
           managerial) th

           will reduce the risk to an acceptably low level. For examplagency
           assesses the confidentiality risk of the personal informationas
           high, the agency could create control mechanisms to help protethe
           data from unauthorized disclosure. Besides appropriate
           policies,these controls would include access controls and
           monitoring systems: Access con

           grant employees the authority to read or modify only the
           information the employees need to perform their duties. In
           additionaccess controls can limit the activities that an employee
           cperform on data. For example, an employee may be given the right
           to read data, but not to modify or copy it. Assignment of
           rightpermissions must be carefully considered to avoid giving
           users unnecessary access to sensitive files and directories. To
           ensure that controls are, in fact, implemented and that no
           violations have occurred, agencies need to monitor co
           security policies and investigate security violations. It is
           crucidetermine what, when, and by whom specific actions are taken
           on a system. Organizations accomplish this by implementing system
           or security software that provides an audit trail that they can
           use to determine the source of a transaction or attempted
           transaction andto monitor users' activities. The way in which
           organizations configure system or security software determines the
           nature and extent of information that can be provided by the audit
           trail. effective, organizations should configure their software to
           collect and maintain audit trails that are sufficient to track
           security events. A comprehensive security program of the type
           described is a p

           held by agencies. In addition, agencies are subject to
           requiremspecifically related to personal privacy protection, which
           come primarily from two laws, the Privacy Act of 1974 and the
           E-Government Act of 2002. The Privacy Act places lim

           of records. The act describes a "record" as any item,
           collectgrouping of information about an individual that is
           maintained by anagency and contains his or her name or another
           personal identifier.It also defines "system of records" as a group
           of records under the control of any agency from which information
           is retrieved by the name of the individual or by an individual
           identifier. The Privacy Acrequires that when agencies establish or
           make changes to a systemof records, they must notify the public by
           a "system-of-records notice": that is, a notice in the Federal
           Register identifying, among other things, the type of data
           collected, the types of individuals about whom information is
           collected, the intended "routine" uses odata, and procedures that
           individuals can use to review and corrpersonal information.10
           Among other provisions, the act also requires agencies to define
           and limit themselves to specific predefined purposes. The
           provisions of the Privacy Act are consistent with and largebased
           on a

           of personal information, known as the Fair Information
           Practices,which have been widely adopted as a standard benchmark
           for evaluating the adequacy of privacy protections; they include
           such principles as openness (keeping the public informed about
           privpolicies and practices) and accountability (those controlling
           the collection or use of personal information should be
           accountable fortaking steps to ensure the implementation of these
           principles). The E-Government Act of 2002 strives to enhance
           protection for

           requiring that agencies conduct privacy impact assessments (PIAPIA
           is an analysis of how personal information is collected, stshared,
           and managed in a federal system. More specifically, according to
           OMB guidance,12 a PIA is to (1) ensure that handling conforms to
           applicable legal, regulatory, and policy requiremregarding
           privacy; (2) determine the risks and effects of
           collectingmaintaining, and disseminating information in
           identifiable form in an electronic information system; and (3)
           examine and evaluate protections and alternative processes for
           handling information to mitigate potential privacy risks. To the
           extent that PIAs are madepublicly available,13 they provide
           explanations to the public about such things as the information
           that will be collected, why it is beincollected, how it is to be
           used, and how the system and data will bmaintained and protected.

10 Under the Privacy Act of 1974, the term "routine use" means (with
respect to the disclosure of a record) the use of such a record for a
purpose that is compatible with the purpose for which it was collected. 5
U.S.C. S: 552a(a)(7).

11 These principles were first proposed in 1973 by a U.S. government
advisory committee; they were intended to address what the committee
termed a poor level of protection afforded to privacy under contemporary
law. Congress used the committee's final report as a basis for crafting
the Privacy Act of 1974. See U.S. Department of Health, Education, and
Welfare, Records, Computers and the Rights of Citizens: Report of the
Secretary's Advisory Committee on Automated Personal Data Systems
(Washington, D.C.: July 1973).

12 Office of Management and Budget, OMB Guidance for Implementing the
Privacy Provisions of the E-Government Act of 2002, M-03-22 (Washington,
D.C.: Sept. 26, 2003).

Federal laws to date have not required breaches to the public,14 although breac

important role in the context of security breaches in the private sector.
For example, requirements of California state law led ChoicePoint, a large
information reseller,15 to notify its customera security breach in
February 2005. Since the ChoicePoint notification, bills were introduced
in at least 44 states and enacted in at least 2916 that require some form
of notification upon abreach. A numbe

incidents at other firms. In March 2005, the House Subcommittee
onCommerce, Trade, and Consumer Protection of the House Energyand Commerce
Committee held a hearing entitled "Protecting Consumers' Data: Policy
Issues Raised by ChoicePoint," which focused on potential remedies for
security and privacy concernregarding information resellers. Similar
hearings were held by thHouse Energy and Commerce Committee and by the
U.S. Senate Committee on Commerce, Science, and Transportation in spring
2005. Severa

13 The E-Government Act requires agencies, if practicable, to make privacy
impact assessments publicly available through agency Web sites,
publication in the Federal Register, or by other means. Pub. L. 107-347,
S: 208(b)(1)(B)(iii).

14 At least one agency has developed its own requirement for breach
notification. Specifically, the Department of Defense instituted a policy
in July 2005 requiring notification to affected individuals when protected
personal information is lost, stolen, or compromised.

15 Information resellers are companies that collect information, including
personal information about consumers, from a wide variety of sources for
the purpose of reselling such information to their customers, which
include both private-sector businesses and government agencies. For
additional information, see GAO-06-421 .

16 States that have enacted breach notification laws include Arizona,
Arkansas, Colorado, Connecticut, Delaware, Florida, Georgia, Idaho,
Illinois, Indiana, Kansas, Louisiana, Maine, Minnesota, Montana, Nebraska,
Nevada, New Jersey, New York, North Carolina, North Dakota, Ohio,
Pennsylvania, Rhode Island, Tennessee, Texas, Utah, Washington, and
Wisconsin.

national requirement for companies that maintain personal information to
notify the public of security breaches. In May 20DATA was amended to also
require federal agencies to notifcitizens and residents of the United
States whose personal information is acquired by an unauthorized person as
a result osecurity breach. Other bills under consideration also
includagencies. For example, the Notification of Risk to Personal Data
Act18 would require federal agencies as well as any "persons engaged in
interstate commerce" to disclose security breaches involving unauthorized
acquisition of personal data.

                       Our previous repoweaknesses in VA

the Veterans Benefits Administration. Although the departtaken steps to
address these weaknesses, they have not been sufficient to fully implement
a comprehensive, integrated information security program and to fully
protect VA's informaand information systems. As a result, these remain at
risk.

17 H.R. 4127; introduced by Representative Clifford B. Stearns on October
25, 2005.

18 S. 751; introduced by Senator Dianne Feinstein on April 11, 2005.

VA's Information Security Weaknesses Are Long Standing

In carrying out its mission of providing health care and benefits to
veterans, VA relies on a vast array of computer systems and
telecommunications networks to support its operations and store sensitive
information, including personal information on veterans. VA's networks are
highly interconnected, its systems support many users, and the department
has increasingly moved to more interactive, Web-based services to better
meet the needs of its customers. Effectively securing these computer
systems and networks is critical to the department's ability to safeguard
its assets, maintain the confidentiality of sensitive veterans' health and
disability benefits information, and ensure the integrity of its financial
data.

In this complex IT environment, VA has faced long-standing challenges in
achieving effective information security across the department. Our
reviews19 identified wide-ranging, often recurring deficiencies in the
department's information security controls (attachment 2 provides further
detail on our reports and the areas of weakness they discuss). Examples of
areas of deficiency include the following.

           0M Access authority was not appropriately controlled. A basic
           management objective for any organization is to protect the
           resources that support its critical operations from unauthorized
           access. Electronic access controls are intended to prevent, limit,
           and detect unauthorized access to computing resources, programs,
           and information and include controls related to user accounts and
           passwords, user rights and file permissions, logging and
           monitoring of security-relevant events, and network management.
           Inadequate controls diminish the reliability of computerized
           information and increase the risk of unauthorized disclosure,
           modification, and destruction of sensitive information and
           disruption of service.

           However, VA had not established effective electronic access
           controls to prevent individuals from gaining unauthorized access
           to its systems and sensitive data, as the following examples
           illustrate:

                        0M User accounts and passwords: In 1998, many user
                        accounts at four VA medical centers and data centers
                        had weaknesses including passwords that could be
                        easily guessed, null passwords, and passwords that
                        were set to never expire. We also found numerous
                        instances where medical and data center staff members
                        were sharing user IDs and passwords.
                        0M User rights and permissions: We reported in 2000
                        that three VA health care systems were not ensuring
                        that user accounts with broad access to financial and
                        sensitive veteran information had proper
                        authorization for such access, and were not reviewing
                        these accounts to determine if their level of access
                        remained appropriate.
                        0M Logging and monitoring of security-related events:
                        In 1998, VA did not have any departmentwide guidance
                        for monitoring both successful and unsuccessful
                        attempts to access system files containing key
                        financial information or sensitive veteran data, and
                        none of the medical and data centers we visited were
                        actively monitoring network access activity. In 1999,
                        we found that one data center was monitoring failed
                        access attempts, but was not monitoring successful
                        accesses to sensitive data and resources for unusual
                        or suspicious activity.
                        0M Network management: In 2000, we reported that one
                        of the health care systems we visited had not
                        configured a network parameter to effectively prevent
                        unauthorized access to a network system; this same
                        health care system had also failed to keep its
                        network system software up to date.

           0M Physical security controls were inadequate. Physical security
           controls are important for protecting computer facilities and
           resources from espionage, sabotage, damage, and theft. These
           controls restrict physical access to computer resources, usually
           by limiting access to the buildings and rooms in which the
           resources are housed and by periodically reviewing the access
           granted, in order to ensure that access continues to be
           appropriate. VA had weaknesses in the physical security for its
           computer facilities. For example, in our 1998 and 2000 reports, we
           stated that none of the VA facilities we visited were adequately
           controlling access to their computer rooms. In addition, in 1998
           we reported that sensitive equipment at two facilities was not
           adequately protected, increasthe risk of disruption to computer
           operations or network communications. E
           duties. Segregation of duties refers to the policies, procedures,
           aorganizational structures that help ensure that one individual
           cannotindependently control all key aspects of a process or
           computer-related operation. Dividing duties among two or more
           individualorganizational groups diminishes the likelihood that
           errors and wrongful acts will go undetected, because the
           activities of one individual or group will serve as a check on the
           activities of the other. We determined that VA did not assign
           employee duties anresponsibilities in a manner that segregated
           incompatible functionamong individuals or groups of individuals.
           For example, in 1998 we reported that some system programmers also
           had security administrator privileges, giving them the ability to
           eliminateevidence of their activity in the system. In 2000, we
           reported thattwo VA health care systems allowed some employees to
           request, approve, and receive medical items without management
           approvaviolating both basic segregation of duties principles and
           VA policy; in addition, no mitigating controls were found to alert
           management of purchases made in this manner. S
           implemented. It is important to ensure that only authorized tested
           systems are placed in operation. To ensure that changes to systems
           are necessary, work as intended, and do not result in the loss of
           data or program integrity, such changes should be documented,
           authorized, tested, and independently reviewfound that VA did not
           adequately control changes to its operating systems. For example,
           in 1998 we reported that one VA data centerhad not established
           detailed written procedures or formal guidance for modifying
           operating system software, for approving and testing operating
           system software changes, or for implementing these changes. The
           data center had made more than 100 system softwchanges during
           fiscal year 1997, but none of the changes included evidence of
           testing, independent review, or acceptance. We reportein 2000 that
           two VA health care systems had not established procedures for
           periodically reviewing changes to standard application programs to
           ensure that only authorized programwas implemented.  S
           protecting data and programs from misuse, organizations must
           ensure that they are adequately prepared to cope with a loss of
           operational capability due to earthquakes, fires, accidents,
           saboor any other disruption. An essential element in preparing for
           such catastrophes is an up-to-date, detailed, and fully tested
           service continuity plan. Such a plan is critical for helping to
           ensure thatinformation system operations and data can be promptly
           restorethe event of a disaster. We reported that VA had not
           completed or tested service continuity plans for several systems.
           For example, in1998 we reported that one VA data center had 17
           individual disaster recovery plans covering various segments of
           the organization, but it did not have an overall document that
           integrated the 17 separate plans and defined the roles and
           responsibilities for the disaster recovery teams. In 2000, we
           determined that the service continuplans for two of the three
           health care systems we visited did not include critical elements
           such as detailed recovery procedures, provisions for restoring
           mission-critical systems, and a list of keycontacts; in addition,
           none of the health care systems we visited were fully testing
           their service continuity plans. T

           key components of a comprehensive computer security program.
           Specifically, VA's computer security efforts lacked

                        0M regular, periodic assessments of risk;
                        0M security policies and procedures that a
                        VA's interconnected environment; an ongoing security
                        monitoring pro
                        investigate unauthorized, unusual, or suspicious
                        access aand
                        0M a process to measure, test, and report on the
                        continued effectiveness of computer system, network,
                        and process controls.

           As a result, we made a number of recommendations in 2002 that were
           aimed at improving VA's security management.20 Among the primary
           elements of these recommendations were that (1) VA centralize its
           security management functions and (2) it perform other actions to
           establish an information security program, including actions
           related to risk assessments, security policies and procedures,
           security awareness, and monitoring and evaluating computer
           controls.21

19 Attachment 1 includes a list of our products related to IT
vulnerabilities at VA.

VA's Efforts to Address Information Security Weaknesses Have Been Limited

The department has taken steps to address the weaknesses that we
described, but these have not been sufficient to fully implement a
comprehensive information security program.22 Examples of actions that VA
has taken and still needs to take include the following:

           0M Central security management function: The department realigned
           its information technology resources to place administration and
           field office security functions more directly under the oversight
           of the department's CIO, consolidating all administration-level
           cyber security functions under the department's cyber security
           office. In addition, to provide greater management accountability
           for information security, the Secretary instituted information
           security standards for members of the department's senior
           executive service. The cyber security officer organized his office
           to focus more directly on critical elements of information
           security control, and he updated the department's security
           management plan and information security policies and procedures.
           However, the department still needed to develop policy and
           guidance to ensure (1) authority and independence for security
           officers and (2) departmentwide coordination of security
           functions.
           0M Periodic risk assessments: VA is implementing a commercial tool
           to identify the level of risk associated with system changes and
           also to conduct information security risk assessments. It also
           created a methodology that establishes minimum requirements for
           such risk assessments. However, it has not yet completed its risk
           assessment policy and guidance. VA reported that such guidance was
           forthcoming as part of an overarching information system security
           certification and accreditation policy that was to be developed
           during 2006. Without these elements, VA cannot be assured that it
           is appropriately performing risk assessments departmentwide.
           0M Security policies and procedures: VA's cyber security officer
           reported that VA has action ongoing to develop a process for
           collecting and tracking performance data, ensuring management
           action when needed, and providing independent validation of
           reported issues. VA also has ongoing efforts in the area of
           detecting, reporting, and responding to security incidents. For
           example, it established network intrusion prevention capability at
           its four enterprise gateways. It is also developing strategic and
           tactical plans to complete a security incident response program to
           monitor suspicious activity and cyber alerts, events, and
           incidents. However, these plans are not complete.
           0M Security awareness: VA has taken steps to improve security
           awareness training. It holds an annual department information
           security conference, and it has developed a Web portal for
           security training, policy, and procedures, as well as a security
           awareness course that VA employees are required to review
           annually. However, VA has not demonstrated that it has a process
           to ensure compliance.
           0M Monitoring and evaluating computer controls: VA established a
           process to better monitor and evaluate computer controls by
           tracking the status of security weaknesses, corrective actions
           taken, and independent validations of corrective actions through a
           software data base.23 However, more remains to be done in tFor
           example, although certain components of VA reported vulnerability
           and penetration testing to evaluate controls on internand external
           access to VA systems, to

           Since our last report in 2002, VA's IG and independent auditors
           continued to report serious weaknesses with the department's
           information security controls. The auditors' report on
           internacontrols,24 prepared at the completion of VA's 2005
           financial statement audit, identified weaknesses related to access
           control, segregation of duties, change control, and service
           continuity-a of weaknesses that are virtually identical to those
           we identified years earlier. The department's FY 2005 Annual
           Performance aAccountability Report states that the IG determined
           that many information system security vulnerabilities reported in
           nationaaudits from 2001 through 2004 remain unresolved, despite
           the department's actions to implement IG recommendations in
           preaudits. The IG also reported specific security weaknesses and
           vulnerabilities at 45 of 60 VA health care facilities and 11 of 21
           VA regional offices where security issues were reviewed, placing
           VA at risk that sensitive data may be exposed to unauthorized
           acceimproper disclosure, among other things. As a result, the IG
           determined that weaknesses in VA's i

           In response to the IG's findings, the department indicates thaare
           being implemented to address the material weakness in information
           security. According to the department, it has maximilimited
           resources to make significant improvement in its overall security
           posture in the near term by prioritizing FISMA re

           Despite these actions, the department has not fully implemented
           the key elements of a comprehensive security management program,
           and its efforts have not been sufficient to effectively protect
           its information systems and information, including personally
           identifiable information, from unauthorized disclosure, misuse, or
           loss.

20 GAO, Veterans Affairs: Sustained Management Attention Is Key to
Achieving Information Technology Results, GAO-02-703 (Washington, D.C.:
June 12, 2002).

21 We based our recommendations on guidance and practices provided in GAO,
Federal Information System Controls Audit Manual, GAO/AIMD-12.19.6
(Washington, D.C.: January 1999); Information Security Management:
Learning from Leading Organizations, GAO/AIMD-98-68 (Washington, D.C.: May
1998); Information Security Risk Assessment: Practices of Leading
Organizations, GAO/AIMD-00-33 (Washington, D. C.: November 1999); and
Chief Information Officer Council, Federal Information Technology Security
Assessment Framework (Washington, D.C.: Nov. 28, 2000). FISMA (passed in
late 2002) and associated guidance are generally consistent with this
earlier guidance.

22 This result is also reflected in the department's failing grade in the
annual report card on computer security that is issued by the House
Government Reform Committee: Computer Security Report Card (Washington,
D.C.: Mar. 16, 2006).

23 VA's Security Management and Reporting Tool (SMART).

24 The auditor's report is included in VA's FY 2005 Annual Performance and
Accountability Report.

  Agencies Can Take Steps to Reduce the Likelihood That Personal Data Will Be
                                  Compromised

In addition to establishing a robust information security program,
agencies can take other actions to help guard against the possibility that
personal information they maintain is inadvertently compromised. These
include conducting privacy impact assessments and taking other practical
measures.

Conduct Privacy Impact Assessments

It is important that agencies identify the specific instances in which
they collect and maintain personal information and proactively assess the
means they intend to use to protect this information. This can be done
most effectively through the development of privacy impact assessments
(PIAs), which, as previously mentioned, are required by the E-Government
Act of 2002 when agencies use information technology to process personal
information. PIAs are important because they serve as a tool for agencies
to fully consider the privacy implications of planned systems and data
collections before those systems and collections have been fully
implemented, when it may be relatively easy to make critical adjustments.

In prior work we have found that agencies do not always conduct PIAs as
they are required. For example, our review of selected data mining efforts
at federal agencies25 determined that PIAs were not always being done in
full compliance with OMB guidance. Similarly, as identified in our work on
federal agency use of information resellers,26 few PIAs were being
developed for systems or programs that made use of information reseller
data, because officials did not believe they were required. Complete
assessments are an important tool for agencies to identify areas of
noncompliance with federal privacy laws, evaluate risks arising from
electronic collection and maintenance of information about individuals,
and evaluate protections or alternative processes needed to mitigate the
risks identified. Agencies that do not take all the steps required to
protect the privacy of personal information risk the improper exposure or
alteration of such information. We recommended that the agencies
responsible for the data mining efforts we reviewed complete or revise
PIAs as needed and make them available to the public. We also recommended
that OMB revise its guidance to clarify the applicability of the E-Gov
Act's PIA requirement to the use of personal information from resellers.
OMB stated that it would discuss its guidance with agency senior officials
for privacy to determine whether additional guidance concerning reseller
data was needed.

25 GAO, Data Mining: Agencies Have Taken Key Steps to Protect Privacy in
Selected Efforts, but Significant Compliance Issues Remain, GAO-05-866
(Washington, D.C.: Aug. 15, 2005).

Employ Measures to Prevent Inadvertent Data Breaches

Besides strategic approaches such as establishing an information security
program and conducting PIAs, agencies can consider a range of specific
practical measures for protecting the privacy and security of personal
information. Several that may be of particular value in preventing
inadvertent data breaches include the following:

Limit collection of personal information. One item to be analyzed as part
of a PIA is the extent to which an agency needs to collect personal
information in order to meet the requirements of a specific application.
Limiting the collection of personal information, among other things,
serves to limit the opportunity for that information to be compromised.
For example, key identifying information-such as Social Security
numbers-may not be needed for many agency applications that have databases
of other personal information. Limiting the collection of personal
information is also one of the fair information practices, which are
fundamental to the Privacy Act and to good privacy practice in general.

26 GAO-06-421 , pp. 59-61.

Limit data retention. Closely related to limiting data collection is
limiting retention. Retaining personal data longer than needed by an
agency or statutorily required adds to the risk that the data will be
compromised. In discussing data retention, California's Office of Privacy
Protection recently reported an example in which a university experienced
a security breach that exposed 15-year-old data, including Social Security
numbers. The university subsequently reviewed its policies and decided to
shorten the retention period for certain types of information.27 As part
of their PIAs, federal agencies can make decisions up front about how long
they plan to retain personal data, aiming to retain the data for as brief
a period as necessary.

Limit access to personal information and train personnel accordingly. Only
individuals with a need to access agency databases of personal information
should have such access, and controls should be in place to monitor that
access. Further, agencies can implement technological controls to prevent
personal data from being readily transferred to unauthorized systems or
media, such as laptop computers, discs, or other electronic storage
devices. Security training, which is required for all federal employees
under FISMA, can include training on the risks of exposing personal data
to potential identity theft, thus helping to reduce the likelihood of data
being exposed inadvertently.

Consider using technological controls such as encryption when data need to
be stored on portable devices. In certain instances, agencies may find it
necessary to enable employees to have access to personal data on portable
devices such as laptop computers. As discussed, this should be minimized.
However, when absolutely necessary, the risk that such data could be
exposed to unauthorized individuals can be reduced by using technological
controls such as encryption, which significantly limits the ability of
such individuals to gain access to the data. Although encrypting data adds
to the operational burden on authorized individuals, who must enter pass
codes or use other authentication means to convert the data into readable
text, it can provide reasonable assurance that stolen or lost computer
equipment will not result in personal data being compromised, as occurred
in the recent incident at VA. A decision about whether to use encryption
would logically be made as an element of the PIA process and an agency's
broader information security program.

27 State of California Department of Consumer Affairs, Recommended
Practices on Notice of Security Breach Involving Personal Information
(April 2006), p. 6.

While these suggestions do not amount to a complete prescription for
protecting personal data, they are key elements of an agency's strategy
for reducing the risks that could lead to identity theft.

 Public Notification of Data Breaches Has Clear Benefits as Well as Challenges

In the event a data breach does occur, agencies must respond quickly in
order to minimize the potential harm associated with identity theft. The
chairman of the Federal Trade Commission  has testified that the
Commission believes that if a security breach creates a significant risk
of identity theft or other related harm, affected consumers should be
notified.28 The Federal Trade Commission has also reported that the
overall cost of an incident of identity theft, as well as the harm to the
victims, is significantly smaller if the misuse of the victim's personal
information is discovered quickly.29

Applicable laws such as the Privacy Act currently do not require agencies
to notify individuals of security breaches involving their personal
information; however, doing so allows those affected the opportunity to
take steps to protect themselves against the dangers of identity theft.
For example, California's data breach notification law is credited with
bringing to the public's notice large data breaches within the private
sector, such as those involving ChoicePoint and LexisNexis last year.
Arguably, the California law may have mitigated the risk of identity theft
to affected individuals by keeping them informed about data breaches and
thus enabling them to take steps such as contacting credit bureaus to have
fraud alerts placed on their credit files, obtaining copies of their
credit reports, scrutinizing their monthly financial account statements,
and taking other steps to protect themselves.

28 Federal Trade Commission, Prepared Statement of the Federal Trade
Commission Before the Committee on Commerce, Science, and Transportation,
U.S. Senate, on Data Breaches and Identity Theft (Washington, D.C.: June
16, 2005), p. 10.

29 Synovate, Federal Trade Commission Identity Theft Survey Report
(McLean, Va.: September 2003).

Breach notification is also important in that it can help an organization
address key privacy rights of individuals, in accordance with the fair
information practices mentioned earlier. Breach notification is one way
that organizations-either in the private sector or the government-can
follow the openness principle and meet their responsibility for keeping
the public informed of how their personal information is being used and
who has access to it. Equally important, notification is consistent with
the principle that those controlling the collection or use of personal
information should be accountable for taking steps to ensure the
implementation of the other principles, such as use limitation and
security safeguards. Public disclosure of data breaches is a key step in
ensuring that organizations are held accountable for the protection of
personal information.

Concerns Have Been Raised About the Criteria for Issuing Notices to the Public

Although the principle of notifying affected individuals (or the public)
about data breaches has clear benefits, determining the specifics of when
and how an agency should issue such notifications presents challenges,
particularly in determining the specific criteria for incidents that merit
notification. In congressional testimony, the Federal Trade Commission30
raised concerns about the threshold at which consumers should be notified
of a breach, cautioning that too strict a standard could have several
negative effects. First, notification of a breach when there is little or
no risk of harm might create unnecessary concern and confusion. Second, a
surfeit of notices, resulting from notification criteria that are too
strict, could render all such notices less effective, because consumers
could become numb to them and fail to act when risks are truly
significant. Finally, the costs to both individuals and business are not
insignificant and may be worth considering. FTC points out that, in
response to a security breach notification, a consumer may cancel credit
cards, contact credit bureaus to place fraud alerts on credit files, or
obtain a new driver's license number. These actions could be
time-consuming for the individual and costly for the companies involved.
Given these potential negative effects, care is clearly needed in defining
appropriate criteria for required breach notifications.

30 Federal Trade Commission, Prepared Statement on Data Breaches and
Identity Theft, p. 10.

While care needs to be taken to avoid requiring agencies to notify the
public of trivial security incidents, concerns have also been raised about
setting criteria that are too open-ended or that rely too heavily on the
discretion of the affected organization. Some public advocacy groups have
cautioned that notification criteria that are too weak would give
companies an incentive not to disclose potentially harmful breaches, and
the same concern would apply to federal agencies. In congressional
testimony last year, the executive director of the Center for Democracy
and Technology argued that if an entity is not certain whether a breach
warrants notification, it should be able to consult with the Federal Trade
Commission.31 He went on to suggest that a two-tiered system may be
desirable, with notice to the Federal Trade Commission of all breaches of
personal data and notice to consumers where there is a potential risk of
identity theft. The Center for Democracy and Technology's comments
regarding the Federal Trade Commission were aimed at commercial entities
such as information resellers. A different entity-such as OMB, which is
responsible for overseeing security and privacy within the federal
government-might be more appropriate to take on a parallel role with
respect to federal agencies.

31 Center for Democracy and Technology, Securing Electronic Personal Data:
Striking a Balance between Privacy and Commercial and Government Use
(Washington, D.C.: Apr. 13, 2005), p. 7.

Effective Notices Should Provide Useful Information and Be Easy to Understand

Once a determination has been made that a public notice is to be issued,
care must be taken to ensure that it does its job effectively. Designing
useful, easy-to-understand notices has been cited as a challenge in other
areas where privacy notices are required by law, such as in the financial
industry-where businesses are required by the Gramm-Leach-Bliley Act to
send notices to consumers about their privacy practices-and in the federal
government, which is required by the Privacy Act to issue public notices
in the Federal Register about its systems of records containing personal
information. For example, as noted during a public workshop hosted by the
Department of Homeland Security's Privacy Office, designing
easy-to-understand consumer financial privacy notices to meet Gramm-Leach
Bliley Act requirements has been challenging. Officials from the FTC and
Office of the Comptroller of the Currency described widespread criticism
of these notices-that they were unexpected, too long, filled with
legalese, and not understandable.

If an agency is to notify people of a data breach, it should do so in such
a way that they understand the nature of the threat and what steps need to
be taken to protect themselves against identity theft. In connection with
its state law requiring security breach notifications, the California
Office of Privacy Protection has published recommended practices for
designing and issuing security breach notices.32 The office recommends
that such notifications include, among other things,

           0M a general description of what happened;
           0M the type of personal information that was involved;
           0M what steps have been taken to prevent further unauthorized
           acquisition of personal information;
           0M the types of assistance to be provided to individuals, such as
           a toll-free contact telephone number for additional information
           and assistance;
           0M information on what individuals can do to protect themselves
           from identity theft, including contact information for the three
           credit reporting agencies; and
           0M information on where individuals can obtain additional
           information on protection against identity theft, such as the
           Federal Trade Commission's Identity Theft Web site (
           www.consumer.gov/idtheft ).

           The California Office of Privacy Protection also recommends making
           notices clear, conspicuous, and helpful by using clear, simple
           language and avoiding jargon, and it suggests avoiding using a
           standardized format to mitigate the risk that the public will
           become complacent about the process.

           The Federal Trade Commission has issued guidance to businesses on
           notifying individuals of data breaches that reiterates several key
           elements of effective notification-describing clearly what is
           known about the data compromise, explaining what responses may be
           appropriate for the type of information taken, and providing
           information and contacts regarding identity theft in general. The
           Commission also suggests providing contact information for the law
           enforcement officer working on the case, as well as encouraging
           individuals who discover that their information has been misused
           to file a complaint with the Commission.33

           Both the state of California and the Federal Trade Commission
           recommend consulting with cognizant law-enforcement officers about
           an incident before issuing notices to the public. In some cases,
           early notification or disclosure of certain facts about an
           incident could hamper a law enforcement investigation. For
           example, an otherwise unknowing thief could learn of the potential
           value of data stored on a laptop computer that was originally
           stolen purely for the value of the hardware. Thus it is
           recommended that organizations consult with law enforcement
           regarding the timing and content of notifications. However, law
           enforcement investigations should not necessarily result in
           lengthy delays in notification. California's guidance states that
           it should not be necessary for a law enforcement agency to
           complete an investigation before notification can be given.

           When providing notifications to the public, organizations should
           consider how to ensure that these are easily understood. Various
           techniques have been suggested to promote comprehension, including
           the concept of "layering."34 Layering involves providing only the
           most important summary facts up front-often in a graphical
           format-followed by one or more lengthier, more narrative versions
           in order to ensure that all information is communicated that needs
           to be. Multilayering may be an option to achieving an
           easy-to-understand notice that is still complete. Similarly,
           providing context to the notice (explaining to consumers why they
           are receiving the notice and what to do with it) has been found to
           promote comprehension,35 as did visual design elements such as a
           tabular format, large and legible fonts, appropriate white space,
           and simple headings.

           Although these techniques were developed for other kinds of
           notices, they can be applied to those informing the public of data
           breaches. For example, a multilayered security breach notice could
           include a brief description of the nature of the security breach,
           the potential threat to victims of the incident, and measures to
           be taken to protect against identity theft. The notice could
           provide additional details about the incident as an attachment or
           by providing links to additional information. This would
           accomplish the purpose of communicating the key details in a brief
           format, while still providing complete information to those who
           require it. Given that people may be adversely affected by a
           compromise of their personal information, it is critical that they
           fully understand the nature of the threat and the options they
           have to address it.

           In summary, the recent security breach at VA has highlighted the
           importance of implementing effective information security
           practices. Long-standing information security control weaknesses
           at VA have placed its information systems and information,
           including personally identifiable information, at increased risk
           of misuse and unauthorized disclosure. Although VA has taken steps
           to mitigate previously reported weaknesses, it has not implemented
           a comprehensive, integrated information security program, which it
           needs in order to effectively manage risks on an ongoing basis.
           Much work remains to be done. Only through strong leadership,
           sustained management commitment and effort, disciplined processes,
           and consistent oversight can VA address its persistent,
           long-standing control weaknesses.

           To reduce the likelihood of experiencing such breaches, agencies
           can take a number of actions that can help guard against the
           possibility that databases of personally identifiable information
           are inadvertently compromised: strategically, they should ensure
           that a robust information security program is in place and that
           PIAs are developed. More specific practical measures aimed at
           preventing inadvertent data breaches include limiting the
           collection of personal information, limiting data retention,
           limiting access to personal information and training personnel
           accordingly, and considering using technological controls such as
           encryption when data need to be stored on mobile devices.

           Nevertheless, data breaches can still occur at any time, and when
           they do, notification to the individuals affected and/or the
           public has clear benefits, allowing people the opportunity to take
           steps to protect themselves against the dangers of identity theft.
           Care is needed in defining appropriate criteria if agencies are to
           be required to report security breaches to the public. Further,
           care is also needed to ensure that notices are useful and easy to
           understand, so that they are effective in alerting individuals to
           actions they may want to take to minimize the risk of identity
           theft.

           We have previously testified that as Congress considers
           legislation requiring agencies to notify individuals or the public
           about security breaches, it should ensure that specific criteria
           are defined for incidents that merit public notification. It may
           want to consider creating a two-tier reporting requirement, in
           which all security breaches are reported to OMB, and affected
           individuals are notified only of incidents involving significant
           risk. Further, Congress should consider requiring OMB to provide
           guidance to agencies on how to develop and issue security breach
           notices to the public.

           Messers. Chairmen, this concludes our testimony today. We would be
           happy to answer any questions you or other members of the
           committee may have.

32 State of California, Recommended Practices on Notice of Security
Breach.

33 Federal Trade Commission, Information Compromise and the Risk of
Identity Theft: Guidance for Your Business (Washington, D.C.: June 2004).

34 This concept was discussed during a recent public workshop on
"Transparency and Accountability: The Use of Personal Information within
the Government," hosted by the DHS Privacy Office.

35 At the DHS workshop, panelists from the Federal Trade Commission and
the Office of the Comptroller of the Currency presented these findings of
an interagency research project on design of easy-to-understand consumer
financial privacy notices. Kleimann Communication Group, Inc., Evolution
of a Prototype Financial Privacy Notice: A Report on the Form Development
Project (Feb. 28, 2006).

                          Contacts and Acknowledgments

If you have any questions concerning this testimony, please contact Linda
Koontz, Director, Information Management, at (202) 512-6240,
[email protected] , or Gregory Wilshusen, Director, Information Security, at
(202) 512-6244, [email protected] . Other individuals who made key
contributions include Idris Adjerid, Barbara Collier, William Cook, John
de Ferrari, Valerie Hopkins, Suzanne Lightman, Barbara Oliver, David
Plocher, Jamie Pressman, J. Michael Resser, and Charles Vrabel.

                      Attachment 1: Selected GAO Products

Products Related to VA Information Security

Information Systems: VA Computer Control Weaknesses Increase Risk of
Fraud, Misuse, and Improper Disclosure. GAO/AIMD-98-175 . Washington,
D.C.: September 23, 1998.

VA Information Systems: The Austin Automation Center Has Made Progress in
Improving Information System Controls. GAO/AIMD-99-161 . Washington, D.C.:
June 8, 1999.

Information Systems: The Status of Computer Security at the Department of
Veterans Affairs. GAO/AIMD-00-5 . Washington, D.C.: October 4, 1999.

VA Systems Security: Information System Controls at the North Texas Health
Care System. GAO/AIMD-00-52R . Washington, D.C.: February 1, 2000.

VA Systems Security: Information System Controls at the New Mexico VA
Health Care System. GAO/AIMD-00-88R . Washington, D.C.: March 24, 2000.

VA Systems Security: Information System Controls at the VA Maryland Health
Care System. GAO/AIMD-117R . Washington, D.C.: April 19, 2000.

Information Technology: Update on VA Actions to Implement Critical
Reforms. GAO/T-AIMD-00-74 . Washington, D.C.: May 11, 2000.

VA Information Systems: Computer Security Weaknesses Persist at the
Veterans Health Administration. GAO/AIMD-00-232 . Washington, D.C.:
September 8, 2000.

Major Management Challenges and Program Risks: Department of Veterans
Affairs. GAO-01-255 . Washington, D.C.: January 2001.

VA Information Technology: Important Initiatives Begun, Yet Serious
Vulnerabilities Persist. GAO-01-550T . Washington, D.C.: April 4, 2001.

VA Information Technology: Progress Made, but Continued Management
Attention is Key to Achieving Results. GAO-02-369T . Washington, D.C.:
March 13, 2002.

Veterans Affairs: Subcommittee Post-Hearing Questions Concerning the
Department's Management of Information Technology. GAO-02-561R .
Washington, D.C.: April 5, 2002.

Veterans Affairs: Sustained Management Attention is Key to Achieving
Information Technology Results. GAO-02-703 . Washington, D.C.: June 12,
2002.

VA Information Technology: Management Making Important Progress in
Addressing Key Challenges. GAO-02-1054T . Washington, D.C.: September 26,
2002.

Information Security: Weaknesses Persist at Federal Agencies Despite
Progress Made in Implementing Related Statutory Requirements. GAO-05-552 .
Washington, D.C.: July 15, 2005.

Products Related to Privacy Issues

Privacy: Key Challenges Facing Federal Agencies. GAO-06-777T . Washington,
D.C.: May 17, 2006.

Personal Information: Agencies and Resellers Vary in Providing Privacy
Protections. GAO-06-609T . Washington, D.C.: April 4, 2006.

Personal Information: Agency and Reseller Adherence to Key Privacy
Principles. GAO-06-421 . Washington, D.C.: April 4, 2006.

Data Mining: Agencies Have Taken Key Steps to Protect Privacy in Selected
Efforts, but Significant Compliance Issues Remain. GAO-05-866 .
Washington, D.C.: August 15, 2005.

Aviation Security: Transportation Security Administration Did Not Fully
Disclose Uses of Personal Information during Secure Flight Program Testing
in Initial Privacy Notices, but Has Recently Taken Steps to More Fully
Inform the Public. GAO-05-864R . Washington, D.C.: July 22, 2005.

Identity Theft: Some Outreach Efforts to Promote Awareness of New Consumer
Rights are Under Way. GAO-05-710 . Washington, D.C.: June 30, 2005.

Electronic Government: Federal Agencies Have Made Progress Implementing
the E-Government Act of 2002. GAO-05-12 . Washington, D.C.: December 10,
2004.

Social Security Numbers: Governments Could Do More to Reduce Display in
Public Records and on Identity Cards. GAO-05-59 . Washington, D.C.:
November 9, 2004.

Federal Chief Information Officers: Responsibilities, Reporting
Relationships, Tenure, and Challenges, GAO-04-823 . Washington, D.C.: July
21, 2004.

Data Mining: Federal Efforts Cover a Wide Range of Uses, GAO-04-548 .
Washington, D.C.: May 4, 2004.

Privacy Act: OMB Leadership Needed to Improve Agency Compliance.
GAO-03-304 . Washington, D.C.: June 30, 2003.

Data Mining: Results and Challenges for Government Programs, Audits, and
Investigations. GAO-03-591T . Washington, D.C.: March 25, 2003.

Technology Assessment: Using Biometrics for Border Security. GAO-03-174 .
Washington, D.C.: November 15, 2002.

Information Management: Selected Agencies' Handling of Personal
Information. GAO-02-1058 . Washington, D.C.: September 30, 2002.

Identity Theft: Greater Awareness and Use of Existing Data Are Needed.
GAO-02-766 . Washington, D.C.: June 28, 2002.

Social Security Numbers: Government Benefits from SSN Use but Could
Provide Better Safeguards. GAO-02-352 . Washington, D.C.: May 31, 2002.

 Attachment 2. Chronology of Information Security Weaknesses Identified by GAO

Notes: Hines is a suburb of Chicago.

Full citations are provided in attachment 1.

(310579)

www.gao.gov/cgi-bin/getrpt?GAO-06-897T.

To view the full product, including the scope

and methodology, click on the link above.

For more information, contact Gregory Wilshusen at (202) 512-6244 or
[email protected].

Highlights of GAO-06-897T , a testimony before the Subcommittees on
Disability Assistance and Memorial Affairs and on Economic Opportunity,
Committee on Veterans' Affairs, House of Representatives

June 202006

INFORMATIONSECURITY

Leadership Needed to Address Weaknesses and Privacy Issues at Veterans
Affairs

The recent information security breach at the Department of Veterans
Affairs (VA), in which personal data on millions of veterans were
compromised, has highlighted the importance of the department's security
weaknesses, as well as the ability of federal agencies to protect personal
information. Robust federal security programs are critically important to
properly protect this information and the privacy of individuals.

GAO was asked to testify on VA's information security program, ways that
agencies can prevent improper disclosures of personal information, and
issues concerning notifications of privacy breaches. In preparing this
testimony, GAO drew on its previous reports and testimonies, as well as on
expert opinion provided in congressional testimony and other sources.

What GAO Recommends

To ensure that security and privacy issues are adequately addressed, GAO
has made recommendations previously to VA and other agencies on
implementing federal privacy and security laws.

In addition, GAO has previously testified that in considering security
breach notification legislation, the Congress should consider setting
specific reporting requirements for agencies.

For many years, significant concerns have been raised about VA's
information security-particularly its lack of a robust information
security program, which is vital to avoiding the compromise of government
information, including sensitive personal information. GAO and the
department's inspector general have reported recurring weaknesses
throughout VA, including the Veterans Benefits Administration, in such
areas as access controls, physical security, and segregation of
incompatible duties. The department has taken steps to address these
weaknesses, but these have not been sufficient to establish a
comprehensive information security program. For example, it is still
developing plans to complete a security incident response program to
monitor suspicious activity and cyber alerts, events, and incidents.
Without an established and implemented security program, the department
will continue to have major challenges in protecting its information and
information systems from security breaches such as the one it recently
experienced.

In addition to establishing robust security programs, agencies can take a
number of actions to help guard against the possibility that databases of
personally identifiable information are inadvertently compromised. A key
step is to develop a privacy impact assessment-an analysis of how personal
information is collected, stored, shared, and managed-whenever information
technology is used to process personal information. In addition, agencies
can take more specific practical measures aimed at preventing data
breaches, including limiting the collection of personal information,
limiting the time that such data are retained, limiting access to personal
information and training personnel accordingly, and considering the use of
technological controls such as encryption when data need to be stored on
portable devices.

When data breaches do occur, notification of those affected and/or the
public has clear benefits, allowing people the opportunity to protect
themselves from identity theft. Although existing laws do not require
agencies to notify the public of data breaches, such notification is
consistent with agencies' responsibility to inform individuals about how
their information is being accessed and used, and it promotes
accountability for privacy protection. That said, care is needed in
defining appropriate criteria for triggering notification. Notices should
be coordinated with law enforcement to avoid impeding ongoing
investigations, and in order to be effective, notices should be easy to
understand. Because of the possible adverse impact of a compromise of
personal information, it is critical that people fully understand the
threat and their options for addressing it.

Strong leadership, sustained management commitment and effort, disciplined
processes, and consistent oversight will be needed for VA to address its
persistent, long-standing control weaknesses.

United States Government Accountability Office

GAO

Testimony

Before the Subcommittees on Disability Assistance and Memorial Affairs and
on Economic Opportunity, Committee on Veterans' Affairs,House of
Representatives

For Release on Delivery

Expected at time 10:00 a.m. EDT June 20, 2006

INFORMATION SECURITY

Leadership Needed to Address Weaknesses and Privacy Issues at Veterans
Affairs

Statement of Linda D. Koontz

Director, Information Management Issues

and

Gregory C. Wilshusen

Director, Information Security Issues

GAO-06-897T

This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed in
its entirety without further permission from GAO. However, because this
work may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this material
separately.

GAO's Mission

The Government Accountability Office, the audit, evaluation and
investigative arm of Congress, exists to support Congress in meeting its
constitutional responsibilities and to help improve the performance and
accountability of the federal government for the American people. GAO
examines the use of public funds; evaluates federal programs and policies;
and provides analyses, recommendations, and other assistance to help
Congress make informed oversight, policy, and funding decisions. GAO's
commitment to good government is reflected in its core values of
accountability, integrity, and reliability.

Obtaining Copies of GAO Reports and Testimony

The fastest and easiest way to obtain copies of GAO documents at no cost
is through GAO's Web site ( www.gao.gov ). Each weekday, GAO posts newly
released reports, testimony, and correspondence on its Web site. To have
GAO e-mail you a list of newly posted products every afternoon, go to
www.gao.gov and select "Subscribe to Updates."

Order by Mail or Phone

The first copy of each printed report is free. Additional copies are $2
each. A check or money order should be made out to the Superintendent of
Documents. GAO also accepts VISA and Mastercard. Orders for 100 or more
copies mailed to a single address are discounted 25 percent. Orders should
be sent to:

U.S. Government Accountability Office 441 G Street NW, Room LM Washington,
D.C. 20548

To order by Phone: Voice: (202) 512-6000 TDD: (202) 512-2537 Fax: (202)
512-6061

To Report Fraud, Waste, and Abuse in Federal Programs

Contact:

Web site: www.gao.gov/fraudnet/fraudnet.htm E-mail: [email protected]
Automated answering system: (800) 424-5454 or (202) 512-7470

Congressional Relations

Gloria Jarmon, Managing Director, [email protected] (202) 512-4400 U.S.
Government Accountability Office, 441 G Street NW, Room 7125 Washington,
D.C. 20548

Public Affairs

Paul Anderson, Managing Director, [email protected] (202) 512-4800 U.S.
Government Accountability Office, 441 G Street NW, Room 7149 Washington,
D.C. 20548
*** End of document. ***