Information Security: Sustained Management Commitment and	 
Oversight Are Vital to Resolving Long-standing Weaknesses at the 
Department of Veterans Affairs (07-SEP-07, GAO-07-1019).	 
                                                                 
In May 2006, the Department of Veterans Affairs (VA) announced	 
that computer equipment containing personal information on	 
approximately 26.5 million veterans and active duty military	 
personnel had been stolen. Given the importance of information	 
technology (IT) to VA's mission, effective information security  
controls are critical to maintaining public and veteran 	 
confidence in its ability to protect sensitive information. GAO  
was asked to evaluate (1) whether VA has effectively addressed	 
GAO and VA Office of Inspector General (IG) information security 
recommendations and (2) actions VA has taken since May 2006 to	 
strengthen its information security practices and secure personal
information. To do this, GAO examined security policies and	 
action plans, interviewed pertinent department officials, and	 
conducted testing of encryption software at select VA facilities.
-------------------------Indexing Terms------------------------- 
REPORTNUM:   GAO-07-1019					        
    ACCNO:   A75907						        
  TITLE:     Information Security: Sustained Management Commitment and
Oversight Are Vital to Resolving Long-standing Weaknesses at the 
Department of Veterans Affairs					 
     DATE:   09/07/2007 
  SUBJECT:   Chief information security officers		 
	     Computer security					 
	     Confidential information				 
	     Information management				 
	     Information security				 
	     Information security management			 
	     Information technology				 
	     Internal controls					 
	     Laptops						 
	     Performance measures				 
	     Program evaluation 				 
	     Risk assessment					 
	     Software						 
	     Veterans						 
	     Government agency oversight			 
	     Program coordination				 
	     Program implementation				 
	     VA Information Technology Program			 

******************************************************************
** This file contains an ASCII representation of the text of a  **
** GAO Product.                                                 **
**                                                              **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced.  Tables are included, but    **
** may not resemble those in the printed version.               **
**                                                              **
** Please see the PDF (Portable Document Format) file, when     **
** available, for a complete electronic file of the printed     **
** document's contents.                                         **
**                                                              **
******************************************************************
GAO-07-1019

   

     * [1]Results in Brief
     * [2]Background

          * [3]Prior GAO and IG Work Related to VA Information Security
          * [4]Significant Security Incidents Reported

     * [5]VA Has Not Fully Implemented GAO and IG Recommendations

          * [6]VA Has Not Implemented Two of Four GAO Recommendations
          * [7]VA Has Not Fully Implemented IG Recommendations
          * [8]By Not Fully Implementing GAO and IG Recommendations, VA Lea

     * [9]VA Is Undertaking Several Major Initiatives to Strengthen In

          * [10]Realignment of IT Management Structure
          * [11]Development of Action Plan to Remediate Identified Weaknesse
          * [12]Establishment of Information Protection Program

               * [13]Encryption of VA Laptops

          * [14]Development of Additional Information Protection Initiatives
          * [15]Improvement of Incident Management Capability

               * [16]Incident Detection, Reporting, and Response
               * [17]Incident Notification

          * [18]Establishment of Office of IT Oversight and Compliance

     * [19]Conclusions
     * [20]Recommendations for Executive Action
     * [21]Agency Comments and Our Evaluation

          * [22]Laptop Encryption Testing

               * [23]Selection of Locations
               * [24]Selection of Laptops
               * [25]Testing of Laptops
               * [26]Analysis of Results

     * [27]GAO Contact
     * [28]Staff Acknowledgments
     * [29]GAO's Mission
     * [30]Obtaining Copies of GAO Reports and Testimony

          * [31]Order by Mail or Phone

     * [32]To Report Fraud, Waste, and Abuse in Federal Programs
     * [33]Congressional Relations
     * [34]Public Affairs

Report to Congressional Requesters

United States Government Accountability Office

GAO

September 2007

INFORMATION SECURITY

Sustained Management Commitment and Oversight Are Vital to Resolving
Long-standing Weaknesses at the Department of Veterans Affairs

GAO-07-1019

Contents

Letter 1

Results in Brief 2
Background 4
VA Has Not Fully Implemented GAO and IG Recommendations 8
VA Is Undertaking Several Major Initiatives to Strengthen Information
Security, but Implementation Has Shortcomings 12
Conclusions 28
Recommendations for Executive Action 28
Agency Comments and Our Evaluation 30
Appendix I Objectives, Scope, and Methodology 33
Appendix II Status of Prior VA IG Recommendations 37
Appendix III Information on Selected Security Incidents at VA from
December 2003 to January 2007 40
Appendix IV Comments from the Department of Veterans Affairs 43
Appendix V GAO Contact and Staff Acknowledgments 47

Tables

Table 1: Number of Incidents by Type Reported to NSOC from January 2003 to
November 2006 22
Table 2: Time Elapsed Between Major Incidents at VA and Notification of
US-CERT, Secretary, Congress, and Individuals (May 2006 to January 2007)
23
Table 3: Number of Laptops Tested at Select VA Facilities 35
Table 4: Status of 17 VA IG Recommendations Related to FISMA Findings 37

Figure

Figure 1: Office of Information and Technology Organization Chart 14

Abbreviations

CIO chief information officer
CISO chief information security officer
FISMA Federal Information Security Management Act
NSOC Network and Security Operations Center
IG Inspector General
IT information technology
ITOC VA's Office of Information Technology Oversight and Compliance
OMB Office of Management and Budget
US-CERT United States Computer Emergency Readiness Team
VA Department of Veterans Affairs
VBA Veterans Benefits Administration
VHA Veterans Health Administration

This is a work of the U.S. government and is not subject to copyright
protection in the United States. The published product may be reproduced
and distributed in its entirety without further permission from GAO.
However, because this work may contain copyrighted images or other
material, permission from the copyright holder may be necessary if you
wish to reproduce this material separately.

United States Government Accountability Office
Washington, DC 20548

September 7, 2007

Congressional Requesters

The mission of the Department of Veterans Affairs (VA) is to promote the
health, welfare, and dignity of all veterans, in recognition of their
service to the nation, by ensuring that they receive medical care,
benefits, social support, and lasting memorials. In providing health care
and other benefits to veterans and their dependents, the department relies
on a vast array of computer systems and telecommunications networks to
support its operations and store sensitive information, including personal
information on veterans.

Given the importance of information technology for supporting VA's
mission--the department expended $1.2 billion in fiscal year 2006 on
information technology (IT)--successfully securing these systems with
effective information security controls is critical to the department's
ability to safeguard its assets and sensitive information. ^1 To assist
the department in improving its information security program, we and the
VA Office of Inspector General (IG) have previously recommended that VA
take steps to improve its security management program, including actions
to improve controls to appropriately restrict access to data, secure
systems and networks, and respond to security incidents.^2

In May 2006, VA initially announced that computer equipment containing
personally identifiable information on approximately 26.5 million veterans
and active duty members of the military was stolen from the home of a VA
employee. ^3 Until the equipment was recovered, veterans did not know
whether their information was likely to be misused. The security incident
highlighted the vulnerability of sensitive information on VA's systems to
inadvertent or deliberate misuse, loss, or improper disclosure.

^1Information security controls include access controls, configuration
management, segregation of duties, and contingency planning. These
controls are designed to ensure that access to data is appropriately
restricted, only authorized changes to computer programs are made,
computer security duties are segregated, and backup and recovery plans are
adequate to ensure the continuity of essential operations.

^2We made recommendations to address weaknesses in June 2002 as part of
our review of VA's security management program to ensure compliance with
Government Information Security Reform legislation. In December 2002,
Congress enacted the Federal Information Security Management Act, which
required each agency to use a risk based approach to develop, document,
and implement a departmentwide information security program. Since our
report in 2002, the IG has continued to make recommendations to address
weaknesses in the department's information security program as part of its
annual review of the program under the act.

This report responds to your request for a review of the department's
actions to improve information security. Specifically, our objectives were
to evaluate (1) whether VA has effectively addressed GAO and VA IG
recommendations and (2) actions VA has taken since the May 2006 security
incident to strengthen its information security practices and secure
personal information.

In addressing our objectives, we examined and analyzed agency policies,
procedures, plans, and artifacts; interviewed key agency and IG personnel;
and assessed the effectiveness of implemented actions. We also performed
audit procedures to determine the extent to which VA has installed
encryption functionality on laptop computers at eight locations. We
performed our work at VA headquarters in Washington, D.C., and at select
VA facilities, from November 2006 through August 2007, in accordance with
generally accepted government auditing standards. For more details on our
objectives, scope, and methodology, see appendix I.

Results in Brief

Although VA has made progress, it has not yet fully implemented most of
the key GAO and IG recommendations to strengthen its information security
practices. VA has implemented two GAO recommendations: to develop a
process for managing its action plan to correct identified weaknesses and
to regularly report to the Secretary on progress in updating its security
plan. However, it has not fully implemented two other GAO recommendations:
to complete a comprehensive security management program and to ensure
consistent use of information security performance standards when
appraising the department's senior executives. In addition, the department
has not yet fully implemented 20 of 22 information security-related
recommendations made by the IG in 2006. For example, VA has not completed
critical management activities to appropriately restrict access to data,
networks, and department facilities; ensure that only authorized changes
and updates to computer programs are made; and strengthen critical
infrastructure planning to ensure information security requirements are
addressed. Because these recommendations have not yet been implemented,
unnecessary risk exists that personal information of veterans and other
individuals, such as medical providers, will be exposed to data tampering,
fraud, and inappropriate disclosure.

^3"Personally identifiable information" refers to any information about an
individual maintained by an agency, including any information that can be
used to distinguish or trace an individual's identity, such as their name,
Social Security number, date and place of birth, mother's maiden name,
biometric records, etc., or any other personal information that is linked
or linkable to an individual.

Since the May 2006 security incident, VA has begun or continued several
major initiatives to strengthen information security practices and secure
personal information within the department, but more remains to be done.
These initiatives include continuing the department's efforts, begun in
October 2005, to reorganize its management structure to provide better
oversight and fiscal discipline over its IT systems; developing a remedial
action plan; establishing an information protection program; improving its
incident management capability; and establishing an office responsible for
oversight and compliance of IT within the department. However, although
these initiatives have led to progress, their implementation has
shortcomings. For example,

           o responsibility for managing and implementing the VA security
           program (an essential element for ensuring compliance with the
           Federal Information Security Management Act) is split between
           separate offices, and no documented process exists for the
           responsible officials to coordinate with each other;

           o the position of the chief information security officer has been
           unfilled since June 2006;

           o although numerous action items in the department's remedial
           action plan are tasks to develop, document, revise, or update a
           policy or program, 87 percent of these have no corresponding task
           with an established time frame for implementation across the
           department;

           o VA does not have clear guidance for identifying devices that
           require encryption functionality;

           o procedures for incident response and notification do not include
           mechanisms for consultation with outside agencies on mitigation
           options; and

           o the departmental Office of IT Oversight and Compliance lacks a
           standard methodology and established criteria to ensure that its
           examination of internal controls is consistent across VA
           facilities.

As a result of such weaknesses, the effectiveness of VA initiatives to
strengthen information security practices at the department may be
limited.

We are making 17 recommendations to the Secretary of Veterans Affairs
aimed at helping the department to improve the effectiveness of VA's
efforts to strengthen information security practices, including developing
and documenting processes, policies, and procedures; fill a key position;
and completing the implementation of key initiatives.

In providing written comments on a draft of this report (which are
reprinted in appendix IV), the Deputy Secretary of Veterans Affairs
generally agreed with our findings and recommendations. The Deputy
Secretary stated that VA has already implemented or is working to
implement all 17 recommendations.

Background

With over 235,000 employees, including physicians, nurses, counselors,
statisticians, computer specialists, architects, and attorneys, VA is the
second largest federal department. It carries out its mission through
three agency organizations--Veterans Health Administration (VHA), Veterans
Benefits Administration (VBA), and National Cemetery Administration--and
field facilities throughout the United States. The department provides
services and benefits through a nationwide network of 156 hospitals, 877
outpatient clinics, 136 nursing homes, 43 residential rehabilitation
treatment programs, 207 readjustment counseling centers, 57 veterans'
benefits regional offices, and 122 national cemeteries. In carrying out
its mission, the department depends on IT and telecommunications systems,
which process and store sensitive information, including personal
information on veterans.

Information security is a critical consideration for any organization that
depends on information systems and networks to carry out its mission or
business. It is especially important for government agencies, where
maintaining the public's trust is essential. The dramatic expansion in
computer interconnectivity and the expanding use of mobile devices and
storage media are changing the way our government, the nation, and much of
the world share information and conduct business. Without proper
safeguards, enormous risk exists that systems, mobile devices, and
information are exposed to potential data tampering, disruptions in
critical operations, fraud, and the inappropriate disclosure of sensitive
information.

Recognizing the importance of securing federal systems and data, Congress
passed the Federal Information Security Management Act (FISMA) in December
2002,^4 which permanently authorized and strengthened the information
security program, evaluation, and reporting requirements established by
earlier legislation (commonly known as GISRA, the Government Information
Security Reform Act).^5 FISMA sets forth a comprehensive framework for
ensuring the effectiveness of information security controls over
information resources that support federal operations and assets. The act
requires each agency to develop, document, and implement an agencywide
information security program for the data and systems that support the
operations and assets of the agency, using a risk-based approach to
information security management. According to FISMA, the head of each
agency has responsibility for delegating to the agency chief information
officer (CIO) the authority to ensure compliance with the security
requirements in the act. To carry out the CIO's responsibilities in the
area, a senior agency official is to be designated chief information
security officer (CISO).

Prior GAO and IG Work Related to VA Information Security

In June 2002, we reported that VA had not completed actions to strengthen
its security management program, ensure compliance with security policies
and procedures, and ensure accountability for information security
throughout the department.^6 We made four recommendations to VA: (1)
complete a comprehensive security management program that included actions
related to central security management functions, risk assessments,
security policies and procedures, security awareness, and monitoring and
evaluating computer controls; (2) develop a process for managing the
department's updated security plan to remediate identified weaknesses; (3)
regularly report to the Secretary, or his designee, on progress in
implementing VA's security plan; and (4) ensure consistent use of
information security performance standards when appraising the
department's senior executives.

^4FISMA, Title III, E-Government Act of 2002, Pub. L. No. 107-347 (Dec.
17, 2002).

^5GISRA was enacted as subtitle G of Title X of the Floyd D. Spence
National Defense Authorization Act for Fiscal Year 2001, Pub. L. No.
106-398 (Oct. 30, 2000). GISRA was to expire 2 years after its effective
date.

^6GAO, Veterans Affairs: Sustained Management Attention Is Key to
Achieving Information Technology Results, [35]GAO-02-703 (Washington,
D.C.: June 12, 2002).

Since our report in 2002, VA's IG has made additional recommendations
addressing serious weaknesses within the department's information security
controls. In March 2005, the VA IG reported that the department had not
appropriately restricted access to data, ensured that only authorized
changes were made to computer programs, ensured that backup and recovery
plans were adequate to ensure the continuity of essential operations, and
moved the VA Central Office data center to a more appropriate location.^7
The IG made a number of recommendations to the department to secure
patient information and data over VA networks, improve application and
operating system change controls, test continuity of operations plans at
national data centers, and complete the move of the VA Central Office data
center. In its annual FISMA report for fiscal year 2005, issued in
September 2006, the IG carried forward all the recommendations from its
prior years' FISMA audits. It made recommendations in 17 areas to address
all FISMA related findings for the fiscal year.^8

Significant Security Incidents Reported

On May 3, 2006, the home of a VA employee was burglarized, resulting in
the theft of a personally owned laptop computer and external hard drive
that contained personal information on approximately 26.5 million veterans
and U.S. military personnel. The external hard drive was not encrypted or
password protected. ^9 The Secretary of VA was notified of the theft on
May 16, 2006, and Congress and veterans were notified on May 22, 2006.
Notification letters were sent to all veterans, and VA announced that free
credit monitoring services would be offered.

A number of congressional hearings were held and bills introduced related
to the protection of veterans' privacy and identity. During this time
period, many veteran service organizations expressed concerns to Congress
as to whether VA was capable of safeguarding the personal information of
veterans. These organizations also expressed doubt over whether the
department's attempts to correct the weaknesses would be effective.

^7Department of Veterans Affairs Office of Inspector General, Audit of the
Department of Veterans Affairs Information Security Program, Report No.
04-00772-122 (Washington, D.C.: Mar. 31, 2005).

^8Department of Veterans Affairs Office of Inspector General, FY2005 Audit
of VA Information Security Program, Report No. 05-00055-216 (Washington,
D.C.: Sept. 20, 2006).

^9Encryption is used to provide basic data confidentiality and integrity
for data, by transforming plain text into cipher text using a special
value known as a key and a mathematical process known as an algorithm.

The stolen computer equipment was recovered on June 28, 2006, and forensic
testing by the Federal Bureau of Investigation determined that the
sensitive data files had not been accessed or compromised. After the
equipment was recovered, the Office of Management and Budget (OMB)
withdrew its request to Congress for funding for the free credit
monitoring services because it had concluded that credit monitoring
services were no longer necessary due to the results of the FBI's
analysis. Veterans' organizations indicated that the department should
continue to offer credit monitoring services in order to allay veterans'
worries regarding the potential of identity theft. As a result of the
theft, the VA IG issued a report in July 2006 on the investigation of the
incident and made five recommendations to improve VA's policies and
procedures for securing sensitive information and conducting security
awareness training.^10

Recognizing the concerns of veterans, in December 2006, Congress passed
the Veterans Benefits, Health Care, and Information Technology Act of
2006.^11 Under the act, the VA's CIO is responsible for establishing,
maintaining, and monitoring departmentwide information security policies,
procedures, control techniques, training, and inspection requirements as
elements of the departmental information security program. The act also
includes provisions to further protect veterans and service members from
the misuse of their sensitive personal information. In the event of a
security incident involving personal information, VA is required to
conduct a risk analysis, and on the basis of the potential for compromise
of personal information, the department may provide security incident
notifications, fraud alerts, credit monitoring services, and identity
theft insurance. Congress is to be informed regarding security incidents
involving the loss of personal information.

^10Department of Veterans Affairs Office of Inspector General, Review of
Issues Related to the Loss of VA Information Involving the Identity of
Millions of Veterans, Report No. 06-02238-163 (Washington, D.C.: July 11,
2006).

^11Veterans Benefits, Health Care, and Information Technology Act of 2006,
Pub. L. No. 109-461 (Dec. 22, 2006).

On January 22, 2007, a security incident at a research facility in
Birmingham, Alabama, highlighted other potential risks associated with the
loss of information. The incident involved the loss of information on 1.3
million medical providers from the Centers for Medicare & Medicaid
Services of the Department of Health and Human Services, as well as
information on 535,000 individuals. ^12 In its report on the Birmingham
incident, the VA IG noted that the information compromised in the incident
could potentially be used to compromise the identity of physicians and
other health care providers and commit Medicare billing fraud.^13 VA took
action to respond to the loss of provider information by requesting the
Department of Health and Human Services to conduct an independent risk
analysis on the provider data loss. The risk analysis concluded that there
was a high risk that the loss of personal information could result in harm
to the individuals concerned, and the Centers for Medicare & Medicaid
Services sent a letter to VA on March 28, 2007, requesting that credit
monitoring services be offered to providers. The department mailed
notification letters to providers starting on April 17, 2007, and offered
credit monitoring services. In addition, the Centers for Medicare &
Medicaid Services indicated that VA might need to take additional measures
to mitigate any risk of further harm, but it did not specify what such
action might be or specifically mention Medicare fraud.

VA Has Not Fully Implemented GAO and IG Recommendations

Although VA has made progress, it has not yet fully or effectively
implemented two of four GAO recommendations and has not fully implemented
20 of 22 IG recommendations to strengthen its information security
practices. Because these recommendations have not yet been implemented,
unnecessary risk exists that personal information of veterans and others
would be exposed to data tampering, fraud, and inappropriate disclosure.

VA Has Not Implemented Two of Four GAO Recommendations

VA has implemented two of our recommendations. However, it has not fully
implemented two other GAO recommendations. In response to our
recommendation that it regularly report on progress in updating its
security plan to the Secretary, the department CIO took immediate steps in
2002 to begin briefing the Secretary and Deputy Secretary on a regular
basis. Regarding our recommendation that it develop a process for managing
its remedial action plan, VA issued, in May 2006, its IT Directive 06-1,
which established the Data Security-Assessment and Strengthening of
Controls Program to remedy weaknesses in managing its action plan. It also
hired a contractor to develop Web-based tools to assist department
officials in managing and updating the plan on a biweekly basis.

^12This included, among other things, the unique physician identification
number, Medicare billing number, and physician credential code of medical
providers.

^13Department of Veterans Affairs Office of Inspector General,
Administrative Investigation Loss of VA Information VA Medical Center
Birmingham, AL, Report No. 07-01083-157 (Washington, D.C.: June 29, 2007).

However, it has not fully implemented our remaining two recommendations.
First, although it has taken action, VA has not yet fully implemented our
recommendation to complete a comprehensive security management program,
including actions related to central management functions, security
policies and procedures, risk assessments, security awareness, and
monitoring and evaluating computer controls. In August 2006, VA issued
Directive 6500, which documented a framework for the department's security
management program and set forth roles and responsibilities for the
Secretary, CIO, and CISO to ensure compliance with FISMA requirements. VA
also developed, documented, and implemented security policies and
procedures for certain central management functions and security awareness
training. In addition, it implemented a process for tracking the status of
security weaknesses and analyzing the results of computer security reviews
using software tools the department had developed.

As part of implementing the department's security directive (Directive
6500), VA planned to issue Handbook 6500 to provide guidance for
developing, documenting, and implementing the elements of the information
security program. However, it has not finalized and approved this
handbook, which has been in draft form since March 2005. The handbook
contains the VA National Rules of Behavior,^14 as well as key guidance for
minimum mandatory security controls, performing risk assessments, updating
security plans, and planning for continuity of operations. This guidance
is to be used as VA undertakes these activities as part of its preparation
for completing the recertification and re-accreditation of its systems by
August 2008 and to comply with provisions of the Veterans Benefits, Health
Care, and Information Technology Act of 2006. VA officials indicated the
handbook was close to completion, but they did not provide an estimated
time frame for completion. Until the handbook is finalized and approved,
VA cannot be assured that department staff are consistently coordinating
security functions that are critical to safeguarding its assets and
sensitive information against potential data tampering, disruptions in
critical operations, fraud, and the inappropriate disclosure of sensitive
information.

^14The VA National Rules of Behavior is a set of department rules that
describes the responsibilities and behavior of personnel with regard to
information system usage and is required to be developed under the
Veterans Benefits, Health Care, and Information Technology Act of 2006.

Second, VA has not fully implemented our recommendation to ensure
consistent use of information security performance standards in appraising
the department's senior executives. In September 2006, VA issued a
memorandum that required all senior executive performance plans, which
include performance elements and expectations, to include information
security as an evaluation element by November 30, 2006. According to VA,
senior executive performance plans were reviewed by human resource
officials, and the plans complied with the memorandum. However, VA was
unable to provide documentation on the performance plan reviews or a
documented process for regular review of the plans.^15 As a result, it is
unknown whether the department can appropriately hold management
accountable for information security. Until VA develops, documents, and
implements a process for reviewing the senior executive performance plans
on a regular basis to ensure that information security is included as an
evaluation element, it may not have the appropriate management
accountability for information security.

VA Has Not Fully Implemented IG Recommendations

Although VA has implemented 2 recommendations made by the IG, it has not
yet fully implemented 20 other IG recommendations. For example, in
response to the IG's recommendation that the department complete actions
to relocate and consolidate the Central Office's data center, it moved
servers and network hardware to other VA locations. Regarding the
recommendation to research the benefits and costs of deploying intrusion
prevention systems at all sites, the department began installing intrusion
prevention systems at all sites. However, the department has not completed
critical management activities to implement 15 of the 17 recommendations
made by the IG in September 2006, which were carried forward from its
March 2005 report, to appropriately restrict access to data, networks, and
VA facilities; ensure that only authorized changes and updates to computer
programs are made; strengthen critical infrastructure planning to ensure
information security requirements are addressed; and ensure that
background investigations are conducted on all applicable employees and
contractors. To begin addressing these recommendations, VA has drafted
policies and procedures, implemented certain technical solutions, and
relocated data center servers to new locations at VA facilities. However,
according to the department's action plan to remediate weaknesses, all
actions to resolve IG recommendations will not be completed until 2009. A
detailed description of the actions VA has taken or plans to take to
address the IG's 17 recommendations can be found in appendix II.

^15Such a review process and documentation of it are control activities
identified in GAO, Standards for Internal Control in the Federal
Government, [36]GAO/AIMD-00-21 .3.1 (Washington, D.C.: November 1999).

VA has also made some progress in addressing the five recommendations from
the IG's July 2006 report on the investigation of the May laptop theft
incident. However, it has not fully implemented corrective actions. To
begin addressing these recommendations, VA has drafted policies and
procedures and updated its Cyber Security Awareness training course.
However, VA is still in the process of finalizing standard contracting
language to ensure that contractor personnel are held to the same
standards as department personnel; it is also still standardizing all IT
position descriptions and ensuring that they are evaluated, have proper
sensitivity level descriptions, and are consistent throughout the
department. Until these actions are complete, VA has limited assurance
that it has the proper safeguards in place to adequately protect its
sensitive information from inadvertent or deliberate misuse, loss, or
improper disclosure.

By Not Fully Implementing GAO and IG Recommendations, VA Leaves Personal
Information Vulnerable

The need to fully implement GAO and IG recommendations to strengthen
information security practices is underscored by the prevalence of
security incidents involving the unauthorized disclosure, misuse, or loss
of personal information of veterans and other individuals, such as medical
providers. Between December 2003 and April 2006, VA had at least 700
reported security incidents involving the loss of personal information.
For example, one incident in 2003 involved the theft of a laptop
containing personal information on 100 veterans from the home of a VA
employee. In 2004, personal computers that contained data on 2,000
patients were stolen from a locked office in a research facility. In 2005,
information on 897 providers was inappropriately disclosed over VA's
e-mail system. In addition, in 2006, employee medical records were
inappropriately accessed by a VA staff member, and a hacker compromised a
computer system at a medical center supporting 79,000 veterans. All these
incidents were partially attributable to weaknesses in internal controls.

More recently, additional incidents have occurred that, like the earlier
incidents, were partially due to weaknesses in the department's security
controls. In these incidents, which include the May 2006 theft of computer
equipment from an employee's home (discussed earlier) and the theft of
equipment from department facilities, millions of people had their
personal information compromised. Appendix III provides details on a
selection of incidents that occurred between December 2003 and January
2007.

Although VA has made some progress in implementing GAO and IG
recommendations to resolve these weaknesses in security controls, all
actions to resolve these recommendations are not planned to be implemented
until 2009. As a result, VA will be at increased risk that systems, mobile
devices, and information may be exposed to potential data tampering,
disruptions in critical operations, fraud, and the inappropriate
disclosure of sensitive information.

VA Is Undertaking Several Major Initiatives to Strengthen Information Security,
but Implementation Has Shortcomings

VA has begun or continued several major initiatives since the May 2006
security incident to strengthen information security practices and secure
personal information within the department, but more remains to be done.
Since October 2005, VA has been reorganizing its management structure to
provide better oversight and fiscal discipline over its IT systems, and it
has undertaken a series of new initiatives. However, shortcomings with the
implementation of these initiatives limit their effectiveness. For
example, although VA has developed a remedial action plan that includes
tasks to develop, document, revise, or update a policy or program, 87
percent of these do not have an established time frame for implementation
across the department. Unless such shortcomings are addressed, these
initiatives may not effectively strengthen information security practices
at the department.

Realignment of IT Management Structure

An effective IT management structure is the starting point for
coordinating and communicating the continuous cycle of information
security activities necessary to address current risks on an ongoing basis
while providing guidance and oversight for the security of the entity as a
whole. Under FISMA and the Veterans Benefits, Health Care, and Information
Technology Act of 2006, the CIO ensures compliance with requirements of
these laws and designates a senior agency information security officer or
CISO to assist in carrying out his responsibilities. One mechanism
organizations can adopt to achieve effective coordination and
communication is to establish a central security management office or
group to coordinate departmentwide security-related activities.^16 To
ensure that information security activities are effective across an
organization, an IT management structure should also include clearly
defined roles and responsibilities for all security staff and coordination
of responsibilities among individual staff.

The department officially began its effort to provide the CIO with greater
authority over IT in October 2005 by realigning its management
organization to a centralized management structure. By July 2006, a
department contractor began work to assist with the realignment effort.
According to VA, its goals in moving to a centralized management structure
were to provide the department better oversight over the standardization,
compatibility, and interoperability of IT systems, as well as better
overall fiscal discipline. The Secretary approved the department's new IT
organization structure in February 2007. The new structure includes an
Assistant Secretary for Information and Technology (who serves as VA's
CIO), the CIO's Principal Deputy Assistant Secretary, and five Deputy
Assistant Secretaries. Five new senior leadership positions within the
Office of Information and Technology were created to assist the CIO in
overseeing five core IT process areas: cyber security, portfolio
management, resource management, systems development, and operations.
Completion of the realignment is scheduled for July 2008.^17

Under the new IT management structure, responsibility for information
security functions within the department is divided between two core
process areas:

^16This is one of the identified activities described in our 1998 study of
security management practices: GAO, Executive Guide: Information Security
Management--Learning from Leading Organizations, [37]GAO/AIMD-98-68
(Washington, D.C.: May 1998).

^17We recently recommended that VA improve its management of the
realignment effort by dedicating an implementation team to manage change,
expediting development of performance metrics, and establishing a schedule
for implementing management processes. VA agreed with the findings in our
report and generally concurred with the recommendations. GAO, Veterans
Affairs: Continued Focus on Critical Success Factors Is Essential to
Achieving Information Technology Realignment, [38]GAO-07-844 (Washington,
D.C.: June 15, 2007).

           o First, the Director of the Cyber Security Office (part of the
           Information Protection and Risk Management process area) has
           responsibility for developing and maintaining a departmentwide
           security program; overseeing and coordinating security efforts
           across the organization; and managing the development and
           implementation of department security policy, standards,
           guidelines, and procedures to ensure ongoing maintenance of
           security. The Director of Cyber Security is also the designated
           CISO for the department.
           o Second, the Director of the Field Operations and Security Office
           (part of the Enterprise Operations and Infrastructure process
           area) is responsible for implementing security and privacy
           policies, validating compliance with certification and
           accreditation requirements, and managing facility information
           security officers.

In brief, the CISO/Director of Cyber Security is thus responsible for
managing the departmentwide security program, but the Director of the
Field Operations and Security is responsible for implementing it. Figure 1
shows these two offices within the new management structure.

Figure 1: Office of Information and Technology Organization Chart

Note: DAS = Deputy Assistant Secretary.

Although VA has made significant progress in the realignment of its IT
management structure, no documented process yet exists for the two
responsible offices to coordinate with each other in managing and
implementing a departmentwide security program. VA officials indicated
that the Director of Cyber Security and the Director of Field Operations
and Security are communicating about the implementation of security
policies and procedures within the department. However, this communication
is not defined as a role or responsibility for either position in the new
management organization book, nor is there a documented process in place
to coordinate the management and implementation of the security program,
both of which are key security management practices. As a result, policies
or procedures could be inconsistently implemented throughout the
department. Without a consistently implemented departmentwide security
program, the CISO cannot effectively ensure departmentwide compliance with
FISMA. Until the process and responsibilities for coordinating the
management and implementation of IT security policies and procedures
throughout the department are clearly documented, VA will have limited
assurance that the management and implementation of security policies and
procedures are effectively coordinated and communicated.

In addition, the CISO position is currently unfilled, hindering VA's
ability to strengthen information security practices and coordinate
security-related activities within the department. The CISO position has
been vacant since June 2006, and currently, the CIO is the acting CISO of
the department. The department has been attempting to fill the position of
the CISO since October 2006. In addition, the department began trying to
hire staff for other senior positions in March 2007. VA officials have
indicated that the process and procedures they are required to undertake
to hire staff for the positions is quite extensive and takes time to
complete. Nevertheless, until the position of the CISO is filled, the
department's ability to strengthen information security will continue to
be hindered.

Furthermore, the department's directive on its information security
program has not been updated to reflect the new IT realignment structure
for the position of the CISO. Under Directive 6500, the Associate Deputy
Assistant Secretary for Cyber and Information Security is the senior
information security officer or CISO. However, under the new realignment
structure, there is no Associate Deputy Assistant Secretary for Cyber and
Information Security, and instead the Director of Cyber Security is the
CISO. VA officials have said that they intend to revise the directive to
reflect the new management structure, but they did not provide an
estimated time frame for completion. If roles and responsibilities are not
updated or consistent in VA's policies and directives, then communication
and coordination of responsibilities among the department's security staff
may not be sufficient.

Development of Action Plan to Remediate Identified Weaknesses

Action plans to remediate identified weaknesses help departments to
identify, assess, prioritize, and monitor progress in correcting security
weaknesses that are found in information systems. According to OMB's
revised Circular A-123, Management's Responsibility for Internal Control,
departments should take timely and effective action to correct
deficiencies that they have identified through a variety of information
sources. To accomplish this, remedial action plans should be developed for
each deficiency, and progress should be tracked for each.

Following the May 2006 security incident, VA officials began working on an
action plan to strengthen information security controls at the department.
Referred to as the Data Security-Assessment and Strengthening of Controls
Program, the plan was developed over a period of several months, and work
has been completed on some tasks. By the end of January 2007, 20 percent
of the items in the action plan had been completed, and task owners had
been assigned for all items in the plan. As of June 1, 2007, the plan had
at least 400 items to improve security and address weaknesses that the IG
has identified at the department.

On a biweekly basis, the action plan is updated with status updates
provided by the task owners (including the percentage of work completed to
resolve the item), and a new version of the plan is created. The CIO
receives a briefing on each new version of the action plan. Once the new
version is approved by the CIO, the plan is made available to task owners
and other officials at the department. The CIO has also briefed other
senior department officials on the plan and action items.

Although VA's action plan has task owners assigned and is updated
biweekly, department officials have not ensured that adequate progress has
been made to resolve items in the plan. First, in more than a third of
cases, VA has not completed action items by their expected completion
date. Specifically, VA has extended the completion date at least once for
38 percent of the plan items, and it has extended the completion date
multiple times for 6 percent of the items in the plan. The average
extension was about 5 months. In addition, 28 percent of action items that
remained open as of June 1, 2007, had already exceeded the scheduled
completion date, and over half of the work remained to be completed for a
majority of those items. These extensions and missed deadlines can be
attributed in part to VA's not developing, documenting, and implementing
procedures to ensure that action items were addressed in an effective and
timely manner. If weaknesses are not successfully corrected in a timely
manner, VA will continue to lack effective security controls to safeguard
its assets and sensitive information.

Second, a large portion of VA's approach to correcting identified
weaknesses has been focused on establishing policies and procedures: 39
percent of the items in the action plan are to develop and document or
revise and update a policy, a program, or criteria. However, VA has not
established action items for implementing these new or changed policies
and procedures across the department. For 87 percent of action items
related to policies and procedures, the action plan included no
corresponding task with an established time frame for departmentwide
implementation. Developing and documenting policies and procedures are
just the first two steps in remediating identified weaknesses. If there
are no implementation tasks with time frames, VA cannot monitor and ensure
successful implementation. Until VA establishes tasks with time frames to
implement policies and procedures in the plan, it will not be able to
successfully manage its planned actions to correct identified weaknesses.

Third, VA does not have a process in place to validate the closure of
action plan items, that is, to ensure both that task owners have completed
the activities required to sufficiently address action items and also that
there is adequate documentation of these activities. During our review, we
noted the closure of approximately 80 action items that included
activities such as developing a policy or procedure, creating a schedule,
deploying security tools, or updating software. However, according to the
department official responsible for managing the plan, upon review of
these completed items, VA found a number of them lacked support for
closing the item (such as documentation). This official indicated that VA
was developing a process to provide validation of closed action plan
items, but no supporting documentation on the development of this
validation process had been provided. Until VA develops, documents, and
implements a process to validate the closure of action plan items, it will
not be assured that closed action items have been sufficiently addressed.

Fourth, VA's action plan does not identify the activities it is taking to
address our recommendations. In November 2006, the VA official in charge
of managing the plan indicated that although the department had not
previously identified activities being taken to address our
recommendations, it would begin to do so. However, as of June 2007, these
activities had not been identified and tracked in the action plan. As a
result, VA may not be able to adequately monitor its progress in
implementing our recommendations to resolve identified weaknesses. Until
VA identifies the activities it is taking in its action plan to address
our recommendations, it will have limited assurance that progress in
implementing those activities is being adequately monitored.

Establishment of Information Protection Program

VA has developed its Information Protection Program, which is a phased
approach to ensuring that the department has the appropriate software
tools to assist in ensuring the confidentiality, availability, and
integrity of information. During the first phase, VA installed encryption
software on laptops across the department, a task completed in September
2006. In the second phase, the department is undertaking several other
information protection initiatives, including improving the security of
network transmissions and the protection of removable storage devices,
such as the encryption of thumb drives. These initiatives are all
currently being developed and documented.

  Encryption of VA Laptops

One mechanism to enforce the confidentiality and integrity of critical and
sensitive information is the use of encryption. Encryption transforms
plain text into cipher text using a special value known as a key and a
mathematical process known as an algorithm. According to VA Directive
6504, issued in June 2006, approved encryption software must be installed
if an employee uses VA government-furnished equipment or other non-VA
equipment in a mobile environment, such as a laptop or PDA carried out of
a department office or a personal computer in an alternative worksite, and
the equipment stores personal information. The encryption software used
must meet Federal Information Processing Standard 140.^18

According to department officials, by September 2006, the department had
successfully encrypted over 18,000 laptops. The laptops were encrypted
through a combination of two software encryption products, both of which
have been certified as complying with the provisions of Federal
Information Processing Standard 140. Simultaneously, VA developed and
implemented routine laptop "health checks." These checks ensure that all
laptops have applied updated security policies, such as antivirus
software, and will also remove any sensitive information that is not
authorized to be stored on the laptop.

Based on the results of our testing, VA consistently implemented
encryption software at eight VA facilities, with minor exceptions.^19 At
six of the eight facilities, all laptops were encrypted in accordance with
the directive. At the other two facilities, both medical centers, the
directive was not implemented in a small number of cases. At one medical
center, of the 58 laptops tested, 3 should have been encrypted according
to VA's policy but were not. At another medical center, of the 41 laptops
tested, 1 laptop was not encrypted that should have been. In some of these
cases, VHA medical center officials noted that the reference in the
directive to operation in a mobile environment led to ambiguity about
which laptops were required to be encrypted.^20

^18Federal Information Processing Standard 140 is published by National
Institute of Standards and Technology and provides a standard that
specifies the security requirements that will be satisfied by a
cryptographic module used by federal agencies.

^19See appendix I for more details regarding our methodology for testing
the implementation of encryption on laptops. Because of the scope of our
testing of laptop encryption, we could not make a determination of the
effectiveness of VA's effort to implement VA Directive 6504 at all
department facilities.

Although our testing showed sound consistency in this encryption effort,
this and another source of ambiguity in the directive could affect the
department's success in implementing other planned encryption initiatives.
Specifically, Directive 6504 did not provide explicit guidance on whether
to encrypt laptops that were categorized as medical devices, which make up
a significant portion of the population of laptops at VHA facilities.^21
At facilities for patient care, laptops could be categorized both as
equipment that operated in a mobile environment (and thus subject to VA's
encryption directive) and as medical devices (and thus subject to
compliance with other federal guidance that may interfere with following
the encryption directive).^22 At the two medical centers we visited, which
each have over 300 laptops, most laptops were considered medical devices.
When VHA officials contacted the help desk for the encryption initiative,
they were told that these laptops did not need encryption software
installed. However, Directive 6504 had not made this clear, increasing the
challenge to VHA facilities in implementing the encryption initiative.
Without guidance that takes into consideration the environment in which
laptops are used in different VA facilities and that clearly identifies
devices that require encryption functionality, VA may not have assurance
that all facilities in the department will be able to consistently
implement encryption initiatives for all appropriate devices.

^20In contrast, VBA directed that all laptops at each facility be
encrypted regardless of whether or not they operated in a mobile
environment.

^21VA has since hired a contractor to analyze the relationship between the
biomedical and IT functions in the devices to improve the management of
medical devices.

^22The Food and Drug Administration's guidance provides that medical
device software (that is, software that is used as a component or
accessory of a medical device) must be validated by the manufacturer
before it can be used. When any change to the software is made, the change
must be validated; this requirement limits VA's ability to encrypt laptops
that are considered medical devices.

Finally, the department did not maintain an accurate inventory of all
laptops that had been encrypted, nor did it have an inventory of all
laptops within the department. Each VA facility was responsible for
maintaining an inventory of laptops, including what laptops had been
encrypted, but the laptop inventories at four of the eight facilities we
visited were inaccurate. For example, eight laptops listed in the
inventories were not laptops, but scanners, personal computers or other
devices. In some cases, the inventory listed a laptop as encrypted, but
testing revealed that the machine was not encrypted. (The weaknesses
identified with the inventories of laptops are similar to weaknesses
identified in a report we recently issued, which noted significant IT
inventory control weaknesses at VA).^23 Because it did not maintain an
accurate inventory of all equipment that has encryption installed, VA may
not have adequate assurance that all equipment required to be encrypted
has been.

Development of Additional Information Protection Initiatives

As part of its phased approach to acquiring appropriate software tools,
the department is undertaking several information protection initiatives.
For instance, the department is working to secure network transmissions to
prevent user identification, passwords, and data from being transmitted in
clear text. To provide port security and device control, VA is
establishing access permission lists, audit and reporting capabilities,
and lists of approved devices. For the protection of removable storage
media, VA developed and documented Directive 6601, which provides guidance
for use of removable devices, and it is in the process of acquiring
encryption software for thumb drives, external hard drives, and CD-ROM and
DVD drives. VA is also acquiring encryption for mobile devices such as
Blackberries. In addition, the department is establishing a public key
infrastructure and Internet gateway for secure e-mail transmission and
document exchange. These initiatives are in varying stages of development
and have not yet been implemented.

Improvement of Incident Management Capability

Even strong controls may not block all intrusions and misuse, but
organizations can reduce the risks associated with such events if they
take prompt steps to detect and respond to them before significant damage
can be done. In addition, analyses of security incidents can pinpoint
vulnerabilities that need to be eliminated, provide valuable input for
risk assessments, help in prioritizing security improvement efforts, and
be used to illustrate risks and related trends for senior management.
FISMA requires that agencies develop procedures for detecting, reporting,
and responding to security incidents. In addition, OMB Memo M-06-19
requires agencies to report all incidents involving personal identifiable
information to the U.S. Computer Emergency Readiness Team (US-CERT) within
1 hour of discovering the incident.^24

23GAO, Veterans Affairs: Inadequate Controls over IT Equipment at Selected
VA Locations Pose Continuing Risk of Theft, Loss, and Misappropriation,
[39]GAO-07-505 (Washington, D.C.: July 16, 2007), and Veterans Affairs:
Lack of Accountability and Control Weaknesses over IT Equipment at
Selected VA Locations, [40]GAO-07-1100T (Washington, D.C.: July 24, 2007).

  Incident Detection, Reporting, and Response

VA has improved its incident management capability since May 2006 by
realigning and consolidating two centers with responsibilities for
incident management, as well as developing and documenting key policies
and procedures. Following the May 2006 security incident, VA hired a
contractor to assist its Network Operations Center and Security Operations
Center in developing plans for improved coordination between the two
centers and for using a risk management approach to managing incidents. As
part of its findings, the contractor recommended that the two centers be
integrated at the regional and enterprise level. In February 2007, VA
realigned and consolidated the two centers into the Network and Security
Operations Center (NSOC), which is responsible for incident detection or
identification, response, and reporting within the department. NSOC has
also developed and documented a concept of operations for incident
management and call center procedures, and it has developed a new incident
report template to assist VA personnel in reporting incidents to the
center within 1 hour of discovering the incident. Senior management
officials also receive regular reports on security incidents within the
department.

In addition, VA has improved the reporting of incidents involving the loss
of personal information within the department since the May 2006 incident.
Following the incident, the Secretary issued a memorandum requiring all
employees to take security and privacy training by June 30, 2006, as well
as sign a statement of commitment and understanding regarding the handling
of personal information of veterans. An analysis of reported incidents
from 2003 to 2006 showed a significant increase in the reporting of
incidents involving the loss of personal information to NSOC in 2006, as
detailed in table 1. Of the incidents reported in 2006, 77 percent were
reported after May.

^24OMB Memorandum M-06-19, "Reporting Incidents Involving Personally
Identifiable Information and Incorporating the Cost for Security in Agency
Information Technology Investments" (July 12, 2006).

Table 1: Number of Incidents by Type Reported to NSOC from January 2003 to
November 2006

Type of incident involving the loss of personal                            
information                                          2003 2004 2005 2006^a 
Records lost or misplaced                              19   58   41    316 
Records or hardware stolen                              7    9   14     65 
Improper disposal of records                           10   27   10     80 
Unauthorized access                                    60  120  112    255 
Unencrypted e-mails sent                                8   13   16    170 
Unintended disclosure or release                       22   48   24    199 
Total number of incidents                             126  275  217   1085 

Source: GAO analysis of VA data on incidents.

^aNumbers reported are from January 1, 2006, to November 3, 2006.

While the increase in reported incidents shows that the memorandum and
updated security and privacy training are heightening VA employees'
awareness of their responsibility to report incidents involving loss of
personal information, it also indicates that vulnerabilities remain in
security controls designed to adequately safeguard information. To assist
the department in improving its analysis of security incident data, NSOC
merged three incident databases into one to streamline the collection of
incident data gathered within the department. VA also developed a software
tool with a Web-based interface (the Formal Event Review and Evaluation
Tool) to analyze reported incidents and observe trends, and began using
the tool in April 2007.

  Incident Notification

The department has made a notable improvement in its notification of major
security incidents to US-CERT, the Secretary, and Congress since the
incidents in May 2006.^25 However, the time it took to send notification
letters to individuals was increased for some incidents because VA did not
have adequate procedures for incident response and notification. Table 2
presents major security incidents occurring since May 2006, along with the
times taken to make various notifications. As the table shows, delays in
reporting incidents have generally decreased since May 2006.

^25For more details on these incidents at VA, see appendix III.

Table 2: Time Elapsed Between Major Incidents at VA and Notification of
US-CERT, Secretary, Congress, and Individuals (May 2006 to January 2007).

                             Time taken to report or send notification letter
                                       
                                            (in calendar days)
Security      Incident    To        To VA      To                          
incident      date        US-CERT   Secretary  Congress  To individuals    
Computer      May 3, 2006 20 days   13 days    19 days   About a month^a   
equipment                                                                  
stolen from                                                                
VA employee                                                                
home                                                                       
Backup tape   May 5, 2006 42 days   18 days    55 days   159 days          
missing                                                                    
Desktop       August 3,   Same day  1 day      1 day     7 days            
computer      2006                                                         
stolen from                                                                
contractor                                                                 
facility                                                                   
Medical       September   Same day  Same day   Within a  55 days           
device in New 6, 2006                          week                        
York stolen                                                                
External hard January 22, Same day  1 day      11 days   49 days           
drive stolen  2007                                       (individuals); 85 
at Birmingham                                            days (medical     
facility                                                 providers)        

Source: GAO analysis of VA data.

^aBecause of the volume of letters that were sent out, notification
letters were sent out over a period of time during the month of June 2006.

Coordination with other agencies. In the incident in Birmingham in January
2007, medical provider and physician information from the Centers for
Medicare & Medicaid Services of the Department of Health and Human
Services was lost, requiring VA to coordinate with this department to
respond to the incident. At the time of the incident, VA had drafted
interim procedures for incident response, including notifying individuals
affected by security incidents.^26 These draft procedures described steps
to be taken to respond to incidents involving the loss of information on
veterans. However, they did not include processes for coordinating
incident response and mitigation activities with other agencies. This
contributed to the fact that it took more time to determine the risks to
medical providers, who were not notified until 85 days after the incident.

^26VA drafted these interim procedures to comply with the Veterans
Benefits, Health Care, and Information Technology Act of 2006, which
required VA to draft regulations for security incident notification and
publish these in the Federal Register for public comment for 60 days.
Until the regulation could be finalized, VA followed its interim
procedures.

To address the coordination issue, VA revised its interim procedures to
indicate that incident response teams will work with other federal
agencies and teams as needed to contract for independent analyses of the
risk associated with compromise of the particular data involved. In March
2007, VA approved these revised interim procedures. However, the approved
procedures are limited to contracting for risk analyses and do not
incorporate processes for coordinating with other federal agencies on
other appropriate mitigation activities. For example, although the
procedures allow for the offer of credit monitoring to affected
individuals, they do not address mitigating other types of risks, such as
potential fraudulent claims for payment under Medicare, which were a
potential risk for the Birmingham incident. Credit monitoring would not
address this risk. Other coordination and mitigation activities may be
needed, such as alerting the Centers for Medicare & Medicaid Services to
the possibility of fraudulent claims involving specific providers to
adequately address this potential risk or other risks, different from
those experienced to date.

Obtaining up-to-date contact information. VA's procedures for incident
response and notification do not include mechanisms for obtaining contact
information on individuals (when necessary), which can also cause delays
in sending out notification letters to individuals. A VA official noted
that notification letters to individuals could be delayed, depending on
whether the department could locate complete address information for the
affected individuals and on the number of letters that must be sent. Such
delays occurred in the case of the missing backup tape in May 2006 (when
159 days passed before notification letters were sent). The data and
number of records that were on the backup tape were not immediately known,
and the address information of veterans whose data were compromised in the
incident had to be researched. Our recent report noted that agencies faced
challenges in identifying address information for individuals affected by
security incidents and that mechanisms should be in place to obtain
contact information on individuals.^27 However, VA's draft and approved
interim procedures do not include a mechanism for obtaining such contact
information. As a result, the department's response to incidents could be
delayed when the compromised data do not include complete and accurate
contact information (or there is uncertainty about the data).

^27GAO, Privacy: Lessons Learned about Data Breach Notification,
[41]GAO-07-657 (Washington, D.C.: Apr. 30, 2007).

Risk analysis. As mentioned earlier, VA asked the Department of Health and
Human Services to conduct an independent risk analysis on the provider
data loss in the January 2007 incident in Birmingham; this analysis showed
that there was a high risk that the loss of personal information could
result in harm to the individuals concerned. Conducting such risk analyses
after incidents is a recommended procedure, since appropriate incident
response and notification depend on determining the level of risk
associated with the particular information that is compromised.^28 In
addition, conducting periodic risk assessments before an incident occurs
facilitates a rapid response, by enabling the development of mitigation
activities and appropriate coordination for potential data losses.
Assessments of both systems and the information they contain are
important, particularly information with a high potential risk for
inappropriate use or fraud. However, VA is still in the process of
finalizing and approving its guidance for completing risk assessments on
VA's systems. As a result, the department does not have a current
assessment of risk for the information located at its facilities and in
its information systems, which could affect the coordination and
mitigation activities that are developed by the department to respond to
potential data losses. Until VA assesses the risk for information located
at its facilities and in its information systems and uses this assessment
to develop and document mitigation activities and appropriate coordination
for potential data losses (particularly high-risk losses), it may not be
able to adequately address potential risks associated with loss of
sensitive information at its facilities and on its systems.

Additional VA actions. VA has taken additional actions to improve incident
response and notification. In February 2007, VA chartered the Incident
Resolution Team Structure, a group of officials from organizations within
the department who are responsible for responding to incidents and
handling notification requirements at the national, regional, and local
levels. This action was in response to an OMB memorandum issued in
September 2006, which recommended that all departments and agencies
develop a core management group responsible for incident response to
losses of personal information, as well as a response plan for notifying
individuals affected by security incidents. Roles and responsibilities
within the Incident Resolution Team Structure are organized according to
the level of activity, the nature of the incident, and how the incident is
categorized based on risk levels. VA also uses the Formal Event Review and
Evaluation Tool to determine what the risk category of a security incident
should be, based on the severity of the incident.

^28We and the IG have issued reports that make recommendations for
conducting risk assessments of high risk data for identity theft and
determining if credit monitoring services or other appropriate services
should be offered. See GAO, Privacy: Lessons Learned about Data Breach
Notification, [42]GAO-07-657 (Washington, D.C.: Apr. 30, 2007); Department
of Veterans Affairs Office of Inspector General, Administrative
Investigation Loss of VA Information VA Medical Center Birmingham, AL,
Report No. 07-01083-157 (Washington, D.C.: June 29, 2007).

VA has also recently developed, with contractor assistance, interim
regulations for security incident notification, data mining, fraud alerts,
data breach analysis (that is, risk analysis of security incidents),
credit monitoring, identity theft insurance, and credit protection
services, as required under the Veterans Benefits, Health Care, and
Information Technology Act of 2006. These interim regulations were
approved by OMB and became effective on June 22, 2007.

Establishment of Office of IT Oversight and Compliance

According to Standards for Internal Control in the Federal Government,^29
internal controls at agencies should generally be designed to ensure that
ongoing monitoring occurs in the course of normal operations. The
methodology for evaluating an agency's internal controls should be logical
and appropriate and may include assessments using checklists or other
tools, as well as a review of the control design and direct testing of the
internal control. The evaluation team should develop a plan for the
evaluation process to ensure a coordinated effort, analyze the results of
evaluation against established criteria, and ensure that the process is
properly documented. The agency should also ensure that corrective action
is taken within established time frames and is followed up on to verify
implementation.

In an effort to promote internal controls within VA's computer
environment, VA has consolidated a number of IT compliance programs under
one organization, the Office of IT Oversight and Compliance (ITOC). This
office was established in January 2007. Previously, the Review and
Inspection Division was responsible for conducting facility assessments
and validating information entered into a database in response to VA's
annual FISMA self-assessment survey. The division was incorporated into
the ITOC, which is now responsible for providing independent, objective,
and quality oversight and compliance services in the areas of cyber
security, records management, and privacy. It is also responsible for
conducting assessments of VA's facilities that (1) determine the adequacy
of internal controls; (2) investigate compliance with laws, policies, and
directives from VA and external organizations; and (3) ensure that proper
safeguards are maintained. The results of these assessments are reported
directly to the CIO and responsible supervisors at the facilities. The
ITOC recommends corrective actions to remediate identified issues where
necessary and also makes available a remediation team to assist the
facility in addressing any recommendations. In January 2007, the ITOC
began conducting assessments at facilities and by June 2007 had conducted
34 assessments. According to the Director of the ITOC, it recently became
fully staffed with 127 personnel and will begin to conduct 12 to 18
assessments per month. VA facilities will be assessed every 3 years.

^29GAO, Standards for Internal Control in the Federal Government,
[43]GAO/AIMD-00-21 .3.1 (Washington, D.C.: November 1999). GAO also issued
a management evaluation tool to assist agencies in maintaining or
implementing effective internal control. See GAO, Internal Control
Management and Evaluation Tool, [44]GAO-01-1008G (Washington, D.C.: August
2001).

Although the ITOC was formed to identify security weaknesses and ensure
compliance with federal law and department policy, its approach to
conducting assessments does not include basic elements necessary for
evaluating and monitoring controls. For example, although the ITOC
developed a checklist to conduct facility assessments, ^30 it did not
develop a standard methodology for analysts to use when evaluating
internal controls against the checklist, or specific criteria for each
checklist item. As a result, the office lacks a process to ensure that its
examination of internal controls is consistent across VA facilities. In
addition, although the Director of the ITOC indicated that the assessment
team recommendations to facilities are tracked in a database, no
supporting documentation was provided. Further, according to the standards
for internal control, organizations should follow up to ensure that
corrective active is taken. However, the ITOC follows up to see if
recommendations have been implemented only when a site is re-inspected. As
a result, the office has no timely mechanism in place to ensure that its
recommendations have been addressed. Until there are a standard
methodology and established criteria for evaluating internal controls at
facilities, as well as a mechanism in place to track recommendations and
conduct regular follow-up on their status, VA will have limited assurance
that its process for assessing its statutory and regulatory compliance and
the effectiveness of its internal controls process is adequate and
consistent across its facilities.

^30The checklist is based on existing National Institute of Standards and
Technology checklists and incorporates an assessment of internal controls
and adherence to federal laws and VA policies.

Conclusions

Effective information security controls are critical to securing the
information systems and information on which VA depends to carry out its
mission. GAO and IG recommendations to address long-standing weaknesses
within the department have not yet been fully implemented, nor is the
implementation of the IG recommendations expected to be completed in the
near future. Consequently, there is an increased risk that personal
information of veterans and other individuals, such as medical providers,
will be exposed to potential data tampering, disruptions in critical
operations, fraud, and the inappropriate disclosure of sensitive
information. Until VA addresses recommendations to resolve identified
weaknesses, it will have limited assurance that it can adequately protect
its systems and information.

Although VA has begun or continued several initiatives to strengthen
information security practices within the department, the shortcomings
with the implementation of these initiatives could limit their
effectiveness. If the department develops and documents processes,
policies, and procedures; fills a key position and completes the
implementation of major initiatives, then it will help ensure that these
initiatives strengthen information security practices within the
department. Sustained management commitment and oversight are vital to
ensure the effective development, implementation, and monitoring of the
initiatives that are being undertaken. Such involvement and oversight are
critical to providing VA with a solid foundation for resolving
long-standing information security weaknesses and continuously managing
information security risks.

Recommendations for Executive Action

To assist the department in improving its ability to protect its
information and systems, we are recommending the Secretary of Veterans
Affairs take the following 17 actions:

           o Finalize and approve Handbook 6500 to provide guidance for
           developing, documenting, and implementing the elements of the
           information security program.
           o Develop, document, and implement a process for reviewing on a
           regular basis the performance plans of senior executives to ensure
           that information security is included as an evaluation element.

           o Develop, document, and implement a process for the Director of
           Field Operations and Security and Director of Cyber Security to
           coordinate with each other on the implementation of IT security
           policies and procedures throughout the department.

           o Document clearly defined responsibilities in the organization
           book for the Director of Field Operations and Security and the
           Director of Cyber Security for coordinating the implementation of
           IT security policies and procedures within the department.

           o Act expeditiously to fill the position of the Chief Information
           Security Officer.

           o Revise Directive 6500 to reflect the new IT management structure
           and to ensure that roles and responsibilities are consistent in
           all VA IT directives.

           o Develop, document, and implement procedures for the action plan
           to ensure that action items are addressed in an effective and
           timely manner.

           o Establish tasks with time frames for implementation of policies
           and procedures in the action plan.

           o Develop, document, and implement a process to validate the
           closure of action plan items.

           o Include in the action plan the activities taken to address GAO
           recommendations.

           o Develop, document, and implement clear guidance for identifying
           devices that require encryption functionality.

           o Maintain an accurate inventory of all IT equipment that has
           encryption installed.

           o Develop and document procedures that include a mechanism for
           obtaining contact information on individuals whose information is
           compromised in security incidents.

           o Conduct an assessment of what constitutes high-risk data for the
           information located at VA facilities and in information systems.

           o Develop and document a process for appropriate coordination and
           mitigation activities based on the assessment above.

           o Develop, document, and implement a standard methodology and
           established criteria for evaluating the internal controls at
           facilities.

           o Establish a mechanism to track ITOC recommendations made to
           facilities and conduct regular follow-up on the status of the
           recommendations.

Agency Comments and Our Evaluation

We received written comments on a draft of this report from the Deputy
Secretary of Veterans Affairs (these are reprinted in appendix IV). The
Deputy Secretary generally agreed with our findings and recommendations
and stated that VA has already implemented or is working to implement all
17 recommendations. Additionally, the Deputy Secretary stated that the
consolidation of all IT operations and maintenance under VA's Chief
Information Officer will enhance the department's information security
program, as well as correct long-standing deficiencies.^31

In his comments, the Deputy Secretary also noted that the recommendation
related to information security as an evaluation element in senior
executive performance plans has already been implemented and that the
recruitment announcement to fill the position of Chief Information
Security Officer closed on July 27, 2007. He further stated that VA's
Directive 6500, issued in August 2006, remains valid. However, as
mentioned in our report, Directive 6500 was not updated to reflect the new
IT realignment structure that was approved by the Secretary in February
2007 and roles and responsibilities should be consistent in all department
policies and directives. The Deputy Secretary also discussed some of the
activities that were underway to implement our recommendations.

^31The Deputy Secretary also stated that VA considers its information
security practices, as implemented before the May 2006 incident, as
legally adequate, referring to the Government's response to litigation
concerning the incident. However, our review did not assess the legal
adequacy of the Department's safeguards in satisfying the Privacy Act, the
statute involved in the litigation and to which the Deputy Secretary
referred.

In the draft report that was provided for comment, we indicated that VA
had not implemented any of the IG's 22 recommendations to improve
information security. We have since received new information and have
updated the report to reflect that VA has now implemented 2 of the 22 IG
recommendations.

As agreed, unless you publicly announce the contents of this report
earlier, we plan no further distribution until 30 days from the report
date. At that time, we are sending copies of this report to interested
congressional committees; the Secretary of Veterans Affairs; and other
interested parties. We will also make copies available to others upon
request. In addition, the report will be available at no charge on the GAO
Web site at [45]www.gao.gov .

If you have any questions regarding this report, please contact me at
(202) 512-6244 or by e-mail at [email protected]. Contact points for our
Offices of Congressional Relations and Public Affairs may be found on the
last page of this report. Key contributors to this report are listed in
appendix V.

Gregory C. Wilshusen
Director, Information Security Issues

List of Requesters

The Honorable Harry Reid
Majority Leader
United States Senate

The Honorable Daniel K. Akaka
Chairman
Committee on Veterans' Affairs
United States Senate

The Honorable Bob Filner
Chairman
Committee on Veterans' Affairs
House of Representatives

The Honorable Hillary Rodham Clinton
United States Senate

The Honorable Byron L. Dorgan
United States Senate

The Honorable Joseph I. Lieberman
United States Senate

The Honorable Patty Murray
United States Senate

The Honorable Barack Obama
United States Senate

The Honorable John D. Rockefeller IV
United States Senate

The Honorable Ken Salazar
United States Senate

The Honorable Charles E. Schumer
United States Senate

Appendix I: Objectives, Scope, and Methodology

Our objectives were to evaluate (1) whether the Department of Veterans
Affairs (VA) has effectively addressed GAO and VA Office of Inspector
General (IG) recommendations to strengthen its information security
practices and (2) actions VA has taken since the May 2006 security
incident to strengthen its information security practices and secure
personal information. In doing this work, we analyzed relevant
documentation including policies, procedures, and plans, and interviewed
key department officials in Washington, D.C., to identify and assess VA's
progress in implementing recommendations and federal legislation to
strengthen its information security practices. We also drew on previous
GAO reports and testimonies, as well as on expert opinion provided in
congressional testimony and other sources. We used certain applicable
federal laws, other requirements, and guidelines, including Office of
Management and Budget (OMB) memorandums, in assessing whether the
Department's actions and initiatives can help ensure departmental
compliance.

For the first objective, we evaluated VA's actions to address GAO and VA
IG recommendations, respectively in our 2002 report and in the IG's July
2006 and September 2006 reports. To review VA's history of implementation
efforts, we examined GAO reports, testimony from recent congressional
hearings made by GAO and IG staff, as well as reports by the VA IG. To
determine the implementation status of open GAO recommendations, we
analyzed pertinent security policies, procedures, and plans and met with
officials from VA to gather information on the department's actions to
address the recommendations. To determine the implementation status of
open IG recommendations we met with officials from the VA IG Office of
Audit to discuss the status of these recommendations and met with VA
officials to learn what actions had been taken or were planned to take to
fully address the recommendations.^1 The VA IG concurred with the status
information provided.

For the second objective, we evaluated VA's actions to strengthen its
information security practices to comply with federal guidance, including
recent OMB memorandums. We met with department officials to gather
information on what initiatives VA had undertaken or planned to undertake
to improve its information security practices. For each initiative, we
obtained and analyzed supporting documentation and met with department
officials responsible for the implementation of the initiatives to assess
the extent to which the department had complied with federal requirements
and other guidelines. In addition, we also performed audit procedures to
determine the extent to which VA has installed encryption functionality on
its laptop computers. Our detailed scope and methodology for the laptop
encryption testing are below.

^1The IG evaluated VA's actions in addressing recommendations made by the
IG as part of their annual FISMA review during fiscal year 2006.

Laptop Encryption Testing

We examined 248 laptops at eight locations to determine whether encryption
software had been installed on a selection of laptops as indicated by VA.

  Selection of Locations

We selected the locations to be visited based on (1) the type of
facility^2 and (2) number of facilities available to be tested in a
geographic area. We identified different facility types in proximity to
each other and to GAO offices. Clinics and cemeteries were excluded from
the selection because the number of laptops at these locations would be
quite small. We also selected a Research Enhancement Award Program
location based on an incident in January 2007 involving this type of
location. On the basis of the criteria listed above, we selected the
following eight facilities: Baltimore Regional Office, Chicago Regional
Office, Denver Health Administration Center, Denver Regional Office,
Denver Research Enhancement Award Program, Hines Data Center, Hines
Medical Center and the Washington, D.C., Medical Center.

  Selection of Laptops

At each location, we obtained an inventory or population of "in use"
laptops. We examined every laptop in the population that was available for
review at the Baltimore Regional Office, Chicago Regional Office, Denver
Research Enhancement Award Program, and the Hines Data Center because of
the relatively small number of laptops in the population. We selected
random samples of laptops with the intent of projecting the results to
each population at the Denver Health Administration Center, Denver
Regional Office, Hines Medical Center, and Washington, D.C., Medical
Center.^3

2The types of VA facilities include central and regional offices, data
centers, medical centers, clinics, Research Enhancement Award Program
offices, and cemeteries.

^3With these probability samples, each laptop had a known, nonzero
probability of being selected.

  Testing of Laptops

We conducted testing of encryption implementation on laptops at select VA
facilities to determine whether the department's laptops were in
compliance with VA Directive 6504 which stated that if a laptop was in a
mobile environment and contained sensitive information that it be
encrypted using approved software that is validated against National
Institute of Standards and Technology standards. We also tested laptops at
the two medical facilities to see whether the laptops should be encrypted
according to the facility inventory because multiple inventories were
received from these locations. In addition, we tested the laptops at the
two medical facilities to see whether the laptop was considered a medical
device based on the definition of medical devices provided to us by VA. At
each location there were a small number of laptops that were unavailable
to us to be tested. Department officials cited several reasons for this,
including that the laptop had been turned in to be disposed of or
discarded according to VA policy, had a hard drive failure, or could not
be brought in to the site for testing. In table 3, the "laptops tested"
column represents the number of laptops the team was able to test.

Table 3: Number of Laptops Tested at Select VA Facilities

Location                              Laptops in population Laptops tested 
Baltimore Regional Office                                18             15 
Chicago Regional Office                                  27             23 
Denver Health Administration Center                      82             37 
Denver Regional Office                                   42             27 
Denver Research Enhancement Award                        25             21 
Program                                                                    
Hines Data Center                                        29             26 
Hines Medical Center                                    313             41 
Washington, D.C., Medical Center                        357             58 
Total                                                   893            248 

Source: GAO analysis.

  Analysis of Results

For all four locations where every laptop in the population was tested, we
used the results of our test to determine whether the directive had been
consistently implemented. For the Denver Health Administration Center and
the Denver Regional Office, our sample results allowed us to estimate with
95 percent confidence that at least 93 percent of the laptops would have
consistently implemented the directive.^4 On the basis of these results,
we concluded that at these six sites, VA had consistently implemented its
directive. For the Hines Medical Center and the Washington, D.C., Medical
Center, the results of our tests indicated that VA's directive had not
been consistently implemented for one laptop and three laptops at these
facilities respectively.

We performed our work at VA headquarters in Washington, D.C., and at the
selected VA facilities listed above, in accordance with generally accepted
government auditing standards, from November 2006 through August 2007.

^4Because we selected a sample of laptops from these locations, our
results are estimates of the populations and thus are subject to sample
errors that are associated with samples of this size and type. Our
confidence in the precision of the results from this sample is expressed
in 95 percent confidence intervals, which are expected to include the
actual results in 95 percent of the samples of this type.

Appendix II: Status of Prior VA IG Recommendations

This appendix includes the actions the Department of Veterans Affairs (VA)
has taken or is planning to take to address 17 recommendations related to
Federal Information Security Management Act related findings made by the
VA Office of Inspector General (IG)^1 as reported to us by the completion
of our review in August 2007.

Table 4: Status of 17 VA IG Recommendations Related to FISMA Findings

VA IG recommendations         Status   Actions taken or planned            
Implement a centralized       Open     The new organization structure was  
information technology (IT)            approved by the Secretary in        
management approach; apply             February 2007. Business processes   
appropriate resources;                 and IT governance are to be         
establish, clarify, and                developed following the approval.   
modify IT policies and                 VA is also in the process of        
procedures pursuant to                 developing policies and procedures  
organizational changes; and            for the organizational changes,     
implement and enforce                  including a department strategic    
security controls.                     plan, and incorporating security    
                                          into capital planning and           
                                          investment control processes and    
                                          information security officer        
                                          management and operating            
                                          procedures. Of these, the majority  
                                          were supposed to be finished by     
                                          June 2007 but are still in the      
                                          midst of completion.                
Develop and implement         Open     VA will complete its implementation 
solutions for the                      of a patch management program by    
establishment of a patch               the end of December 2009, including 
management program.                    the development of a central patch  
                                          management policy and establishing  
                                          a patch management configuration    
                                          standard.                           
Identify and implement        Open     VA is developing criteria for       
solutions for resolving                authorizing access to IT systems    
access control                         and a directive on access controls, 
vulnerabilities, ensure                both of which are scheduled to be   
segregation of duties, remind          completed in August 2007. VA is     
all sites to confirm virus             also making enhancements to its     
protection files are updated           antivirus program, planned to be    
prior to authorizing                   completed in March 2008.            
connection to their networks,                                              
and resolve all self-reported                                              
access control weaknesses.                                                 
Review and update all         Open     VA is refining and standardizing IT 
applicable position                    position descriptions, updating     
descriptions to better                 risk designations, and revising the 
describe sensitivity ratings,          table of penalties (includes        
better document employee               examples of disciplinary action for 
personnel records and                  violations). Of these activities,   
contractor files to include            all have missed their deadline for  
signed "Rules of Behavior"             completion and work still remains   
instructions, annual                   to be performed. VA will also       
certifications of veterans'            conduct a review to ensure the      
statuses, annual privacy and           position descriptions that are      
Health Insurance Portability           being refined and updated are       
and Accountability Act                 consistent across the department.   
training certifications, and           This will be undertaken in October  
position sensitivity level             2008.                               
designations.                                                              
Timely request the            Open     VA is in the process of completing  
appropriate level of                   any additional background           
background investigations on           investigations that may be needed.  
all applicable employees and           VA is also implementing the use of  
contractors. Additionally,             an Office of Personnel              
monitor and ensure timely              Management-sponsored system that    
requests for reinvestigations          will allow electronic completion    
on all applicable employees            and submission of all personnel     
and contractors.                       investigation forms for completion  
                                          of the investigations. This was     
                                          scheduled to be completed in May    
                                          2007 but work has not yet begun on  
                                          the task.                           
Provide the IG with the       Closed^a VA is also in the process of        
results of researching the             installing a host-based intrusion   
benefits and costs of                  prevention system for its servers   
deploying intrusion                    as both prudent and necessary       
prevention systems at all              without a cost benefit analysis and 
sites.                                 that they will be replacing         
                                          intrusion detection system          
                                          equipment with intrusion prevention 
                                          system equipment.                   
Continue efforts to           Open     VA is developing a Critical         
strengthen critical                    Infrastructure Protection Plan that 
infrastructure planning,               is planned for completion in        
complete the Infrastructure            January 2008. VA is also planning   
Protection Plan, and ensure            to acquire an IT asset tracking     
infrastructure planning                system; utilizing the system, it    
addresses other information            will inventory all IT equipment     
security requirements.                 throughout the department. These    
                                          activities have not yet begun but   
                                          are scheduled for completion in     
                                          October 2009.                       
Collaboratively test          Open     The department is currently         
Information Technology                 developing a network and security   
Centers' continuity of                 operations center continuity of     
operations plans in a joint            operations plan but the completion  
effort with all tenant groups          deadline of March 2007 has been     
(Veterans Health                       missed and work still remains. VA   
Administration (VHA),                  is also developing a directive for  
Veterans Benefits                      contingency planning that is        
Administration (VBA),                  scheduled to be completed in August 
National Cemetery                      2007.                               
Administration, and other                                                  
program offices) to ensure                                                 
that backup sites will                                                     
support all mission related                                                
operations, and report test                                                
results to the IG for further                                              
review.                                                                    
Address all self-reported     Open     VA is currently in the process of   
deficiencies identified as             developing criteria for system      
the result of completed                control testing, and this process   
certification and                      is scheduled to be completed in     
accreditation's and related            August 2007. VA is also reviewing   
review work.                           its guidance on certification and   
                                          accreditation and will conduct      
                                          recertification of all its systems, 
                                          including its regional data         
                                          centers, in the summer of 2008.     
Determine the extent to which Open     VA is currently enhancing controls  
uncertified Internet gateways          at network boundaries, though the   
continue to exist, and take            completion deadline of June 2007    
actions to terminate and               has been missed. It is also         
upgrade external connections           developing a process to require     
susceptible to inappropriate           authorization prior to connecting   
access.                                to non-VA systems that is planned   
                                          to be completed in October 2007.    
Improve configuration         Open     VA is currently developing criteria 
management practices by                for documenting and controlling     
identifying, replacing, or             information system changes, and     
justifying the continuance of          procedures for enforcing access     
older operating systems that           restrictions on the ability to      
are vulnerable to security             change a system. It is also         
breaches.                              upgrading its systems to Windows XP 
                                          and work is expected to be          
                                          completed by September 2007. The    
                                          department also plans to develop a  
                                          national change control policy,     
                                          though work has not yet begun.      
Complete actions to relocate  Closed^a VA completed activities to move and 
and consolidate VA Central             consolidate the VA Central Office   
Office's Data Center.                  data center by relocating servers   
                                          and network hardware to other VA    
                                          locations.                          
Develop and implement VA-wide Open     VA is currently working on          
application program/operating          improving application and operating 
system change control                  system change controls and          
procedures to ensure                   establishing an enterprise change   
consistent documentation and           control board. Both activities are  
authorization practices are            planned to be completed in December 
deployed at all facilities.            2007.                               
Strengthen physical access    Open     VA is currently in the process of   
controls to correct                    developing a directive for physical 
previously reported physical           and environmental protection; this  
access control deficiencies            process is planned for completion   
and develop consistent                 in August 2007. It is in the        
standardized physical access           process of restricting physical     
control requirements,                  access to computer rooms, though    
policies, and guidelines               work was scheduled to be completed  
throughout VA.                         in January 2007.                    
Reduce wireless security      Open     VA is in the process of             
vulnerabilities by ensuring            establishing regular update         
sites have an effective and            mechanisms for security             
up-to-date methodology to              configuration on those devices,     
protect the interception of            though actions were planned for     
wireless signals and                   completion by May 2007. VA is also  
accessing the network.                 developing standards for            
Additionally, ensure the               restricting the use of mobile and   
wireless network is segmented          portable devices that are planned   
and protected from the wired           for completion in August 2007.      
network.                                                                   
Identify and deploy solutions Open     VA announced that it had encrypted  
to encrypt sensitive data and          18,000 laptops by September 15,     
resolve clear text protocol            2006. VA is currently developing    
vulnerabilities.                       management criteria for public key  
                                          infrastructure tokens and criteria  
                                          for revoking or changing the tokens 
                                          and standards for transporting      
                                          media outside of VA, though work    
                                          was scheduled for completion by     
                                          July 2007.                          
Conduct validation tests in   Open     VA is currently working to enhance  
conjunction with remediation           the Security Management and         
efforts to ensure all                  Reporting Tool database with        
information and data retained          modules for certification and       
in the Security Management             accreditation, risk management, and 
and Reporting Tool database            reviews and inspections, this work  
is accurate, complete, and             was scheduled for completion in     
reliable.                              June 2007, though work remains to   
                                          be completed.                       

Source: GAO analysis of VA action plan.

aThe VA IG stated that VA's actions to resolve this recommendation are
sufficient to close the recommendation.

^1Department of Veterans Affairs Office of Inspector General, FY2005 Audit
of VA Information Security Program, Report No. 05-00055-216 (Washington,
D.C.: Sept. 20, 2006).

Appendix III: Information on Selected Security Incidents at VA from
December 2003 to January 2007

The Department of Veterans Affairs (VA) had at least 1500 security
incidents reported between December 2003 and January 2007 which included
the loss of personal information. Below is additional information on a
selection of incidents, including all publicly reported incidents
subsequent to May 3, 2006, that were reported to the department during
this period and what actions it took to respond to these incidents. These
incidents were selected from data obtained from VA to provide illustrative
examples of the incidents that occurred at the department during this
period.

           o December 9, 2003: stolen hard drive with data on 100 appellants.
           A VA laptop computer with benefit information on 100 appellants
           was stolen from the home of an employee working at home. As a
           result, the agency office was going to recall all laptop computers
           and have encryption software installed by December 23, 2003.

           o November 24, 2004: unintended disclosure of personal
           information. A public drive on a VA e-mail system permitted entry
           to folders/files containing veterans' personal information (names,
           Social Security numbers, dates of birth, and in some cases
           personal health information such as surgery schedules, diagnosis,
           status, etc.) by all users after computer system changes made. All
           folders were restricted, and individual services were contacted to
           set up limited access lists.

           o December 6, 2004: two personal computers containing data on
           2,000 patients stolen. Two desktop personal computers were stolen
           from a locked office in a research office of a medical center. One
           of the computers had files containing names, Social Security
           numbers, next of kin, addresses, and phone numbers of
           approximately 2,000 patients. The computers were password
           protected by the standard VA password system. The medical center
           immediately contacted the agency Privacy Officer for guidance.
           Letters were mailed to all research subjects informing them of the
           computer theft and potential for identity theft. VA enclosed
           letters addressed to three major credit agencies and postage paid
           envelopes. This incident was reported to VA and federal incident
           offices.

           o March 4, 2005: list of 897 providers' Social Security numbers
           sent via e-mail. An individual reported e-mailing a list of 897
           providers' names and Social Security numbers to a new
           transcription company. This was immediately reported, and the
           supervisor called the transcription company and spoke with the
           owner and requested that the file be destroyed immediately.
           Notification letters were sent out to all 897 providers.
           Disciplinary action was taken against the employee.
           o October 14, 2005: personal computer containing data on 421
           patients stolen. A personal computer that contained information on
           421 patients was stolen from a medical center. The information on
           the computer included patients' names; the last four digits of
           their Social Security numbers; and their height, weight,
           allergies, medications, recent lab results, and diagnoses. The
           agency's Privacy Officer and medical center information security
           officer were notified. The use of credit monitoring was
           investigated, and it was determined that because the entire Social
           Security number was not listed, it would not be necessary to use
           these services at the time.

           o February 2, 2006: inappropriate access of VA staff medical
           records. A VA staff member accessed several coworkers' medical
           records to find date of birth. Employee information was
           compromised and several records were accessed on more than one
           occasion. No resolution recorded.

           o April 11, 2006: suspected hacker compromised systems with
           employee's assistance. A former VA employee is suspected of
           hacking into a medical center computer system with the assistance
           of a current employee providing rotating administrator passwords.
           All systems in the medical center serving 79,000 veterans were
           compromised.

           o May 5, 2006: missing backup tape with sensitive information on
           7,052 individuals. An office determined it was missing a backup
           tape containing sensitive information. On June 29, 2006, it was
           reported that approximately 7,052 veterans were affected by the
           incident. On October 11, 2006, notification letters were mailed,
           and 5,000 veterans received credit protection and data breach
           analysis for 2 years.

           o August 3, 2006: desktop computer with approximately 18,000
           patient financial records stolen. A desktop computer was stolen
           from a secured area at a contractor facility in Virginia that
           processes financial accounts for VA. The desktop computer was not
           encrypted. Notification letters were mailed and credit monitoring
           services offered.

           o September 6, 2006: laptop with patient information on an unknown
           number of individuals stolen. A laptop attached to a medical
           device at a VA medical center was stolen. It contained patient
           information on an unknown number of individuals. Notification
           letters and credit protection services were offered to 1,575
           patients.

           o January 22, 2007: external hard drive with 535,000 individual
           records and 1.3 million non-VA physician provider records missing
           or stolen. An external hard drive used to store research data with
           535,000 individual records and 1.3 million non-VA physician
           provider records was discovered missing or stolen from a research
           facility in Birmingham, Alabama. Notification letters were sent to
           veterans and providers, and credit monitoring services were
           offered to those individuals whose records contained personally
           identifiable information.

Appendix IV: Comments from the Department of Veterans Affairs

Appendix V: GAO Contact and Staff Acknowledgments

GAO Contact

Gregory C. Wilshusen, (202) 512-6244 or [email protected]

Staff Acknowledgments

In addition to the individual named above, key contributions to this
report were made by Charles Vrabel (Assistant Director), James Ashley,
Mark Canter, Barbara Collier, Mary Hatcher, Valerie Hopkins, Leena Mathew,
Jeanne Sung, and Amos Tevelow.

(310583)

GAO's Mission

The Government Accountability Office, the audit, evaluation and
investigative arm of Congress, exists to support Congress in meeting its
constitutional responsibilities and to help improve the performance and
accountability of the federal government for the American people. GAO
examines the use of public funds; evaluates federal programs and policies;
and provides analyses, recommendations, and other assistance to help
Congress make informed oversight, policy, and funding decisions. GAO's
commitment to good government is reflected in its core values of
accountability, integrity, and reliability.

Obtaining Copies of GAO Reports and Testimony

The fastest and easiest way to obtain copies of GAO documents at no cost
is through GAO's Web site ( [46]www.gao.gov ). Each weekday, GAO posts
newly released reports, testimony, and correspondence on its Web site. To
have GAO e-mail you a list of newly posted products every afternoon, go to
[47]www.gao.gov and select "Subscribe to Updates."

Order by Mail or Phone

The first copy of each printed report is free. Additional copies are $2
each. A check or money order should be made out to the Superintendent of
Documents. GAO also accepts VISA and Mastercard. Orders for 100 or more
copies mailed to a single address are discounted 25 percent. Orders should
be sent to:

U.S. Government Accountability Office 441 G Street NW, Room LM Washington,
D.C. 20548

To order by Phone: Voice: (202) 512-6000
TDD: (202) 512-2537
Fax: (202) 512-6061

To Report Fraud, Waste, and Abuse in Federal Programs

Contact:

Web site: [48]www.gao.gov/fraudnet/fraudnet.htm
E-mail: [49][email protected]
Automated answering system: (800) 424-5454 or (202) 512-7470

Congressional Relations

Gloria Jarmon, Managing Director, [50][email protected] (202) 512-4400 U.S.
Government Accountability Office, 441 G Street NW, Room 7125 Washington,
D.C. 20548

Public Affairs

Susan Becker, Acting Manager, [51][email protected] (202) 512-4800 U.S.
Government Accountability Office, 441 G Street NW, Room 7149 Washington,
D.C. 20548

www.gao.gov/cgi-bin/getrpt?GAO-07-1019.

To view the full product, including the scope
and methodology, click on the link above.

For more information, contact Gregory Wilshusen at (202) 512-6244 or
[email protected].

Highlights of GAO-07-1019, a report to congressional requesters

September 2007

INFORMATION SECURITY

Sustained Management Commitment and Oversight Are Vital to Resolving
Long-standing Weaknesses at the Department of Veterans Affairs

In May 2006, the Department of Veterans Affairs (VA) announced that
computer equipment containing personal information on approximately 26.5
million veterans and active duty military personnel had been stolen. Given
the importance of information technology (IT) to VA's mission, effective
information security controls are critical to maintaining public and
veteran confidence in its ability to protect sensitive information. GAO
was asked to evaluate (1) whether VA has effectively addressed GAO and VA
Office of Inspector General (IG) information security recommendations and
(2) actions VA has taken since May 2006 to strengthen its information
security practices and secure personal information. To do this, GAO
examined security policies and action plans, interviewed pertinent
department officials, and conducted testing of encryption software at
select VA facilities.

[52]What GAO Recommends

GAO is making 17 recommendations to the Secretary of Veterans Affairs
aimed at improving the effectiveness of VA's efforts to strengthen
information security practices by developing and documenting processes,
policies, and procedures, and completing the implementation of key
initiatives. In commenting on a draft of this report, VA stated that it
generally agreed with the recommendations and has implemented or is
working to implement them.

Although VA has made progress, it has not yet fully implemented most of
the key GAO and IG recommendations to strengthen its information security
practices. Specifically, VA has implemented two GAO recommendations: to
develop a process for managing its plan to correct identified weaknesses
and to regularly report on progress in updating its security plan to the
Secretary. However, it has not fully implemented two other GAO
recommendations: to complete a comprehensive security management program
and to ensure consistent use of information security performance standards
for appraising senior VA executives. In addition, the department has not
yet fully implemented 20 of 22 recommendations made by the IG in 2006. For
example, VA has not completed activities to appropriately restrict access
to data, networks, and department facilities; ensure that only authorized
changes and updates to computer programs are made; and strengthen critical
infrastructure planning. Because these recommendations have not yet been
implemented, unnecessary risk exists that the personal information of
veterans and others, such as medical providers, will be exposed to data
tampering, fraud, and inappropriate disclosure.

Since the May 2006 security incident, VA has continued or begun several
major initiatives to strengthen its information security practices and
secure personal information within the department, but more remains to be
done. These initiatives include continuing efforts begun in October 2005
to reorganize its management structure to provide better oversight and
fiscal discipline over its IT systems; developing an action plan to
correct identified weaknesses; establishing an information protection
program; improving its incident management capability; and establishing an
office responsible for oversight of IT within the department. However,
implementation shortcomings limit the effectiveness of these initiatives.
For example, no documented process exists between the Director of Field
Operations and Security and the chief information security officer (CISO)
to ensure the effective coordination and implementation of security
policies and procedures within the department. In addition, the position
of the CISO has been unfilled since June 2006. Although, 39 percent of
items in the department's remedial action plan are tasks to develop,
document, revise, or update a policy or program, 87 percent of these items
have no corresponding task with an established time frame for
implementation across the department. VA also did not have clear guidance
for identifying devices that require encryption functionality, and it
lacked adequate procedures for incident response and notification.
Finally, VA's Office of IT Oversight and Compliance lacks a standard
methodology and established criteria to ensure that its examination of
internal controls is consistent across VA facilities. Until the department
addresses recommendations to resolve identified weaknesses and implements
the major initiatives it has undertaken, it will have limited assurance
that it can protect its systems and information from the unauthorized
disclosure, misuse, or loss of personal information of veterans and other
personnel.

References

Visible links
  35. http://www.gao.gov/cgi-bin/getrpt?GAO-02-703
  36. http://www.gao.gov/cgi-bin/getrpt?GAO/AIMD-00-21
  37. http://www.gao.gov/cgi-bin/getrpt?GAO/AIMD-98-68
  38. http://www.gao.gov/cgi-bin/getrpt?GAO-07-844
  39. http://www.gao.gov/cgi-bin/getrpt?GAO-07-505
  40. http://www.gao.gov/cgi-bin/getrpt?GAO-07-1100T
  41. http://www.gao.gov/cgi-bin/getrpt?GAO-07-657
  42. http://www.gao.gov/cgi-bin/getrpt?GAO-07-657
  43. http://www.gao.gov/cgi-bin/getrpt?GAO/AIMD-00-21
  44. http://www.gao.gov/cgi-bin/getrpt?GAO-01-1008G
  45. http://www.gao.gov/
  46. http://www.gao.gov/
  47. http://www.gao.gov/
  48. http://www.gao.gov/fraudnet/fraudnet.htm
  49. mailto:[email protected]
  50. mailto:[email protected]
  51. mailto:[email protected]
*** End of document. ***