Agency has made some gains but still faces data risks, federal auditors say
The U.S. Department of Veterans Affairs still hasn’t adequately addressed many of the internal IT security shortcomings cited following the loss last May of a laptop with personal data on 26.5 million veterans and active-duty personnel, according to federal government and agency auditors.
As a result, sensitive data is still at risk of being accidentally or deliberately misused across the VA, the auditors warned last week at a congressional hearing on the agency’s information and security management processes.
In response, VA Deputy Secretary Gordon Mansfield said the agency is working hard to implement a series of recommended changes and has made “substantial progress in a relatively short time frame.” He acknowledged, though, that the VA has yet to achieve its overall goal of becoming a security role model for other federal agencies.
“We have done a lot of work and come a long way since last May’s major incident occurred,” Mansfield said. “But we still have an awful long way to go.”
The hearing was held by the oversight and investigations subcommittee of the House Committee on Veterans’ Affairs. Rep. Harry Mitchell (D-Ariz.), the subcommittee’s chairman, said the panel originally planned to review the VA’s information security efforts later this year. But the review was accelerated after the VA disclosed last month that a portable hard drive with information on up to 1.8 million veterans and doctors was reported missing from its medical center in Birmingham, Ala., on Jan. 22.
Gregory Wilshusen, director of information security issues at the U.S. Government Accountability Office, said at the hearing that the VA has taken several “important steps” to improve its IT security practices. That includes an ongoing centralization of security functions and personnel under the CIO’s office and the establishment of “a data security corrective plan” to serve as a guideline for some of the security improvements, he said.
But many of those changes have yet to be fully implemented, Wilshusen added. For example, policies for assessing risks and implementing enterprise patch management capabilities haven’t been developed. Nor does the VA have a plan for proactively mitigating known vulnerabilities across all of its systems, he said.
In addition, of the 24 agencies covered under the Federal Information Security Management Act, the VA is the only one that didn’t submit a report for 2006 on its compliance with FISMA to the White House Office of Management and Budget, Wilshusen said.
Source |
