WASHINGTON VETERANS AFFAIRS REPORTS PROGRESS ON INFORMATION SECURITY FederalTimes.com

Commentary: VA reports progress on information security

By ROBERT HOWARD

October 29, 2007

Seven priorities guide realignment in the Office of Information and Technology at the Veterans Affairs Department: (1) establishing a well-led, high-performing organization that delivers responsive information technology support; (2) standardizing IT infrastructure and IT business processes; (3) establishing programs that make VA’s IT system more interoperable and compatible; (4) effectively managing appropriations to ensure sustainment and modernization of our IT infrastructure and more focused application development to meet increasing and changing requirements of our business units; (5) strengthening data security controls within VA and among our contractors to reduce the risk of unauthorized exposure of veteran or VA employee sensitive personal information; (6) creating an environment of vigilance and awareness to security risks in daily activities; and (7) remedying the department’s long-standing IT material weaknesses relating to a lack of security controls.

A Government Accountability Office report on our realignment progress correctly identified that more work needs to be done to have a successful transition from a decentralized to a centralized organization. We have begun implementing some of GAO’s recommendations such as establishing an IT governance plan, continuing with process development and development of performance metrics to track progress.

We have made solid progress in other areas. We have improved incident response through policy, guidance and training on information protection. We have seen an increase in self-reporting security and privacy violations and incidents. We are improving data protection by encrypting more than 18,000 laptops, and we are implementing procedures for issuing encrypted portable data storage devices, purchasing encryption software, reducing the use of Social Security numbers, and reviewing and eliminating the personally identifiable information VA holds. We have, for the first time, completed testing of more than 10,000 security controls on our 603computer systems. We recently awarded a contract for port monitoring, which will help us better control network access — an important tool in our information protection tool kit.

We are addressing the critical issue of asset management. A recent GAO report found inadequate controls and risk associated with theft, loss and misappropriation of IT equipment at selected VA locations. We have completed a handbook on the control of IT equipment that includes each GAO’s recommendations. It will provide clear direction on all aspects of IT asset management.

For the past six months, tightening IT inventory control throughout VA has been the focus of a Tiger Team. In addition, VA is requiring each facility to complete by the end of December a wall-to-wall inventory of IT equipment assets, including sensitive items, regardless of cost. Reporting requirements have been established at facility, regional and field operations levels to ensure that issues are identified and addressed early. By way of support, we have established an online IT Inventory Control Knowledge Center accessible by all VA personnel. This Web site provides references, templates, definitions, frequently asked questions and a link to contact the Tiger Team. Also, the Office of Oversight and Compliance is working with Tiger Team members to develop a compliance checklist that will be used for scheduled and unscheduled audits regarding IT assets. This initial inventory will help provide an IT asset baseline — something that has not existed before.

Lastly, an important and fair question to ask regarding this realignment is how has it affected delivery of health care and benefits to veterans. In my opinion, there has been no significant change in these two areas. This is not to say we have not had problems — we have. But we have also experienced improvements in our ability to gain knowledge over IT activities that were not very visible in the past, in IT funding details across VA, and in our ability to protect the sensitive information of our veterans.

Robert Howard is assistant Veterans Affairs secretary for information and technology. Above are edited excerpts of Sept. 26 testimony before the House Veterans Affairs Committee.