VA accelerates privacy, security training

The Veterans Benefits Administration has examined data and systems used to test applications before they are deployed, as well as inventoried databases that contain sensitive veterans' information and the interfaces and data feeds that update the databases, to ensure that veterans' data is secure, an agency official told lawmakers today.

VBA, an administration of the Veterans Affairs Department, also is accelerating annual privacy and security training so that all employees will have completed it by the end of this month, said Ronald Aument, VA's deputy undersecretary for benefits.

These are some of the technical and policy changes that VA and its administrations have implemented since the recent theft of sensitive data of 26.5 million veterans, reservists and active-duty military personnel from a VA employee's home.

"VBA is thoroughly examining every aspect of our information security program, our processes and our procedures to ensure that sensitive veterans' data is neither mismanaged nor used for any unauthorized purpose," Aument told a joint hearing of House Veterans Affairs subcommittees on Disability Assistance and Memorial Affairs and on Economic Opportunity.

VBA also is assessing policies and procedures related to the release of data protected by the Privacy Act and will make recommendations to strengthen protection, including periodic recertification of the business need for the release.

Earlier this month, VBA suspended work-at-home arrangements for employees providing disability claims processing. Those employees were to return to work in VA offices and return all claims folders and computer equipment while VBA evaluates ways to protect sensitive data transported to and from offices.

Shortly before the theft in May, VBA began to push implementation of public-key infrastructure technology as part of VA's effort to support more secure electronic transactions and e-mail.

To notify 17.5 million veterans so far, the VA has spent $206 million for postage, $7 million for the letters, $1 million for printing and $7 million for call-center operations, he said. VA has requested reprogramming of fiscal year 2006 funds to pay for notification.

"Not all records contained complete data, and without the Social Security number we cannot search for an address," Aument said. Some Social Security numbers were invalid and some veterans were deceased.

Despite positive steps, representatives of VA's inspector general's office and the Government Accountability Office told lawmakers that centralizing IT authority was necessary so VA can apply and enforce security in a standardized manner across the department. Both the GAO and IG have reported that VA may make IT security improvements in one location but not across the department.

Under VA's federated model of centralization, however, the department CIO will have authority over IT operations and management and related personnel, while VA's administrations will retain authority over IT development and those employees.

"We will need to review whether existing IT systems and operations under the purview of the CIO will efficiently and effectively communicate with newly designed applications implemented by these development offices," said Michael Staley, VA's assistant inspector general for auditing.

VA still needs to develop policy to coordinate security across the department and ensure authority and independence for security officers, said Gregory Wilshusen, director of GAO's information security issues.

IT security controls have been a major reported weakness at VBA for many years, Staley said. Various reviews have disclosed IT and security deficiencies at 67 percent of the 55 VBA facilities reviewed, he said. For example, some separated employees were found to still have access to VA data.

"They have the ability to access but there are no examples that anyone has," Staley said.

VA made progress last year to improve IT controls and to implement some of the IG's security recommendations, Staley said. For example, VA said it completed certification and accreditation and deployed intrusion detection systems, but the IG will have to validate that in the next audit under the Federal Information Security Management Act.

Mary Mosquera is a staff writer for Washington Technology's sister publication, Government Computer News.