The Nation's #1 Independent Veterans Web Site


                  VA NEWS FLASH
from Larry Scott at VA Watchdog dot Org -- 07-25-2007 #3
 


 


GAO REPORT: VETERANS' DATA STILL AT RISK -- A weak overall control environment...poses a significant security vulnerability to the nation’s veterans with regard to sensitive data.

 

 

Just when you thought it was safe for the VA to handle your personal data.....

.....we have a GAO report that says otherwise.

This is in four parts.

1.  GAO testimony is here...
http://www.gao.gov/new.items/d071100t.pdf

2.  Highlights of testimony are here...
http://www.gao.gov/highlights/d071100thigh.pdf

3.  GAO report is here...
http://www.gao.gov/new.items/d07505.pdf

4.  Highlights of report are here...
http://www.gao.gov/highlights/d07505high.pdf

Report highlights are printed below:

For more on VA data loss issues...go to the VA Watchdog VA Data Theft News Page here... http://vawatchdog.org/va%20data%20theft%20news.htm

-------------------------

VETERANS AFFAIRS

Inadequate Controls over IT Equipment at Selected VA Locations Pose Continuing Risk of Theft, Loss, and Misappropriation

 

WHY GAO DID THIS STUDY

In July 2004, GAO reported that the six Department of Veterans Affairs (VA) medical centers it audited lacked a reliable property control database and had problems with implementation of VA inventory policies and procedures. Fewer than half the items GAO selected for testing could be located. Most of the missing items were information technology (IT) equipment. Given recent thefts of laptops and data breaches, the requesters were concerned about the adequacy of physical inventory controls over VA IT equipment. GAO was asked to determine (1) the risk of theft, loss, or misappropriation of IT equipment at selected locations; (2) whether selected locations have adequate procedures in place to assure accountability and physical security of IT equipment in the excess property disposal process; and (3) what actions VA management has taken to address identified IT inventory control weaknesses. GAO statistically tested inventory controls at four case study locations.

 

WHAT GAO FOUND

A weak overall control environment for VA IT equipment at the four locations GAO audited poses a significant security vulnerability to the nation’s veterans with regard to sensitive data maintained on this equipment. GAO’s Standards for Internal Control in the Federal Government requires agencies to establish physical controls to safeguard vulnerable assets, such as IT equipment, which might be vulnerable to risk of loss, and federal records management law requires federal agencies to record essential transactions. However, GAO found that current VA property management policy does not provide guidance for creating records of inventory transactions as changes occur. GAO also found that policies requiring annual inventories of sensitive items, such as IT equipment; adequate physical security; and immediate reporting of lost and missing items have not been enforced. GAO’s statistical tests of physical inventory controls at four VA locations identified a total of 123 missing IT equipment items, including 53 computers that could have stored sensitive data. The lack of user-level accountability and inaccurate records on status, location, and item descriptions make it difficult to determine the extent to which actual theft, loss, or misappropriation may have occurred without detection. The table below summarizes the results of GAO’s statistical tests at each location.

GAO also found that the four VA locations reported over 2,400 missing IT equipment items, valued at about $6.4 million, identified during physical inventories performed during fiscal years 2005 and 2006. Missing items were often not reported for several months and, in some cases, several years. It is very difficult to investigate these losses because information on specific events and circumstances at the time of the losses is not known. GAO’s limited tests of computer hard drives in the excess property disposal process found hard drives at two of the four case study locations that contained personal information, including veterans’ names and Social Security numbers. GAO’s tests did not find any remaining data after sanitization procedures were performed. However, weaknesses in physical security at IT storage locations and delays in completing the data sanitization process heighten the risk of data breach. Although VA management has taken some actions to improve controls over IT equipment, including strengthening policies and procedures, improving the overall control environment for sensitive IT equipment will require a renewed focus, oversight, and continued commitment throughout the organization.

 

WHAT GAO RECOMMENDS

GAO makes 12 recommendations to improve VA-wide policies and procedures with respect to controls over IT equipment, including recordkeeping requirements, physical inventories, user-level accountability, and physical security. VA agreed with GAO’s findings, noted significant actions under way, and concurred on the 12 recommendations.

------------

NOTE:  The 12 recommendations from the full report appear below:

 

• Revise VA property management policy and procedures to include detailed requirements for what transactions must be recorded to document inventory events and to clearly establish individual responsibility for recording all essential transactions in the property management process.

• Revise VA purchase card policy to require purchase card holders to notify property management officials of IT equipment and other property items acquired with government purchase cards at the time the items are received so that they can be recorded in property management systems.

• Establish procedures to require specific, individual user-level accountability for IT equipment. In implementing this recommendation, consideration should be given to making the unit head, or a designee, accountable for shared IT equipment.

• Enforce user-level accountability and IT coordinator responsibility by taking appropriate disciplinary action, including holding employees financially liable, as appropriate, for lost or missing IT equipment.

• Establish specific time frames for finalizing a Report of Survey once an inventory has been completed so that research on missing items is completed expeditiously and does not continue indefinitely without meeting formal reporting requirements.

• Establish a mechanism to monitor adherence by the San Diego and Houston medical centers and other VA organizations, as appropriate, to VA policy for performing annual inventories of sensitive items under $5,000, including IT equipment.

• Require that IRM and IT Services personnel at the various medical centers be given access to the central property database and be furnished with hand scanners so they can electronically update the property control records, as appropriate, during installation, repair, replacement, and relocation or disposal of IT equipment.

• Require physical security personnel to perform inspections of buildings and storage facilities to identify informal and undesignated IT storage locations so that security assessments are performed and corrective actions are implemented, where appropriate.

To assure inventory accuracy and prompt resolution of inventory discrepancies and improve security of IT equipment and any sensitive data stored on that equipment, we recommend that the Secretary require the CIO to take the following four actions.

• Establish a formal policy requiring a review of the results of annual inventories to ensure that IT equipment inventory records are properly updated and no blank fields remain.

• Establish a process for reviewing Reports of Survey for lost, missing, and stolen IT equipment items to identify systemic weaknesses for appropriate corrective action.

• Establish and implement a policy requiring IRM personnel and IT coordinators to inform physical security officers of the site of all IT equipment storage locations so that these store rooms can be subjected to required inspections.

• Establish and implement a policy for reviewing the results of physical security inspections of IT equipment storerooms and ensure that needed corrective actions are completed.

-------------------------

Larry Scott  --
