The US Department of Veterans Affairs still hasn't adequately addressed many of the internal security weaknesses revealed following the loss last May of a laptop containing data on 26.5 million veterans and active-duty personnel, according to official auditors.
Sensitive data is still at risk of being accidentally or deliberately misused across the agency, the auditors warned last week at a congressional hearing on the agency's information and security management processes.
In response, VA Deputy Secretary Gordon Mansfield said the agency is working hard to implement a series of recommended changes and has made "substantial progress in a relatively short time frame." He acknowledged, though, that the VA has yet to achieve its overall goal of becoming a security role model for other US government agencies.
Gregory Wilshusen, director of information security issues at the US Government Accountability Office, said at the hearing that the VA has taken several "important steps" to improve its IT security practices. That includes an ongoing centralisation of security functions and personnel under the CIO's office and the establishment of "a data security corrective plan" to serve as a guideline for some of the planned changes, he said.
But many of those changes have yet to be fully implemented, Wilshusen added. For example, policies for assessing risks and implementing enterprise patch management capabilities haven't been developed. Nor does the VA have a plan for proactively mitigating known vulnerabilities across all of its systems, he said.
In addition, of the 24 agencies covered under the Federal Information Security Management Act, the VA is the only one that didn't submit a report for 2006 on its compliance with FISMA to the White House Office of Management and Budget, Wilshusen said.
An ongoing audit of the VA's FISMA compliance has shown that none of the 17 security recommendations made in previous reports has been implemented thus far, Regan said. She also said that the inspector general's office expects to cite "several new high-risk areas," including remote access and the ability of non-employees to gain access to sensitive data.
Ten months after the laptop was stolen from the home of a VA employee, the agency has yet to determine how many of its employees and contractors are using personally owned systems to access VA networks and data, said Regan.
The agency also doesn't have any way of knowing what data is being downloaded and stored on such devices, she said. In addition, much of the agency's sensitive data remains unencrypted, as do many e-mail transmissions.