Veterans Affairs: Leadership Needed to Address Information Security Weaknesses and Privacy Issues (14-JUN-06, GAO-06-866T).

The recent information security breach at the Department of Veterans Affairs (VA), in which personal data on millions of veterans were compromised, has highlighted the importance of the department's security weaknesses, as well as the ability of federal agencies to protect personal information. Robust federal security programs are critically important to properly protect this information and the privacy of individuals. GAO was asked to testify on VA's information security program, ways that agencies can prevent improper disclosures of personal information, and issues concerning notifications of privacy breaches. In preparing this testimony, GAO drew on its previous reports and testimonies, as well as on expert opinion provided in congressional testimony and other sources.

Indexing Terms

REPORTNUM: GAO-06-866T
ACCNO: A55527
TITLE: Veterans Affairs: Leadership Needed to Address Information Security Weaknesses and Privacy Issues
DATE: 06/14/2006
SUBJECT: Computer security; Information disclosure; Information leaking; Information security; Information security management; Right of privacy; Veterans; Internal controls; System vulnerabilities; Personal information
United States Government Accountability Office
Testimony Before the Committee on Veterans' Affairs, House of Representatives
For Release on Delivery, Expected at 10:30 a.m. EDT, June 14, 2006

VETERANS AFFAIRS: Leadership Needed to Address Information Security Weaknesses and Privacy Issues

Statement of Linda D. Koontz, Director, Information Management Issues, and Gregory C. Wilshusen, Director, Information Security Issues

GAO-06-866T

What GAO Found

For many years, significant concerns have been raised about VA's information security--particularly its lack of a robust information security program, which is vital to avoiding the compromise of government information, including sensitive personal information.
Both GAO and the department's inspector general have reported recurring weaknesses in such areas as access controls, physical security, and segregation of incompatible duties. The department has taken steps to address these weaknesses, but these have not been sufficient to establish a comprehensive information security program. For example, it is still developing plans to complete a security incident response program to monitor suspicious activity and cyber alerts, events, and incidents. Without an established and implemented security program, the department will continue to have major challenges in protecting its information and information systems from security breaches such as the one it recently experienced.

In addition to establishing robust security programs, agencies can take a number of actions to help guard against the possibility that databases of personally identifiable information are inadvertently compromised. A key step is to develop a privacy impact assessment--an analysis of how personal information is collected, stored, shared, and managed--whenever information technology is used to process personal information. In addition, agencies can take more specific practical measures aimed at preventing data breaches, including limiting the collection of personal information, limiting the time that such data are retained, limiting access to personal information and training personnel accordingly, and considering the use of technological controls such as encryption when data need to be stored on portable devices.

When data breaches do occur, notification of those affected and/or the public has clear benefits, allowing people the opportunity to protect themselves from identity theft. Although existing laws do not require agencies to notify the public of data breaches, such notification is consistent with agencies' responsibility to inform individuals about how their information is being accessed and used, and it promotes accountability for privacy protection.
That said, care is needed in defining appropriate criteria for triggering notification. Notices should be coordinated with law enforcement to avoid impeding ongoing investigations, and in order to be effective, notices should be easy to understand. Because of the possible adverse impact of a compromise of personal information, it is critical that people fully understand the threat and their options for addressing it.

Strong leadership, sustained management commitment and effort, disciplined processes, and consistent oversight will be needed for VA to address its persistent, long-standing control weaknesses.