VA has failed to fix information security gaps for over a decade, says GAO

“The department continues to face challenges in maintaining its information security controls over its systems and in fully implementing the information security program required under the Federal Information Security Management Act of 2002,” Joel Willemssen, the GAO’s managing director of information technology, told the House Committee on Veterans’ Affairs this week.

“These weaknesses have left VA vulnerable to disruptions in critical operations, theft, fraud, and inappropriate disclosure of sensitive information.”

Willemssen said that these lax information security controls have resulted in numerous security breaches, including the 2006 data breach in which computer equipment containing personal information of veterans and active duty personnel was stolen.

The department reported the highest number of information security incidents from FY 2007 through FY 2009 of the 24 major federal agencies. In addition, it had a lower percentage of individuals who received security awareness training, and a lower percentage of individuals with significant security responsibilities who received specialized security training, than other major federal agencies, Willemssen testified.

VA chief information officer Roger Baker disputed the GAO’s characterization of his department’s information security controls. “We have made substantial progress in information security since the challenges experienced in 2006 by instituting controls that now provide for remote access to VA resources for employees and selected business partners, and implementing a sound security strategy to facilitate secure data exchange with Department of Defense and private sector healthcare organizations, and facilitating access to electronic health records for our veterans over the internet,” Baker told the House panel.