[ISN] VA: IT, security progress to accelerate in 2008

From: InfoSec News (alerts@private)
Date: Thu Sep 27 2007 - 23:18:04 PDT


By Mary Mosquera
September 27, 2007

The Veterans Affairs Department expects the technical applications that 
are the foundation of its information security will be in place during 
the next fiscal year, said Robert Howard, VAs chief information officer. 
Improving policies and procedures are a continuous process.

In the past few weeks, VA has awarded contracts that will let it perform 
port monitoring and use rights-management software to secure e-mail 
attachments, Howard told lawmakers today.

We expect to see dramatic improvement in 2008, he said at a hearing of 
the House Veterans Affairs Committee. VA provided similar testimony 
before the Senate committee last week.

The department is implementing information security in a comprehensive 
strategy instead of piecemeal at the same time it is reorganizing its 
information technology environment under a centralized IT approach, he 
said. VA plans to complete the reorganization in July 2008. Earlier this 
year, VA moved authority over 6,000 IT employees to the department CIOs 
office from VAs health, benefits and cemetery administrations.

The Government Accountability Office, however, said VA has lagged in its 
reorganization and the management processes needed to make that change 
occur. VA does not have a schedule of when it will complete milestones 
for the IT reorganization or a way to measure them, said Valerie Melvin, 
director of GAOs workforce and management information systems issues.

VA may not complete its IT reorganization by next summer as planned 
because it has not put in place the management processes that support it 
and has not yet hired all the managers it needs to oversee it, she said. 
Although the department has gotten support from top executives and 
established a governance structure to manage resources, VA continues to 
operate without a single, dedicated implementation team to oversee the 
realignment, Melvin said.

Unless VA dedicates a team to oversee the further implementation of the 
realignment including defining and establishing the processes that will 
enable the department to address its IT management weaknesses it risks 
delaying or missing the potential benefits of the realignment, she told 
lawmakers. The department has tested only two of the planned 36 
management processes.

Similarly, VA has implemented only four of GAOs 26 prior IT security 

Until the department addresses shortcomings in its major security 
initiatives and implements prior recommendations, it will have limited 
assurance that it can protect its systems and information from the 
unauthorized disclosure, misuse, or loss of personally identifiable 
data, Melvin said.

Although he said VA has moved slowly, Howard said the deputy assistant 
secretaries who report to him are implementing the management processes 
for the reorganization and IT security, such as enterprise 
infrastructure and incident response. For example, last week VA 
completed its new security handbook, which has guidance on policy and 
procedures for IT professionals and rules of behavior standardized 
departmentwide for all employees. VA also will add an e-learning module 
from the Office of Personnel Management to help train employees, said 
Adair Martinez, deputy assistant secretary for information protection 
and risk management in VAs CIO office.

Although GAO and lawmakers have praised VAs move to standardize IT, VA 
physicians have concerns, said Ben Davoren, director of clinical 
informatics at the departments San Francisco Medical Center.

I believe they felt that the regionalization of IT resources would 
create new points of failure that could not be controlled by the sites 
experiencing the impact, Davoren said.

That fear materialized last month, when the data-processing center in 
Sacramento suffered a nine-hour outage during business hours that 
crippled the clinical-information systems of 17 VA medical facilities, 
including the San Francisco hospital. He called it the most significant 
technological threat to patient safety VA has ever had. Backup systems 
for the regional strategy were unavailable or overwhelmed in four of the 
medical centers, Davoren said.

VA is investigating the incident internally and with an independent 
review to assure contingency plans, Howard said. He is also evaluating 
the design of the regional processing strategy, which VA started years 
ago, before centralization. It aims to better protect information in a 
secure data center instead of in the local facility. Regional data 
centers received a push and further evaluation after Hurricane Katrina 
to assure that veterans hospital records would be available if a 
hospital system went down, as happened in New Orleans, Howard said.

CSI 2007 is the only conference that delivers a business-focused
overview of enterprise security. It will convene 1,500+ delegates,
80 exhibitors and features 100+ sessions/seminars providing a
roadmap for integrating policies and procedures with new tools
and techniques.  Register now for savings on conference fees   
and/or free exhibits admission. - www.csiannual.com

This archive was generated by hypermail 2.1.3 : Thu Sep 27 2007 - 23:45:45 PDT