[ISN] VA has made progress in data security

From: InfoSec News (alerts@private)
Date: Tue Mar 25 2008 - 00:12:00 PST


http://www.fcw.com/online/news/152027-1.html

By Mary Mosquera
FCW.com
March 24, 2008

The Veterans Affairs Department has made measurable progress in 
establishing information security controls and a culture of vigilance, a 
senior VA official said today.

VA has performed 40 percent of the 400 actions it outlined in its action 
plan in the wake of a major data breach in May 2006, said Robert Howard, 
the department's chief information officer, at an industry event 
sponsored by AFCEA International's Washington, D.C., chapter.

The CIO's office conducted numerous assessments of aspects of information 
security, management and technology to determine a baseline and how to 
prioritize its resources and actions, he said. VA has also introduced 
stronger controls as part of its plan to improve security and comply 
with Office of Management and Budget directives for protecting 
personally identifiable information. Specifically, VA has encrypted all 
laptop PCs and requires physicians and other partners and contractors 
who handle sensitive VA data on their own computers to encrypt them, 
Howard said.

He added that the department has installed applications to monitor ports 
for unauthorized devices, prevent access to the network if a laptop PC 
fails to have adequate antivirus protection, and better protect e-mail 
messages and attachments. The department also directed employees to use 
only encrypted thumb drives provided by VA.

VA published Handbook 6500 to provide rules of behavior and other data 
security guidelines for employees and managers. In addition to employing 
technology to help with data security, VA has used education, training 
and reminders to change the department's security culture to one that 
promotes personal responsibility and accountability, he said.

"Leadership is key in a tough environment. There's some aggravation 
associated with the security mandates," Howard said, adding that vendors 
are making encryption easier to use.

The 2006 data breach was a wake-up call for VA and all government 
agencies, he said. Even as VA steadily improves its information 
security, it's difficult to escape repeated retellings of its former 
lapses in information technology security each time an agency loses a 
laptop PC, he added. In the most recent reported breach, a researcher 
from the National Institutes of Health had a laptop PC stolen from a 
locked car trunk last month. It contained information on 2,500 patients 
involved in a clinical research project at NIH's National Heart, Lung and 
Blood Institute. NIH officials said the laptop PC was not encrypted.

"It's going to happen if you're careless," Howard said.

Even as he underscored the progress VA has made in IT security, he said 
the process has been slow because of the decentralized nature of the 
department. The 2006 data breach also accelerated VA's move to a 
centralized IT organization. Howard now has authority over about 7,000 
IT personnel from VA's health care, benefits and burial administrations, 
including systems development staff and the headquarters CIO's office.

