By Bob Brewin
May 25, 2006
Jim Nicholson, the Department of Veterans Affairs' secretary.
testifying in Congress about the theft of personally identifiable data
for every living veteran, vowed to enforce existing policies and
procedures and institute new ones to ensure the department protects
The VA, Nicholson said, has "begun a relentless examination of its
policies and procedures to make sure nothing like this happens ever
Nicholson, testifying today before a joint hearing held by the Senate
Veterans' Affairs and Homeland Security committees, also acknowledged
that the culture at the VA in regards to information security needs to
The agency has in place policy directives to safeguard sensitive
information, but many VA employees view those directives as just
guidelines, Nicholson said.
The data analyst who loaded personal information on 26.5 million
veterans on a PC at home which was stolen May 3, did so in direct
violation of agency policy, Nicholson told the hearing.
Nicholson, an Army veteran who spent eight years on active duty 22
years in the Reserves, said "I'm damn mad about the loss of veteran
data, and the fact that one person has put us all at risk."
To ensure other VA make data protection a key part of their jobs,
Nicholson said, every employee will be required to complete a
cybersecurity and information privacy course by June 30 and will need
to sign a privacy act statement on an annual basis.
The VA also intends to run regular background investigations on
department employees who handle sensitive information, Nicholson said.
The unidentified data analyst who lost the information has worked for
the VA for 32 years and has not been subject to a National Agency
Check since he was employed, Nicholson added.
Nicholson said he has started the recruitment process for a "personal
information security czar" to ensure that data protection remains in
the forefront at the department.
The VA will also work to encrypt sensitive information and plans to
have new guidelines by June to govern user access to data, Nicholson
told the hearing, but did not provide any details.
Attend the Black Hat Briefings and
Training, Las Vegas July 29 - August 3
2,500+ international security experts from 40 nations,
10 tracks, no vendor pitches.