By Mary Mosquera
September 27, 2007
The Veterans Affairs Department expects the technical applications that
are the foundation of its information security will be in place during
the next fiscal year, said Robert Howard, VAs chief information officer.
Improving policies and procedures are a continuous process.
In the past few weeks, VA has awarded contracts that will let it perform
port monitoring and use rights-management software to secure e-mail
attachments, Howard told lawmakers today.
We expect to see dramatic improvement in 2008, he said at a hearing of
the House Veterans Affairs Committee. VA provided similar testimony
before the Senate committee last week.
The department is implementing information security in a comprehensive
strategy instead of piecemeal at the same time it is reorganizing its
information technology environment under a centralized IT approach, he
said. VA plans to complete the reorganization in July 2008. Earlier this
year, VA moved authority over 6,000 IT employees to the department CIOs
office from VAs health, benefits and cemetery administrations.
The Government Accountability Office, however, said VA has lagged in its
reorganization and the management processes needed to make that change
occur. VA does not have a schedule of when it will complete milestones
for the IT reorganization or a way to measure them, said Valerie Melvin,
director of GAOs workforce and management information systems issues.
VA may not complete its IT reorganization by next summer as planned
because it has not put in place the management processes that support it
and has not yet hired all the managers it needs to oversee it, she said.
Although the department has gotten support from top executives and
established a governance structure to manage resources, VA continues to
operate without a single, dedicated implementation team to oversee the
realignment, Melvin said.
Unless VA dedicates a team to oversee the further implementation of the
realignment including defining and establishing the processes that will
enable the department to address its IT management weaknesses it risks
delaying or missing the potential benefits of the realignment, she told
lawmakers. The department has tested only two of the planned 36
Similarly, VA has implemented only four of GAOs 26 prior IT security
Until the department addresses shortcomings in its major security
initiatives and implements prior recommendations, it will have limited
assurance that it can protect its systems and information from the
unauthorized disclosure, misuse, or loss of personally identifiable
data, Melvin said.
Although he said VA has moved slowly, Howard said the deputy assistant
secretaries who report to him are implementing the management processes
for the reorganization and IT security, such as enterprise
infrastructure and incident response. For example, last week VA
completed its new security handbook, which has guidance on policy and
procedures for IT professionals and rules of behavior standardized
departmentwide for all employees. VA also will add an e-learning module
from the Office of Personnel Management to help train employees, said
Adair Martinez, deputy assistant secretary for information protection
and risk management in VAs CIO office.
Although GAO and lawmakers have praised VAs move to standardize IT, VA
physicians have concerns, said Ben Davoren, director of clinical
informatics at the departments San Francisco Medical Center.
I believe they felt that the regionalization of IT resources would
create new points of failure that could not be controlled by the sites
experiencing the impact, Davoren said.
That fear materialized last month, when the data-processing center in
Sacramento suffered a nine-hour outage during business hours that
crippled the clinical-information systems of 17 VA medical facilities,
including the San Francisco hospital. He called it the most significant
technological threat to patient safety VA has ever had. Backup systems
for the regional strategy were unavailable or overwhelmed in four of the
medical centers, Davoren said.
VA is investigating the incident internally and with an independent
review to assure contingency plans, Howard said. He is also evaluating
the design of the regional processing strategy, which VA started years
ago, before centralization. It aims to better protect information in a
secure data center instead of in the local facility. Regional data
centers received a push and further evaluation after Hurricane Katrina
to assure that veterans hospital records would be available if a
hospital system went down, as happened in New Orleans, Howard said.
CSI 2007 is the only conference that delivers a business-focused
overview of enterprise security. It will convene 1,500+ delegates,
80 exhibitors and features 100+ sessions/seminars providing a
roadmap for integrating policies and procedures with new tools
and techniques. Register now for savings on conference fees
and/or free exhibits admission. - www.csiannual.com