Information Security
Leadership Needed to Address Weaknesses and Privacy Issues at Veterans Affairs Gao ID: GAO-06-897T June 20, 2006The recent information security breach at the Department of Veterans Affairs (VA), in which personal data on millions of veterans were compromised, has highlighted the importance of the department's security weaknesses, as well as the ability of federal agencies to protect personal information. Robust federal security programs are critically important to properly protect this information and the privacy of individuals. GAO was asked to testify on VA's information security program, ways that agencies can prevent improper disclosures of personal information, and issues concerning notifications of privacy breaches. In preparing this testimony, GAO drew on its previous reports and testimonies, as well as on expert opinion provided in congressional testimony and other sources.
For many years, significant concerns have been raised about VA's information security--particularly its lack of a robust information security program, which is vital to avoiding the compromise of government information, including sensitive personal information. GAO and the department's inspector general have reported recurring weaknesses throughout VA, including the Veterans Benefits Administration, in such areas as access controls, physical security, and segregation of incompatible duties. The department has taken steps to address these weaknesses, but these have not been sufficient to establish a comprehensive information security program. For example, it is still developing plans to complete a security incident response program to monitor suspicious activity and cyber alerts, events, and incidents. Without an established and implemented security program, the department will continue to have major challenges in protecting its information and information systems from security breaches such as the one it recently experienced. In addition to establishing robust security programs, agencies can take a number of actions to help guard against the possibility that databases of personally identifiable information are inadvertently compromised. A key step is to develop a privacy impact assessment--an analysis of how personal information is collected, stored, shared, and managed--whenever information technology is used to process personal information. In addition, agencies can take more specific practical measures aimed at preventing data breaches, including limiting the collection of personal information, limiting the time that such data are retained, limiting access to personal information and training personnel accordingly, and considering the use of technological controls such as encryption when data need to be stored on portable devices. When data breaches do occur, notification of those affected and/or the public has clear benefits, allowing people the opportunity to protect themselves from identity theft. Although existing laws do not require agencies to notify the public of data breaches, such notification is consistent with agencies' responsibility to inform individuals about how their information is being accessed and used, and it promotes accountability for privacy protection. That said, care is needed in defining appropriate criteria for triggering notification. Notices should be coordinated with law enforcement to avoid impeding ongoing investigations, and in order to be effective, notices should be easy to understand. Because of the possible adverse impact of a compromise of personal information, it is critical that people fully understand the threat and their options for addressing it. Strong leadership, sustained management commitment and effort, disciplined processes, and consistent oversight will be needed for VA to address its persistent, long-standing control weaknesses.
GAO-06-897T, Information Security: Leadership Needed to Address Weaknesses and Privacy Issues at Veterans Affairs
This is the accessible text file for GAO report number GAO-06-897T
entitled 'Information Security: Leadership Needed to Address Weaknesses
and Privacy Issues at Veterans Affairs' which was released on June 20,
2006.
This text file was formatted by the U.S. Government Accountability
Office (GAO) to be accessible to users with visual impairments, as part
of a longer term project to improve GAO products' accessibility. Every
attempt has been made to maintain the structural and data integrity of
the original printed product. Accessibility features, such as text
descriptions of tables, consecutively numbered footnotes placed at the
end of the file, and the text of agency comment letters, are provided
but may not exactly duplicate the presentation or format of the printed
version. The portable document format (PDF) file is an exact electronic
replica of the printed version. We welcome your feedback. Please E-mail
your comments regarding the contents or accessibility features of this
document to Webmaster@gao.gov.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
United States Government Accountability Office:
GAO:
Testimony:
Before the Subcommittees on Disability Assistance and Memorial Affairs
and on Economic Opportunity, Committee on Veterans' Affairs, House of
Representatives:
For Release on Delivery:
Expected at time 10:00 a.m. EDT June 20, 2006:
Information Security:
Leadership Needed to Address Weaknesses and Privacy Issues at Veterans
Affairs:
Statement of Linda D. Koontz:
Director, Information Management Issues:
and:
Gregory C. Wilshusen:
Director, Information Security Issues:
GAO-06-897T:
GAO Highlights:
Highlights of GAO-06-897T, a testimony before the Subcommittees on
Disability Assistance and Memorial Affairs and on Economic Opportunity,
Committee on Veterans‘ Affairs, House of Representatives.
Why GAO Did This Study:
The recent information security breach at the Department of Veterans
Affairs (VA), in which personal data on millions of veterans were
compromised, has highlighted the importance of the department‘s
security weaknesses, as well as the ability of federal agencies to
protect personal information. Robust federal security programs are
critically important to properly protect this information and the
privacy of individuals.
GAO was asked to testify on VA‘s information security program, ways
that agencies can prevent improper disclosures of personal information,
and issues concerning notifications of privacy breaches. In preparing
this testimony, GAO drew on its previous reports and testimonies, as
well as on expert opinion provided in congressional testimony and other
sources.
What GAO Found:
For many years, significant concerns have been raised about VA‘s
information security”particularly its lack of a robust information
security program, which is vital to avoiding the compromise of
government information, including sensitive personal information. GAO
and the department‘s inspector general have reported recurring
weaknesses throughout VA, including the Veterans Benefits
Administration, in such areas as access controls, physical security,
and segregation of incompatible duties. The department has taken steps
to address these weaknesses, but these have not been sufficient to
establish a comprehensive information security program. For example, it
is still developing plans to complete a security incident response
program to monitor suspicious activity and cyber alerts, events, and
incidents. Without an established and implemented security program, the
department will continue to have major challenges in protecting its
information and information systems from security breaches such as the
one it recently experienced.
In addition to establishing robust security programs, agencies can take
a number of actions to help guard against the possibility that
databases of personally identifiable information are inadvertently
compromised. A key step is to develop a privacy impact assessment”an
analysis of how personal information is collected, stored, shared, and
managed”whenever information technology is used to process personal
information. In addition, agencies can take more specific practical
measures aimed at preventing data breaches, including limiting the
collection of personal information, limiting the time that such data
are retained, limiting access to personal information and training
personnel accordingly, and considering the use of technological
controls such as encryption when data need to be stored on portable
devices.
When data breaches do occur, notification of those affected and/or the
public has clear benefits, allowing people the opportunity to protect
themselves from identity theft. Although existing laws do not require
agencies to notify the public of data breaches, such notification is
consistent with agencies‘ responsibility to inform individuals about
how their information is being accessed and used, and it promotes
accountability for privacy protection. That said, care is needed in
defining appropriate criteria for triggering notification. Notices
should be coordinated with law enforcement to avoid impeding ongoing
investigations, and in order to be effective, notices should be easy to
understand. Because of the possible adverse impact of a compromise of
personal information, it is critical that people fully understand the
threat and their options for addressing it.
Strong leadership, sustained management commitment and effort,
disciplined processes, and consistent oversight will be needed for VA
to address its persistent, long-standing control weaknesses.
What GAO Recommends:
To ensure that security and privacy issues are adequately addressed,
GAO has made recommendations previously to VA and other agencies on
implementing federal privacy and security laws. In addition, GAO has
previously testified that in considering security breach notification
legislation, the Congress should consider setting specific reporting
requirements for agencies.
[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-06-897T].
To view the full product, including the scope and methodology, click on
the link above. For more information, contact Gregory Wilshusen at
(202) 512-6244 or wilshuseng@gao.gov.
[End of Section]
Messers. Chairmen and Members of the Subcommittees:
Thank you for inviting us to participate in today's hearing on
information security and privacy at the Department of Veterans Affairs
(VA). For many years, we have identified information security as a
governmentwide high-risk issue[Footnote 1] and emphasized its
criticality for protecting the government's information assets. The
recent security breach at VA, involving the loss of personal data on
millions of veterans, also raises important questions about the
protection of personally identifiable information.[Footnote 2]
Today we will first address VA's information security program,
including weaknesses reported by us and others, as well as actions that
VA has taken to address past recommendations in this area. We will then
discuss potential measures that federal agencies can take to help limit
the likelihood of personal information being compromised. Finally, we
will highlight key benefits and challenges associated with effectively
notifying the public about security breaches.
To describe VA's information security weaknesses, we reviewed our
previous work in this area, as well as reports by VA's inspector
general (IG) and others. To determine the implementation status of our
open recommendations, we analyzed VA documentation and met with
officials from VA, including security and IG officials. To address
measures that agencies can take to help limit the likelihood of
personal information being compromised, we identified and summarized
issues raised by experts in congressional testimony and in our previous
reports, including our recent work regarding the federal government's
use of personal information from companies known as information
resellers.[Footnote 3] To identify benefits and challenges associated
with effectively notifying the public about security breaches, we
reviewed our previous work in this area. We conducted the work for our
previous reports in accordance with generally accepted government
auditing standards. To provide additional information on our previous
work related to VA security issues and to privacy, we have included, as
an attachment, a list of pertinent GAO publications.
Results in Brief:
Significant concerns have been raised over the years about VA's
information security--particularly its lack of a robust information
security program, which is vital to avoiding the compromise of
government information. We have previously reported on wide-ranging
deficiencies in VA's information security controls.[Footnote 4] For
example, the department lacked effective controls to prevent
individuals from gaining unauthorized access to VA systems and
sensitive information, and it had not consistently provided adequate
physical security for its computer facilities, assigned duties in a
manner that segregated incompatible functions, controlled changes to
its operating systems, or updated and tested its disaster recovery
plans. These deficiencies existed, in part, because VA had not fully
implemented key components of a comprehensive, integrated information
security program. Although VA has taken steps to implement components
of its security program, its efforts have not been sufficient to
effectively protect its information and information systems. As a
result, sensitive information, including personally identifiable
information, remains vulnerable to inadvertent or deliberate misuse,
loss, or improper disclosure, as the recent breach demonstrates.
In addition to establishing a robust information security program,
agencies can take a number of actions to help protect personally
identifiable information from compromise. A key step is to develop a
privacy impact assessment--an analysis of how personal information is
collected, stored, shared, and managed in a federal information system-
-whenever information technology is used to process personal
information. In addition, specific practical measures aimed at
preventing inadvertent data breaches include limiting the collection of
personal information, limiting data retention, limiting access to
personal information and training personnel accordingly, and
considering the use of technological controls such as encryption when
data need to be stored on portable devices.
When data breaches do occur, notification to the individuals affected
and/or the public has clear benefits, allowing people the opportunity
to take steps to protect themselves against the dangers of identity
theft. It is also consistent with agencies' responsibility to inform
individuals about how their information is being accessed and used, and
promotes accountability for its protection. If agencies are required to
report security breaches to the public, care will be needed to develop
appropriate criteria for incidents that require notification. Care is
also needed to ensure that notices are useful and easy to understand,
so that they are effective in alerting individuals to actions they may
want to take to minimize the risk of identity theft.
We have made recommendations previously to VA regarding information
security and to the Office of Management and Budget (OMB) and agencies
regarding privacy issues, including the conduct of privacy impact
assessments. In addition, we have previously testified that the
Congress should consider setting specific reporting requirements for
agencies as part of its consideration of security breach legislation.
Further, the Congress should consider requiring OMB to provide guidance
to agencies on how to develop and issue security breach notices to
affected individuals.
Background:
Since the early 1990s, increasing computer interconnectivity--most
notably growth in the use of the Internet--has revolutionized the way
that our government, our nation, and much of the world communicate and
conduct business. The benefits have been enormous, but without proper
safeguards in the form of appropriate information security, this
widespread interconnectivity also poses significant risks to the
government's computer systems and the critical operations and
infrastructures they support.
In prior reviews we have repeatedly identified weaknesses in almost all
areas of information security controls at major federal agencies,
including VA, and we have identified information security as a high
risk area across the federal government since 1997. In July 2005, we
reported that pervasive weaknesses in the 24 major agencies'
information security policies and practices threatened the integrity,
confidentiality, and availability of federal information and
information systems.[Footnote 5] As we reported, although federal
agencies showed improvement in addressing information security, they
also continued to have significant control weaknesses that put federal
operations and assets at risk of inadvertent or deliberate misuse,
financial information at risk of unauthorized modification or
destruction, sensitive information at risk of inappropriate disclosure,
and critical operations at risk of disruption. These weaknesses existed
primarily because agencies had not yet fully implemented strong
information security programs, as required by the Federal Information
Security Management Act (FISMA).
The significance of these weaknesses led us to conclude in the audit of
the federal government's fiscal year 2005 financial statements[Footnote
6] that information security was a material weakness.[Footnote 7] Our
audits also identified instances of similar types of weaknesses in
nonfinancial systems. Weaknesses continued to be reported in each of
the major areas of general controls: that is, the policies, procedures,
and technical controls that apply to all or a large segment of an
entity's information systems and help ensure their proper
operation.[Footnote 8]
To fully understand the significance of the weaknesses we identified,
it is necessary to link them to the risks they present to federal
operations and assets. Virtually all federal operations are supported
by automated systems and electronic data, without which agencies would
find it difficult, if not impossible, to carry out their missions and
account for their resources. The following examples show the broad
array of federal operations and assets placed at risk by information
security weaknesses:
* Resources, such as federal payments and collections, could be lost or
stolen.
* Computer resources could be used for unauthorized purposes or to
launch attacks on others.
* Personal information, such as taxpayer data, social security records,
and medical records, and proprietary business information could be
inappropriately disclosed, browsed, or copied for purposes of identity
theft, industrial espionage, or other types of crime.
* Critical operations, such as those supporting national defense and
emergency services, could be disrupted.
* Data could be modified or destroyed for purposes of fraud, theft of
assets, or disruption.
* Agency missions could be undermined by embarrassing incidents that
result in diminished confidence in their ability to conduct operations
and fulfill their fiduciary responsibilities.
The potential disclosure of personal information raises additional
identity theft and privacy concerns. Identity theft generally involves
the fraudulent use of another person's identifying information--such as
Social Security number, date of birth, or mother's maiden name--to
establish credit, run up debt, or take over existing financial
accounts. According to identity theft experts, individuals whose
identities have been stolen can spend months or years and thousands of
dollars clearing their names. Some individuals have lost job
opportunities, been refused loans, or even been arrested for crimes
they did not commit as a result of identity theft. The Federal Trade
Commission (FTC) reported in 2005 that identity theft represented about
40 percent of all the consumer fraud complaints it received during each
of the last 3 calendar years. Beyond the serious issues surrounding
identity theft, the unauthorized disclosure of personal information
also represents a breach of individuals' privacy rights to have control
over their own information and to be aware of who has access to this
information.
Key Laws Govern Agency Security and Privacy Practices:
Federal agencies are subject to security and privacy laws aimed in part
at preventing security breaches, including breaches that could enable
identity theft.
FISMA is the primary law governing information security in the federal
government; it also addresses the protection of personal information in
the context of securing federal agency information and information
systems. The act defines federal requirements for securing information
and information systems that support federal agency operations and
assets.[Footnote 9] Under FISMA, agencies are required to provide
sufficient safeguards to cost-effectively protect their information and
information systems from unauthorized access, use, disclosure,
disruption, modification, or destruction, including controls necessary
to preserve authorized restrictions on access and disclosure (and thus
to protect personal privacy, among other things). The act requires each
agency to develop, document, and implement an agencywide information
security program to provide security for the information and
information systems that support the operations and assets of the
agency, including those provided or managed by another agency,
contractor, or other source.
FISMA describes a comprehensive information security program as
including the following elements:
* periodic assessments of the risk and magnitude of harm that could
result from the unauthorized access, use, disclosure, disruption,
modification, or destruction of information or information systems;
* risk-based policies and procedures that cost-effectively reduce risks
to an acceptable level and ensure that security is addressed throughout
the life cycle of each information system;
* security awareness training for agency personnel, including
contractors and other users of information systems that support the
operations and assets of the agency;
* periodic testing and evaluation of the effectiveness of information
security policies, procedures, and practices;
* a process for planning, implementing, evaluating, and documenting
remedial action to address any deficiencies through plans of action and
milestones; and:
* procedures for detecting, reporting, and responding to security
incidents.
In particular, FISMA requires that for any information they hold,
agencies evaluate the associated risk according to three categories:
(1) confidentiality, which is the risk associated with unauthorized
disclosure of the information; (2) integrity, the risk of unauthorized
modification or destruction of the information; and (3) availability,
which is the risk of disruption of access to or use of information.
Thus, each agency should assess the risk associated with personal data
held by the agency and develop appropriate protections.
The agency can use this risk assessment to determine the appropriate
controls (operational, technical, and managerial) that will reduce the
risk to an acceptably low level. For example, if an agency assesses the
confidentiality risk of the personal information as high, the agency
could create control mechanisms to help protect the data from
unauthorized disclosure. Besides appropriate policies, these controls
would include access controls and monitoring systems:
* Access controls are key technical controls to protect the
confidentiality of information. Organizations use these controls to
grant employees the authority to read or modify only the information
the employees need to perform their duties. In addition, access
controls can limit the activities that an employee can perform on data.
For example, an employee may be given the right to read data, but not
to modify or copy it. Assignment of rights and permissions must be
carefully considered to avoid giving users unnecessary access to
sensitive files and directories.
* To ensure that controls are, in fact, implemented and that no
violations have occurred, agencies need to monitor compliance with
security policies and investigate security violations. It is crucial to
determine what, when, and by whom specific actions are taken on a
system. Organizations accomplish this by implementing system or
security software that provides an audit trail that they can use to
determine the source of a transaction or attempted transaction and to
monitor users' activities. The way in which organizations configure
system or security software determines the nature and extent of
information that can be provided by the audit trail. To be effective,
organizations should configure their software to collect and maintain
audit trails that are sufficient to track security events.
A comprehensive security program of the type described is a
prerequisite for the protection of personally identifiable information
held by agencies. In addition, agencies are subject to requirements
specifically related to personal privacy protection, which come
primarily from two laws, the Privacy Act of 1974 and the E-Government
Act of 2002.
* The Privacy Act places limitations on agencies' collection,
disclosure, and use of personal information maintained in systems of
records. The act describes a "record" as any item, collection, or
grouping of information about an individual that is maintained by an
agency and contains his or her name or another personal identifier. It
also defines "system of records" as a group of records under the
control of any agency from which information is retrieved by the name
of the individual or by an individual identifier. The Privacy Act
requires that when agencies establish or make changes to a system of
records, they must notify the public by a "system-of-records notice"
that is, a notice in the Federal Register identifying, among other
things, the type of data collected, the types of individuals about whom
information is collected, the intended "routine" uses of data, and
procedures that individuals can use to review and correct personal
information.[Footnote 10] Among other provisions, the act also requires
agencies to define and limit themselves to specific predefined
purposes.
The provisions of the Privacy Act are consistent with and largely based
on a set of principles for protecting the privacy and security of
personal information, known as the Fair Information Practices,[Footnote
11] which have been widely adopted as a standard benchmark for
evaluating the adequacy of privacy protections; they include such
principles as openness (keeping the public informed about privacy
policies and practices) and accountability (those controlling the
collection or use of personal information should be accountable for
taking steps to ensure the implementation of these principles).
* The E-Government Act of 2002 strives to enhance protection for
personal information in government information systems by requiring
that agencies conduct privacy impact assessments (PIA). A PIA is an
analysis of how personal information is collected, stored, shared, and
managed in a federal system. More specifically, according to OMB
guidance,[Footnote 12] a PIA is to (1) ensure that handling conforms to
applicable legal, regulatory, and policy requirements regarding
privacy; (2) determine the risks and effects of collecting,
maintaining, and disseminating information in identifiable form in an
electronic information system; and (3) examine and evaluate protections
and alternative processes for handling information to mitigate
potential privacy risks. To the extent that PIAs are made publicly
available,[Footnote 13] they provide explanations to the public about
such things as the information that will be collected, why it is being
collected, how it is to be used, and how the system and data will be
maintained and protected.
Interest in Data Breach Notification Legislation Has Increased:
Federal laws to date have not required agencies to report security
breaches to the public,[Footnote 14] although breach notification has
played an important role in the context of security breaches in the
private sector. For example, requirements of California state law led
ChoicePoint, a large information reseller,[Footnote 15] to notify its
customers of a security breach in February 2005. Since the ChoicePoint
notification, bills were introduced in at least 44 states and enacted
in at least 29[Footnote 16] that require some form of notification upon
a security breach.
A number of congressional hearings were held and bills introduced in
2005 in the wake of the ChoicePoint security breach as well as
incidents at other firms. In March 2005, the House Subcommittee on
Commerce, Trade, and Consumer Protection of the House Energy and
Commerce Committee held a hearing entitled "Protecting Consumers' Data:
Policy Issues Raised by ChoicePoint," which focused on potential
remedies for security and privacy concerns regarding information
resellers. Similar hearings were held by the House Energy and Commerce
Committee and by the U.S. Senate Committee on Commerce, Science, and
Transportation in spring 2005.
Several bills introduced at the time of these hearings, such as the
Data Accountability and Trust Act (DATA),[Footnote 17] would establish
a national requirement for companies that maintain personal information
to notify the public of security breaches. In May 2006, DATA was
amended to also require federal agencies to notify citizens and
residents of the United States whose personal information is acquired
by an unauthorized person as a result of a security breach. Other bills
under consideration also include federal agencies. For example, the
Notification of Risk to Personal Data Act[Footnote 18] would require
federal agencies as well as any "persons engaged in interstate
commerce" to disclose security breaches involving unauthorized
acquisition of personal data.
VA's Information Security Is Weak:
Our previous reports and testimonies describe numerous weaknesses in
VA's information security controls, including those at the Veterans
Benefits Administration. Although the department has taken steps to
address these weaknesses, they have not been sufficient to fully
implement a comprehensive, integrated information security program and
to fully protect VA's information and information systems. As a result,
these remain at risk.
VA's Information Security Weaknesses Are Long Standing:
In carrying out its mission of providing health care and benefits to
veterans, VA relies on a vast array of computer systems and
telecommunications networks to support its operations and store
sensitive information, including personal information on veterans. VA's
networks are highly interconnected, its systems support many users, and
the department has increasingly moved to more interactive, Web-based
services to better meet the needs of its customers. Effectively
securing these computer systems and networks is critical to the
department's ability to safeguard its assets, maintain the
confidentiality of sensitive veterans' health and disability benefits
information, and ensure the integrity of its financial data.
In this complex IT environment, VA has faced long-standing challenges
in achieving effective information security across the department. Our
reviews[Footnote 19] identified wide-ranging, often recurring
deficiencies in the department's information security controls
(attachment 2 provides further detail on our reports and the areas of
weakness they discuss). Examples of areas of deficiency include the
following.
* Access authority was not appropriately controlled. A basic management
objective for any organization is to protect the resources that support
its critical operations from unauthorized access. Electronic access
controls are intended to prevent, limit, and detect unauthorized access
to computing resources, programs, and information and include controls
related to user accounts and passwords, user rights and file
permissions, logging and monitoring of security-relevant events, and
network management. Inadequate controls diminish the reliability of
computerized information and increase the risk of unauthorized
disclosure, modification, and destruction of sensitive information and
disruption of service.
However, VA had not established effective electronic access controls to
prevent individuals from gaining unauthorized access to its systems and
sensitive data, as the following examples illustrate:
* User accounts and passwords: In 1998, many user accounts at four VA
medical centers and data centers had weaknesses including passwords
that could be easily guessed, null passwords, and passwords that were
set to never expire. We also found numerous instances where medical and
data center staff members were sharing user IDs and passwords.
* User rights and permissions: We reported in 2000 that three VA health
care systems were not ensuring that user accounts with broad access to
financial and sensitive veteran information had proper authorization
for such access, and were not reviewing these accounts to determine if
their level of access remained appropriate.
* Logging and monitoring of security-related events: In 1998, VA did
not have any departmentwide guidance for monitoring both successful and
unsuccessful attempts to access system files containing key financial
information or sensitive veteran data, and none of the medical and data
centers we visited were actively monitoring network access activity. In
1999, we found that one data center was monitoring failed access
attempts, but was not monitoring successful accesses to sensitive data
and resources for unusual or suspicious activity.
* Network management: In 2000, we reported that one of the health care
systems we visited had not configured a network parameter to
effectively prevent unauthorized access to a network system; this same
health care system had also failed to keep its network system software
up to date.
* Physical security controls were inadequate. Physical security
controls are important for protecting computer facilities and resources
from espionage, sabotage, damage, and theft. These controls restrict
physical access to computer resources, usually by limiting access to
the buildings and rooms in which the resources are housed and by
periodically reviewing the access granted, in order to ensure that
access continues to be appropriate. VA had weaknesses in the physical
security for its computer facilities. For example, in our 1998 and 2000
reports, we stated that none of the VA facilities we visited were
adequately controlling access to their computer rooms. In addition, in
1998 we reported that sensitive equipment at two facilities was not
adequately protected, increasing the risk of disruption to computer
operations or network communications.
* Employees were not prevented from performing incompatible duties.
Segregation of duties refers to the policies, procedures, and
organizational structures that help ensure that one individual cannot
independently control all key aspects of a process or computer-related
operation. Dividing duties among two or more individuals or
organizational groups diminishes the likelihood that errors and
wrongful acts will go undetected, because the activities of one
individual or group will serve as a check on the activities of the
other. We determined that VA did not assign employee duties and
responsibilities in a manner that segregated incompatible functions
among individuals or groups of individuals. For example, in 1998 we
reported that some system programmers also had security administrator
privileges, giving them the ability to eliminate any evidence of their
activity in the system. In 2000, we reported that two VA health care
systems allowed some employees to request, approve, and receive medical
items without management approval, violating both basic segregation of
duties principles and VA policy; in addition, no mitigating controls
were found to alert management of purchases made in this manner.
* Software change control procedures were not consistently implemented.
It is important to ensure that only authorized and fully tested systems
are placed in operation. To ensure that changes to systems are
necessary, work as intended, and do not result in the loss of data or
program integrity, such changes should be documented, authorized,
tested, and independently reviewed. We found that VA did not adequately
control changes to its operating systems. For example, in 1998 we
reported that one VA data center had not established detailed written
procedures or formal guidance for modifying operating system software,
for approving and testing operating system software changes, or for
implementing these changes. The data center had made more than 100
system software changes during fiscal year 1997, but none of the
changes included evidence of testing, independent review, or
acceptance. We reported in 2000 that two VA health care systems had not
established procedures for periodically reviewing changes to standard
application programs to ensure that only authorized program code was
implemented.
* Service continuity planning was not complete. In addition to
protecting data and programs from misuse, organizations must also
ensure that they are adequately prepared to cope with a loss of
operational capability due to earthquakes, fires, accidents, sabotage,
or any other disruption. An essential element in preparing for such
catastrophes is an up-to-date, detailed, and fully tested service
continuity plan. Such a plan is critical for helping to ensure that
information system operations and data can be promptly restored in the
event of a disaster. We reported that VA had not completed or tested
service continuity plans for several systems. For example, in 1998 we
reported that one VA data center had 17 individual disaster recovery
plans covering various segments of the organization, but it did not
have an overall document that integrated the 17 separate plans and
defined the roles and responsibilities for the disaster recovery teams.
In 2000, we determined that the service continuity plans for two of the
three health care systems we visited did not include critical elements
such as detailed recovery procedures, provisions for restoring mission-
critical systems, and a list of key contacts; in addition, none of the
health care systems we visited were fully testing their service
continuity plans.
These deficiencies existed, in part, because VA had not implemented key
components of a comprehensive computer security program. Specifically,
VA's computer security efforts lacked:
* clearly delineated security roles and responsibilities;
* regular, periodic assessments of risk;
* security policies and procedures that addressed all aspects of VA's
interconnected environment;
* an ongoing security monitoring program to identify and investigate
unauthorized, unusual, or suspicious access activity; and:
* a process to measure, test, and report on the continued effectiveness
of computer system, network, and process controls.
As a result, we made a number of recommendations in 2002 that were
aimed at improving VA's security management.[Footnote 20] Among the
primary elements of these recommendations were that (1) VA centralize
its security management functions and (2) it perform other actions to
establish an information security program, including actions related to
risk assessments, security policies and procedures, security awareness,
and monitoring and evaluating computer controls.[Footnote 21]
VA's Efforts to Address Information Security Weaknesses Have Been
Limited:
The department has taken steps to address the weaknesses that we
described, but these have not been sufficient to fully implement a
comprehensive information security program.[Footnote 22] Examples of
actions that VA has taken and still needs to take include the
following:
* Central security management function: The department realigned its
information technology resources to place administration and field
office security functions more directly under the oversight of the
department's CIO, consolidating all administration-level cyber security
functions under the department's cyber security office. In addition, to
provide greater management accountability for information security, the
Secretary instituted information security standards for members of the
department's senior executive service. The cyber security officer
organized his office to focus more directly on critical elements of
information security control, and he updated the department's security
management plan and information security policies and procedures.
However, the department still needed to develop policy and guidance to
ensure (1) authority and independence for security officers and (2)
departmentwide coordination of security functions.
* Periodic risk assessments: VA is implementing a commercial tool to
identify the level of risk associated with system changes and also to
conduct information security risk assessments. It also created a
methodology that establishes minimum requirements for such risk
assessments. However, it has not yet completed its risk assessment
policy and guidance. VA reported that such guidance was forthcoming as
part of an overarching information system security certification and
accreditation policy that was to be developed during 2006. Without
these elements, VA cannot be assured that it is appropriately
performing risk assessments departmentwide.
* Security policies and procedures: VA's cyber security officer
reported that VA has action ongoing to develop a process for collecting
and tracking performance data, ensuring management action when needed,
and providing independent validation of reported issues. VA also has
ongoing efforts in the area of detecting, reporting, and responding to
security incidents. For example, it established network intrusion
prevention capability at its four enterprise gateways. It is also
developing strategic and tactical plans to complete a security incident
response program to monitor suspicious activity and cyber alerts,
events, and incidents. However, these plans are not complete.
* Security awareness: VA has taken steps to improve security awareness
training. It holds an annual department information security
conference, and it has developed a Web portal for security training,
policy, and procedures, as well as a security awareness course that VA
employees are required to review annually. However, VA has not
demonstrated that it has a process to ensure compliance.
* Monitoring and evaluating computer controls: VA established a process
to better monitor and evaluate computer controls by tracking the status
of security weaknesses, corrective actions taken, and independent
validations of corrective actions through a software data
base.[Footnote 23] However, more remains to be done in this area. For
example, although certain components of VA reported vulnerability and
penetration testing to evaluate controls on internal and external
access to VA systems, this testing was not part of an ongoing
departmentwide program.
Since our last report in 2002, VA's IG and independent auditors have
continued to report serious weaknesses with the department's
information security controls. The auditors' report on internal
controls,[Footnote 24] prepared at the completion of VA's 2005
financial statement audit, identified weaknesses related to access
control, segregation of duties, change control, and service continuity-
-a list of weaknesses that are virtually identical to those we
identified years earlier. The department's FY 2005 Annual Performance
and Accountability Report states that the IG determined that many
information system security vulnerabilities reported in national audits
from 2001 through 2004 remain unresolved, despite the department's
actions to implement IG recommendations in previous audits. The IG also
reported specific security weaknesses and vulnerabilities at 45 of 60
VA health care facilities and 11 of 21 VA regional offices where
security issues were reviewed, placing VA at risk that sensitive data
may be exposed to unauthorized access and improper disclosure, among
other things. As a result, the IG determined that weaknesses in VA's
information technology security controls were a material weakness.
In response to the IG's findings, the department indicates that plans
are being implemented to address the material weakness in information
security. According to the department, it has maximized limited
resources to make significant improvement in its overall security
posture in the near term by prioritizing FISMA remediation activities,
and work will continue in the next fiscal year.
Despite these actions, the department has not fully implemented the key
elements of a comprehensive security management program, and its
efforts have not been sufficient to effectively protect its information
systems and information, including personally identifiable information,
from unauthorized disclosure, misuse, or loss.
Agencies Can Take Steps to Reduce the Likelihood That Personal Data
Will Be Compromised:
In addition to establishing a robust information security program,
agencies can take other actions to help guard against the possibility
that personal information they maintain is inadvertently compromised.
These include conducting privacy impact assessments and taking other
practical measures.
Conduct Privacy Impact Assessments:
It is important that agencies identify the specific instances in which
they collect and maintain personal information and proactively assess
the means they intend to use to protect this information. This can be
done most effectively through the development of privacy impact
assessments (PIAs), which, as previously mentioned, are required by the
E-Government Act of 2002 when agencies use information technology to
process personal information. PIAs are important because they serve as
a tool for agencies to fully consider the privacy implications of
planned systems and data collections before those systems and
collections have been fully implemented, when it may be relatively easy
to make critical adjustments.
In prior work we have found that agencies do not always conduct PIAs as
they are required. For example, our review of selected data mining
efforts at federal agencies[Footnote 25] determined that PIAs were not
always being done in full compliance with OMB guidance. Similarly, as
identified in our work on federal agency use of information
resellers,[Footnote 26] few PIAs were being developed for systems or
programs that made use of information reseller data, because officials
did not believe they were required. Complete assessments are an
important tool for agencies to identify areas of noncompliance with
federal privacy laws, evaluate risks arising from electronic collection
and maintenance of information about individuals, and evaluate
protections or alternative processes needed to mitigate the risks
identified. Agencies that do not take all the steps required to protect
the privacy of personal information risk the improper exposure or
alteration of such information. We recommended that the agencies
responsible for the data mining efforts we reviewed complete or revise
PIAs as needed and make them available to the public. We also
recommended that OMB revise its guidance to clarify the applicability
of the E-Gov Act's PIA requirement to the use of personal information
from resellers. OMB stated that it would discuss its guidance with
agency senior officials for privacy to determine whether additional
guidance concerning reseller data was needed.
Employ Measures to Prevent Inadvertent Data Breaches:
Besides strategic approaches such as establishing an information
security program and conducting PIAs, agencies can consider a range of
specific practical measures for protecting the privacy and security of
personal information. Several that may be of particular value in
preventing inadvertent data breaches include the following:
Limit collection of personal information. One item to be analyzed as
part of a PIA is the extent to which an agency needs to collect
personal information in order to meet the requirements of a specific
application. Limiting the collection of personal information, among
other things, serves to limit the opportunity for that information to
be compromised. For example, key identifying information--such as
Social Security numbers--may not be needed for many agency applications
that have databases of other personal information. Limiting the
collection of personal information is also one of the fair information
practices, which are fundamental to the Privacy Act and to good privacy
practice in general.
Limit data retention. Closely related to limiting data collection is
limiting retention. Retaining personal data longer than needed by an
agency or statutorily required adds to the risk that the data will be
compromised. In discussing data retention, California's Office of
Privacy Protection recently reported an example in which a university
experienced a security breach that exposed 15-year-old data, including
Social Security numbers. The university subsequently reviewed its
policies and decided to shorten the retention period for certain types
of information.[Footnote 27] As part of their PIAs, federal agencies
can make decisions up front about how long they plan to retain personal
data, aiming to retain the data for as brief a period as necessary.
Limit access to personal information and train personnel accordingly.
Only individuals with a need to access agency databases of personal
information should have such access, and controls should be in place to
monitor that access. Further, agencies can implement technological
controls to prevent personal data from being readily transferred to
unauthorized systems or media, such as laptop computers, discs, or
other electronic storage devices. Security training, which is required
for all federal employees under FISMA, can include training on the
risks of exposing personal data to potential identity theft, thus
helping to reduce the likelihood of data being exposed inadvertently.
Consider using technological controls such as encryption when data need
to be stored on portable devices. In certain instances, agencies may
find it necessary to enable employees to have access to personal data
on portable devices such as laptop computers. As discussed, this should
be minimized. However, when absolutely necessary, the risk that such
data could be exposed to unauthorized individuals can be reduced by
using technological controls such as encryption, which significantly
limits the ability of such individuals to gain access to the data.
Although encrypting data adds to the operational burden on authorized
individuals, who must enter pass codes or use other authentication
means to convert the data into readable text, it can provide reasonable
assurance that stolen or lost computer equipment will not result in
personal data being compromised, as occurred in the recent incident at
VA. A decision about whether to use encryption would logically be made
as an element of the PIA process and an agency's broader information
security program.
While these suggestions do not amount to a complete prescription for
protecting personal data, they are key elements of an agency's strategy
for reducing the risks that could lead to identity theft.
Public Notification of Data Breaches Has Clear Benefits as Well as
Challenges:
In the event a data breach does occur, agencies must respond quickly in
order to minimize the potential harm associated with identity theft.
The chairman of the Federal Trade Commission has testified that the
Commission believes that if a security breach creates a significant
risk of identity theft or other related harm, affected consumers should
be notified.[Footnote 28] The Federal Trade Commission has also
reported that the overall cost of an incident of identity theft, as
well as the harm to the victims, is significantly smaller if the misuse
of the victim's personal information is discovered quickly.[Footnote
29]
Applicable laws such as the Privacy Act currently do not require
agencies to notify individuals of security breaches involving their
personal information; however, doing so allows those affected the
opportunity to take steps to protect themselves against the dangers of
identity theft. For example, California's data breach notification law
is credited with bringing to the public's notice large data breaches
within the private sector, such as those involving ChoicePoint and
LexisNexis last year. Arguably, the California law may have mitigated
the risk of identity theft to affected individuals by keeping them
informed about data breaches and thus enabling them to take steps such
as contacting credit bureaus to have fraud alerts placed on their
credit files, obtaining copies of their credit reports, scrutinizing
their monthly financial account statements, and taking other steps to
protect themselves.
Breach notification is also important in that it can help an
organization address key privacy rights of individuals, in accordance
with the fair information practices mentioned earlier. Breach
notification is one way that organizations--either in the private
sector or the government--can follow the openness principle and meet
their responsibility for keeping the public informed of how their
personal information is being used and who has access to it. Equally
important, notification is consistent with the principle that those
controlling the collection or use of personal information should be
accountable for taking steps to ensure the implementation of the other
principles, such as use limitation and security safeguards. Public
disclosure of data breaches is a key step in ensuring that
organizations are held accountable for the protection of personal
information.
Concerns Have Been Raised About the Criteria for Issuing Notices to the
Public:
Although the principle of notifying affected individuals (or the
public) about data breaches has clear benefits, determining the
specifics of when and how an agency should issue such notifications
presents challenges, particularly in determining the specific criteria
for incidents that merit notification. In congressional testimony, the
Federal Trade Commission[Footnote 30] raised concerns about the
threshold at which consumers should be notified of a breach, cautioning
that too strict a standard could have several negative effects. First,
notification of a breach when there is little or no risk of harm might
create unnecessary concern and confusion. Second, a surfeit of notices,
resulting from notification criteria that are too strict, could render
all such notices less effective, because consumers could become numb to
them and fail to act when risks are truly significant. Finally, the
costs to both individuals and business are not insignificant and may be
worth considering. FTC points out that, in response to a security
breach notification, a consumer may cancel credit cards, contact credit
bureaus to place fraud alerts on credit files, or obtain a new driver's
license number. These actions could be time-consuming for the
individual and costly for the companies involved. Given these potential
negative effects, care is clearly needed in defining appropriate
criteria for required breach notifications.
While care needs to be taken to avoid requiring agencies to notify the
public of trivial security incidents, concerns have also been raised
about setting criteria that are too open-ended or that rely too heavily
on the discretion of the affected organization. Some public advocacy
groups have cautioned that notification criteria that are too weak
would give companies an incentive not to disclose potentially harmful
breaches, and the same concern would apply to federal agencies. In
congressional testimony last year, the executive director of the Center
for Democracy and Technology argued that if an entity is not certain
whether a breach warrants notification, it should be able to consult
with the Federal Trade Commission.[Footnote 31] He went on to suggest
that a two-tiered system may be desirable, with notice to the Federal
Trade Commission of all breaches of personal data and notice to
consumers where there is a potential risk of identity theft. The Center
for Democracy and Technology's comments regarding the Federal Trade
Commission were aimed at commercial entities such as information
resellers. A different entity--such as OMB, which is responsible for
overseeing security and privacy within the federal government--might be
more appropriate to take on a parallel role with respect to federal
agencies.
Effective Notices Should Provide Useful Information and Be Easy to
Understand:
Once a determination has been made that a public notice is to be
issued, care must be taken to ensure that it does its job effectively.
Designing useful, easy-to-understand notices has been cited as a
challenge in other areas where privacy notices are required by law,
such as in the financial industry--where businesses are required by the
Gramm-Leach-Bliley Act to send notices to consumers about their privacy
practices--and in the federal government, which is required by the
Privacy Act to issue public notices in the Federal Register about its
systems of records containing personal information. For example, as
noted during a public workshop hosted by the Department of Homeland
Security's Privacy Office, designing easy-to-understand consumer
financial privacy notices to meet Gramm-Leach Bliley Act requirements
has been challenging. Officials from the FTC and Office of the
Comptroller of the Currency described widespread criticism of these
notices--that they were unexpected, too long, filled with legalese, and
not understandable.
If an agency is to notify people of a data breach, it should do so in
such a way that they understand the nature of the threat and what steps
need to be taken to protect themselves against identity theft. In
connection with its state law requiring security breach notifications,
the California Office of Privacy Protection has published recommended
practices for designing and issuing security breach notices.[Footnote
32] The office recommends that such notifications include, among other
things,
* a general description of what happened;
* the type of personal information that was involved;
* what steps have been taken to prevent further unauthorized
acquisition of personal information;
* the types of assistance to be provided to individuals, such as a toll-
free contact telephone number for additional information and
assistance;
* information on what individuals can do to protect themselves from
identity theft, including contact information for the three credit
reporting agencies; and:
* information on where individuals can obtain additional information on
protection against identity theft, such as the Federal Trade
Commission's Identity Theft Web site (www.consumer.gov/idtheft).
The California Office of Privacy Protection also recommends making
notices clear, conspicuous, and helpful by using clear, simple language
and avoiding jargon, and it suggests avoiding using a standardized
format to mitigate the risk that the public will become complacent
about the process.
The Federal Trade Commission has issued guidance to businesses on
notifying individuals of data breaches that reiterates several key
elements of effective notification--describing clearly what is known
about the data compromise, explaining what responses may be appropriate
for the type of information taken, and providing information and
contacts regarding identity theft in general. The Commission also
suggests providing contact information for the law enforcement officer
working on the case, as well as encouraging individuals who discover
that their information has been misused to file a complaint with the
Commission.[Footnote 33]
Both the state of California and the Federal Trade Commission recommend
consulting with cognizant law-enforcement officers about an incident
before issuing notices to the public. In some cases, early notification
or disclosure of certain facts about an incident could hamper a law
enforcement investigation. For example, an otherwise unknowing thief
could learn of the potential value of data stored on a laptop computer
that was originally stolen purely for the value of the hardware. Thus
it is recommended that organizations consult with law enforcement
regarding the timing and content of notifications. However, law
enforcement investigations should not necessarily result in lengthy
delays in notification. California's guidance states that it should not
be necessary for a law enforcement agency to complete an investigation
before notification can be given.
When providing notifications to the public, organizations should
consider how to ensure that these are easily understood. Various
techniques have been suggested to promote comprehension, including the
concept of "layering."[Footnote 34] Layering involves providing only
the most important summary facts up front--often in a graphical format-
-followed by one or more lengthier, more narrative versions in order to
ensure that all information is communicated that needs to be.
Multilayering may be an option to achieving an easy-to-understand
notice that is still complete. Similarly, providing context to the
notice (explaining to consumers why they are receiving the notice and
what to do with it) has been found to promote comprehension,[Footnote
35] as did visual design elements such as a tabular format, large and
legible fonts, appropriate white space, and simple headings.
Although these techniques were developed for other kinds of notices,
they can be applied to those informing the public of data breaches. For
example, a multilayered security breach notice could include a brief
description of the nature of the security breach, the potential threat
to victims of the incident, and measures to be taken to protect against
identity theft. The notice could provide additional details about the
incident as an attachment or by providing links to additional
information. This would accomplish the purpose of communicating the key
details in a brief format, while still providing complete information
to those who require it. Given that people may be adversely affected by
a compromise of their personal information, it is critical that they
fully understand the nature of the threat and the options they have to
address it.
In summary, the recent security breach at VA has highlighted the
importance of implementing effective information security practices.
Long-standing information security control weaknesses at VA have placed
its information systems and information, including personally
identifiable information, at increased risk of misuse and unauthorized
disclosure. Although VA has taken steps to mitigate previously reported
weaknesses, it has not implemented a comprehensive, integrated
information security program, which it needs in order to effectively
manage risks on an ongoing basis. Much work remains to be done. Only
through strong leadership, sustained management commitment and effort,
disciplined processes, and consistent oversight can VA address its
persistent, long-standing control weaknesses.
To reduce the likelihood of experiencing such breaches, agencies can
take a number of actions that can help guard against the possibility
that databases of personally identifiable information are inadvertently
compromised: strategically, they should ensure that a robust
information security program is in place and that PIAs are developed.
More specific practical measures aimed at preventing inadvertent data
breaches include limiting the collection of personal information,
limiting data retention, limiting access to personal information and
training personnel accordingly, and considering using technological
controls such as encryption when data need to be stored on mobile
devices.
Nevertheless, data breaches can still occur at any time, and when they
do, notification to the individuals affected and/or the public has
clear benefits, allowing people the opportunity to take steps to
protect themselves against the dangers of identity theft. Care is
needed in defining appropriate criteria if agencies are to be required
to report security breaches to the public. Further, care is also needed
to ensure that notices are useful and easy to understand, so that they
are effective in alerting individuals to actions they may want to take
to minimize the risk of identity theft.
We have previously testified that as Congress considers legislation
requiring agencies to notify individuals or the public about security
breaches, it should ensure that specific criteria are defined for
incidents that merit public notification. It may want to consider
creating a two-tier reporting requirement, in which all security
breaches are reported to OMB, and affected individuals are notified
only of incidents involving significant risk. Further, Congress should
consider requiring OMB to provide guidance to agencies on how to
develop and issue security breach notices to the public.
Messers. Chairmen, this concludes our testimony today. We would be
happy to answer any questions you or other members of the committee may
have.
Contacts and Acknowledgments:
If you have any questions concerning this testimony, please contact
Linda Koontz, Director, Information Management, at (202) 512-6240,
koontzl@gao.gov, or Gregory Wilshusen, Director, Information Security,
at (202) 512-6244, wilshuseng@gao.gov. Other individuals who made key
contributions include Idris Adjerid, Barbara Collier, William Cook,
John de Ferrari, Valerie Hopkins, Suzanne Lightman, Barbara Oliver,
David Plocher, Jamie Pressman, J. Michael Resser, and Charles Vrabel.
Attachment 1: Selected GAO Products:
Products Related to VA Information Security:
Information Systems: VA Computer Control Weaknesses Increase Risk of
Fraud, Misuse, and Improper Disclosure. GAO/AIMD-98-175. Washington,
D.C.: September 23, 1998.
VA Information Systems: The Austin Automation Center Has Made Progress
in Improving Information System Controls. GAO/AIMD-99-161. Washington,
D.C.: June 8, 1999.
Information Systems: The Status of Computer Security at the Department
of Veterans Affairs. GAO/AIMD-00-5. Washington, D.C.: October 4, 1999.
VA Systems Security: Information System Controls at the North Texas
Health Care System. GAO/AIMD-00-52R. Washington, D.C.: February 1,
2000.
VA Systems Security: Information System Controls at the New Mexico VA
Health Care System. GAO/AIMD-00-88R. Washington, D.C.: March 24, 2000.
VA Systems Security: Information System Controls at the VA Maryland
Health Care System. GAO/AIMD-117R. Washington, D.C.: April 19, 2000.
Information Technology: Update on VA Actions to Implement Critical
Reforms. GAO/T-AIMD-00-74. Washington, D.C.: May 11, 2000.
VA Information Systems: Computer Security Weaknesses Persist at the
Veterans Health Administration. GAO/AIMD-00-232. Washington, D.C.:
September 8, 2000.
Major Management Challenges and Program Risks: Department of Veterans
Affairs. GAO-01-255. Washington, D.C.: January 2001.
VA Information Technology: Important Initiatives Begun, Yet Serious
Vulnerabilities Persist. GAO-01-550T. Washington, D.C.: April 4, 2001.
VA Information Technology: Progress Made, but Continued Management
Attention is Key to Achieving Results. GAO-02-369T. Washington, D.C.:
March 13, 2002.
Veterans Affairs: Subcommittee Post-Hearing Questions Concerning the
Department's Management of Information Technology. GAO-02-561R.
Washington, D.C.: April 5, 2002.
Veterans Affairs: Sustained Management Attention is Key to Achieving
Information Technology Results. GAO-02-703. Washington, D.C.: June 12,
2002.
VA Information Technology: Management Making Important Progress in
Addressing Key Challenges. GAO-02-1054T. Washington, D.C.: September
26, 2002.
Information Security: Weaknesses Persist at Federal Agencies Despite
Progress Made in Implementing Related Statutory Requirements. GAO-05-
552. Washington, D.C.: July 15, 2005.
Products Related to Privacy Issues:
Privacy: Key Challenges Facing Federal Agencies. GAO-06-777T.
Washington, D.C.: May 17, 2006.
Personal Information: Agencies and Resellers Vary in Providing Privacy
Protections. GAO-06-609T. Washington, D.C.: April 4, 2006.
Personal Information: Agency and Reseller Adherence to Key Privacy
Principles. GAO-06-421. Washington, D.C.: April 4, 2006.
Data Mining: Agencies Have Taken Key Steps to Protect Privacy in
Selected Efforts, but Significant Compliance Issues Remain. GAO-05-866.
Washington, D.C.: August 15, 2005.
Aviation Security: Transportation Security Administration Did Not Fully
Disclose Uses of Personal Information during Secure Flight Program
Testing in Initial Privacy Notices, but Has Recently Taken Steps to
More Fully Inform the Public. GAO-05-864R. Washington, D.C.: July 22,
2005.
Identity Theft: Some Outreach Efforts to Promote Awareness of New
Consumer Rights are Under Way. GAO-05-710. Washington, D.C.: June 30,
2005.
Electronic Government: Federal Agencies Have Made Progress Implementing
the E-Government Act of 2002. GAO-05-12. Washington, D.C.: December 10,
2004.
Social Security Numbers: Governments Could Do More to Reduce Display in
Public Records and on Identity Cards. GAO-05-59. Washington, D.C.:
November 9, 2004.
Federal Chief Information Officers: Responsibilities, Reporting
Relationships, Tenure, and Challenges, GAO-04-823. Washington, D.C.:
July 21, 2004.
Data Mining: Federal Efforts Cover a Wide Range of Uses, GAO-04-548.
Washington, D.C.: May 4, 2004.
Privacy Act: OMB Leadership Needed to Improve Agency Compliance. GAO-
03-304. Washington, D.C.: June 30, 2003.
Data Mining: Results and Challenges for Government Programs, Audits,
and Investigations. GAO-03-591T. Washington, D.C.: March 25, 2003.
Technology Assessment: Using Biometrics for Border Security. GAO-03-
174. Washington, D.C.: November 15, 2002.
Information Management: Selected Agencies' Handling of Personal
Information. GAO-02-1058. Washington, D.C.: September 30, 2002.
Identity Theft: Greater Awareness and Use of Existing Data Are Needed.
GAO-02-766. Washington, D.C.: June 28, 2002.
Social Security Numbers: Government Benefits from SSN Use but Could
Provide Better Safeguards. GAO-02-352. Washington, D.C.: May 31, 2002.
Attachment 2. Chronology of Information Security Weaknesses Identified
by GAO:
[See PDF for Image]
Notes: Hines is a suburb of Chicago.
Full citations are provided in attachment 1.
[End of Section]
FOOTNOTES
[1] GAO, High-Risk Series: An Update, GAO-05-207 (Washington, D.C.:
January 2005) and Information Security: Weaknesses Persist at Federal
Agencies Despite Progress Made in Implementing Related Statutory
Requirements, GAO-05-552 (Washington, D.C.: July 15, 2005).
[2] For purposes of this testimony, the term personal information
encompasses all information associated with an individual, including
both identifiable and nonidentifying information. Personally
identifiable information, which can be used to locate or identify an
individual, includes such things as names, aliases, and Social Security
numbers. Nonidentifying personal information includes such things as
age, education, finances, criminal history, physical attributes, and
gender.
[3] GAO, Personal Information: Agency and Reseller Adherence to Key
Privacy Principles, GAO-06-421 (Washington: D.C.: Apr. 4, 2006).
[4] See attachment 1.
[5] GAO, Information Security: Weaknesses Persist at Federal Agencies
Despite Progress Made in Implementing Related Statutory Requirements,
GAO-05-552 (Washington, D.C.: July 15, 2005).
[6] U.S. Department of the Treasury, Financial Report of the United
States Government 2005 (Washington, D.C.: 2005).
[7] A material weakness is a condition that precludes the entity's
internal control from providing reasonable assurance that
misstatements, losses, or noncompliance that is material in relation to
the financial statements or to stewardship information would be
prevented or detected on a timely basis.
[8] The main areas of general controls are an agencywide security
program, access controls, software change controls, segregation of
duties, and continuity of operations planning.
[9] FISMA, Title III, E-Government Act of 2002, Pub. L. 107-347 (Dec.
17, 2002).
[10] Under the Privacy Act of 1974, the term "routine use" means (with
respect to the disclosure of a record) the use of such a record for a
purpose that is compatible with the purpose for which it was collected.
5 U.S.C. § 552a(a)(7).
[11] These principles were first proposed in 1973 by a U.S. government
advisory committee; they were intended to address what the committee
termed a poor level of protection afforded to privacy under
contemporary law. Congress used the committee's final report as a basis
for crafting the Privacy Act of 1974. See U.S. Department of Health,
Education, and Welfare, Records, Computers and the Rights of Citizens:
Report of the Secretary's Advisory Committee on Automated Personal Data
Systems (Washington, D.C.: July 1973).
[12] Office of Management and Budget, OMB Guidance for Implementing the
Privacy Provisions of the E-Government Act of 2002, M-03-22
(Washington, D.C.: Sept. 26, 2003).
[13] The E-Government Act requires agencies, if practicable, to make
privacy impact assessments publicly available through agency Web sites,
publication in the Federal Register, or by other means. Pub. L. 107-
347, § 208(b)(1)(B)(iii).
[14] At least one agency has developed its own requirement for breach
notification. Specifically, the Department of Defense instituted a
policy in July 2005 requiring notification to affected individuals when
protected personal information is lost, stolen, or compromised.
[15] Information resellers are companies that collect information,
including personal information about consumers, from a wide variety of
sources for the purpose of reselling such information to their
customers, which include both private-sector businesses and government
agencies. For additional information, see GAO-06-421.
[16] States that have enacted breach notification laws include Arizona,
Arkansas, Colorado, Connecticut, Delaware, Florida, Georgia, Idaho,
Illinois, Indiana, Kansas, Louisiana, Maine, Minnesota, Montana,
Nebraska, Nevada, New Jersey, New York, North Carolina, North Dakota,
Ohio, Pennsylvania, Rhode Island, Tennessee, Texas, Utah, Washington,
and Wisconsin.
[17] H.R. 4127; introduced by Representative Clifford B. Stearns on
October 25, 2005.
[18] S. 751; introduced by Senator Dianne Feinstein on April 11, 2005.
[19] Attachment 1 includes a list of our products related to IT
vulnerabilities at VA.
[20] GAO, Veterans Affairs: Sustained Management Attention Is Key to
Achieving Information Technology Results, GAO-02-703 (Washington, D.C.:
June 12, 2002).
[21] We based our recommendations on guidance and practices provided in
GAO, Federal Information System Controls Audit Manual, GAO/AIMD-12.19.6
(Washington, D.C.: January 1999); Information Security Management:
Learning from Leading Organizations, GAO/AIMD-98-68 (Washington, D.C.:
May 1998); Information Security Risk Assessment: Practices of Leading
Organizations, GAO/AIMD-00-33 (Washington, D. C.: November 1999); and
Chief Information Officer Council, Federal Information Technology
Security Assessment Framework (Washington, D.C.: Nov. 28, 2000). FISMA
(passed in late 2002) and associated guidance are generally consistent
with this earlier guidance.
[22] This result is also reflected in the department's failing grade in
the annual report card on computer security that is issued by the House
Government Reform Committee: Computer Security Report Card (Washington,
D.C.: Mar. 16, 2006).
[23] VA's Security Management and Reporting Tool (SMART).
[24] The auditor's report is included in VA's FY 2005 Annual
Performance and Accountability Report.
[25] GAO, Data Mining: Agencies Have Taken Key Steps to Protect Privacy
in Selected Efforts, but Significant Compliance Issues Remain, GAO-05-
866 (Washington, D.C.: Aug. 15, 2005).
[26] GAO-06-421, pp. 59-61.
[27] State of California Department of Consumer Affairs, Recommended
Practices on Notice of Security Breach Involving Personal Information
(April 2006), p. 6.
[28] Federal Trade Commission, Prepared Statement of the Federal Trade
Commission Before the Committee on Commerce, Science, and
Transportation, U.S. Senate, on Data Breaches and Identity Theft
(Washington, D.C.: June 16, 2005), p. 10.
[29] Synovate, Federal Trade Commission Identity Theft Survey Report
(McLean, Va.: September 2003).
[30] Federal Trade Commission, Prepared Statement on Data Breaches and
Identity Theft, p. 10.
[31] Center for Democracy and Technology, Securing Electronic Personal
Data: Striking a Balance between Privacy and Commercial and Government
Use (Washington, D.C.: Apr. 13, 2005), p. 7.
[32] State of California, Recommended Practices on Notice of Security
Breach.
[33] Federal Trade Commission, Information Compromise and the Risk of
Identity Theft: Guidance for Your Business (Washington, D.C.: June
2004).
[34] This concept was discussed during a recent public workshop on
"Transparency and Accountability: The Use of Personal Information
within the Government," hosted by the DHS Privacy Office.
[35] At the DHS workshop, panelists from the Federal Trade Commission
and the Office of the Comptroller of the Currency presented these
findings of an interagency research project on design of easy-to-
understand consumer financial privacy notices. Kleimann Communication
Group, Inc., Evolution of a Prototype Financial Privacy Notice: A
Report on the Form Development Project (Feb. 28, 2006).
GAO's Mission:
The Government Accountability Office, the investigative arm of
Congress, exists to support Congress in meeting its constitutional
responsibilities and to help improve the performance and accountability
of the federal government for the American people. GAO examines the use
of public funds; evaluates federal programs and policies; and provides
analyses, recommendations, and other assistance to help Congress make
informed oversight, policy, and funding decisions. GAO's commitment to
good government is reflected in its core values of accountability,
integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony:
The fastest and easiest way to obtain copies of GAO documents at no
cost is through the Internet. GAO's Web site ( www.gao.gov ) contains
abstracts and full-text files of current reports and testimony and an
expanding archive of older products. The Web site features a search
engine to help you locate documents using key words and phrases. You
can print these documents in their entirety, including charts and other
graphics.
Each day, GAO issues a list of newly released reports, testimony, and
correspondence. GAO posts this list, known as "Today's Reports," on its
Web site daily. The list contains links to the full-text document
files. To have GAO e-mail this list to you every afternoon, go to
www.gao.gov and select "Subscribe to e-mail alerts" under the "Order
GAO Products" heading.
Order by Mail or Phone:
The first copy of each printed report is free. Additional copies are $2
each. A check or money order should be made out to the Superintendent
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or
more copies mailed to a single address are discounted 25 percent.
Orders should be sent to:
U.S. Government Accountability Office
441 G Street NW, Room LM
Washington, D.C. 20548:
To order by Phone:
Voice: (202) 512-6000:
TDD: (202) 512-2537:
Fax: (202) 512-6061:
To Report Fraud, Waste, and Abuse in Federal Programs:
Contact:
Web site: www.gao.gov/fraudnet/fraudnet.htm
E-mail: fraudnet@gao.gov
Automated answering system: (800) 424-5454 or (202) 512-7470:
Public Affairs:
Jeff Nelligan, managing director,
NelliganJ@gao.gov
(202) 512-4800
U.S. Government Accountability Office,
441 G Street NW, Room 7149:
Washington, D.C. 20548:
