GAO: VA must tighten lax inventory controls

By not enforcing policies, the department continues to put IT equipment and sensitive data at risk.

The Veterans Affairs Department risks more theft and loss of information technology equipment -- and the sensitive data it might contain -- because of lax internal controls, the Government Accountability Office said. In tests of inventory controls at four VA locations, GAO identified 123 IT items that went missing in the past year, including 53 computers that could have stored personally identifiable data.

GAO also found that VA did not enforce policies that require inventories of IT equipment, said McCoy Williams, GAO’s director of financial management and assurance.

“We found an overall lack of accountability for IT equipment,” he said at a hearing of the House Veterans’ Affairs Committee’s Oversight and Investigations Subcommittee and in a report released today.

VA also reported a total of 2,400 missing IT items valued at about $6.4 million in fiscal 2005 and 2006 from those four locations, the GAO report states.

Robert Howard, VA’s chief information officer, said he does not know whether the missing computers contain sensitive data, but there have been no indications of data misuse.

“It’s possible, but I couldn’t say,” he said after the hearing. “I have not found any case of identity theft as a result of any of these [past] incidents. We have monitored them closely.”

GAO examined inventory controls at VA’s headquarters and at medical centers in Washington, Indianapolis and San Diego. In tests of computer hard drives that were being disposed of, GAO found no data that had been certified as sanitized. Some drives have been waiting to be sanitized for several years, Williams said.

Since GAO’s 2004 report on its IT inventory, VA has taken actions to strengthen its controls over IT equipment, including clarifying property management policies and centralizing IT functions under the CIO. But VA has not ensured consistent, effective control over the IT equipment inventory or clearly defined employees’ responsibilities.

“Until these shortcomings are addressed, VA will continue to face major challenges in safeguarding IT equipment and sensitive personal data on this equipment from loss, theft and misappropriation,” Williams said.

But if VA takes the actions detailed in its testimony today, the department could get back on track, he added.

“I think this is a good first start in what I see in the testimony,” Williams said. “The proof will be in the actions.”

Howard agreed with GAO’s findings and said it was vitally important that VA remedy the problems.

“With a single IT authority, VA is now in a better position to improve asset management and have actions under way,” he told lawmakers.

VA uses several systems to collect data on IT assets and is planning to adopt a single system. It recently began using IBM’s Maximo Asset Management software to better track inventory and has issued a request for information to identify software that can capture the more detailed data needed to account for IT assets, such as the presence of personally identifiable information, Howard said. He hopes to introduce additional software capabilities by fall.

VA has located some of the equipment reported missing by the Office of Information and Technology under the previous decentralized IT organization. Howard’s team has reduced the number of missing items to 443 and will soon account for the rest, he said.

A team is working to improve asset management and accountability by developing standard procedures, and VA is preparing to issue a new directive and guidelines.

In February, VA expanded the CIO’s responsibilities to include conducting on-site assessments of IT security, privacy and records management, and the physical security of IT assets. To date, the CIO’s office has conducted 58 assessments.

In accordance with the VA’s new directive, employees are being required to sign receipts for the IT equipment they are assigned. The department has also begun deploying software that will detect and monitor any device that is connected to its networks.
