VA security policies lack enforcement teeth, legislator says

Department directive issued last week restricts the transmission of agency data.

The Veterans Affairs Department has issued a series of directives intended to prevent future security breaches, but the rules lack firm enforcement mechanisms, a lawmaker and congressional staff member said.

A June 7 directive, signed by Gordon Mansfield, the department's deputy secretary and chief operating officer, and Robert T. Howard, supervisor of the Office of Information Technology, establishes security measures for all data handled by employees. In particular, it covers the transmission of data and the use of nonelectronic records outside a regular agency work site.

Rep. Bob Filner, D-Calif., a member of the House Veterans' Affairs Committee, said the policies are "somewhat light on enforcement and on [the] specific liabilities and punitive actions" for employees who fail to protect sensitive information.

Len Sistek, Democratic staff director for the House Veterans' Affairs Subcommittee on Oversight and Investigations, noted the directive uses the word "enforcing," but said the policy does not make clear what that means or where the enforcement authority resides.

Considering that VA Secretary James Nicholson wants stiffer penalties for government employees who mishandle sensitive information, the document, while generally an improvement, is still light on explaining the repercussions for noncompliance, Sistek said.

House Veterans Affairs Committee Chairman Steve Buyer, R-Ind., said he had not seen the directive and could not comment on it.

A VA spokesman cited testimony presented by Nicholson last week before the House Government Reform Committee, stating that the department has the authority "to discipline employees and possibly bring criminal actions against those who willfully disregard the safeguards" needed to protect sensitive data.

Nicholson also said the centralization of information technology management will enhance the VA's ability to enforce information security policies.

Bruce Brody, vice president for information security at the Reston, Va.-based market research firm INPUT and associate deputy assistant secretary for cyber and information security at the VA from 2001 to 2004, said the chief information officer's office attempted to put a similar policy in place years ago, but experienced resistance from VA leaders.

Brody questioned how the directive would be enforced because, he said, "central authority over information security doesn't exist" at the VA.

"Everyone is in charge, therefore no one is in charge," he said.