Hon. Robert T. Howard
Thank you, Mr. Chairman. I would like to thank you for the opportunity to testify on IT asset management within the Department of Veterans Affairs. I am joined today by Mr. Robert J. Henke, Assistant Secretary for Management. I am also accompanied by:
- Ms. Adair Martinez, my Deputy Assistant Secretary for Information Protection and Risk Management
- Mr. Ray Sullivan, my Director of Field Operations
- Mr. Arnie Claudio, my Director for IT Oversight and Compliance
- Mr. Fernando O. Rivera, Director of the Washington DC VA Medical Center, and
- Mr. Steve Robinson, Chief Acquisition and Materiel Management Service for the Washington DC VA Medical Center
IT asset management is a critically important issue that also has a direct bearing on our ability to enhance information protection throughout VA. As you know, a recent GAO report (GAO report 07-505) on VA’s IT asset management found inadequate controls and risk associated with theft, loss, and misappropriation of IT equipment at selected VA locations. In that report, GAO found inadequate accountability and included a number of important recommendations – with which we agree.
As the Chief Information Officer for VA, I am responsible for ensuring compliance with the integrity and security of VA’s IT assets. I understand that when poor IT inventory procedures exist, both the loss of expensive equipment, as well as the loss of any sensitive information resident on the equipment, could occur. This is a situation of the utmost importance. It is a situation that we are working hard to remedy. I am prepared to answer your questions today about procedures that already exist, as well as more rigorous and standard procedures that are being implemented.
The GAO findings demonstrate a need for more emphasis and vigilance in this area. With the establishment of a single IT authority in the VA, we are now in a much better posture to improve the IT asset management situation and have a number of actions already underway. We currently have several systems in VA that capture IT assets, and we are working to standardize this and move to a single IT asset management system.
We have been able to locate some of the equipment that was reported missing. For example, regarding the items of missing equipment that were assigned to the previous Office of Information and Technology organization, we have been able to locate most of them. We assembled a team to conduct a search for missing items (e.g. network equipment, servers, digital cameras, etcetera) that were assigned to the Office of Information and Technology prior to the consolidation of IT in VA. At the end of this review, which took place over a 3-month period, the team had located about 90 percent of the equipment, and although much of the equipment was found, the lack of accountability was clearly evident.
To improve our asset management and accountability within VA, a special team has been established to develop standard procedures. A new Directive and accompanying Handbook on the Control of Information Technology Equipment within the VA have been prepared and we have already implemented some of the procedures they describe. The Directive and Handbook will provide clear direction on all aspects of IT asset management.
Additionally, we have expanded the responsibilities of my Office of Information Technology Oversight and Compliance. This office was established in February 2007 to conduct on-site assessments of IT security, privacy and records management at VA facilities. As of today, the office has completed over 58 assessments. The oversight of physical security for IT assets is now a part of their assessment routine. The results of the reviews will help us support and strengthen VA IT security controls. This office ensures that facilities are aligned with the National Institute of Standards and Technology’s recommended security controls for Federal Information Systems.
We must also increase awareness at the individual user level regarding accountability for IT equipment. The new Directive and Handbook, mentioned earlier, will require employees who have been assigned VA IT equipment to sign a receipt for the IT equipment in their possession. Supervisors will be held responsible for common equipment that is not assigned to individuals. The receipt used is the printout of the Equipment Inventory List, which describes equipment assigned to employees by name. These procedures have already been implemented. We have also begun to deploy network monitoring software that will help us detect and monitor any device that is connected to the VA network.
Special procedures are also being implemented for equipment that may be considered “expendable” but which must be accounted for, not because of the cost, but because the equipment has the potential for storing sensitive information. An example of such low-cost IT equipment that must be tracked is the encrypted thumb drives being distributed throughout the VA.
In closing, I want to assure you, Mr. Chairman, that we will remain focused in our efforts to improve all aspects of the Information and Technology environment in the VA – including the overall accountability and control of IT equipment. This will not only reduce the risk of loss of expensive equipment but also the potential loss of sensitive information the equipment may contain. Thank you for your time and the opportunity to speak on this issue. I would be happy to answer any questions you may have.