
Executive Summary on Veterans Affairs (VA) Loss of Private Information

Background

On 3 May 2006, a Department of Veterans Affairs (VA) workstation was stolen from a VA data analyst's home in Montgomery County, Maryland. In addition to the PC, a personal external hard drive was stolen. The external hard drive contained the personal information (names, Social Security numbers, dates of birth, disability ratings) of 26.5 million veterans and their spouses. It should be noted that this massive data theft was just one of many that had been discovered over the span of 1.5 years.

Upon discovery of the theft, the VA employee immediately notified the local police and his supervisors. His supervisors did not notify the Secretary of Veterans Affairs until 16 May 2006. On 17 May 2006, the Secretary of Veterans Affairs informed the FBI, who began working with the Montgomery County police to investigate the theft.

Results and Conclusions

Issue 1: The VA employee had authorization to access and use the VA databases in the performance of his official duties. He was not, however, authorized to take the data home, as he had no official need for the data at home. The private data was not properly safeguarded. He failed to password-protect it (at the very least) and to encrypt it. For this, he gets the highest honors in the blockhead class.

Issue 2: The response of supervisors and senior managers to the notification of stolen data was inappropriate and not timely. They failed to determine the magnitude of the data loss. There was a failure to notify appropriate law enforcement entities of the potential impact on VA programs and operations.

Issue 3: There was a lack of urgency on the part of the Secretary of Veterans Affairs' immediate staff in notifying him. They did not notify the Secretary until 16 May 2006, a full 13 days after the theft of the data. This was not clearly identified as a high-priority incident, and there was a failure to follow up on the incident until after they received a call from the Inspector General.

Issue 4: Information Security officials failed to effectively trigger appropriate notifications and begin an investigation of the stolen data. The information security official's incident report contained omissions and significant errors. This resulted in missed opportunities to re-create the contents of the PC and external drive and to recognize the severity of the potential loss of data. The cybersecurity operations officials failed to ensure that a timely investigation was carried out and that notifications were made regarding the severity of the lost data.

Issue 5: VA policies, procedures and practices were difficult to identify, were not current, and were not complete. The VA policies and procedures for safeguarding against disclosure of private information were inadequate with regard to preventing the data loss incident. The policies and procedures for reporting and investigating lost or stolen private data were not well defined in the VA policies.

Recommendations

1. Implement a centralized Agency-Wide Information Technology (IT) security program.

2. Implement a patch management program to ensure programs and applications are up to date with security patches.

3. Implement effective monitoring of systems using electronic scanning in order to proactively identify and correct security vulnerabilities.

4. Deploy and install Intrusion Detection Systems (IDS).

5. Implement and use Configuration Management.

6. Use application program/operating system change controls.

7. Institute more stringent physical access controls.

8. Use penetration testing to test the security of the remote system.

9. Encrypt sensitive, personal and proprietary data on VA systems.

10. Implement training for VA employees and contractors using training modules which are up to date.

11. Establish one concise and clear VA policy on safeguarding protected information when stored and not stored on a VA automated system. Ensure this policy is easily and readily accessible to employees. Hold employees accountable for non-compliance.

12. Establish a VA policy and procedures which provide clear and consistent standards for reporting, investigating, and tracking incidents of loss, theft, or potential disclosure of protected information. Include specific time frames and responsibilities for reporting within the VA chain of command, the Office of the Inspector General (if appropriate or applicable) and other law enforcement agencies. Ensure the policy and procedure specifies when it is appropriate to notify individuals whose protected information may have been compromised.
