VA defends its weak security policies

June 23, 2006 at 2:04 PM

WASHINGTON, June 23 (UPI) -- U.S. Veterans Affairs officials this week defended the weak security policies that contributed to the theft of data on 26.5 million people.

The Veterans Affairs Department's chief legal officer on Thursday defended memorandums opposing attempts to centralize authority over technology, telling legislators that he based them on the laws governing federal information security, GovExec.com reported Thursday.

A lack of central authority to enforce information security policies at the VA has become a focus of lawmakers who are examining last month's massive data breach.

Rep. Steve Buyer, R-Ind., chairman of the Veterans' Affairs Committee of the U.S. House of Representatives, said at a House hearing Thursday that memos signed by VA General Counsel Tim McClain contributed to the weak security controls culminating in the data breach. Agency officials responsible for enforcing security policies did not have the necessary authority, he said.

"It is incongruent to say one has responsibility, but no authority," Buyer told McClain, referring to the general counsel's decision on a directive from then-VA Secretary Anthony Principi. "We ended up with a legal opinion that is a heterodox opinion."

A March 2004 memo from Principi stated that then-CIO Robert McFarland was responsible for implementing a department-wide information security program, GovExec.com said. But a subsequent memo from McClain weakened that directive. In his testimony McClain said the Principi memo merely asserted the secretary's "intention" to grant McFarland the "power and authority needed" to enforce information security policies, the report said.

McClain said he would not retract either of two memos, one dated Aug. 1, 2003, and the other April 7, 2004, finding that the chief information security officer lacked the authority under the 2002 Federal Information Security Management Act to hold organizations and individuals within the department accountable for information security, the report said.
