Walker: Limit the information agencies collect

Limiting the personal information that is collected and restricting the information that is stored are practical measures for avoiding information breaches.

Limiting the personal information that is collected and restricting the information that is stored are practical measures for avoiding information breaches, U.S. Comptroller General David Walker said Thursday in congressional testimony.

The House Government Reform Committee held a hearing about the loss of millions of veterans' and active-duty military personnel's personal information, including Social Security numbers, when a laptop PC storing the data was stolen from a Department of Veterans Affairs employee's home.

Walker said agencies should assess how personal information is stored and managed. They need a robust information security program, as the Federal Information Security Management Act (FISMA) mandates. He suggested encryption as another means of protection.

He told the committee that Congress should consider a two-tier reporting requirement to define when to issue a public notice of an information breach. First, agencies should report all incidents to the Office of Management and Budget; second, affected individuals should be notified when the risk warrants it, he said.

Clay Johnson, deputy director for management at OMB, told the committee he has directed agency heads to describe in their annual FISMA reports the specific actions they will take to ensure their plans are in place.

“The recent incident makes painfully obvious a long-known security risk — a single trusted individual can mistakenly or intentionally, and very quickly, undo all of the sophisticated and expensive controls designed to safeguard our information and systems from attack,” Johnson said.

He said individuals must be held accountable for such incidents.

The VA has ordered a security review of every laptop at the agency and has banned employees from connecting any employee-owned computer to the VA virtual private network, VA Secretary James Nicholson said at the hearing.