Interview with General Kearney, VA medical centers CIO

The Department of Veterans Affairs generated more than its share of unwelcome headlines a few years back following the theft of an agency laptop and other issues related to data security. Since then, the agency has made myriad improvements to its security regime, including encrypting mobile devices, implementing a continuous awareness program and deploying continuous network monitoring tools. The second-largest federal agency, the VA is subject to a host of IT-related mandates, including those under the Federal Information Security Management Act and the Health Insurance Portability and Accountability Act, and its data practices are regularly audited. In an interview with FierceCIO, General Kearney, CIO for a network of seven VA medical centers in Michigan, Indiana and Illinois, discusses some of the agency's data security and compliance initiatives.

FierceCIO: What is the greatest risk to your network security these days?

General Kearney: That is really a hard question because there are so many. From an external perspective, the biggest threat is coming through new phishing expeditions and malware. The internal threats mostly come through some type of social engineering or disgruntled employees.

FCIO: What percentage of your IT staff works on security? 

Kearney: Security is the responsibility of everyone. We have an information security officer at each of our facilities, and they are the primary leads for the security program. Each of my facilities also has a facility CIO, and they have system administrators. We all work in tandem with the information security officers. Even though the ISO is the lead person, we all do continuous monitoring.

Everyone works on security. System administrators do configuration management, patch control, continuous monitoring, checking logs, coordinating with ISOs, doing the FISMA smart database update. Technicians do the troubleshooting. These folks not only go out and make sure mobile workstations are protected, but they talk to the end users and make them aware of privacy and security issues. They make sure we have protected screen savers on monitors.

It's an effort by the whole team. It's massive, ongoing and continuous. 

FCIO: What are some of the tools you are using to manage security risks?

Kearney: On the physical side, we have put physical locks on the computers, and we lock the computers down to the desks. We have screen protectors on computers in common areas. We encrypt all mobile devices that leave our boundaries. 

On the logical side, one application we use is called CimTrak (from Cimcor Inc.), which provides us with auditing and risk management tools. It goes in and takes a snapshot of our configuration on a server or workstation and stores that information on a repository. If anyone tries to change a file, the application will pick it up. If a system administrator goes in and makes a change, CimTrak provides a log of who made the change and when.

Say we had a patch that was sent out and a system administrator deployed it within his environment. This application would pick up the patch update and ask whether you are sure you want to make the changes. It would then log the change. Later we could use this application to know when the patch was deployed so we could roll back the patch if need be.

You set the threshold for this, and the parameters are almost endless. If anything deviates from the footprint that you have established, the system administrator will be alerted. Before deploying CimTrak, we used several different tools for patch management and monitoring. We used this application to replace at least three other applications. We still use other notification tools along with it--we have a pretty fortified perimeter.

FCIO: How do you see the IT department evolving in terms of the amount of resources dedicated to security?

Kearney: Five years ago, [this security program] was sort of non-existent. I don't think it was taken seriously. We have beefed up our staffing, not to where I would like it, but by at least 10 or 15 percent. We also require folks to do more. We educate all of our employees better. We've taken the approach that not only would we increase IT and the security resources, but we would also train the entire workforce.

FCIO: Have you had to deal with issues of "rogue users" who try to procure/deploy/manage IT solutions independently?

Kearney: I think when I first came to the VA 10 years ago, that was probably an issue. Now, everything is hierarchical. If someone were to try to come in and plug in a different device, it would trip an alert. The structure you see now [was implemented] in 2007. Prior to that, each IT staff fell under a medical center. Now we fall under the Office of Information Technology, so there's consistency across the VA. Everything is structured and locked down. We are still working at it, but we've made leaps and bounds.
