Recommendations

Take whatever administrative action deemed appropriate concerning the individuals involved in the appropriate and untimely handling of the notification of stolen VA data.

Establish one clear, concise VA policy on safeguarding protected information when stored or not stored in VA automated systems, ensure policy is readily available, and employees held accountable.

Modify the mandatory Cyber Security and Privacy Awareness training to identify and provide a link to all applicable laws and VA policy.

We recommend that the Secretary ensure that all position descriptions are evaluated and have proper sensitivity level designations, that there is consistency nationwide for positions that are similar in nature or have similar access to VA protected information and automated systems, and that all required background checks are completed in a timely manner.

Establish VA-wide policy for contracts for services that requires access to protected information, ensures contractor personnel held to same standards, and information is safeguarded.

Establish VA policy and procedures that provide clear, consistent criteria for reporting, investigating, and tracking incidents of loss, theft, or potential disclosure of protected information.