Seven years after the 2006 data breach, VA information security employees still reacted with indifference, little sense of urgency, or responsibility concerning a possible cyber threat incident. Austin Information Technology Center (AITC) Office of Information and Technology (OIT) employees failed to follow VA information security policy and contract security requirements when they approved VA contractor employees to work remotely and access VA’s network from China and India. One accessed it from China using personally-owned equipment (POE) that he took to and left in China, and the other accessed it from India using POE that he took with him to India and then brought back to the United States. After the Acting Chief Information Officer (CIO) learned of this improper remote access, he gave verbal instructions for it to cease; however, VA information security employees at all levels failed to quickly respond to stop the practice and to determine if there was a compromise to any VA data as a result of VA’s network being accessed internationally. Further, OIG found that a VA employee, as well as other VA contractor employees, improperly connected to VA’s network from foreign locations.
