Veterans Information Security Improvement Act

Veterans Information Security Improvement Act

Directs the Secretary of Veterans Affairs to: (1) carry out certain information security activities, (2) ensure that officials and staff of the Department of Veterans Affairs (VA) possess specified qualifications in such areas, and (3) coordinate the staffing of related information technology and security offices.

Requires the Secretary to ensure that: (1) the Assistant Secretary for Information and Technology, the head of the Office of Information Security (OIS), and relevant field staff possess certain levels of information technology education, certifications, and experience; (2) Office of Information and Technology (OIT) staff are assigned to the OIS; and (3) subordinate OIT offices maintain appropriate information security functions.

Directs the Secretary to ensure that subordinate OIT offices maintain functions to: (1) integrate the VA's security architecture into the VA's overall enterprise architecture strategy, (2) restrict the development of new data warehouses and data marts holding sensitive personal information of veterans, (3) reduce the number of data marts holding such personal information, and (4) deploy an incident response capability.

Defines:

• "data mart" as a subset of a data warehouse that contains information for a specific entity of an organization rather than the entire organization, and
• "data warehouse" as a collection of data designed to support management decision making that contains a wide variety of data presenting a coherent picture of business conditions for an entire organization at a single point in time and whose development includes systems to extract data from operating systems plus installation of a warehouse database system that provides managers with flexible data access.

Requires the Secretary to safeguard VA network infrastructure, computers, and servers.

Directs the Secretary to protect the confidentiality of sensitive personal information of veterans by:

• providing upgrades or phaseouts of outdated or unsupported operating systems to protect against harmful viruses and malicious software; and
• securing VA web applications and the Veterans Health Information Systems and Technology Architecture (commonly referred to as the "Vista system," which allows for an integrated inpatient and outpatient electronic health record for patients and provides administrative tools to VA employees).

Directs the Secretary to submit certifications to Congress regarding the VA's compliance with information security requirements, including actions required by the National Institute of Standards and Technology and the Office of Management and Budget.

Requires the Secretary to submit monthly reports to Congress regarding security vulnerabilities discovered after performing regular scans of VA computers and servers.