OIG to VA: Online collaboration tool an insecure time-waster

The Department of Veterans Affairs Office of Inspector General has chastised the VA for the improper use of the Yammer social network, according to a recent report.

Yammer, a collaboration tool meant to help increase productivity, was not approved for employee use and had vulnerable security features, according to the report. It also led to individuals wasting time and resources, OIG said.

The report chides Stephen Warren, former executive in charge of information technology and CIO, for using Yammer in a 2014 open chat forum, giving the false impression that the VA approved its use.

In a July call with reporters, Warren, who will leave the VA at the end of this month according to FierceGovernmentIT, called security a "cultural" responsibility, one that requires every employee in the organization to understand that security is part of his or her job.

There were about 50,000 VA email addresses registered on Yammer as of Aug. 3, with half of those being active users, according to the report. Yammer also allows users to create private groups, which managers could not screen. OIG investigators were able to access only the public groups.

Yammer users violated VA policy when they shared files, videos and images from the site, risking introducing malware or viruses that could quickly spread.

"We found numerous user posts that were non-VA related, unprofessional, or had disparaging content that reflected a broad misuse of time and resources," the report said.

In addition, the non-VA video and other large files the employees were using had the potential to congest the VA network and cause degradation of service. The Yammer website also had no administrator or system to ensure the removal of access for former VA or contractor employees and to remove any inappropriate content, which could include protected health information or other sensitive data.

Disabling accounts when an employee leaves an organization is one of the key pieces of data governance policy cited as essential in the Institute for Critical Infrastructure Technology's review of the U.S. Office of Personnel Management hack. Meanwhile, the VA recently failed its cybersecurity audit for the 16th consecutive year.
