Breadcrumb

Administrative Investigation, Improper Use of Web-based Collaboration Technology, Office of Information and Technology

Report Information

Issue Date
Report Number
13-03054-463
VA Office
Information and Technology (OIT)
Report Author
Office of Investigations
Report Type
Administrative Investigation
Recommendations
3
Questioned Costs
$0
Better Use of Funds
$0
Congressionally Mandated
No

Summary

Summary
VA employees improperly used Yammer.com, a Web-based collaboration technology, which was not approved or monitored as required by VA policy. Further, the website had vulnerable security features, recurring website malfunctions, and users engaged in a misuse of time and resources. Although One VA Technical Reference Model (TRM) approved, with constraints, the installation of Yammer’s Notifier, a Windows desktop application, use of the Yammer social network was not VA-approved for employee use. Further, it was not only promoted by VA employees, but it was used and showcased in June 2013 by the former Executive in Charge of Information Technology (IT) and Chief Information Officer (CIO), for an open chat forum, as well as in a June 2014 CIO Message reminding employees to comply with VA Directive 6515 when using Yammer, giving the false impression that VA approved the use of Yammer.com. The Yammer website did not have an administrator or system set in place to ensure removal of former VA or contractor employees and the relatively simple process to post to Yammer not only made VA vulnerable from user uploading, on purpose or accidentally, personally identifiable information (PII), protected health information (PHI), or VA sensitive information, of which any current or former employee remaining active on the site would have access. Yammer users violated VA policy when they downloaded and shared files, videos, and images, risking malware or viruses spreading quickly from the site. Further, Yammer regularly spammed and excessively emailed users, as well as VA employees who had no interest in joining the site, and users were unable to remove the Online Now instant messaging feature, resulting in every user violating VA policy simply by logging onto the site. There were numerous user posts that were non-VA related, unprofessional, or had disparaging content that reflected a broad misuse of time and resources. Moreover, the continuous data streams, instant messaging, video, audio, large files and attachments, and other uploaded non-VA content to the site may cause congestion, delay, or disruption of service and degrade the performance of VA’s network.

Open Recommendation Image, SquareOpenClosed and Implemented Recommendation Image, CheckmarkClosed-ImplementedNot Implemented Recommendation Image, X character'Closed-Not Implemented
No. 1
Closed and Implemented Recommendation Image, Checkmark
to Veterans Health Administration (VHA)
We recommend that the VA Chief of Staff confer with the Offices OIT, OPIA, and General Counsel (OGC) to ensure that VA Yammer is formally evaluated, approved, and/or disapproved for VA use. If approved, ensure it meets all Federal laws and regulations, as well as VA policy and guidance. If disapproved, ensure that all VA employees cannot access it from VA-issued equipment or VA's network.
No. 2
Closed and Implemented Recommendation Image, Checkmark
to Veterans Health Administration (VHA)
We recommend that the VA Chief of Staff confer with the Offices of Human Resources (OHR), Accountability Review (OAR), and OGC to determine the appropriate administrative action to take, if any, against accountable OIT and OPIA officials, as well as other VA and contractor employees involved in this particular matter.
No. 3
Closed and Implemented Recommendation Image, Checkmark
to Veterans Health Administration (VHA)
We recommend that the VA Chief of Staff ensure that all VA employees are made fully aware of which Web-based collaboration technologies VA has approved for their use and which are prohibited.