Page:United States Statutes at Large Volume 120.djvu/3486

 PUBLIC LAW 109–461—DEC. 22, 2006

120 STAT. 3455

Department, with such orders to supersede and take priority over all operational tasks and assignments and be complied with immediately. ‘‘(5) Ensuring that— ‘‘(A) all employees within their organizations take immediate action to comply with orders from the Assistant Secretary for Information and Technology to— ‘‘(i) mitigate the impact of any potential security vulnerability; ‘‘(ii) respond to a security incident; or ‘‘(iii) implement the provisions of a bulletin or alert of the Security Operations Center; and ‘‘(B) organizational managers have all necessary authority and means to direct full compliance with such orders from the Assistant Secretary. ‘‘(6) Ensuring the VA National Rules of Behavior is signed and enforced by all system users to ensure appropriate use and protection of the information which is used to support Department missions and functions on an annual basis. ‘‘(f) USERS OF DEPARTMENT INFORMATION AND INFORMATION SYSTEMS.—Users of Department information and information systems are responsible for the following: ‘‘(1) Complying with all Department information security program policies, procedures, and practices. ‘‘(2) Attending security awareness training on at least an annual basis. ‘‘(3) Reporting all security incidents immediately to the Information Security Officer of the system or facility and to their immediate supervisor. ‘‘(4) Complying with orders from the Assistant Secretary for Information and Technology directing specific activities when a security incident occurs. ‘‘(5) Signing an acknowledgment that they have read, understand, and agree to abide by the VA National Rules of Behavior on an annual basis. ‘‘(g) INSPECTOR GENERAL OF DEPARTMENT OF VETERANS AFFAIRS.—In accordance with the provisions of subchapter III of chapter 35 of title 44, the Inspector General of the Department is responsible for the following: ‘‘(1) Conducting an annual audit of the Department information security program. ‘‘(2) Submitting an independent annual report to the Office of Management and Budget on the status of Department information security program, based on the results of the annual audit. ‘‘(3) Conducting investigations of complaints and referrals of violations as considered appropriate by the Inspector General.

Audit. Reports.

Investigations.

‘‘§ 5724. Provision of credit protection and other services ‘‘(a) INDEPENDENT RISK ANALYSIS.—(1) In the event of a data breach with respect to sensitive personal information that is processed or maintained by the Secretary, the Secretary shall ensure that, as soon as possible after the data breach, a non-Department entity or the Office of Inspector General of the Department conducts an independent risk analysis of the data breach to determine the level of risk associated with the data breach for the potential

VerDate 14-DEC-2004

12:05 Jul 13, 2007

Jkt 059194

PO 00003

Frm 00258

Fmt 6580

Sfmt 6581

E:\PUBLAW\PUBL003.109

APPS06

PsN: PUBL003

�