IT practices at the U.S. Department of Veterans Affairs faced intense scrutiny after the theft of a laptop containing data on 26 million vets and their spouses. Among the surprises: No centralized security policy, despite recommendations years ago to create one.

Robert Howard, a retired general who's been acting CIO since April, has been confirmed by the Senate as the VA's first centralized CIO, to whom deputy CIOs in units including Veterans Health Administration and Veterans Benefits Administration report. A 2004 report from the inspector general's office made 16 recommendations for improving IT security at the VA, most of which weren't implemented. Howard told the Senate Committee on Veterans' Affairs that the VA's plan to improve data security "is without question my highest priority." The VA also is paying IBM $16 million to help it improve its management of IT infrastructure, operations, and maintenance.

While centralizing budgeting, operations, and maintenance, the VA will keep application development under its diverse units. Sounds like a healthy--and overdue--approach.