VA Systems Security:

Information System Controls at the VA Maryland Health Care System

AIMD-00-117R: Published: Apr 19, 2000. Publicly Released: Apr 19, 2000.

Additional Materials:


Robert F. Dacey
(202) 512-3000


Office of Public Affairs
(202) 512-4800

Pursuant to a legislative requirement, GAO assessed the effectiveness of information system general controls at the Department of Veterans Affairs' Maryland Health Care System (VAMHCS).

GAO noted that: (1) there are significant weaknesses that pose a risk of inadvertent or deliberate misuse, fraudulent use, improper disclosure, and destruction of financial and sensitive veteran medical information; (2) specifically, GAO found that VAMHCS had not: (a) established effective access controls to its network and main computer system; (b) adequately managed network user identifications (ID) and passwords; or (c) monitored network system activity; (3) in addition, VAMHCS had not established procedures to control access by powerful user IDs to its main computer systems, nor had it appropriately segregated the access authority of selected procurement staff to request, approve, and receive medical items; (4) moreover, VAMHCS also had not established comprehensive physical security controls or adequately provided for continued processing of its critical financial and sensitive medical system in the event of service interruptions; (5) the lack of a comprehensive computer security management program is the primary reason for VAMHCS' information system general control problems; (6) GAO's May 1998 study of security management best practices found that an effective program would include guidance and procedures for assessing risks, establishing appropriate policies and related controls, raising awareness of prevailing risks and mitigating controls, and monitoring and evaluating the effectiveness of established controls; and (7) while VAMHCS had established an effective security awareness program, it had not yet established a framework for assessing risk, or evaluating the effectiveness of information system general controls, nor had it established comprehensive policies and procedures needed for an effective computer control environment.

May 11, 2016

Apr 28, 2016

Mar 21, 2016

Feb 10, 2016

Jan 12, 2016

Nov 18, 2015

Nov 12, 2015

Nov 4, 2015

Oct 30, 2015

Oct 28, 2015

Looking for more? Browse all our products here