VA Systems Security:

Information System Controls at the VA Maryland Health Care System

AIMD-00-117R: Published: Apr 19, 2000. Publicly Released: Apr 19, 2000.

Contact:

Robert F. Dacey
(202) 512-3000
contact@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

Pursuant to a legislative requirement, GAO assessed the effectiveness of information system general controls at the Department of Veterans Affairs' Maryland Health Care System (VAMHCS).

GAO noted that: (1) there are significant weaknesses that pose a risk of inadvertent or deliberate misuse, fraudulent use, improper disclosure, and destruction of financial and sensitive veteran medical information; (2) specifically, GAO found that VAMHCS had not: (a) established effective access controls to its network and main computer system; (b) adequately managed network user identifications (ID) and passwords; or (c) monitored network system activity; (3) in addition, VAMHCS had not established procedures to control access by powerful user IDs to its main computer systems, nor had it appropriately segregated the access authority of selected procurement staff to request, approve, and receive medical items; (4) moreover, VAMHCS also had not established comprehensive physical security controls or adequately provided for continued processing of its critical financial and sensitive medical system in the event of service interruptions; (5) the lack of a comprehensive computer security management program is the primary reason for VAMHCS' information system general control problems; (6) GAO's May 1998 study of security management best practices found that an effective program would include guidance and procedures for assessing risks, establishing appropriate policies and related controls, raising awareness of prevailing risks and mitigating controls, and monitoring and evaluating the effectiveness of established controls; and (7) while VAMHCS had established an effective security awareness program, it had not yet established a framework for assessing risk, or evaluating the effectiveness of information system general controls, nor had it established comprehensive policies and procedures needed for an effective computer control environment.

Apr 9, 2014

Mar 25, 2014

Mar 5, 2014

Feb 27, 2014

Jan 15, 2014

Jan 14, 2014

Jan 13, 2014

Dec 3, 2013

Nov 13, 2013

Oct 31, 2013

Looking for more? Browse all our products here