Information Systems: The Status of Computer Security at the Department of Veterans Affairs

AIMD-00-5 Published: Oct 04, 1999. Publicly Released: Oct 04, 1999.

Highlights

Pursuant to a legislative requirement, GAO reported on the status of computer security throughout the Department of Veterans Affairs (VA).

Recommendations

Recommendations for Executive Action

Agency Affected: Department of Veterans Affairs
Recommendation: The Secretary of Veterans Affairs should direct the VA Chief Information Officer to periodically report to the Secretary on progress in implementing its information security program plan.
Status: Closed – Implemented
In January 2000, the VA Acting Chief Information Officer began a process of quarterly reporting to agency management on progress made in implementing the department-wide security management program. In implementing this program, VA has established several plan milestones to phase in key program elements, several of which have already been implemented. This program is scheduled to be fully operational by January 2003.

Agency Affected: Department of Veterans Affairs
Recommendation: The Secretary of Veterans Affairs should direct the VA Chief Information Officer to develop detailed departmentwide guidance and oversight processes as described in this report so that important aspects of computer security programs, such as periodically assessing risks, monitoring system and user access activity, and monitoring and evaluating information system policy and control effectiveness, are fully addressed and implemented consistently throughout the department.
Status: Closed – Implemented
In January 2002, VA updated its computer security policies and procedures on (1) risk assessments, and (2) requirements to monitor system access activities for unusual or suspicious activities. The policy on risk assessments includes guidance on performing assessments when significant system changes are made, and requires the facility security function to perform, at least annually, a review to ensure that risk assessments were performed. For monitoring system access activities, VA established procedures to assist in identifying and reviewing system logs for unauthorized actions. Furthermore, in February 2002, VA deployed intrusion detection systems to selected sites as a precursor to its enterprise-wide implementation of these systems. In October 2001, VA developed and implemented a program to provide security oversight. This program provides that the department's central security function perform reviews of computer security department-wide to measure, test, and report on the effectiveness of its system of computer controls. These reviews will cover such areas as network security over routers, firewalls, and servers, access to mainframes, and disaster recovery plans.

Agency Affected: Department of Veterans Affairs
Recommendation: The Secretary of Veterans Affairs should direct the VA Chief Information Officer to expand the scope of procedures for tracking information security weaknesses so that all information security weaknesses identified by management, consultants, the audit community, or other external organizations are included and that reported corrective actions are operating as intended.
Status: Closed – Implemented
In January 2000, the Department of Veterans Affairs expanded its information security audit remediation report to track all information security weaknesses, including those identified by internal commissioned reviews, the Office of the Inspector General, and GAO reports. As part of this process, VA's central security group is validating the specific corrective actions taken.

Topics

Computer security, Confidential communications, Federal agency accounting systems, Financial management systems, Financial statement audits, Homeland security, Information resources management, Information security, Internal controls, Computer resources management