VA Systems Security:
Information System Controls at the North Texas Health Care System
AIMD-00-52R, Feb 1, 2000
Pursuant to a legislative requirement, GAO reviewed the weaknesses of the North Texas Health Care System's (NTHCS) information system general controls and the status of corrective actions taken to mitigate these weaknesses.
GAO noted that: (1) NTHCS made progress in correcting specific computer security weaknesses that GAO identified in its previous evaluation of information system general controls; (2) NTHCS had resolved 18 of GAO's prior recommended actions, as well as 3 additional issues GAO identified during its most recent review; (3) however, GAO identified continuing significant weaknesses that pose a risk of inadvertent or deliberate misuse, fraudulent use, improper disclosure, and destruction of financial and sensitive veteran medical information; (4) GAO found that NTHCS had not established effective access controls over its network or adequately: (a) managed network user identifications (ID) and passwords; (b) controlled remote access; or (c) monitored network system activity; (5) in addition, NTHCS had not established procedures to control access by powerful user IDs to its main computer systems; (6) NTHCS had not adequately segregated security administration duties, provided for continued processing of its critical financial and sensitive medical systems in the event of service interruptions, or established comprehensive physical security controls; (7) GAO identified 23 specific weaknesses, 20 of which remained open as of the end of GAO's fieldwork; (8) NTHCS had established a foundation for implementing a computer security management program which included appointing a full-time security officer with specific roles and responsibilities, promoting security awareness, and developing a plan to review its security policies and procedures; (9) however, NTHCS had not yet instituted a framework for continually assessing risks or routinely monitoring and evaluating the effectiveness of information system general controls; (10) GAO's May 1998 study of security management best practices found that both these missing elements are key ingredients in a comprehensive computer security management program which is essential to ensure that information system general controls work effectively on a continuing basis; (11) in November 1999, NTHCS provided GAO with a corrective action plan to address the remaining weaknesses GAO identified; (12) proper implementation of this plan should correct all previously identified security issues and ensure that an effective computer security environment is achieved and maintained; (13) the plan included updated information regarding corrective actions taken since GAO completed its fieldwork; and (14) GAO did not verify these corrective actions, but plans to do so as part of future reviews.