Information Systems: VA Computer Control Weaknesses Increase Risk of Fraud, Misuse, and Improper Disclosure

AIMD-98-175: Published: Sep 23, 1998. Publicly Released: Sep 23, 1998.

Contact:

Robert F. Dacey
(202) 512-3317
contact@gao.gov

Pursuant to a legislative requirement, GAO provided information on weaknesses in the general computer controls that support key financial management and benefit delivery operations of the Department of Veterans Affairs (VA).

GAO noted that:

  1. general computer control weaknesses place critical VA operations, such as financial management, health care delivery, benefit payments, life insurance services, and home mortgage loan guarantees, and the assets associated with these operations, at risk of misuse and disruption;
  2. sensitive information contained in VA's systems, including financial transaction data and personal information on veteran medical records and benefit payments, is vulnerable to inadvertent or deliberate misuse, fraudulent use, improper disclosure, or destruction, possibly occurring without detection;
  3. the general control weaknesses GAO identified could also diminish the reliability of the department's financial statements and other management information derived from VA's systems;
  4. GAO found significant problems related to the department's control and oversight of access to its systems;
  5. VA did not adequately limit the access of authorized users or effectively manage user identifications (IDs) and passwords;
  6. VA also had not established effective controls to prevent individuals, both internal and external, from gaining unauthorized access to VA systems;
  7. VA's access control weaknesses were further compounded by ineffective procedures for overseeing and monitoring systems for unusual or suspicious access activities;
  8. VA was not providing adequate physical security for its computer facilities, assigning duties in such a way as to segregate incompatible functions, controlling changes to powerful operating system software, or updating and testing disaster recovery plans to prepare its computer operations to maintain or regain critical functions in emergency situations;
  9. a primary reason for VA's continuing general computer control problems is that it does not have a comprehensive computer security planning and management program;
  10. the VA facilities that GAO visited plan to address all of the specific computer control weaknesses identified;
  11. the director of the Dallas Medical Center and the Veterans Benefits Administration (VBA) Chief Information Officer (CIO) also said that specific actions had been taken to correct the computer control weaknesses that GAO identified at the Dallas Medical Center and the Hines and Philadelphia benefits delivery centers; and
  12. VA plans to develop a comprehensive security plan and management program.

Recommendations for Executive Action

  1. Status: Closed - Implemented

    Comments: In January 2000, the Department of Veterans Affairs issued a policy to strengthen user ID and password management controls across all VA computer platforms. This policy included specific guidance for establishing passwords, including specifications on the length of passwords and the use of special characters. In addition, this policy established requirements for testing compliance with the policy on a periodic basis.

    Recommendation: The Secretary of Veterans Affairs should direct the VA CIO to work in conjunction with the VBA and VHA CIOs and the facility directors, as appropriate, to implement identification and password management controls across all computer platforms to maintain individual accountability and protect password confidentiality and test these controls periodically to ensure that they are operating effectively.

    Agency Affected: Department of Veterans Affairs

  2. Status: Closed - Implemented

    Comments: In January 2002, VA updated its computer security policies and procedures on monitoring user access activity. This update provided specific policy on monitoring access to identify and investigate unusual or suspicious user access activity. In addition, procedures were established requiring the facility security function to perform, at least annually, a review to ensure compliance with this policy. Further, the department's central security function would be required to conduct periodic reviews at selected VA facilities to ensure compliance with the updated security policies and procedures.

    Recommendation: The Secretary of Veterans Affairs should direct the VA CIO to work in conjunction with the VBA and VHA CIOs and the facility directors, as appropriate, to develop targeted monitoring programs to routinely identify and investigate unusual or suspicious system and user access activity.

    Agency Affected: Department of Veterans Affairs

  3. Status: Closed - Implemented

    Comments: In January 2002, VA updated its computer security policies and procedures for granting individuals physical access to its computer centers. This update provided specific criteria for granting access based on employment status (e.g., employee, contractor) and job responsibilities. In addition, VA established procedures requiring the facility security function to perform, at least annually, a review of physical access to its computer center. Further, the department's central security function would be required to conduct periodic reviews at selected facilities to ensure compliance with VA's updated physical access policies and procedures.

    Recommendation: The Secretary of Veterans Affairs should direct the VA CIO to work in conjunction with the VBA and VHA CIOs and the facility directors, as appropriate, to restrict access to computer rooms based on job responsibility and periodically review this access to determine if it is still appropriate.

    Agency Affected: Department of Veterans Affairs

  4. Status: Closed - Implemented

    Comments: In January 2002, VA updated its computer security policies and procedures on segregating computer-related duties. This update provided specific policy requirements for segregating incompatible duties, such as system programming and security administration. In addition, procedures were established requiring the facility security function to perform, at least annually, a facility review to ensure compliance with this policy. Further, the department's central security function would be required to conduct periodic reviews at selected VA facilities to ensure compliance with the department's updated security policies and procedures.

    Recommendation: The Secretary of Veterans Affairs should direct the VA CIO to work in conjunction with the VBA and VHA CIOs and the facility directors, as appropriate, to separate incompatible computer responsibilities, such as system programming and security administration, and ensure that access controls enforce segregation of duties principles.

    Agency Affected: Department of Veterans Affairs

  5. Status: Closed - Implemented

    Comments: In March 1999, the Department of Veterans Affairs developed procedures that require all system software changes, including operating system software changes, to be authorized, tested, independently reviewed prior to implementation, and implemented by an independent party. The procedures also require that each of these actions be fully documented for every system software change.

    Recommendation: The Secretary of Veterans Affairs should direct the VA CIO to work in conjunction with the VBA and VHA CIOs and the facility directors, as appropriate, to require operating system software changes to be documented, authorized, tested, independently reviewed, and implemented by a third party.

    Agency Affected: Department of Veterans Affairs

  6. Status: Closed - Implemented

    Comments: In January 2002, VA updated its computer security policies and procedures. This update provided specific policy on developing, maintaining, and testing disaster recovery plans. In addition, the policy included requirements for maintaining these plans offsite. Also, procedures were established requiring the facility security function to perform, at least annually, a review of its disaster recovery plans. Further, the department's central security function would be required to conduct periodic reviews at selected VA facilities to ensure compliance with the updated security policies and procedures.

    Recommendation: The Secretary of Veterans Affairs should direct the VA CIO to work in conjunction with the VBA and VHA CIOs and the facility directors, as appropriate, to establish controls to ensure that disaster recovery plans are comprehensive, current, fully tested, and maintained at the off-site storage facility.

    Agency Affected: Department of Veterans Affairs

  7. Status: Closed - Implemented

    Comments: As part of the Department of Veterans Affairs' (VA) strategy to establish a fully operational departmentwide security management program by January 2003, in September 1999 the VA established a central security group to provide security guidance and oversight to the department. In conjunction with this effort, VA defined the roles and responsibilities of all key security functions in VA.

    Recommendation: The Secretary of Veterans Affairs should develop and implement a comprehensive departmentwide computer security planning and management program. Included in this program should be procedures for ensuring that security roles and responsibilities are clearly assigned and security management is given adequate attention.

    Agency Affected: Department of Veterans Affairs

  8. Status: Closed - Implemented

    Comments: In January 2002, VA updated its computer security policies and procedures on risk assessments. This update provided specific policy on performing risk assessments, including guidance on performing these assessments when significant system changes are made. In addition, procedures were established requiring the facility security function to perform, at least annually, a review to ensure that risk assessments were being conducted. Further, the department's central security function would be required to conduct periodic reviews at selected VA facilities to ensure compliance with the updated security policies and procedures.

    Recommendation: The Secretary of Veterans Affairs should develop and implement a comprehensive departmentwide computer security planning and management program. Included in this program should be procedures for ensuring that risks are assessed periodically to ensure that controls are appropriate.

    Agency Affected: Department of Veterans Affairs

  9. Status: Closed - Implemented

    Comments: In January 2002, VA updated its computer security policies and procedures to address its interconnected computer environment. This update provided specific computer security policy on VA's mainframe and network environments, including its wide area and local area networks. In addition, procedures were established requiring the facility security function to perform, at least annually, a review to ensure compliance with these updated security policies. Further, the department's central security function would be required to conduct periodic reviews at selected VA facilities to ensure compliance with these security policies and procedures.

    Recommendation: The Secretary of Veterans Affairs should develop and implement a comprehensive and departmentwide computer security planning and management program. Included in this program should be procedures for ensuring that security policies and procedures comprehensively address all aspects of VA's interconnected environment.

    Agency Affected: Department of Veterans Affairs

  10. Status: Closed - Implemented

    Comments: In January 2002, VA updated its computer security policies and procedures to require its facilities to monitor access activities for unusual or suspicious activities. In addition, VA established procedures to assist in identifying and reviewing system logs for unauthorized actions. Further, in February 2002, VA deployed intrusion detection systems to selected sites as a precursor to its enterprise-wide implementation of these systems. In March 2002, VA completed implementation of its departmentwide, centrally managed computer virus detection system. In connection with this effort, VA also established a computer security incident reporting system.

    Recommendation: The Secretary of Veterans Affairs should develop and implement a comprehensive departmentwide computer security planning and management program. Included in this program should be procedures for ensuring that attempts, both successful and unsuccessful, to gain access to VA computer systems and the sensitive data files and critical production programs stored on these systems are identified, reported, and reviewed on a regular basis.

    Agency Affected: Department of Veterans Affairs
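The monitoring called for in recommendations 2 and 10 (identify and investigate unusual or suspicious access activity; identify, report and review both successful and unsuccessful attempts to reach sensitive data files and production programs) is easiest to reason about as a concrete review routine. The following is an added example, not code from GAO or VA and not a description of VA's actual procedures. It reads access-log records in a format constructed for this example, reports every unsuccessful access attempt, bursts of failed logons, a logon that succeeds immediately after such a burst, and successful reads of sensitive data sets by users whose roles are not authorized to read them (which is also the kind of inappropriate access recommendation 14 asks facilities to find on review). The record format, user and role data, thresholds and sample log lines are all assumptions constructed for the example.

```python
"""Added example (not GAO or VA code): review an access log for the events
recommendations 2 and 10 say should be identified and reported. The record
format, role data, thresholds and sample records are constructed
assumptions, not VA data or VA's actual procedures."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed record format (assumption):
#   "<ISO timestamp> <user> <SUCCESS|FAIL> <action> [<resource>]"
SAMPLE_LOG = """\
1998-06-01T08:00:01 jsmith SUCCESS LOGON
1998-06-01T08:01:10 mlee FAIL LOGON
1998-06-01T08:01:15 mlee FAIL LOGON
1998-06-01T08:01:21 mlee FAIL LOGON
1998-06-01T08:01:30 mlee FAIL LOGON
1998-06-01T08:01:44 mlee FAIL LOGON
1998-06-01T08:02:02 mlee SUCCESS LOGON
1998-06-01T08:15:00 jsmith SUCCESS READ PAYMENT.MASTER
1998-06-01T08:20:00 rkhan SUCCESS READ PAYMENT.MASTER
1998-06-01T23:40:00 jsmith FAIL READ INSURANCE.MASTER
"""

# Constructed role data (assumption): the roles each user holds, and the
# roles permitted to read each sensitive data set.
USER_ROLES = {
    "jsmith": {"benefits_clerk"},
    "mlee": {"security_admin"},
    "rkhan": {"system_programmer"},
}
SENSITIVE_READERS = {
    "PAYMENT.MASTER": {"benefits_clerk"},
    "INSURANCE.MASTER": {"insurance_clerk"},
}

FAIL_THRESHOLD = 5                   # failed logons that count as a burst (assumption)
FAIL_WINDOW = timedelta(minutes=5)   # sliding window for counting them (assumption)


def parse_record(line):
    """Split one record in the constructed format into its fields."""
    parts = line.split()
    timestamp = datetime.fromisoformat(parts[0])
    user, result, action = parts[1], parts[2], parts[3]
    resource = parts[4] if len(parts) > 4 else None
    return timestamp, user, result, action, resource


def review_access_log(log_text, user_roles, sensitive_readers,
                      fail_threshold=FAIL_THRESHOLD, fail_window=FAIL_WINDOW):
    """Return (finding, user, timestamp, detail) tuples for an analyst to review."""
    findings = []
    recent_failures = defaultdict(list)  # user -> timestamps of failed logons still in window
    burst_reported = set()               # users whose current burst has already been reported

    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, result, action, resource = parse_record(line)

        if action == "LOGON":
            window = recent_failures[user]
            window[:] = [t for t in window if ts - t <= fail_window]  # age out old failures
            if result == "FAIL":
                window.append(ts)
                if len(window) >= fail_threshold and user not in burst_reported:
                    findings.append(("repeated_failed_logons", user, ts.isoformat(), len(window)))
                    burst_reported.add(user)
            else:
                # A success right after a burst is the case to investigate first:
                # it is what a guessed or shared password looks like in the log.
                if len(window) >= fail_threshold:
                    findings.append(("logon_success_after_failures", user, ts.isoformat(), len(window)))
                window.clear()
                burst_reported.discard(user)
            continue

        # Every unsuccessful attempt on programs or data is reported, not only bursts.
        if result == "FAIL":
            findings.append(("failed_access", user, ts.isoformat(), f"{action} {resource}"))
        elif resource in sensitive_readers and not (user_roles.get(user, set()) & sensitive_readers[resource]):
            # Successful read, but by a user none of whose roles may read this data set.
            findings.append(("sensitive_read_outside_role", user, ts.isoformat(), resource))

    return findings


if __name__ == "__main__":
    for finding in review_access_log(SAMPLE_LOG, USER_ROLES, SENSITIVE_READERS):
        print(*finding)
```

On the constructed sample the routine reports the five-failure burst on mlee's ID, the success that follows it, rkhan's successful read of PAYMENT.MASTER from a role not authorized for it, and jsmith's failed read of INSURANCE.MASTER; jsmith's authorized read of PAYMENT.MASTER is not reported. The role check is what ties log review back to the access limits of recommendation 14: the same role data used to grant access is what makes a successful read recognizable as inappropriate.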

  11. Status: Closed - Implemented

    Comments: In October 2001, VA developed and implemented a program to provide security oversight. This program provides that the department's central security function perform reviews of computer security across the department to measure, test, and report on the effectiveness of its system of computer controls. These reviews will cover such areas as network security over routers, firewalls, and servers, access to mainframe-host systems, and disaster recovery plans. In addition, VA established procedures that require the facility security function to perform specific security reviews annually. The department's central security function will monitor facility security actions to ensure compliance.

    Recommendation: The Secretary of Veterans Affairs should develop and implement a comprehensive departmentwide computer security planning and management program. Included in this program should be procedures for ensuring that a security oversight function, including both ongoing local oversight and periodic external evaluations, is implemented to measure, test, and report on the effectiveness of controls.

    Agency Affected: Department of Veterans Affairs

  12. Status: Closed - Implemented

    Comments: In January 1999, the Department of Veterans Affairs Acting Chief Information Officer established a process to monitor and track the status of corrective actions taken on all identified weaknesses. As part of this process, a quarterly report is prepared listing the corrective action(s) taken, if any, for each identified security weakness. This report is distributed to all key VA program and security managers for their review and appropriate action.

    Recommendation: The Secretary of Veterans Affairs should direct the VA CIO to review and assess computer control weaknesses that have been identified throughout the department and establish a process to ensure that these weaknesses are addressed.

    Agency Affected: Department of Veterans Affairs

  13. Status: Closed - Implemented

    Comments: In February 1999, the Department of Veterans Affairs Acting Chief Information Officer established a quarterly reporting process to communicate the status of actions taken to improve computer security in VA. This quarterly report is made to each of the VA administrations, including the Veterans Benefits Administration, Veterans Health Administration, National Cemetery Administration, and Office of Financial Management. Quarterly reporting will continue through the implementation of the departmentwide computer security management program scheduled for January 2003.

    Recommendation: The Secretary of Veterans Affairs should direct the VA CIO to monitor and periodically report on the status of actions taken to improve computer security throughout the department.

    Agency Affected: Department of Veterans Affairs

  14. Status: Closed - Implemented

    Comments: In January 2002, VA updated its computer security policies and procedures on access to computer programs and data. This update provided specific policy on limiting access based on job responsibilities. In addition, procedures were established requiring the facility security function to perform, at least annually, a review of user access to computer programs and data. Further, the department's central security function would be required to conduct periodic reviews at selected VA facilities to ensure compliance with these updated security policies and procedures.

    Recommendation: The Secretary of Veterans Affairs should direct the VA CIO to work in conjunction with the VBA and Veterans Health Administration (VHA) CIOs and the facility directors, as appropriate, to limit access authority to only those computer programs and data needed to perform job responsibilities and review access authority periodically to identify and correct inappropriate access.

    Agency Affected: Department of Veterans Affairs

  15. Status: Closed - Implemented

    Comments: At the close of fiscal year 1998, the Department of Veterans Affairs designated information security as a new material weakness under its Federal Managers' Financial Integrity Act (FMFIA) program. For fiscal year 1999, VA continued to report information security as a material weakness under FMFIA.

    Recommendation: The Secretary of Veterans Affairs should report the information system security weaknesses GAO identified as material internal control weaknesses in the department's Federal Managers' Financial Integrity Act report until these weaknesses are corrected.

    Agency Affected: Department of Veterans Affairs