VA Information Systems:
The Austin Automation Center Has Made Progress in Improving Information System Controls
AIMD-99-161, Jun 8, 1999
Pursuant to a legislative requirement, GAO assessed the effectiveness of information system general controls at the Department of Veterans Affairs' (VA) Austin Automation Center (AAC).
GAO noted that:
(1) AAC had made substantial progress in correcting specific computer security weaknesses that GAO identified in its previous evaluation of information system controls;
(2) AAC had established a solid foundation for its computer security planning and management program by creating a centralized computer security group, developing a comprehensive security policy, and promoting security awareness;
(3) however, AAC had not yet established a framework for continually assessing risks and routinely monitoring and evaluating the effectiveness of information system controls;
(4) GAO also identified additional computer security weaknesses that increased the risk of inadvertent or deliberate misuse, fraudulent use, improper disclosure, and destruction of financial and sensitive veteran medical and benefit information on AAC systems;
(5) an effective computer security planning and management program would have allowed AAC to identify and correct the types of additional weaknesses that GAO identified;
(6) in addition, AAC continues to run the risk that unauthorized access may not be detected because it had not established a program to identify and investigate unusual or suspicious patterns of successful access to sensitive data and resources;
(7) these weaknesses could also affect other agencies that depend on AAC information technology services;
(8) AAC was very responsive to addressing new security exposures identified and corrected several weaknesses before GAO's fieldwork was completed;
(9) the Acting Assistant Secretary for Information Technology said VA would implement all of GAO's recommendations by September 30, 1999; and
(10) addressing the remaining issues will help ensure that an effective computer security environment is achieved and maintained.