Information Systems:

The Status of Computer Security at the Department of Veterans Affairs

AIMD-00-5: Published: Oct 4, 1999. Publicly Released: Oct 4, 1999.


Robert F. Dacey
(202) 512-3317


Office of Public Affairs
(202) 512-4800

Pursuant to a legislative requirement, GAO reported on the status of computer security throughout the Department of Veterans Affairs (VA).

GAO noted that: (1) in September 1998, GAO reported that VA's information system controls placed critical department operations, such as financial management, health care delivery, benefit payments, and other operations, at risk of misuse and disruption; (2) since then, VA organizations have taken actions to correct some of the weaknesses GAO reported and independently initiated actions to improve certain aspects of their computer security management programs; (3) progress in correcting the weaknesses GAO identified in its September 1998 report has been inconsistent across VA organizations, and efforts to improve local computer security management programs were not part of a coordinated, departmentwide effort; (4) in connection with VA's fiscal year 1998 consolidated financial statement audit, GAO and VA's Office of Inspector General continued to find serious problems related to the department's control and oversight of access to its information systems; (5) these weaknesses placed sensitive information, including financial data and sensitive veteran medical and benefit information at increased risk of inadvertent or deliberate misuse, fraudulent use, improper disclosure, or destruction, possibly occurring without detection; (6) VA has recognized the significance of these problems and reported information system security as a material weakness in its Federal Managers' Financial Integrity Act report for 1998; (7) in September 1998, GAO also reported that the primary reason for VA's continuing information system control problems was that the department did not have a comprehensive computer security planning and management program; (8) to strengthen its departmentwide computer security management program, VA established a centrally managed security group in February 1999 and an Information Security Working Group, which includes representatives from the central security group and all VA line and staff organization security groups, in March 1999; (9) the Information Security Working Group developed a departmentwide plan to improve information system security throughout VA and establish a departmentwide computer security planning and management program; (10) because this multi-year plan is at an early stage of development, its ultimate effectiveness cannot yet be assessed; and (11) VA's success in improving information security is largely dependent on the level of commitment to this throughout VA and adequate resources being effectively dedicated to implement its departmentwide plan.

Recommendations for Executive Action

  1. Status: Closed - Implemented

    Comments: In January 2000, the VA Acting Chief Information Officer began a process of quarterly reporting to agency management on progress made in implementing the department-wide security management program. In implementing this program, VA has established several plan milestones to phase in key program elements, several of which have already been implemented. This program is scheduled to be fully operational by January 2003.

    Recommendation: The Secretary of Veterans Affairs should direct the VA Chief Information Officer to periodically report to the Secretary on progress in implementing its information security program plan.

    Agency Affected: Department of Veterans Affairs

  2. Status: Closed - Implemented

    Comments: In January 2002, VA updated its computer security policies and procedures on (1) risk assessments, and (2) requirements to monitor system access activities for unusual or suspicious activities. The policy on risk assessments includes guidance on performing assessments when significant system changes are made, and requires the facility security function to perform, at least annually, a review to ensure that risk assessments were performed. For monitoring system access activities, VA established procedures to assist in identifying and reviewing system logs for unauthorized actions. Furthermore, in February 2002, VA deployed intrusion detection systems to selected sites as a precursor to its enterprise-wide implementation of these systems. In October 2001, VA developed and implemented a program to provide security oversight. This program provides that the department's central security function perform reviews of computer security department-wide to measure, test, and report on the effectiveness of its system of computer controls. These reviews will cover such areas as network security over routers, firewalls, and servers, access to mainframes, and disaster recovery plans.

    Recommendation: The Secretary of Veterans Affairs should direct the VA Chief Information Officer to develop detailed departmentwide guidance and oversight processes as described in this report so that important aspects of computer security programs, such as periodically assessing risks, monitoring system and user access activity, and monitoring and evaluating information system policy and control effectiveness, are fully addressed and implemented consistently throughout the department.

    Agency Affected: Department of Veterans Affairs

  3. Status: Closed - Implemented

    Comments: In January 2000, the Department of Veterans Affairs expanded its information security audit remediation report to track all information security weaknesses, including those identified by internal commissioned reviews, the Office of the Inspector General, and GAO reports. As part of this process, VA's central security group is validating the specific corrective actions taken.

    Recommendation: The Secretary of Veterans Affairs should direct the VA Chief Information Officer to expand the scope of procedures for tracking information security weaknesses so that all information security weaknesses identified by management, consultants, the audit community, or other external organizations are included and that reported corrective actions are operating as intended.

    Agency Affected: Department of Veterans Affairs

