
Information Systems: VA Computer Control Weaknesses Increase Risk of Fraud, Misuse, and Improper Disclosure

AIMD-98-175 Published: Sep 23, 1998. Publicly Released: Sep 23, 1998.

Highlights

Pursuant to a legislative requirement, GAO provided information on weaknesses in general computer controls that support key financial management and benefit delivery operations of the Department of Veterans Affairs (VA).

Recommendations

Recommendations for Executive Action

Agency Affected: Department of Veterans Affairs
Recommendation: The Secretary of Veterans Affairs should direct the VA CIO to work in conjunction with the Veterans Benefits Administration (VBA) and Veterans Health Administration (VHA) CIOs and the facility directors, as appropriate, to limit access authority to only those computer programs and data needed to perform job responsibilities and review access authority periodically to identify and correct inappropriate access.
Status: Closed – Implemented
In January 2002, VA updated its computer security policies and procedures on access to computer programs and data. This update provided specific policy on limiting access based on job responsibilities. In addition, procedures were established requiring the facility security function to perform, at least annually, a review of user access to computer programs and data. Further, the department's central security function would be required to conduct periodic reviews at selected VA facilities to ensure compliance with these updated security policies and procedures.

Agency Affected: Department of Veterans Affairs
Recommendation: The Secretary of Veterans Affairs should direct the VA CIO to work in conjunction with the VBA and VHA CIOs and the facility directors, as appropriate, to implement identification and password management controls across all computer platforms to maintain individual accountability and protect password confidentiality and test these controls periodically to ensure that they are operating effectively.
Status: Closed – Implemented
In January 2000, the Department of Veterans Affairs issued a policy to strengthen user ID and password management controls across all VA computer platforms. This policy included specific guidance for establishing passwords, including specifications on the length of passwords and use of special characters. In addition, this policy established requirements for testing compliance with this policy on a periodic basis.

Agency Affected: Department of Veterans Affairs
Recommendation: The Secretary of Veterans Affairs should direct the VA CIO to work in conjunction with the VBA and VHA CIOs and the facility directors, as appropriate, to develop targeted monitoring programs to routinely identify and investigate unusual or suspicious system and user access activity.
Status: Closed – Implemented
In January 2002, VA updated its computer security policies and procedures on monitoring user access activity. This update provided specific policy on monitoring access to identify and investigate unusual or suspicious user access activity. In addition, procedures were established requiring the facility security function to perform, at least annually, a review to ensure compliance with this policy. Further, the department's central security function would be required to conduct periodic reviews at selected VA facilities to ensure compliance with the updated security policies and procedures.

Agency Affected: Department of Veterans Affairs
Recommendation: The Secretary of Veterans Affairs should direct the VA CIO to work in conjunction with the VBA and VHA CIOs and the facility directors, as appropriate, to restrict access to computer rooms based on job responsibility and periodically review this access to determine if it is still appropriate.
Status: Closed – Implemented
In January 2002, VA updated its computer security policies and procedures for granting individuals physical access to its computer centers. This update provided specific criteria for granting access based on employment status (e.g., employee, contractor) and job responsibilities. In addition, VA established procedures requiring the facility security function to perform, at least annually, a review of physical access to its computer center. Further, the department's central security function would be required to conduct periodic reviews at selected facilities to ensure compliance with VA's updated physical access policies and procedures.

Agency Affected: Department of Veterans Affairs
Recommendation: The Secretary of Veterans Affairs should direct the VA CIO to work in conjunction with the VBA and VHA CIOs and the facility directors, as appropriate, to separate incompatible computer responsibilities, such as system programming and security administration, and ensure that access controls enforce segregation of duties principles.
Status: Closed – Implemented
In January 2002, VA updated its computer security policies and procedures on segregating computer-related duties. This update provided specific policy requirements for segregating incompatible duties such as system programming and security administration. In addition, procedures were established requiring the facility security function to perform, at least annually, a facility review to ensure compliance with this policy. Further, the department's central security function would be required to conduct periodic reviews at selected VA facilities to ensure compliance with the department's updated security policies and procedures.

Agency Affected: Department of Veterans Affairs
Recommendation: The Secretary of Veterans Affairs should direct the VA CIO to work in conjunction with the VBA and VHA CIOs and the facility directors, as appropriate, to require operating system software changes to be documented, authorized, tested, independently reviewed, and implemented by a third party.
Status: Closed – Implemented
In March 1999, the Department of Veterans Affairs developed procedures that require all system software changes, including operating system software changes, to be authorized, tested, independently reviewed prior to implementation, and implemented by an independent party. The procedures also require that these actions be fully documented for each system software change.

Agency Affected: Department of Veterans Affairs
Recommendation: The Secretary of Veterans Affairs should direct the VA CIO to work in conjunction with the VBA and VHA CIOs and the facility directors, as appropriate, to establish controls to ensure that disaster recovery plans are comprehensive, current, fully tested, and maintained at the off-site storage facility.
Status: Closed – Implemented
In January 2002, VA updated its computer security policies and procedures. This update provided specific policy on developing, maintaining, and testing disaster recovery plans. In addition, the policy included requirements for maintaining these plans offsite. Also, procedures were established requiring the facility security function to perform, at least annually, a review of its disaster recovery plans. Further, the department's central security function would be required to conduct periodic reviews at selected VA facilities to ensure compliance with the updated security policies and procedures.

Agency Affected: Department of Veterans Affairs
Recommendation: The Secretary of Veterans Affairs should develop and implement a comprehensive departmentwide computer security planning and management program. Included in this program should be procedures for ensuring that security roles and responsibilities are clearly assigned and security management is given adequate attention.
Status: Closed – Implemented
As part of the Department of Veterans Affairs' (VA) strategy to establish a fully operational departmentwide security management program by January 2003, in September 1999 VA established a central security group to provide security guidance and oversight to the department. In conjunction with this effort, VA defined the roles and responsibilities of all key security functions in VA.

Agency Affected: Department of Veterans Affairs
Recommendation: The Secretary of Veterans Affairs should develop and implement a comprehensive departmentwide computer security planning and management program. Included in this program should be procedures for ensuring that risks are assessed periodically to ensure that controls are appropriate.
Status: Closed – Implemented
In January 2002, VA updated its computer security policies and procedures on risk assessments. This update provided specific policy on performing risk assessments, including guidance on performing these assessments when significant system changes are made. In addition, procedures were established requiring the facility security function to perform, at least annually, a review to ensure that risk assessments were being conducted. Further, the department's central security function would be required to conduct periodic reviews at selected VA facilities to ensure compliance with the updated security policies and procedures.

Agency Affected: Department of Veterans Affairs
Recommendation: The Secretary of Veterans Affairs should develop and implement a comprehensive and departmentwide computer security planning and management program. Included in this program should be procedures for ensuring that security policies and procedures comprehensively address all aspects of VA's interconnected environment.
Status: Closed – Implemented
In January 2002, VA updated its computer security policies and procedures to address its interconnected computer environment. This update provided specific computer security policy on VA's mainframe and network environments, including its wide area and local area networks. In addition, procedures were established requiring the facility security function to perform, at least annually, a review to ensure compliance with these updated security policies. Further, the department's central security function would be required to conduct periodic reviews at selected VA facilities to ensure compliance with these security policies and procedures.

Agency Affected: Department of Veterans Affairs
Recommendation: The Secretary of Veterans Affairs should develop and implement a comprehensive departmentwide computer security planning and management program. Included in this program should be procedures for ensuring that attempts, both successful and unsuccessful, to gain access to VA computer systems and the sensitive data files and critical production programs stored on these systems are identified, reported, and reviewed on a regular basis.
Status: Closed – Implemented
In January 2002, VA updated its computer security policies and procedures to require its facilities to monitor access activities for unusual or suspicious activities. In addition, VA established procedures to assist in identifying and reviewing system logs for unauthorized actions. Further, in February 2002, VA deployed intrusion detection systems to selected sites as a precursor to its enterprise-wide implementation of these systems. In March 2002, VA completed implementation of its department-wide, centrally managed computer virus detection system. In connection with this effort, VA also established a computer security incident reporting system.

Agency Affected: Department of Veterans Affairs
Recommendation: The Secretary of Veterans Affairs should develop and implement a comprehensive departmentwide computer security planning and management program. Included in this program should be procedures for ensuring that a security oversight function, including both ongoing local oversight and periodic external evaluations, is implemented to measure, test, and report on the effectiveness of controls.
Status: Closed – Implemented
In October 2001, VA developed and implemented a program to provide security oversight. This program provides that the department's central security function perform reviews of computer security across the department to measure, test, and report on the effectiveness of its system of computer controls. These reviews will cover such areas as network security over routers, firewalls, and servers; access to mainframe-host systems; and disaster recovery plans. In addition, VA established procedures that require the facility security function to perform specific security reviews annually. The department's central security function will monitor facility security actions to ensure compliance.

Agency Affected: Department of Veterans Affairs
Recommendation: The Secretary of Veterans Affairs should direct the VA CIO to review and assess computer control weaknesses that have been identified throughout the department and establish a process to ensure that these weaknesses are addressed.
Status: Closed – Implemented
In January 1999, the Department of Veterans Affairs Acting Chief Information Officer established a process to monitor and track the status of corrective actions taken on all identified weaknesses. As part of this process, a quarterly report is prepared listing the corrective action(s) taken, if any, for each identified security weakness. This report is distributed to all key VA program and security managers for their review and appropriate action.

Agency Affected: Department of Veterans Affairs
Recommendation: The Secretary of Veterans Affairs should direct the VA CIO to monitor and periodically report on the status of actions taken to improve computer security throughout the department.
Status: Closed – Implemented
In February 1999, the Department of Veterans Affairs Acting Chief Information Officer established a quarterly reporting process to communicate the status of actions taken to improve computer security in VA. This quarterly reporting is made to each of the VA administrations, including the Veterans Benefits Administration, Veterans Health Administration, National Cemetery Administration, and Office of Financial Management. This quarterly reporting will continue through the implementation of the departmentwide computer security management program scheduled for January 2003.

Agency Affected: Department of Veterans Affairs
Recommendation: The Secretary of Veterans Affairs should report the information system security weaknesses GAO identified as material internal control weaknesses in the department's Federal Managers' Financial Integrity Act report until these weaknesses are corrected.
Status: Closed – Implemented
At the close of fiscal year 1998, the Department of Veterans Affairs designated information security as a new material weakness under the Federal Managers' Financial Integrity Act (FMFIA) program. For fiscal year 1999, VA continued to report information security as a material weakness under FMFIA.
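Two of the recommendations above (limiting access authority to what a job requires and reviewing it periodically; separating incompatible duties such as system programming and security administration and having access controls enforce that separation) describe a control that can be automated as a periodic access review. The following is an added illustration, not GAO's or VA's code: it assumes an entitlement export of accounts with a job role, a set of privileges and days since last logon, and the role catalogue, segregation-of-duties conflict pairs, privilege names and sample accounts are all constructed for the example.

```python
"""Periodic access review: least privilege, segregation of duties, dormancy.

Added example (not GAO's or VA's code). Role names, privilege names,
conflict pairs and the sample accounts are constructed assumptions.
"""
from dataclasses import dataclass

# Constructed role catalogue: the privileges each job role legitimately needs.
ROLE_PRIVILEGES = {
    "claims_examiner": {"benefits_db.read", "benefits_db.update_claim"},
    "system_programmer": {"os.sysprog", "job_scheduler.admin"},
    "security_admin": {"acf.security_admin", "audit_log.read"},
    "operator": {"console.operate", "job_scheduler.submit"},
}

# Constructed segregation-of-duties conflicts: privilege pairs that must not
# coexist on one account (e.g. system programming plus security administration).
SOD_CONFLICTS = [
    ("os.sysprog", "acf.security_admin"),
    ("benefits_db.update_claim", "benefits_db.approve_payment"),
]


@dataclass
class Account:
    user: str
    role: str
    privileges: set
    last_login_days: int  # days since last logon in the constructed export


@dataclass
class Finding:
    user: str
    kind: str    # "excess", "sod", "dormant" or "unknown_role"
    detail: str


def review_access(accounts, dormant_after_days=90):
    """Compare each account's privileges against its role and the SoD rules."""
    findings = []
    for acct in accounts:
        allowed = ROLE_PRIVILEGES.get(acct.role)
        if allowed is None:
            # A role the catalogue does not know: nothing can be justified by it.
            findings.append(Finding(acct.user, "unknown_role", acct.role))
            allowed = set()
        # Least privilege: anything beyond what the job role needs.
        for priv in sorted(acct.privileges - allowed):
            findings.append(Finding(acct.user, "excess", priv))
        # Segregation of duties: incompatible privileges on one account.
        for a, b in SOD_CONFLICTS:
            if a in acct.privileges and b in acct.privileges:
                findings.append(Finding(acct.user, "sod", f"{a} + {b}"))
        # Accounts nobody has used recently should be reviewed or disabled.
        if acct.last_login_days > dormant_after_days:
            findings.append(Finding(acct.user, "dormant", f"{acct.last_login_days} days"))
    return findings


def summarize(findings):
    """Count findings per kind, for the review report."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


# Constructed entitlement export for the example.
SAMPLE_ACCOUNTS = [
    Account("jdoe", "claims_examiner",
            {"benefits_db.read", "benefits_db.update_claim"}, 3),
    Account("asmith", "system_programmer",
            {"os.sysprog", "job_scheduler.admin", "acf.security_admin"}, 12),
    Account("bjones", "claims_examiner",
            {"benefits_db.read", "benefits_db.update_claim",
             "benefits_db.approve_payment"}, 140),
    Account("ctemp", "contractor", {"console.operate"}, 5),
]

if __name__ == "__main__":
    for f in review_access(SAMPLE_ACCOUNTS):
        print(f"{f.user:8} {f.kind:13} {f.detail}")
    print(summarize(review_access(SAMPLE_ACCOUNTS)))
```

Run against the constructed export, the review flags asmith for holding security administration alongside system programming, bjones for an approval privilege outside the claims examiner role (also an SoD conflict) and a dormant account, and ctemp for a role the catalogue does not recognise. Each finding is a case for the facility security function to correct or formally justify.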

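The monitoring recommendations (targeted monitoring to identify unusual or suspicious system and user access activity, and identifying, reporting and reviewing successful and unsuccessful attempts to reach sensitive data files and production programs) call for detection logic over access logs. The following is an added example, not GAO's or VA's code: the log line format, the thresholds, the business-hours window, the sensitive dataset list and the sample log lines are all constructed, and a real platform's audit records would need their own parser in place of parse_line().

```python
"""Targeted monitoring of access activity over audit log lines.

Added example (not GAO's or VA's code). Line format, thresholds and the
sample log are constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed line format: "<date> <time> <EVENT> user=<id> src=<ip> [obj=<resource>]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<event>LOGIN_OK|LOGIN_FAIL|ACCESS) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)(?: obj=(?P<obj>\S+))?$"
)

FAIL_THRESHOLD = 5                 # failures within FAIL_WINDOW raise an alert
FAIL_WINDOW = timedelta(minutes=10)
BUSINESS_HOURS = range(7, 19)      # 07:00-18:59 local time (constructed)
# Constructed: sensitive production datasets and the users allowed to touch them.
SENSITIVE = {"PROD.BENEFITS.PAYMENTS": {"jdoe", "payroll_batch"}}


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
    return ev


def detect(lines):
    """Return (rule, user, detail) alerts for the suspicious patterns below."""
    alerts = []
    fails = defaultdict(list)   # user -> timestamps of recent failed logons
    flagged = set()             # (rule, user) pairs already reported
    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            # Unparseable records are reported, never silently dropped.
            alerts.append(("unparsed", "-", raw.strip()))
            continue
        user, ts = ev["user"], ev["ts"]
        if ev["event"] == "LOGIN_FAIL":
            recent = [t for t in fails[user] if ts - t <= FAIL_WINDOW] + [ts]
            fails[user] = recent
            if len(recent) >= FAIL_THRESHOLD and ("burst", user) not in flagged:
                flagged.add(("burst", user))
                alerts.append(("burst", user, f"{len(recent)} failures within {FAIL_WINDOW}"))
        elif ev["event"] == "LOGIN_OK":
            if ts.hour not in BUSINESS_HOURS:
                alerts.append(("off_hours", user, ts.strftime("%Y-%m-%d %H:%M")))
            recent = [t for t in fails[user] if ts - t <= FAIL_WINDOW]
            if len(recent) >= FAIL_THRESHOLD:
                alerts.append(("success_after_failures", user, f"after {len(recent)} failures"))
            fails[user] = []
        elif ev["event"] == "ACCESS":
            allowed = SENSITIVE.get(ev["obj"])
            if allowed is not None and user not in allowed:
                alerts.append(("sensitive_access", user, ev["obj"]))
    return alerts


# Constructed sample log for the example.
SAMPLE_LOG = [
    "1998-09-14 02:13:45 LOGIN_OK user=asmith src=10.1.1.20",
    "1998-09-14 09:00:01 LOGIN_FAIL user=jdoe src=10.1.1.7",
    "1998-09-14 09:00:09 LOGIN_FAIL user=jdoe src=10.1.1.7",
    "1998-09-14 09:00:15 LOGIN_FAIL user=jdoe src=10.1.1.7",
    "1998-09-14 09:00:22 LOGIN_FAIL user=jdoe src=10.1.1.7",
    "1998-09-14 09:00:30 LOGIN_FAIL user=jdoe src=10.1.1.7",
    "1998-09-14 09:00:41 LOGIN_OK user=jdoe src=10.1.1.7",
    "1998-09-14 10:15:00 ACCESS user=bjones src=10.1.1.9 obj=PROD.BENEFITS.PAYMENTS",
    "1998-09-14 10:16:00 ACCESS user=jdoe src=10.1.1.7 obj=PROD.BENEFITS.PAYMENTS",
    "garbage line",
]

if __name__ == "__main__":
    for rule, user, detail in detect(SAMPLE_LOG):
        print(f"{rule:22} {user:8} {detail}")
```

On the constructed log this reports an off-hours logon, a burst of failed logons followed by a success for the same account, an access to a sensitive payments dataset by a user outside its approved list, and one record the parser could not read. The rules are deliberately simple: the value is in feeding each alert to a review process that investigates and records the outcome, which is what the recommendation asks for.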

Topics

Access control, Computer fraud, Computer security, Disaster recovery plans, Facility security, Federal agency accounting systems, Financial management systems, Information resources management, Internal controls, Management information systems, Passwords, Software, Software verification and validation, Veterans benefits, System software