From: FierceGovernmentIT
Significant deficiencies in configuration management and identity management pervaded Veterans Affairs Department information technology during the last fiscal year, says an audit commissioned by the department’s office of inspector general.
The audit (.pdf), the latest edition of an annual look at security practices at the VA (and required under the Federal Information Security Management Act), also attaches the “significant deficiency” tag to access controls. In addition, it says incident response teams let a high number of known malware infections fester for more than 30 days. In March 2012, the VA launched a new effort dubbed the Continuous Readiness in Information Security Program–aka CRISP–meant to improve multiple areas of security management, and it has resulted in improvements, the audit says. Nonetheless, VA must “continue to address control deficiencies existing in other areas across all VA locations,” the audit says.
Overall, many security weaknesses identified in the audit “can be attributed to VA’s ineffective enforcement of its agency-wide information security risk management program and ineffective communication from senior management to the individual field offices,” the audit says
Leave a Reply