From: GAO
What GAO Found
The Department of Veterans Affairs (VA) continues to face long-standing challenges in effectively implementing its information security program. Specifically, from fiscal year 2007 through 2013, VA has consistently had weaknesses in key information security control areas (see table).
Control Weaknesses for Fiscal Years 2007-2013
| Security control category | 2007 | 2008 | 2009 | 2010 | 2011 | 2012 | 2013 |
|---|---|---|---|---|---|---|---|
| Access control | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Configuration management | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Segregation of duties | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Contingency planning | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Security management | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
Source: GAO analysis based on VA and inspector general reports.
In addition, in fiscal year 2013, the department’s independent auditor reported, for the 12th year in a row, that weaknesses in information system controls over financial systems constituted a material weakness. Further, the department’s inspector general has identified development of an effective information security program and system security controls as a major management challenge for VA. These findings are consistent with challenges GAO has identified in VA’s implementation of its security program going back to the late 1990s. More recently, GAO has reported and made recommendations on issues regarding the protection of personally identifiable information at federal agencies, including VA. These were related to developing and implementing policies and procedures for responding to data breaches, and implementing protections when engaging in computerized matching of data for the purposes of determining individuals’ eligibility for federal benefits.
Leave a Reply