Information Systems

VA Computer Control Weaknesses Increase Risk of Fraud, Misuse, and Improper Disclosure

GAO ID: AIMD-98-175, September 23, 1998

Computer control weaknesses put critical operations at the Department of Veterans Affairs (VA), from health care delivery to benefit payments to home mortgage loan guarantees, at risk of misuse and disruption. In addition, sensitive information in VA's systems, including financial transaction data and medical records, is vulnerable to inadvertent or deliberate misuse, even destruction. GAO found significant weaknesses in VA's control and oversight of access to its systems. For example, VA did not adequately limit the access of authorized users or effectively manage user identifications and passwords. In addition, VA did not provide adequate physical security for its computer facilities, assign duties so that incompatible functions were segregated, control changes to powerful operating system software, or update and test disaster recovery plans to prepare its computer operations to maintain or regain critical functions in emergencies. A primary reason for VA's computer control problems is that the agency lacks a comprehensive computer security planning and management program.

GAO noted that: (1) general computer control weaknesses place critical VA operations, such as financial management, health care delivery, benefit payments, life insurance services, and home mortgage loan guarantees, and the assets associated with these operations, at risk of misuse and disruption; (2) sensitive information contained in VA's systems, including financial transaction data and personal information on veteran medical records and benefit payments, is vulnerable to inadvertent or deliberate misuse, fraudulent use, improper disclosure, or destruction, possibly occurring without detection; (3) the general control weaknesses GAO identified could also diminish the reliability of the department's financial statements and other management information derived from VA's systems; (4) GAO found significant problems related to the department's control and oversight of access to its systems; (5) VA did not adequately limit the access of authorized users or effectively manage user identifications (ID) and passwords; (6) VA also had not established effective controls to prevent individuals, both internal and external, from gaining unauthorized access to VA systems; (7) VA's access control weaknesses were further compounded by ineffective procedures for overseeing and monitoring systems for unusual or suspicious access activities; (8) VA was not providing adequate physical security for its computer facilities, assigning duties in such a way as to segregate incompatible functions, controlling changes to powerful operating system software, or updating and testing disaster recovery plans to prepare its computer operations to maintain or regain critical functions in emergency situations; (9) a primary reason for VA's continuing general computer control problems is that it does not have a comprehensive computer security planning and management program; (10) the VA facilities that GAO visited plan to address all of the specific computer control weaknesses identified; (11) the director of the Dallas Medical Center and the Veterans Benefits Administration (VBA) Chief Information Officer (CIO) also said that specific actions had been taken to correct the computer control weaknesses that GAO identified at the Dallas Medical Center and the Hines and Philadelphia benefits delivery centers; and (12) VA plans to develop a comprehensive security plan and management program.

Recommendations

Our recommendations from this work are listed below with a contact for more information. Status will change from "In process" to "Open," "Closed - implemented," or "Closed - not implemented" based on our follow-up work.



The Justia Government Accountability Office site republishes public reports retrieved from the U.S. GAO. These reports should not be considered official, and do not necessarily reflect the views of Justia.