Information Systems

GAO reported last year that computer controls at the Department of Veterans Affairs (VA) placed critical operations, such as financial management, health care delivery, and benefit payments, at risk of misuse and disruption. (See GAO/AIMD-98-175, Sept. 1998.) Since then, VA has tried to correct some of the weaknesses GAO cited and has independently begun to improve its computer security management programs. However, progress in correcting the shortcomings GAO identified has been inconsistent across VA organizations, and efforts to strengthen local computer security management programs were not part of a coordinated, departmentwide effort. In connection with VA's fiscal year 1998 consolidated financial statement audit, GAO and VA's Office of Inspector General continued to find serious problems with the agency's control and oversight of access to its information systems. In September 1998, GAO also reported that the primary reason for VA's continuing information system control problems was that VA lacked a comprehensive computer security planning and management program. A VA working group has developed a plan to improve information system security throughout the agency and establish a departmentwide computer security planning and management program. Because this multiyear plan is at an early stage of development, it is too soon to assess its effectiveness. As VA implements its computer security management program, establishing detailed guidance can help ensure that the program's requirements are implemented fully and consistently throughout the agency.

GAO noted that: (1) in September 1998, GAO reported that VA's information system controls placed critical department operations, such as financial management, health care delivery, benefit payments, and other operations, at risk of misuse and disruption; (2) since then, VA organizations have taken actions to correct some of the weaknesses GAO reported and independently initiated actions to improve certain aspects of their computer security management programs; (3) progress in correcting the weaknesses GAO identified in its September 1998 report has been inconsistent across VA organizations, and efforts to improve local computer security management programs were not part of a coordinated, departmentwide effort; (4) in connection with VA's fiscal year 1998 consolidated financial statement audit, GAO and VA's Office of Inspector General continued to find serious problems related to the department's control and oversight of access to its information systems; (5) these weaknesses placed sensitive information, including financial data and sensitive veteran medical and benefit information at increased risk of inadvertent or deliberate misuse, fraudulent use, improper disclosure, or destruction, possibly occurring without detection; (6) VA has recognized the significance of these problems and reported information system security as a material weakness in its Federal Managers' Financial Integrity Act report for 1998; (7) in September 1998, GAO also reported that the primary reason for VA's continuing information system control problems was that the department did not have a comprehensive computer security planning and management program; (8) to strengthen its departmentwide computer security management program, VA established a centrally managed security group in February 1999 and an Information Security Working Group, which includes representatives from the central security group and all VA line and staff organization security groups, in March 1999; (9) the Information Security Working Group developed a departmentwide plan to improve information system security throughout VA and establish a departmentwide computer security planning and management program; (10) because this multi-year plan is at an early stage of development, its ultimate effectiveness cannot yet be assessed; and (11) VA's success in improving information security is largely dependent on the level of commitment to this throughout VA and adequate resources being effectively dedicated to implement its departmentwide plan.

Recommendations

Our recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Open," "Closed - implemented," or "Closed - not implemented" based on our follow up work.

Director: Team: Phone: