VA Information Systems

The Austin Automation Center Has Made Progress in Improving Information System Controls Gao ID: AIMD-99-161 June 8, 1999

As part of its review of computer security at the Department of Veterans Affairs (VA), GAO assessed the effectiveness of information system general controls at the Austin Automation Center. The Center, one of three centralized VA data facilities, maintains the department's financial management and other departmentwide systems, including centralized accounting, payroll, debt collection, benefits delivery, and medical systems. This report is a "limited official use" report that details the weaknesses GAO found at the Center, the current status of corrective actions, and the recommendations GAO made.

GAO noted that: (1) AAC had made substantial progress in correcting specific computer security weaknesses that GAO identified in its previous evaluation of information system controls; (2) AAC had established a solid foundation for its computer security planning and management program by creating a centralized computer security group, developing a comprehensive security policy, and promoting security awareness; (3) however, AAC had not yet established a framework for continually assessing risks and routinely monitoring and evaluating the effectiveness of information system controls; (4) GAO also identified additional computer security weaknesses that increased the risk of inadvertent or deliberate misuse, fraudulent use, improper disclosure, and destruction of financial and sensitive veteran medical and benefit information on AAC systems; (5) an effective computer security planning and management program would have allowed AAC to identify and correct the types of additional weaknesses that GAO identified; (6) in addition, AAC continues to run the risk that unauthorized access may not be detected because it had not established a program to identify and investigate unusual or suspicious patterns of successful access to sensitive data and resources; (7) these weaknesses could also affect other agencies that depend on AAC information technology services; (8) AAC was very responsive to addressing new security exposures identified and corrected several weaknesses before GAO's fieldwork was completed; (9) the Acting Assistant Secretary for Information Technology said VA would implement all of GAO's recommendations by September 30, 1999; and (10) addressing the remaining issues will help ensure that an effective computer security environment is achieved and maintained.



The Justia Government Accountability Office site republishes public reports retrieved from the U.S. GAO These reports should not be considered official, and do not necessarily reflect the views of Justia.