VA Systems Security

Pursuant to a legislative requirement, GAO assessed the effectiveness of information system general controls at the Department of Veterans Affairs' Maryland Health Care System (VAMHCS).

GAO noted that: (1) there are significant weaknesses that pose a risk of inadvertent or deliberate misuse, fraudulent use, improper disclosure, and destruction of financial and sensitive veteran medical information; (2) specifically, GAO found that VAMHCS had not: (a) established effective access controls to its network and main computer system; (b) adequately managed network user identifications (ID) and passwords; or (c) monitored network system activity; (3) in addition, VAMHCS had not established procedures to control access by powerful user IDs to its main computer systems, nor had it appropriately segregated the access authority of selected procurement staff to request, approve, and receive medical items; (4) moreover, VAMHCS also had not established comprehensive physical security controls or adequately provided for continued processing of its critical financial and sensitive medical system in the event of service interruptions; (5) the lack of a comprehensive computer security management program is the primary reason for VAMHCS' information system general control problems; (6) GAO's May 1998 study of security management best practices found that an effective program would include guidance and procedures for assessing risks, establishing appropriate policies and related controls, raising awareness of prevailing risks and mitigating controls, and monitoring and evaluating the effectiveness of established controls; and (7) while VAMHCS had established an effective security awareness program, it had not yet established a framework for assessing risk, or evaluating the effectiveness of information system general controls, nor had it established comprehensive policies and procedures needed for an effective computer control environment.