IG: VA Network Susceptible to Attack

Progress Made, but More Must Be Done to Meet FISMA Provisions
The Department of Veterans Affairs, despite progress, faces challenges implementing elements of its information risk management program to meet the requirements of the Federal Information Security Management Act, the law that governs IT security in the federal government.

"VA's internal network remains susceptible to attack from malicious users who could exploit vulnerabilities and gain unauthorized access to VA information systems," Linda Halliday, VA assistant inspector general for audits and evaluations, wrote in a 38-page report dated April 6.

The FISMA assessment for fiscal year 2011, which ended Sept. 30, identified significant deficiencies in access, configuration management and continuous monitoring controls, as well as in the service continuity practices intended to safeguard mission-critical systems from unauthorized access, alteration or destruction.

VA didn't fully implement security control standards, including complex password policies on all servers and network devices, the auditor said. The IG identified weak or default user account credentials on critical systems. VA failed to implement procedures to identify and remediate system security vulnerabilities on network devices, database and server platforms and Web applications throughout the department, the audit said.

More than 15,000 outstanding system security risks, and the corresponding plans of action and milestones to improve its overall IT security posture, have yet to be remediated, according to the audit.

The IG presented 31 recommendations to improve VA's information security program and recommended that the department's CIO implement comprehensive procedures to mitigate security vulnerabilities affecting its mission-critical systems.

VA Assistant Secretary for Information and Technology Roger Baker, the department's CIO, concurred with the IG findings, saying Veterans Affairs treats the protection of veteran data very seriously. "VA has embarked on a cultural transformation with the implementation of the Continuous Readiness in Information Security Program," Baker said in a written response to the audit, referring to a new operating model intended to protect veterans' private and sensitive information.

CRISP takes an integrated approach to protecting sensitive information from inappropriate exposure or loss, Baker said. "Securing information is everyone's responsibility and that cohesive theme will become interwoven into the normal fabric of operations across VA," he said. "CRISP is a secretarial priority to achieve and sustain continuous readiness in information security department-wide."


About the Author

Eric Chabrow

Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.
