VA Information Systems: Computer Security Weaknesses Persist at the Veterans Health Administration

In November 2003, VHA's security office provided GAO with a list of actions taken to correct the computer security weaknesses GAO identified in connection with its review of information system controls at VA's medical facilities in Albuquerque, New Mexico, Baltimore, Maryland, and Dallas, Texas. Based on GAO's review of the actions reported, independent work performed by the VA's Inspector General, and GAO's own review, GAO determined that VA had taken sufficient action to remediate the computer security weaknesses reported.

In March 2001, the VA's Office of Information and Technology reported that all VHA facilities had designated information security officers to work on security activities full-time or at least as a primary duty, as prescribed in VHA policy. These information security officers are to work on information security issues to include assessing risk, implementing policies and controls, promoting security awareness, and evaluating the effectiveness of information system controls.

In February 2002, the VA's Office of Cyber Security established a process to identify and, where appropriate, integrate security guidance already developed by VA components to facilitate department-wide efforts to update its security requirements. This process was implemented in January 2002.

In October 2000, the VA's Office of Information and Technology reported that it had established a process for briefing the VA Secretary and senior Information Technology executives quarterly on the status of information security issues department-wide. This would include highlighting the lack of resource commitment by any VA component. In April 2001, this reporting requirement was reemphasized by the VA Secretary with the appointment of the VA security czar.