VA Systems Security:
Information System Controls at the New Mexico VA Health Care System
AIMD-00-88R, Mar 24, 2000
Pursuant to a legislative requirement, GAO provided information on the effectiveness of information system general controls and computer security at the Department of Veterans Affairs' (VA) New Mexico VA Health Care System (NMVAHCS), focusing on the weaknesses GAO identified at NMVAHCS and the status of corrective actions.
GAO noted that: (1) NMVAHCS made progress in correcting specific computer security weaknesses GAO identified in previous evaluations of information system general controls; (2) however, GAO identified significant weaknesses that pose a risk of inadvertent or deliberate misuse, fraudulent use, improper disclosure, and destruction of financial and sensitive veteran medical information; (3) of particular concern was NMVAHCS's lack of adherence to the internal control standard on segregation of duties, which prescribes that key duties and responsibilities need to be divided or segregated among different people to reduce the risk of error or fraud; (4) when staff control all key aspects of a process it increases the risk that unauthorized, and even fraudulent, transactions may occur; (5) GAO found that NMVAHCS had not: (a) established effective access controls to its network and main computer system; (b) adequately managed network user identifications and passwords; and (c) monitored network system activity; (6) NMVAHCS had not established comprehensive physical security controls or implemented all key components of a comprehensive service continuity plan; (7) the lack of a comprehensive computer security management program is the primary reason for NMVAHCS' continuing information system general control problems; (8) GAO's May 1998 study of security management best practices found that an effective program would include guidance and procedures for assessing risks, establishing appropriate policies and related controls, raising awareness of prevailing risks and mitigating controls, and monitoring and evaluating the effectiveness of established controls; and (9) while some of the network access control weaknesses cannot be corrected without specific efforts by the Veterans Integrated Service Network and VA national office, NMVAHCS needs to continue to work with its offices to ensure resolution of these weaknesses.