Submitting OIG: Department of Veterans Affairs OIG
Other Participating OIGs: Department of Veterans Affairs OIG
Agencies Reviewed/Investigated: Department of Veterans Affairs
Components: Office of Information and Technology
Report Number: 18-04608-212
Report Description

VA’s Office of Information Technology (OIT) manages more than 50,000 mobile devices that store and transmit veteran information that must be protected. The VA Office of Inspector General (OIG) conducted this audit to determine whether OIT’s policies and procedures provide enough security for that information. The OIG found OIT’s security practices for mobile devices generally minimized security weaknesses within VA’s network. However, the OIG did find vulnerabilities associated with configuration management. OIT did not block the use of applications to prevent malicious, vulnerable, or flawed software (“blacklisting”) as required by VA policy, increasing the risk of lost data. In addition, VA did not ensure mobile device users are completing the required annual information security training and had no way to validate the effectiveness of that training. VA also did not use configuration management tools to control and automate update releases for its mobile devices and applications—the OIG found 12,298 out of 50,618 mobile devices had unapproved operating systems. According to OIT’s director of mobile technology and endpoint security engineering, OIT decided not to use blacklisting or other configuration management tools because of concerns about workload. OIT has now awarded a contract to Lookout for a new application vetting tool, but it was not available for OIG review in time for publication of this report. The OIG recommended the assistant secretary for information and technology either enforce blacklisting or formally assess and document whether training would work to prevent users from downloading and using non-VA-approved applications. The OIG also recommended that the assistant secretary ensure users do not update devices and applications until after testing is conducted by the Mobile Device Management team and ensure mobile device users complete required annual training before accounts are activated.

Report Type: Audit
Agency Wide: Yes
Number of Recommendations: 3