Report Summary

Title: Inspection of Information Technology Security at the VA Financial Services Center
Report Number: 21-01221-24
Issue Date: 3/31/2022
City/State:
VA Office: Office of Management
Report Author: Office of Audits and Evaluations
Report Type: Information Technology Inspection
Release Type: Unrestricted
Summary:

VA’s Financial Services Center (FSC) provides products and services to VA and other government agencies. The OIG inspected the FSC to determine whether it was meeting federal guidance in four security control areas: configuration management, contingency planning, security management, and access controls.

Within configuration management, the inspection team identified deficiencies with component inventory, vulnerability management, and flaw remediation. Although the inspection team and VA’s Office of Information and Technology (OIT) both used the same vulnerability-scanning tools, OIT did not detect 228 of the 252 vulnerabilities the team identified. The poor component inventories and vulnerability management contributed to inadequate patch management. Without these controls, VA may be placing critical systems at unnecessary risk of unauthorized access, alteration, or destruction. The inspection team did not identify significant findings in the controls implemented for contingency planning, other than a minor delay in reviewing policies.

The team’s review of security management controls found that the FSC did not have procedures for maintaining systems and information integrity. Without procedures, staff may not know how to apply policies or be held accountable for their failure to do so. Finally, the team identified access control deficiencies, as 107 of the 278 FSC systems failed to generate or forward audit logs for analysis. Also, the FSC’s video surveillance system was not fully functional. Ineffective monitoring and recording of facility activities supporting information systems reduces the FSC’s incident response capabilities. The lack of an effective incident response capability can undermine management’s awareness of security vulnerabilities that could hinder the operation of mission-critical systems.

The OIG recommended maintaining an accurate inventory, implementing a more effective patch and vulnerability management program, developing local system and information integrity procedures, generating and forwarding audit reports for analysis, and continuing to upgrade the video surveillance system.