Inspection of Information Technology Security at the VA Financial Services Center

Report Information

Issue Date:
Report Number: 21-01221-24
VISN: 17
State:
District:
VA Office: Information and Technology (OIT)
Report Author: Office of Audits and Evaluations
Report Type: Information Security Inspection
Report Topic: Information Technology and Security
Major Management Challenges: Leadership and Governance
Recommendations: 5
Questioned Costs: $0
Better Use of Funds: $0
Congressionally Mandated: No

Summary

VA’s Financial Services Center (FSC) provides products and services to VA and other government agencies. The OIG inspected the FSC to determine whether it was meeting federal guidance in four security control areas: configuration management, contingency planning, security management, and access controls.
Within configuration management, the inspection team identified deficiencies with component inventory, vulnerability management, and flaw remediation. Although the inspection team and VA’s Office of Information and Technology (OIT) both used the same vulnerability-scanning tools, OIT did not detect 228 of the 252 vulnerabilities the team identified. The poor component inventories and vulnerability management contributed to inadequate patch management. Without these controls, VA may be placing critical systems at unnecessary risk of unauthorized access, alteration, or destruction.
The inspection team did not identify significant findings in the controls implemented for contingency planning, other than a minor delay in reviewing policies.
The team’s review of security management controls identified that the FSC did not have procedures for how to maintain systems and information integrity. Without procedures, staff may not know how to apply policies or be held accountable for their failure to do so.
Finally, the team identified access control deficiencies, as 107 of the 278 FSC systems failed to generate or forward audit logs for analysis. Also, the FSC’s video surveillance system was not fully functional. Ineffective monitoring and recording of facility activities supporting information systems minimizes the FSC’s incident response capabilities. A lack of an effective incident response capability can undermine management’s awareness of security vulnerabilities that could hinder the operation of mission critical systems.
The OIG recommended maintaining an accurate inventory, implementing a more effective patch and vulnerability management program, developing local system and information integrity procedures, generating and forwarding audit reports for analysis, and continuing to upgrade the video surveillance system.

No. 1
Status: Closed and Implemented
to Information and Technology (OIT)
The Financial Services Center director implements measures to maintain an accurate system inventory.
No. 2
Status: Closed and Implemented
to Information and Technology (OIT)
The Financial Services Center director implements a more effective patch and vulnerability management program that can accurately identify vulnerabilities and enforce patch application.
No. 3
Status: Closed and Implemented
to Information and Technology (OIT)
The Financial Services Center director implements systems and information integrity procedures that detail how policies are applied to local systems, and create a mechanism for informing employees of new or updated policies and procedures.
No. 4
Status: Closed and Implemented
to Information and Technology (OIT)
The Financial Services Center director, in conjunction with the system owner, develops and implements capabilities for all systems to generate audit logs and collect and forward audit events to the Cybersecurity Operations Center for review, analysis, and reporting.
No. 5
Status: Closed and Implemented
to Information and Technology (OIT)
The Financial Services Center director continues to upgrade the video surveillance system and ensure new capabilities provide full surveillance and video retention to improve monitoring and incident response.