Inspection of Information Technology Security at the Alexandria VA Medical Center in Louisiana

Report Information

Issue Date:
Report Number: 22-00971-217
VA Office: Information and Technology (OIT)
Report Author: Office of Audits and Evaluations
Report Type: Information Security Inspection
Report Topic: Information Technology and Security
Major Management Challenges: Information Systems and Innovation
Recommendations: 8
Questioned Costs: $0
Better Use of Funds: $0
Congressionally Mandated: No

Summary

The VA Office of Inspector General (OIG) conducts information technology (IT) inspections to assess whether VA facilities are meeting federal security requirements. They are typically conducted at selected facilities that have not been assessed in the sample for the annual audit required by the Federal Information Security Modernization Act of 2014 (FISMA) or at facilities that previously performed poorly. The OIG selected the Alexandria VA Medical Center (VAMC) in Louisiana because it had not been previously visited as part of the annual FISMA audit.

The OIG inspections are focused on four security control areas that apply to local facilities and have been selected based on their levels of risk: configuration management, contingency planning, security management, and access controls. The OIG found deficiencies with configuration management, security management, and access controls, but not with contingency planning controls. The deficiencies in configuration management included inaccurate inventories, uninstalled patches, and out-of-date operating systems, all of which deprive users of reliable access to information and could risk unauthorized access to, or the alteration or destruction of, critical systems. The team identified a security management issue in the center’s video surveillance system that could impact the integrity and protection of that system. Weak physical access controls, such as incorrectly installed or failing equipment, compromised the security and maintenance of the information system, and an outdated operating system prevented accurate tracking of access to the data center.

The OIG made six recommendations to the assistant secretary for information and technology and chief information officer to improve controls at the Alexandria VAMC because they are related to enterprise-wide information technology security issues similar to those identified on previous FISMA audits and IT security reviews. The OIG also made two recommendations to the Alexandria VAMC director.

No. 1
Status: Closed and Implemented
To: Information and Technology (OIT)
Implement a more effective process to maintain consistent inventory information for all network segments.

No. 2
Status: Closed and Implemented
To: Information and Technology (OIT)
Improve the vulnerability and flaw remediation program to accurately identify vulnerabilities and enforce flaw remediation.

No. 3
Status: Closed and Implemented
To: Information and Technology (OIT)
Implement effective configuration control processes that ensure network devices maintain vendor support.

No. 4
Status: Open
To: Information and Technology (OIT)
Perform security control assessments of the video surveillance system and obtain an authorization to operate in accordance with set policy.

No. 5
Status: Closed and Implemented
To: Information and Technology (OIT)
Ensure installation of distributed network infrastructure equipment that meets VA installation standards, to include proper equipment mounting and clearance.

No. 6
Status: Closed and Implemented
To: Information and Technology (OIT)
Ensure routine maintenance is conducted on uninterruptible power supplies.

No. 7
Status: Closed and Implemented
To: Information and Technology (OIT)
Implement database authentication processes that comply with VA security requirements.

No. 8
Status: Closed and Implemented
To: Information and Technology (OIT)
Implement a physical access control system for the data center and core switch room that is supportable and can meet VA logging requirements.