
VA’S INFORMATION SECURITY PROGRAM 

TESTIMONY OF

RICHARD J. GRIFFIN

INSPECTOR GENERAL

OFFICE OF INSPECTOR GENERAL

DEPARTMENT OF VETERANS AFFAIRS 

HOUSE COMMITTEE ON VETERANS’ AFFAIRS

SUBCOMMITTEE ON OVERSIGHT AND INVESTIGATIONS 

(April 4, 2001)

Mr. Chairman and Members of the Subcommittee, I am here today to report on our ongoing work concerning the Department of Veterans Affairs (VA) Automated Information System (AIS) security program.  During the past several years, the Office of Inspector General (OIG) has reviewed selected VA computer security issues and has identified Department-wide weaknesses in AIS security that continue to make VA’s programs and financial data vulnerable to destruction, manipulation, and inappropriate disclosure.  As a result of these information security weaknesses, since Fiscal Year (FY) 1998 the Department has designated information security as a material weakness under the Federal Managers’ Financial Integrity Act (FMFIA).

Given the significant information security weaknesses that exist in VA, the OIG continues to focus audit coverage in the AIS program area. This effort includes an evaluation of the Department’s implementation of the computer security requirements of the Government Information Security Reform Act. Our audit work is directed toward identifying areas where the Department’s effort needs to be enhanced to help assure that a comprehensive Department-wide information security program is put in place.  

Our current assessment of VA’s AIS program is being accomplished as part of the following initiatives: 

  • National audit of information security in VA.
  • Annual audit of VA’s Consolidated Financial Statements (CFS).
  • Combined Assessment Program (CAP) reviews of VA facilities.

Our review results indicate that, since our September 21, 2000 testimony to this Subcommittee on VA’s information security program, the Department has taken a number of planning initiatives to enhance its AIS security posture and comply with the Government Information Security Reform Act.  While implementation of these initiatives is in process, our review effort continues to identify significant information security vulnerabilities that place the Department at risk of unauthorized access and sensitive data at risk of unauthorized disclosure.  

These vulnerabilities exist throughout the Department’s operating elements involving health care and benefits, and reflect a continuing number of security control weaknesses that must be corrected before VA can achieve an effective AIS posture.  During the course of our national information security audit, we advised the Department of our review results so that prompt corrective actions could be taken to address the vulnerabilities identified.  Unfortunately, a number of the identified vulnerability areas were previously reported to VA and exist in violation of VA policy guidance.  While not all of the Department’s operating elements have responded to our review findings, those that did respond replied positively and have indicated that actions are being taken to address the vulnerabilities identified.

Given the serious nature of VA’s information security weaknesses, computer security should continue to be identified as a Departmental material weakness area under the FMFIA.  However, we believe that with more effective security management, oversight, and control over its systems and data, the Department can enhance its AIS security posture and move toward correction of this material weakness.  A key step in this process would be the expeditious appointment of a Department level Chief Information Officer (CIO) to provide necessary leadership and direction over VA’s information security program. 

Maintaining effective information security is a must for the Department if it is to adequately assure effective control over sensitive information, ensure continuity of operations, and support the Department’s missions of providing patient care and the delivery of benefits to our nation’s veterans. 

A summary of our current information security review effort follows. 

National Audit of Information Security in VA

Audit results indicate that the Department has prepared a comprehensive plan for a department-wide improvement of information security, but much work remains to be done to implement necessary security enhancements. 

Key finding areas include: 

Timelines for addressing some security vulnerabilities need to be shorter 

Our review of VA’s draft Information Security Management Plan found that it included key actions needed to help enhance department-wide information security.  The plan also establishes responsibilities of key officials and committees for management, oversight, and implementation of security action areas.  However, we found that the plan included unacceptably long timelines (completion in FY 2002-2003) for addressing the following key security vulnerabilities: 

  • Staffing effective Information Security Officer (ISO) positions to provide adequate oversight and implementation of necessary security control measures at the local facility level.
  • Implementing department-wide intrusion detection to reduce VA’s vulnerability to inappropriate and undetected access to its systems and data.
  • Deploying a department-wide antivirus regime to better prevent and contain virus outbreaks that continue to occur in VA and cause disruption of services, adversely affect staff productivity, and divert technical staff efforts.
  • Upgrading to VA-standard external electronic connections to reduce the vulnerability of VA’s systems to penetration because of weaknesses in its external connections.

During the review we advised the Department’s Acting Assistant Secretary for Information and Technology that VA needed to expedite its implementation of these action items in order to provide the security protection that is needed now and in the future.  The Acting Assistant Secretary agreed to amend the plan with accelerated implementation actions in these areas.

Vulnerabilities to unauthorized access and misuse of sensitive automated information and data need to be addressed  

From December 2000 through March 2001, we completed a series of electronic probes of VA systems in VA Central Office (VACO), at two data centers, and at selected medical centers and benefits offices that identified potential vulnerabilities and risks to unauthorized access and misuse of sensitive VA information and data.  Based on the results of our vulnerability assessments at key VA facilities and operations, we believe that these system vulnerabilities and risks are widespread throughout the Department’s operating elements and reflect a continuing unacceptable level of security and control weaknesses that must be addressed before VA can achieve an effective information security posture.  We found that many of these vulnerabilities exist in violation of existing VA policy.  Examples of serious vulnerabilities included: 

  • Inadequate user identifications and passwords that can provide opportunity for unauthorized access to sensitive information and data on individual computers and network resources.
  • Program patches not installed, resulting in the use of outdated system software with known security vulnerabilities.
  • Workstation access not restricted.
  • Use of active modems that can allow attackers to circumvent network security.
  • Use of remote access software that can provide inappropriate access to individual computers.
  • Use of enumerator techniques that allow a user to connect to a network anonymously, providing no ability to identify and track a user’s activity.

Given the significance of the security vulnerabilities identified, we provided the Department with information identifying the vulnerabilities and the suggested corrective actions to either eliminate or reduce the vulnerabilities.  The Department responses we have received indicate that actions are being initiated to address the vulnerabilities identified. 

More centralized information security oversight and control is needed over VACO Network operations  

We found that the Department could enhance the overall security posture of VACO network activities by implementing a centralized organization structure for security oversight and management.  Currently, the Office of the Acting Assistant Secretary for Information and Technology does not have security management control over significant parts of the VACO network, which was referred to by a senior VA official as more of a “confederation” and not a network.  Authority over operation of parts of the VACO network is decentralized to 10 system administrators, providing the opportunity for varying levels of security controls and the existence of the security vulnerabilities that we identified during our vulnerability assessment.  Centralized management over network operations would provide the opportunity to assure more consistent security control measures are in place and reduce the system vulnerabilities that exist.   

Desktop computers used in VA’s automated systems should meet minimum acceptable security standards 

Our security vulnerability assessment of VACO and field facilities found that one cause for the significant number of system security vulnerabilities identified was that minimum acceptable security standards were not followed concerning desktop computers used in VA’s automated systems.  For example, our review of security vulnerabilities in the VACO network found that 461 desktop computers connected to the network were using operating systems that do not meet minimum security configuration standards recommended by VA’s Information Technology Support Service.  The security vulnerability associated with using these operating systems is that they can provide an unauthorized user with access to any data stored on the computer.  A skilled user could add unauthorized applications that could be used to find passwords, access codes, or other sensitive information.  These types of desktop computers are also being used throughout the Department at medical center and regional office facilities. 

Physical security weaknesses continue to place the Department’s data center operations at VACO and the Austin Automation Center (AAC) at risk 

Our physical security assessment of the VACO and AAC data centers found that physical security weaknesses place the continuity of operations of the centers at risk.   

  • VACO—The data center at the 810 Vermont Avenue building is located below ground level despite federal standards describing this as the least desirable location due to potential flooding from water mains and surface water runoff.  In addition to these risks, the data center is located below and next to toilets, and below a cafeteria from which water had leaked into the data center room in 1998.  A sewer backup in 1996 had also flooded the data center.  While these events have not resulted in any damage to equipment or disrupted data center operations, the risk of damage to equipment and continuity of operations could be reduced by moving the center to a more appropriate location.  A 1995 OIG audit recommended such a move, but no action was taken to relocate the data center.
  • AAC—Parking is allowed too close to the AAC building.  This situation increases the risk of potential damage to center equipment and operations and injury to employees who provide critical automation support to the Department.  A 1996 OIG audit recommended that parking areas next to the building be eliminated, but vehicle parking next to the building continues.

VA facility responses to our information security survey identified significant security weakness areas 

We have recently surveyed VA field facilities nationally to determine the implementation status of information security policy, procedures, and controls that are necessary to establish an effective security posture and adequately protect the sensitive information and data maintained.  The survey responses identified a number of areas where local facilities had not implemented existing security policy, procedures, and controls, allowing the opportunity for increased risk for inappropriate access and disclosure of sensitive information.  Key weakness areas included: 

  • Inadequate password management and controls.
  • Information security officer positions not fully staffed.
  • Information technology contingency planning not completed.
  • Security risk assessments not completed.
  • Security incidents not reported to the VA Critical Information Response Capability.
  • Operating uncertified Independent Internet Gateways. (Issue was previously reported in OIG audits completed in 1993 and 1998.) 

We advised the Chief Information Officers (CIO) in the Veterans Benefits Administration, Veterans Health Administration (VHA), and National Cemetery Administration of the survey results and requested that they review them and take appropriate actions to address the security issues identified.  The VHA CIO has been very responsive in addressing the vulnerabilities identified, and has provided us with detailed corrective actions taken to address the identified vulnerability areas.

Computer Security Implications from the 2000 Consolidated Financial Statements Audit 

VA’s program and financial data continue to be at risk due to serious problems related to the Department’s control and oversight of access to its information systems.  These weaknesses placed sensitive information, including financial data and sensitive veteran medical and benefit information, at increased risk of inadvertent or deliberate misuse, fraudulent use, improper disclosure, or destruction, possibly occurring without detection.  The OIG has reported this condition in its FY 1997, 1998, and 1999 audit reports on the Department’s Consolidated Financial Statements.  

Our review noted weaknesses in the application program change controls and operating system change controls at certain data centers and selected medical centers.  Weaknesses included: 

  • Inappropriate access capabilities by application programmers and system support staff to production data.
  • Lack of application change procedures.
  • Inadequate procedures for testing, approving, and migrating system software changes.
  • Inadequate application program change tracking procedures.

We recommended that improved controls over program and operating system changes be instituted, communicated, and enforced throughout the data and medical center network.  The weaknesses found in the effectiveness of the information technology security controls contributed to our conclusion that VA is not in full compliance with the information security control requirements of Office of Management and Budget Circular A-130. 

Combined Assessment Program (CAP) Reviews of Facility Information Security  

Our CAP reviews provide an independent and objective assessment of key operations and programs at VA Medical Centers (VAMC) and Regional Offices (RO) on a cyclical basis.  These reviews, which identify operational problems on an ongoing basis, continue to identify security weaknesses that need to be addressed.  Since our September 21, 2000 testimony before this Subcommittee, CAP reviews completed at facilities this year have identified the following key security control weaknesses: 

  • A full-time ISO position had not been established.
  • Strong password controls had not been implemented to reduce the risk of unauthorized access to VA systems.
  • User access levels needed to be promptly updated to reflect current access requirements.
  • Physical security of computer room and equipment needed to be strengthened.
  • Annual AIS security awareness training had not been provided.
  • Facility information system risk assessment and contingency plans needed to be developed to help ensure continuity of operations.

In response to each of the information security weaknesses identified, facility management agreed to take the necessary corrective actions that we had recommended.  Additionally, VHA has issued national guidance to the Veterans Integrated Service Networks to implement security enhancements that should also help address the weaknesses identified. 

This concludes my testimony.  I would be pleased to answer any questions that you and the members of the subcommittee may have.
