
TESTIMONY OF

MICHAEL SLACHTA, JR.

ASSISTANT INSPECTOR GENERAL FOR AUDITING

OFFICE OF INSPECTOR GENERAL

DEPARTMENT OF VETERANS AFFAIRS

VA’S INFORMATION SECURITY PROGRAM 

HOUSE COMMITTEE ON VETERANS’ AFFAIRS

SUBCOMMITTEE ON OVERSIGHT AND

INVESTIGATIONS 

September 21, 2000 


Mr. Chairman and Members of the Subcommittee, I am here today at your request to report on our findings concerning the Department of Veterans Affairs (VA) Automated Information System (AIS) security program.  During the past several years, the Office of Inspector General (OIG) has reviewed selected VA computer security issues and has identified Department-wide weaknesses in AIS security that continue to leave VA’s programs and financial data vulnerable to destruction, manipulation, and fraud.  These information security weaknesses are so serious that since Fiscal Year 1998 the Department has designated information security as a material weakness under the Federal Managers’ Financial Integrity Act. 

Given the significant information security weaknesses that exist in VA, the OIG is continuing to focus audit coverage in the AIS program area.  To the extent that our resources permit, our audit coverage will be expanded to address the Department’s AIS review and reporting requirements.  This effort will provide for an assessment of the Department’s nationwide AIS posture, including tests of the effectiveness of information security control techniques. While the VA has established a ‘Department Information Security Program Requirements and Budget Plan’ for addressing its security control weaknesses, this effort is expected to take several years to complete. 

Our planned audit work will focus on identifying areas where the Department’s effort needs to be enhanced to help assure that a comprehensive Department-wide information security program is put in place. To help facilitate completion of necessary review work, the Inspector General has established an audit division whose primary mission will focus on information security.  In addition, we will continue to review AIS security issues as part of the annual audit of VA’s Consolidated Financial Statements (CFS) and as part of our continuing Combined Assessment Program (CAP) reviews of facilities.  To further supplement this effort, we also plan to utilize contractor support to assist in completing penetration and vulnerability tests of selected VA automated systems. 

The OIG has been involved with the review and oversight of the Department’s information security program for several years.  Our work has included AIS assessments at the Department’s national data centers, Veterans Integrated Service Networks (VISN), Veterans Benefits Administration (VBA) Regional Offices (RO), and Veterans Health Administration (VHA) Medical Centers (VAMC). In addition to these efforts, we also identified AIS related weaknesses as part of a vulnerability assessment we completed involving VBA’s Compensation and Pension (C&P) program.  This assessment was done in response to a request for assistance from the Under Secretary for Benefits to help identify internal control weaknesses that might facilitate or contribute to fraud in VBA’s C&P program. 

The following describes our information security audits that have identified significant security control weaknesses that make VA’s systems and data vulnerable to unauthorized access and misuse. 

Computer Security Implications from the 1999 Consolidated Financial Statements Audit 

Audit tests associated with our annual CFS audit demonstrate widespread system security control weaknesses.  We found that the needed information security improvements were often well known within the security community, such as installing program patches, employing more secure system configurations, and using more secure management procedures, but little had been done to correct these deficiencies.  The following are selected examples of the security control weaknesses identified: 

· VBA Penetration Review 

As part of the overall CFS audit, we contracted to conduct penetration tests of VBA systems to help assess the effectiveness of information system security general controls.  The review concluded that a number of significant control weaknesses existed that made VBA systems vulnerable to unauthorized access and misuse. 

In response to the penetration testing results, the Under Secretary for Benefits reported that corrective action had been taken in a number of problem areas with planned corrective action to be completed for all problem areas during Fiscal Year 2000.  In addition to these efforts, the Principal Deputy Assistant Secretary for Information and Technology reemphasized the commitment of his information security program office to strengthening the overall security posture of VA, including the categories of control weaknesses found at the VBA facilities.  He stated that his office would provide whatever manner of assistance that is needed to VBA to facilitate correction of these significant security control weaknesses. 

· VHA ADP Security Review 

While our review found that a number of significant corrective actions have been initiated to address information security weaknesses, VHA’s program and financial data continue to be vulnerable to error or fraud because of serious weaknesses in Automated Data Processing (ADP) general controls throughout VHA.  Our evaluation of the AIS security management program at one VISN, and testing at four health care systems by the OIG and the General Accounting Office, found widespread AIS security control weaknesses.  These weaknesses included a lack of:  

1. A comprehensive computer security management program. 

2. A security plan that was risk based. 

3. Contingency planning. 

4. Access controls to network and main computer systems. 

5. Management of network user identifications and passwords. 

6. Monitoring of network system activity. 

7. Comprehensive physical security controls. 

In response, key actions being taken by VHA management to improve security include: 

1. Contracting for additional penetration testing and risk assessments. 

2. Follow-up testing to ensure local facilities have implemented prior recommendations. 

3. Completing development of a technical security portion of the Regional Information Security Officer review program. 

4. Providing security training to the Information Security Officers. 

5. Completing security policy revisions. 

VHA needs to improve the extent to which security is integrated within its organization and provide added authority to its security program. We believe that VHA’s efforts will not result in adequate security unless there is better integration of the security management program.  VHA has a decentralized organization responsible for managing data processing and sensitive information resources.  We do not believe that VHA will achieve adequate security unless VHA managers commit and dedicate adequate resources to their local security programs. 

Combined Assessment Program (CAP) Reviews of Facility Information Security  

Our CAP reviews provide an independent and objective assessment of key operations and programs at VAMCs and ROs on a cyclical basis (about 30 reviews are planned annually at VAMCs and about 9 at ROs).  These reviews, which include an assessment of facility AIS controls, have identified a number of weaknesses that need to be addressed.  For example, CAP reviews completed at facilities during 1999 and 2000 year to date have identified the following security control weaknesses: 

· VAMC Security Issues 

1. Passwords were not changed at designated intervals. 

2. All users with access to information systems needed to use stronger passwords. 

3. User access levels needed to be promptly updated to reflect current access requirements. 

4. Physical security of the main computer room needed to be improved. 

5. Annual AIS security awareness training and refresher training had not been provided. 

6. Information system contingency plans did not include a detailed prioritization of mission critical systems, designate an alternative processing facility, or address post-disaster recovery issues. 

· RO Security Issues 

1. The duties of the Benefits Delivery Network Security Officers and their alternates needed to be assigned to individuals not directly involved with claims processing. 

2. All users with access to information systems needed to use stronger passwords. 

3. Each new employee with access to information systems needed to receive security awareness training and annual refresher training. 

In response to each of the information security weaknesses identified, facility management agreed to take the necessary corrective actions that we had recommended. 

Vulnerability Assessment, Management Implications of Employee Thefts from the Compensation and Pension System, and Observed Internal Control Vulnerabilities 

In the past year, the Under Secretary for Benefits asked for our assistance to help identify internal control weaknesses that might facilitate or contribute to fraud in VBA’s C&P program.  The request followed the discovery that three VBA employees had embezzled nearly $1.3 million by exploiting internal control weaknesses in the C&P benefit program.  Our vulnerability assessment identified 18 categories of vulnerability involving numerous technical, procedural, and policy issues.  The following key AIS related security weaknesses were identified: 

1. Some stations were issuing employees multiple passwords under multiple identification numbers to increase employee production; in practice this defeats controls intended to enforce separation of duties and prevent fraud or program abuse. 

2. A timesaving feature that allows employees to complete various claims actions provides the opportunity for improper access. 

3. Passwords must be more secure.  Some stations permitted the use of English words of as few as five characters as passwords, making it relatively easy for unauthorized persons to guess the password an employee is using. 

4. Target security ADP records were poorly structured and lacked personal identifying information.  This condition made it impossible to verify the propriety of user accesses or to conduct file maintenance. 

In response to the vulnerability assessment, the Under Secretary for Benefits reported the initiation of actions to address the weaknesses identified. 

Audit of the Compensation and Pension Program’s Internal Controls at the VA Regional Office St. Petersburg, FL 

This recently completed audit was conducted to test for the control weaknesses identified in the 1999 Vulnerability Assessment of VBA’s C&P program.  In addition, we tested various methodologies for detecting fraud.  The St. Petersburg RO was selected for review because it was one of the largest ROs, accounting for 6 percent of C&P workload, and because it was the location where 2 of the 3 known frauds took place.  The audit confirmed that most of the AIS related weaknesses identified in the vulnerability assessment existed at the RO.  In response to the report recommendations, the Under Secretary for Benefits agreed to take the necessary corrective actions to address AIS related control weaknesses. 

This concludes my testimony.  I would be pleased to answer any questions that you and the members of the subcommittee may have.
