The VA Office of Inspector General (OIG) conducts information security inspections to assess whether VA facilities are meeting federal security requirements. They are typically conducted at selected facilities that have not been assessed in the sample for the annual audit required by the Federal Information Security Modernization Act of 2014 (FISMA) or at facilities that previously performed poorly. The OIG selected the James E. Van Zandt VA Medical Center in Altoona, Pennsylvania, because it had not been previously visited as part of the OIG’s annual FISMA audit.

These inspections focus on four security control areas: configuration management, contingency planning, security management, and access controls. During this inspection, the OIG found deficiencies with configuration management, security management, and access controls.

Deficiencies in configuration management included inaccurate component inventories and ineffective vulnerability management, increasing opportunities for exploitation. The security management weakness involved the facility’s special-purpose system, which did not have an authorization to operate, leaving it vulnerable to compromise. Weak access controls, such as inadequately restricting access to computer rooms, communication closets, and generators, increased the risk of damage or destruction. The team also found missing environmental controls in the communication closets, which could lead to damage to organizational assets and result in financial loss or harm to veterans.

The OIG made four recommendations, including one addressed to the medical center director and three addressed to the assistant secretary for information and technology and chief information officer, who did not concur with one: to verify and make necessary corrections to the systems’ component inventory. The OIG stands by its recommendation, as the review identified about 2,500 devices on the facility’s network as compared to only about 1,450 devices identified by the component inventory, and OIT’s response did not include additional evidence that would prompt the OIG to reconsider its conclusion.

| Report Date | Agency Reviewed / Investigated | Report Title | Type | Location | |
|---|---|---|---|---|---|
| | Department of Veterans Affairs | Inspection of Information Security at the James E. Van Zandt VA Medical Center in Altoona, Pennsylvania | Inspection / Evaluation | Agency-Wide | View Report |
| | Department of Defense | Evaluation of the Collection of Demographic Data in the Military Justice System | Inspection / Evaluation | Agency-Wide | View Report |
| | Department of Justice | Management Advisory Memorandum: Notification of Concerns Regarding Federal Bureau of Prison Policies Pertaining to the Use of Oleoresin Capsicum Aerosol Spray on Inmates with Certain Pre-Existing Medical Conditions | Other | Agency-Wide | View Report |
| | U.S. Agency for International Development | Performance Audit of Incurred Costs for International Resources Group, Ltd., for Fiscal Year 2019 | Other | | View Report |
| | Multiple Agencies | Semiannual Report to Congress (October 1, 2022 to March 31, 2023) | Semiannual Report | Agency-Wide | View Report |
| | Multiple Agencies | Semiannual Report to Congress (October 1, 2022, to March 31, 2023) | Semiannual Report | Agency-Wide | View Report |
| | Department of Energy | Access of Executive Branch Personnel Records | Other | | View Report |
| | U.S. International Development Finance Corporation | Key Considerations to Inform DFC's Response in Ukraine | Other | Agency-Wide | View Report |
| | Department of Defense | Audit of DoD Actions Taken to Protect DoD Information When Using Collaboration Tools During the Coronavirus Disease–2019 Pandemic | Audit | Agency-Wide | View Report |
| | Social Security Administration | Single Audit of the State of New Jersey for the Fiscal Year Ended June 30, 2022 | Audit | Agency-Wide | View Report |