The VA Office of Inspector General (OIG) conducts information security inspections to assess whether VA facilities are meeting federal security requirements. They are typically conducted at selected facilities that have not been assessed for the annual audit required by the Federal Information Security Modernization Act of 2014 (FISMA) or at facilities that previously performed poorly. The OIG selected the Financial Services Center (FSC) in Austin, Texas, as a follow-up to a 2021 inspection.

The OIG focused on three control areas it determined to be at highest risk: configuration management, security management, and access controls. The OIG identified four deficiencies in configuration management controls, one in security management controls, and two in access controls; three of the deficiencies were seen during the 2021 inspection. The configuration management deficiencies were in vulnerability management and flaw remediation, database scans, database baseline configurations, and unsupported components. The FSC’s vulnerability management controls did not identify all network weaknesses. Additionally, operating systems were not supported by the vendor and security patches were missing. Evidence of scans for the FSC’s databases was not provided, and databases had vulnerabilities caused by configurations that deviated from an established baseline. Eighteen network switches were using operating systems that did not meet baseline security requirements, and six were not supported by the vendor. The FSC’s security management controls were found deficient in the monitoring of component inventory with a significant disparity between the number of devices on the network and those identified in the cybersecurity management service. The FSC’s deficiencies in access controls were in monitoring inappropriate or unusual activity and reviewing physical access logs.

The OIG made eight recommendations to the assistant secretary for information and technology and chief information officer to improve controls at the FSC. Four of these were also recommendations in the 2021 inspection.
| Report Date | Agency Reviewed / Investigated | Report Title | Type | Location | |
|---|---|---|---|---|---|
| | Department of Veterans Affairs | Follow-up Information Security Inspection at the VA Financial Services Center in Austin, Texas | Inspection / Evaluation | | View Report |
| | Department of the Treasury | Overseas Contingency Operations - Summary of Work Performed by the Department of the Treasury Related to Terrorist Financing and Anti-Money Laundering for the Second Quarter Fiscal Year 2024 | Other | Agency-Wide | View Report |
| | Department of Justice | Informe semestral al Congreso del 1 de octubre de 2023 al 31 de marzo de 2024 | Semiannual Report | Agency-Wide | View Report |
| | National Geospatial-Intelligence Agency | NGA OIG Spring FY 2024 Semiannual Report to Congress, 1 October 2023 - 31 March 2024 | Semiannual Report | Agency-Wide | View Report |
| | U.S. Agency for International Development | Recipient Contracted Audit Report of GOAL Under Multiple Awards for the Year Ended December 31, 2022 | Other | | View Report |
| | U.S. Agency for International Development | COVID-19: Audit of Costs Incurred by International Medical Corps from March 1, 2020, to March 31, 2022 | Audit | Agency-Wide | View Report |
| | U.S. Agency for International Development | Operation Enduring Sentinel Lead Inspector General Quarterly Report to Congress, January 1, 2024-March 31, 2024 | Other | Agency-Wide | View Report |
| | Smithsonian Institution | Semiannual Report to Congress for the period ending March 31, 2024 | Semiannual Report | Agency-Wide | View Report |
| | Department of Energy | The Department of Energy’s Ransomware Countermeasures and Response | Audit | Agency-Wide | View Report |
| | Appalachian Regional Commission | The Center for Rural Development | Audit | | View Report |