The VA Office of Inspector General’s information security inspection program assesses whether VA facilities are meeting federal security requirements related to four control areas the OIG determined to be at highest risk. For this inspection, the OIG selected the Health Eligibility Center (HEC) in Atlanta, Georgia. The OIG found deficiencies in three of the four areas inspected.
Configuration management controls, which identify and manage security features for all hardware and software components of an information system, were deficient in vulnerability remediation, system life-cycle management, and remediation of unauthorized software.
There were no deficiencies in contingency planning controls, which include physical and environmental controls.
In the area of security management, about 3.3 million veterans’ records containing sensitive personal information were not encrypted. VA security policy requires the encryption of sensitive information hosted on computer systems.
Access controls provide reasonable assurance that computer resources are restricted to authorized individuals. At the HEC, the OIG found deficiencies with access controls in the inventory of facility keys as well as in logging administrative actions, log retention, and log reviews.
The OIG made five recommendations aimed at correcting the identified deficiencies.
Atlanta, GA
United States