The VA Office of Inspector General (OIG) conducts information technology (IT) inspections to assess whether VA facilities are meeting federal security requirements. They are typically conducted at selected facilities that have not been assessed in the sample for the annual audit required by the Federal Information Security Modernization Act of 2014 (FISMA) or at facilities that previously performed poorly. The OIG selected the Alexandria VA Medical Center (VAMC) in Louisiana because it had not been previously visited as part of the annual FISMA audit.
The OIG inspections are focused on four security control areas that apply to local facilities and have been selected based on their levels of risk: configuration management, contingency planning, security management, and access controls. The OIG found deficiencies with configuration management, security management, and access controls, but not with contingency planning controls.
The deficiencies in configuration management included inaccurate inventories, uninstalled patches, and out-of-date operating systems, all of which deprive users of reliable access to information and could risk unauthorized access to, or the alteration or destruction of, critical systems. The team identified a security management issue in the center’s video surveillance system that could impact the integrity and protection of that system. Weak physical access controls, such as incorrectly installed or failing equipment, compromised the security and maintenance of the information system, and an outdated operating system prevented accurate tracking of access to the data center.
The OIG made six recommendations to the assistant secretary for information and technology and chief information officer to improve controls at the Alexandria VAMC. These recommendations were addressed at that level because they relate to enterprise-wide information technology security issues similar to those identified on previous FISMA audits and IT security reviews. The OIG also made two recommendations to the Alexandria VAMC director.
The report can be found online here.