The Department of Veterans Affairs is still failing to properly secure its information systems from cyberattacks, according to an audit conducted by a third party. The audit revealed several typical problems VA blunders through each year, including training, access controls and intrusion monitoring.
Maybe we should pile tons of $100 bills into dumpsters and light them on fire, because each year the agency continues to fall short of expectations concerning IT.
This year, the company CliftonLarsonAllen LLP conducted the FISMA audit. The company applauded VA for closing at least 4 of last year's recommendations and piled on another 29 recommendations the agency has still not resolved.
At this rate, in just a few years, VA will have around 500 recommendations to resolve. Some of the findings sound very familiar:
Risk Management Strategy
Some of the problems in risk management seem typical for the agency, such as inconsistencies in procedures and documentation along with inaccurate reporting.
According to the report:
VA has not fully developed and implemented components of its agency-wide information security risk management program to meet FISMA requirements. VA has established an enterprise risk management program; however, the policies, procedures, and documentation included in the program were not consistently implemented or applied across all VA systems.
For example, Risk Assessments did not always consider all known system security risks and threat sources. Specifically, we identified system Risk Assessments that did not address potential external attacks, human error, previously identified security weaknesses, or significant threat sources such as risks associated with systems not managed by the Office of Information and Technology (OI&T). We also identified issues related to the inaccurate reporting of the status for certain system security controls and noted that two systems were granted Authority to Operate without undergoing an assessment of security controls.
Security System Problems
I’m no techy, but inaccurate reporting concerning security controls doesn’t sound like a great problem:
We continue to identify system security plans with inaccurate information regarding operational environments, including system interconnections, accreditation boundaries, control providers, and compensating information security controls. We also noted that VA inaccurately reported the status of certain security controls within their regional level system security plans. Additionally, while medical devices and special purpose systems were appropriately included within the regional network boundaries, the implementation of specific controls for these devices was not addressed within regional level system security plans.
VA has increased the overall enforcement of strong authentication for its systems and networks. However, reviews of permission settings still identified numerous instances of unnecessary system privileges, excessive and unauthorized user accounts, accounts without formal access authorizations, and active accounts for terminated personnel. VA Handbook 6500, Appendix F details access management policies and procedures for VA’s information systems. Additionally, we noted that user access requests were not consistently reviewed to eliminate conflicting roles and enforce segregation of duties principles. We also identified inconsistent monitoring of access in production environments for individuals with excessive privileges within certain major applications. This occurred because VA has not implemented effective reviews to monitor for instances of unauthorized system access or excessive permissions. Periodic reviews are critical to restrict legitimate users to specific systems and to prevent unauthorized access by both internal and external users. Unauthorized access to critical systems can leave sensitive data vulnerable to inappropriate modification or destruction.
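The access-control finding above lists concrete things a periodic review is supposed to catch: active accounts for terminated personnel, accounts with no formal access authorization, conflicting roles that break segregation of duties, and privileges nobody justified. The following is an added example of such a review, not code from the audit report, the blog post, or VA; every account, HR roster entry, role name and date in it is constructed for illustration, and the role and finding names are assumptions.

```python
"""Periodic access review over constructed sample data.

Added illustration for the access-control finding quoted above. Not code
from the audit report, the blog, or VA: the accounts, HR roster, role names
and dates below are all constructed.
"""
from datetime import date

# Constructed: an account export from one application, with the roles each
# user holds, whether the account is flagged privileged, the access request
# that authorised it (None = no authorisation on file), and last use.
ACCOUNTS = [
    {"user": "jdoe",   "roles": {"clerk"},                 "privileged": False,
     "authorization": "REQ-101", "last_login": date(2017, 11, 2)},
    {"user": "asmith", "roles": {"approver", "requester"}, "privileged": False,
     "authorization": "REQ-102", "last_login": date(2017, 11, 3)},
    {"user": "bjones", "roles": {"clerk"},                 "privileged": True,
     "authorization": None,      "last_login": date(2017, 10, 1)},
    {"user": "ckhan",  "roles": {"dba"},                   "privileged": True,
     "authorization": "REQ-104", "last_login": date(2017, 5, 1)},
]

# Constructed: HR roster of people who have left, with their separation date.
TERMINATED = {"bjones": date(2017, 9, 15)}

# Constructed: role pairs one person must not hold together (segregation of duties).
CONFLICTING_ROLES = [("approver", "requester")]

# Constructed: roles that justify a privileged flag; any other privileged
# account is treated as excessive privilege.
PRIVILEGED_ROLES = {"dba", "sysadmin"}

# Constructed review date, so the dormancy check is reproducible.
TODAY = date(2017, 11, 15)


def review_accounts(accounts, terminated, conflicts, privileged_roles,
                    today, stale_days=90):
    """Return {user: set of finding codes} for every account needing action."""
    findings = {}

    def flag(user, code):
        findings.setdefault(user, set()).add(code)

    for acct in accounts:
        user = acct["user"]

        # Active accounts for terminated personnel, and use after separation.
        if user in terminated:
            flag(user, "TERMINATED")
            if acct["last_login"] > terminated[user]:
                flag(user, "USED_AFTER_TERMINATION")

        # Accounts with no formal access authorisation on file.
        if not acct["authorization"]:
            flag(user, "NO_AUTHORIZATION")

        # Segregation of duties: a conflicting role pair held by one person.
        for role_a, role_b in conflicts:
            if role_a in acct["roles"] and role_b in acct["roles"]:
                flag(user, "CONFLICTING_ROLES")

        # Privileged flag without any role that justifies it.
        if acct["privileged"] and not (acct["roles"] & privileged_roles):
            flag(user, "EXCESSIVE_PRIVILEGE")

        # Dormant accounts are candidates for disabling.
        if (today - acct["last_login"]).days > stale_days:
            flag(user, "DORMANT")

    return findings


def run_review():
    """Run the review over the constructed sample and return its findings."""
    return review_accounts(ACCOUNTS, TERMINATED, CONFLICTING_ROLES,
                           PRIVILEGED_ROLES, TODAY)


if __name__ == "__main__":
    for user, codes in sorted(run_review().items()):
        print(f"{user}: {', '.join(sorted(codes))}")
```

Each check maps to one sentence of the finding; the value of running it periodically (the report's point) is that the HR roster and the account export drift apart between reviews, and only a comparison of the two surfaces the terminated user whose account is still active.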
Audit Logging and Monitoring
While VA continues to improve its centralized Security Incident and Event Management processes, we continue to identify deficiencies with how audit logs and security events are managed throughout the enterprise. For example, VA did not consistently review security violations and audit logs supporting mission-critical systems. Specifically, we noted that security logs were not effectively managed, aggregated, or proactively reviewed for certain significant systems, such as Veterans Health Information Systems and Technology Architecture, and users with elevated privileges. VA Handbook 6500, Appendix F provides high-level policy and procedures for collection and review of system audit logs. Audit log collections and reviews are critical for evaluating security-related activities, such as determining individual accountability, reconstructing security events, detecting intruders, and identifying system performance issues. Moreover, we have identified and reported deficiencies with audit logging for more than 10 years in our annual FISMA reports.
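The logging finding above says logs for significant systems and for users with elevated privileges were neither aggregated nor proactively reviewed. As an added example (not code from the audit report, the blog post, or VA), the script below aggregates constructed syslog-style lines from two hosts, parses them into events, and applies three review rules: every successful login by a privileged account goes to the review queue, sudo use by an account outside the privileged set is flagged, and repeated failed logins for one account from one source are flagged as a burst. The host names, user names, addresses, log format and finding codes are all constructed.

```python
"""Aggregate and review audit logs for privileged-account activity.

Added illustration for the audit-logging finding quoted above. Not code
from the audit report, the blog, or VA: the log lines, hosts, users and
addresses are constructed, and the line format is a simplified syslog shape.
"""
import re
from collections import Counter

# Constructed: accounts that hold elevated privileges on these hosts.
PRIVILEGED_USERS = {"root", "dba_admin"}

# Constructed sample lines from two hosts, already pulled into one place.
SAMPLE_LOGS = """\
2017-11-10T08:01:12Z vista-app01 sshd[4411]: Accepted publickey for jdoe from 10.0.5.7 port 51022 ssh2
2017-11-10T08:15:40Z vista-app01 sudo: jdoe : TTY=pts/0 ; COMMAND=/usr/bin/tail /var/log/app.log
2017-11-10T08:16:02Z vista-app01 sshd[4500]: Failed password for root from 10.0.9.21 port 40011 ssh2
2017-11-10T08:16:05Z vista-app01 sshd[4500]: Failed password for root from 10.0.9.21 port 40011 ssh2
2017-11-10T08:16:09Z vista-app01 sshd[4500]: Failed password for root from 10.0.9.21 port 40011 ssh2
2017-11-10T08:16:14Z vista-app01 sshd[4500]: Accepted password for root from 10.0.9.21 port 40011 ssh2
2017-11-10T09:02:33Z vista-db01 sshd[1201]: Accepted publickey for dba_admin from 10.0.5.8 port 50210 ssh2
2017-11-10T09:05:10Z vista-db01 sudo: dba_admin : TTY=pts/1 ; COMMAND=/usr/bin/systemctl restart postgresql
"""

# "<timestamp> <host> <program>[pid]: <message>"; the pid is optional.
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>[^:\[]+)(?:\[\d+\])?: (?P<msg>.*)$")
ACCEPT_RE = re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<src>\S+)")
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
SUDO_RE = re.compile(r"^(?P<user>\S+) : TTY=\S+ ; COMMAND=(?P<cmd>.*)$")


def parse_events(text):
    """Turn raw lines into event dicts with a 'kind' and the fields each rule needs."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a production pipeline would count unparsable lines, not drop them silently
        ev = m.groupdict()
        msg = ev["msg"]
        sudo = SUDO_RE.match(msg) if ev["prog"] == "sudo" else None
        ok = ACCEPT_RE.search(msg)
        fail = FAILED_RE.search(msg)
        if sudo:
            ev.update(kind="sudo", user=sudo["user"], cmd=sudo["cmd"])
        elif ok:
            ev.update(kind="login_ok", user=ok["user"], src=ok["src"])
        elif fail:
            ev.update(kind="login_fail", user=fail["user"], src=fail["src"])
        else:
            ev["kind"] = "other"
        events.append(ev)
    return events


def review_events(events, privileged_users, burst_threshold=3):
    """Apply the review rules and return a list of finding dicts."""
    findings = []
    failures = Counter()  # (host, user, source) -> failed login count
    for ev in events:
        kind = ev["kind"]
        if kind == "login_ok" and ev["user"] in privileged_users:
            findings.append({"code": "PRIVILEGED_LOGIN", "user": ev["user"],
                             "host": ev["host"], "detail": f"from {ev['src']} at {ev['ts']}"})
        elif kind == "login_fail":
            failures[(ev["host"], ev["user"], ev["src"])] += 1
        elif kind == "sudo" and ev["user"] not in privileged_users:
            findings.append({"code": "UNEXPECTED_SUDO", "user": ev["user"],
                             "host": ev["host"], "detail": ev["cmd"]})
    for (host, user, src), n in failures.items():
        if n >= burst_threshold:
            findings.append({"code": "FAILED_LOGIN_BURST", "user": user,
                             "host": host, "detail": f"{n} failures from {src}"})
    return findings


def run_review():
    """Parse the constructed sample and return the findings for review."""
    return review_events(parse_events(SAMPLE_LOGS), PRIVILEGED_USERS)


if __name__ == "__main__":
    for f in run_review():
        print(f"{f['code']:<19} {f['host']:<12} {f['user']:<10} {f['detail']}")
```

The burst rule only works because both hosts' lines sit in one stream with a common timestamp format; that is what "aggregated" buys you. The privileged-login rule is deliberately unconditional: the report's complaint is not that those logins are suspicious but that nobody was looking at them at all.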
Frankly, there are a ton more comments and recommendations, but I became more bored as I read the report and almost dozed off. So… how about those Yankees?
It would be awesome if some of you more inclined to read through IT grog would check back in here with anything that really jumps out at you.