VA Information Systems: The Austin Automation Center Has Made Progress in
Improving Information System Controls (Letter Report, 06/08/99,
GAO/AIMD-99-161).

Pursuant to a legislative requirement, GAO assessed the effectiveness of
information system general controls at the Department of Veterans
Affairs' (VA) Austin Automation Center (AAC).

GAO noted that: (1) AAC had made substantial progress in correcting
specific computer security weaknesses that GAO identified in its
previous evaluation of information system controls; (2) AAC had
established a solid foundation for its computer security planning and
management program by creating a centralized computer security group,
developing a comprehensive security policy, and promoting security
awareness; (3) however, AAC had not yet established a framework for
continually assessing risks and routinely monitoring and evaluating the
effectiveness of information system controls; (4) GAO also identified
additional computer security weaknesses that increased the risk of
inadvertent or deliberate misuse, fraudulent use, improper disclosure,
and destruction of financial and sensitive veteran medical and benefit
information on AAC systems; (5) an effective computer security planning
and management program would have allowed AAC to identify and correct
the types of additional weaknesses that GAO identified; (6) in addition,
AAC continues to run the risk that unauthorized access may not be
detected because it had not established a program to identify and
investigate unusual or suspicious patterns of successful access to
sensitive data and resources; (7) these weaknesses could also affect
other agencies that depend on AAC information technology services; (8)
AAC was very responsive in addressing the new security exposures GAO
identified and corrected several weaknesses before GAO's fieldwork was
completed;
(9) the Acting Assistant Secretary for Information Technology said VA
would implement all of GAO's recommendations by September 30, 1999; and
(10) addressing the remaining issues will help ensure that an effective
computer security environment is achieved and maintained.

--------------------------- Indexing Terms -----------------------------

 REPORTNUM:  AIMD-99-161
     TITLE:  VA Information Systems: The Austin Automation Center Has
	     Made Progress in Improving Information System
	     Controls
      DATE:  06/08/99
   SUBJECT:  Computer security
	     Information systems
	     Confidential communication
	     Information resources management
	     Financial management systems
	     Internal controls
	     Veterans benefits


United States General Accounting Office

Report to the Acting Chief Information Officer and the Director of
the Austin Automation Center, Department of Veteran Affairs

June 1999

VA INFORMATION SYSTEMS

The Austin Automation Center Has Made Progress in Improving
Information System Controls

GAO/AIMD-99-161

Page 1 GAO/AIMD-99-161 AAC Computer Controls

United States General Accounting Office Washington, D.C. 20548

Accounting and Information Management Division

B-282593

June 8, 1999

Mr. Harold F. Gracey, Jr.
Acting Chief Information Officer
Department of Veterans Affairs

Mr. Robert P. Evans
Director, Austin Automation Center
Department of Veterans Affairs

As part of our review of computer security at the Department of
Veterans Affairs (VA), we assessed the effectiveness of
information system general controls[1] at the Austin Automation
Center (AAC). Our review of VA computer security was performed in
connection with the department's required annual financial
statement audit[2] for fiscal year 1998. Our evaluation included
follow-up on the computer security weaknesses we identified at AAC
in conjunction with the audit of VA's fiscal year 1997 financial
statements.

Today, we are also issuing a report designated for Limited
Official Use, which details the weaknesses we identified at AAC
and the current status of corrective actions. This version of the
report, which was excerpted for public release, provides a general
summary of the weaknesses we identified, the status of corrective
actions, and the recommendations we made.

We advised the director of AAC of specific corrective actions that
could be taken to address the weaknesses we identified. The
results of our evaluation were shared with the VA's Office of
Inspector General (IG) for its use in auditing VA's consolidated
financial statements for fiscal year 1998.

[1] General controls affect the overall effectiveness and security
of computer operations as opposed to being unique to any specific
computer application. They include security management, operating
procedures, software security features, and physical protection
designed to ensure that access to data and programs is
appropriately restricted, only authorized changes are made to
computer programs, computer security duties are segregated, and
backup and recovery plans are adequate to ensure the continuity of
essential operations.

[2] The Government Management Reform Act of 1994, which expands the
Chief Financial Officers Act of 1990, requires that the inspectors
general of 24 major federal agencies, including VA, annually audit
agencywide financial statements.


Results in Brief

AAC had made substantial progress in correcting specific computer
security weaknesses that we identified in our previous evaluation
of information system controls. AAC had established a solid
foundation for its computer security planning and management
program by creating a centralized computer security group,
developing a comprehensive security policy, and promoting security
awareness. However, AAC had not yet established a framework for
continually assessing risks and routinely monitoring and
evaluating the effectiveness of information system controls.

We also identified additional computer security weaknesses that
increased the risk of inadvertent or deliberate misuse, fraudulent
use, improper disclosure, and destruction of financial and
sensitive veteran medical and benefit information on AAC systems.
An effective computer security planning and management program
would have allowed AAC to identify and correct the types of
additional weaknesses that we identified. In addition, AAC
continues to run the risk that unauthorized access may not be
detected because it had not established a program to identify and
investigate unusual or suspicious patterns of successful access to
sensitive data and resources. These weaknesses could also affect
other agencies that depend on AAC information technology services.

AAC was very responsive in addressing the new security exposures
we identified and corrected several weaknesses before our fieldwork
was completed. In commenting on this report, the Acting Assistant
Secretary for Information and Technology said VA would implement
all of our recommendations by September 30, 1999. Addressing the
remaining issues will help ensure that an effective computer
security environment is achieved and maintained.

Background

VA is responsible for administering health care and other
benefits, such as compensation and pensions, life insurance
protection, and home mortgage loan guarantees, that affect the
lives of more than 25 million veterans and approximately 44
million members of their families. In providing these benefits and
services, VA collects and maintains sensitive medical record and
benefit payment information for veterans and their family members.

AAC is one of VA's three centralized data centers. It maintains
the department's financial management and other departmentwide
systems, including centralized accounting, payroll, vendor
payment, debt collection, benefits delivery, and medical systems.
AAC also provides, for a fee, information technology services to
other government agencies. As of November 1998, the center either
provided or had entered into contracts to provide information
technology services, including batch and online processing and
workers' compensation and financial management computer
applications, for nine other federal agencies.[3]

In fiscal year 1998, the VA's payroll was more than $11 billion
and the centralized accounting system processed more than $7
billion in administrative payments. AAC also maintains medical
information for both inpatient and outpatient care. For example,
AAC systems document admission, diagnosis, surgical procedure, and
discharge information for each stay in a VA hospital, nursing
home, or domiciliary. In addition, AAC systems contain information
concerning each of the guaranteed or insured loans closed by VA
since 1944, including about 3.5 million active loans.

As one of VA's three centralized data centers, AAC is part of a
vast array of computer systems and telecommunication networks that
VA relies on to support its operations and store the sensitive
information the department collects in carrying out its mission.
The remaining two data centers support VA's compensation, pension,
education, and life insurance benefit programs.

In addition to the three centralized data centers, the Veterans
Health Administration operates 172 hospitals at locations across
the country that operate local financial management and medical
support systems on their own computer systems. These data centers
and hospitals are interconnected, along with 58 Veterans Benefits
Administration regional offices, the VA headquarters office, and
customer organizations such as non-VA hospitals and medical
universities, through a wide area network. All together, VA's
network services over 700 locations nationwide, including Puerto
Rico and the Philippines.

Objective, Scope, and Methodology

Our objective was to evaluate and test the effectiveness of
information system general controls over the financial systems
maintained and operated by VA at AAC. General controls, however,
also affect the security and reliability of nonfinancial
information, such as veteran medical and loan data, maintained at
this processing center.

[3] At the time of our review, GAO had contracted with AAC for
information technology services.


Specifically, we evaluated information system general controls
intended to

- protect data, files, programs, and equipment from unauthorized
  access, modification, and destruction;
- prevent the introduction of unauthorized changes to application
  and system software;
- provide adequate segregation of duties involving application
  programming, system programming, computer operations, security,
  and quality assurance;
- ensure recovery of computer processing operations in case of a
  disaster or other unexpected interruption; and
- ensure that an effective computer security planning and
  management program is in place.

We restricted our evaluation to AAC because VA's Office of
Inspector General was planning to review information system
general controls for fiscal year 1998 at the Hines and
Philadelphia benefits delivery centers.

To evaluate information system general controls, we identified and
reviewed AAC's general control policies and procedures. We also
tested and observed the operation of information system general
controls over AAC's information systems to determine whether they
were in place, adequately designed, and operating effectively. In
addition, we determined the status of previously identified
computer security weaknesses, but did not perform any follow-up
penetration testing.

We performed our review from October 1998 through March 1999, in
accordance with generally accepted government auditing standards.
Our evaluation was based on the guidance provided in our Federal
Information System Controls Audit Manual (FISCAM)[4] and the
results of our May 1998 study of security management best
practices at leading organizations.[5]

After we completed our fieldwork, the director of AAC provided us
with updated information regarding corrective actions. We did not
verify these corrective actions but plan to do so as part of
future reviews.

[4] Federal Information System Controls Audit Manual, Volume I,
Financial Statement Audits (GAO/AIMD-12.19.6, January 1999).

[5] Information Security Management: Learning From Leading
Organizations (GAO/AIMD-98-68, May 1998).


VA provided us with written comments on a draft of this report,
which are discussed in the Agency Comments section and reprinted
in appendix I.

AAC Has Acted to Improve Security

AAC has made substantial progress in addressing the computer
security issues we previously identified. At the time of our
review in 1998, AAC had corrected 40 of the 46 weaknesses that we
discussed with the director of AAC and summarized in our September
1998 report on VA computer security.[6] AAC had addressed most of
the access control, system software, segregation of duties, and
service continuity weaknesses we identified in 1997 and had
improved computer security planning and management. For example,
AAC had

- reduced the number of users with access to the computer room,
- restricted access to certain sensitive libraries, audit
  information, and utilities,
- established password and dial-in access controls,
- developed a formal system software change control process,
- expanded tests of its disaster recovery plan, and
- established a centralized computer security group.

AAC was also proactive in addressing additional computer security
issues we identified during our current review.

Key Issues Were Still Outstanding

We identified a continuing risk of unauthorized access to
financial and sensitive veteran medical and benefit information
because the center had not fully implemented a comprehensive
computer security planning and management program. If properly
designed, such a program should identify and correct the types of
additional access control and system software weaknesses that we
found. In addition, AAC risks certain types of unauthorized access
not being detected because it had not completely corrected the
user access monitoring weaknesses we previously identified.

[6] Information Systems: VA Computer Control Weaknesses Increase
Risk of Fraud, Misuse, and Improper Disclosure (GAO/AIMD-98-175,
September 1998).
