The Department of Veterans Affairs was deficient in each of five major categories of information security controls in 2006 and remains so today, according to the Government Accountability Office, an investigative arm of Congress.

The five categories are access control, configuration management, segregation of duties, contingency planning and security management.

"Further, in VA's fiscal year 2009 performance and accountability report, the independent auditor stated that, while VA continued to make progress, I.T. security and control weaknesses remained pervasive and continued to place VA's program and financial data at risk," according to testimony GAO officials delivered on May 19 to the oversight subcommittee of the House Committee on Veterans Affairs.

Where there has been progress on security issues, there also has been backsliding, according to the GAO. The department in recent years has significantly increased its contingency plan testing, while at the same time the percentage of employees receiving security awareness training has decreased.

Until VA fully and effectively implements a comprehensive information security program and fixes known vulnerabilities, its computer systems--and sensitive information on veterans and beneficiaries--will remain at increased risk, the GAO concludes.

The testimony, "Veterans Affairs Needs to Resolve Long-Standing Weaknesses," is available at
