VA Office of Inspector General



Similar documents
VA Office of Inspector General

VA Office of Inspector General

Review of Alleged Manipulation of Waiting Times, North Florida/South Georgia Veterans Health System

VA Office of Inspector General

VA Office of Inspector General

VA Office of Inspector General

VA Office of Inspector General

VA Office of Inspector General

VA Office of Inspector General

VA Office of Inspector General

VA Office of Inspector General

VA Office of Inspector General

VA Office of Inspector General

Healthcare Inspection. Follow-Up Review of the Pause in Providing Inpatient Care VA Northern Indiana Healthcare System Fort Wayne, Indiana

VA Office of Inspector General

VA Office of Inspector General

VA Office of Inspector General

Healthcare Inspection. Oversight of the Community Nursing Home Program Oklahoma City VA Medical Center Oklahoma City, Oklahoma

March 17, 2015 OIG-15-43

U.S. DEPARTMENT OF THE INTERIOR OFFICE OF INSPECTOR GENERAL Verification of Previous Office of Inspector General Recommendations September 2009

Healthcare Inspection. Supervision of Nurse Anesthetists in the Anesthesia Section Dayton VA Medical Center Dayton, Ohio

VA Office of Inspector General

Independent Evaluation of NRC s Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2015

1 Published on September 14, 2015, and January 6, 2016, respectively.

VA Office of Inspector General

Healthcare Inspection. Patient Telemetry Monitoring Concerns Michael E. DeBakey VA Medical Center Houston, Texas

VA Office of Inspector General

VA Office of Inspector General

VA Office of Inspector General

Healthcare Inspection. Eye Care Concerns Eastern Kansas Health Care System Topeka and Leavenworth, Kansas

Healthcare Inspection. Credentialing and Privileging Concerns Wm. Jennings Bryan Dorn VA Medical Center Columbia, South Carolina

Department of Veterans Affairs

Combined Assessment Program Review of the Atlanta VA Medical Center Atlanta, Georgia

Appendix A: Rules of Behavior for VA Employees

Memorandum. ACTION: Report on Computer Security Controls of Financial Management System, FTA FE May 23, 2000.

U.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL

Healthcare Inspection Review of a Surgical Technician s Duties John D. Dingell VA Medical Center Detroit, Michigan

Healthcare Inspection. Surgical Quality of Care Review Southern Arizona VA Health Care System Tucson, Arizona

Information Technology

Department of Homeland Security

Five-Year Strategic Plan

Department of Homeland Security

Office of Inspector General

GAO. INFORMATION SECURITY Persistent Weaknesses Highlight Need for Further Improvement

Combined Assessment Program Summary Report. Construction Safety at Veterans Health Administration Facilities

VA Office of Inspector General

GAO INFORMATION SYSTEMS. The Status of Computer Security at the Department of Veterans Affairs. Report to the Secretary of Veterans Affairs

THE FCA INSPECTOR GENERAL: A COMMITMENT TO PUBLIC SERVICE

Healthcare Inspection Management of Government Resources and Personnel Practices VA North Texas Health Care System Dallas, Texas

Healthcare Inspection

VA Office of Inspector General

Office of Inspector General

How To Check If Nasa Can Protect Itself From Hackers

Healthcare Inspection Emergency Department Length of Stay and Call Center Wait Times VA Eastern Colorado Health Care System, Denver, Colorado

Healthcare Inspection. Reporting of Suspected Patient Neglect Central Alabama Veterans Health Care System Tuskegee, Alabama

POSTAL REGULATORY COMMISSION

Audit of the Administrative and Loan Accounting Center, Austin, Texas

Information Security Series: Security Practices. Integrated Contract Management System

`DEPARTMENT OF VETERANS AFFAIRS VA SOUTHEAST NETWORK Automated Information System User Access Notice

OFFICE OF THE INSPECTOR GENERAL SOCIAL SECURITY ADMINISTRATION

Audit of the Department of State Information Security Program

OFFICE OF THE SECRETARY

The U.S. Coast Guard Travel to Obtain Health Care Program Needs Improved Policies and Better Oversight

U.S. Department of Energy Office of Inspector General Office of Audits and Inspections

Review of U.S. Coast Guard's FY 2014 Drug Control Performance Summary Report

STATEMENT OF JOHN E. MCCOY II DEPUTY ASSISTANT INSPECTOR GENERAL FOR AUDITS U.S. DEPARTMENT OF HOMELAND SECURITY BEFORE THE

Healthcare Inspection. Review of Allegations of Coding and Billing Irregularities, VA Medical Center, Kansas City, Missouri

Audit of Veterans Health Administration Blood Bank Modernization Project

VA Office of Inspector General

VA Office of Inspector General

TITLE III INFORMATION SECURITY

Audit of Veterans Health Administration Vehicle Fleet Management

SYSTEMS AND CONTROLS. Management Assurances FEDERAL MANAGERS FINANCIAL INTEGRITY ACT (FMFIA) ASSURANCE STATEMENT FISCAL YEAR (FY) 2012

AUDIT REPORT. The Energy Information Administration s Information Technology Program

VA Office of Inspector General

OFFICE OF THE INSPECTOR GENERAL SOCIAL SECURITY ADMINISTRATION

VA Office of Inspector General

Management Advisory - The Transportation Security Administration's Failure to Address Two Recommendations to Improve the Efficiency and Effectiveness

ROSS PHILO EXECUTIVE VICE PRESIDENT AND CHIEF INFORMATION OFFICER

Combined Assessment Program Review of the VA Southern Oregon Rehabilitation Center and Clinics White City, Oregon

VA Office of Inspector General

Office of Inspector General

VA Office of Inspector General

U.S. Department of Energy Office of Inspector General Office of Audits & Inspections. Evaluation Report

Department of Homeland Security

Public Law th Congress An Act

VA Office of Inspector General

Combined Assessment Program Summary Report. Evaluation of Quality Management in Veterans Health Administration Facilities Fiscal Year 2012

OIG Determination of Veterans Health Administration s Occupational Staffing Shortages

VA Office of Inspector General

Review of Selected Active Directory Domains

VA Office of Inspector General

Department of Veterans Affairs VA DIRECTIVE 6071

Audit of Case Activity Tracking System Security Report No. OIG-AMR

Briefing Report: Improvements Needed in EPA s Information Security Program

Information System Security

Office of Inspector General

Department of Homeland Security Office of Inspector General. Review of U.S. Coast Guard Enterprise Architecture Implementation Process

May 2, 2016 OIG-16-69

Cloud Computing Contract Clauses

Transcription:

VA Office of Inspector General OFFICE OF AUDITS AND EVALUATIONS Department of Veterans Affairs Review of Alleged Lack of Access Controls for the Project Management Accountability System Dashboard May 9, 2016 15-02459-260

ACRONYMS FY IT OIG OI&T OMB PBO PMAS VA Fiscal Year Information Technology Office of Inspector General Office of Information and Technology Office of Management and Budget Project Management Accountability System (PMAS) Business Office Project Management Accountability System Department of Veterans Affairs To Report Suspected Wrongdoing in VA Programs and Operations: Telephone: 1-800-488-8244 E-Mail: vaoighotline@va.gov (Hotline Information: http://www.va.gov/oig/hotline)

Highlights: Review of Alleged Lack of Access Controls for VA s PMAS Dashboard Why We Did This Review The Office of Inspector General received an allegation that the Office of Information and Technology (OI&T) had ineffective access controls over the Project Management Accountability System (PMAS) Dashboard and related project management data and metric reporting information. What We Found We substantiated the allegation that PMAS Dashboard access controls were inadequate. OI&T did not configure 17 of the 18 PMAS Dashboard access groups to provide the least needed access privileges even though VA policy required OI&T grant access to VA systems based on the least need (the practice of limiting access to the minimal level that will allow normal performance of duties). Instead, OI&T designed these 17 groups to have full user access privileges to the PMAS Dashboard data, regardless of individual user need. This occurred because the OI&T director concluded that the PMAS data were not at risk; thus, OI&T should not spend limited funds to develop group access ranging from read only to full access. When requested, OI&T staff could not provide a cost analysis identifying the costs to develop access controls. Federal Information Technology security requirements and VA Handbook 6500, and has assumed unnecessary risks to the integrity of its project management data. What We Recommended We recommended the Assistant Secretary for Information and Technology create read-only access to PMAS and ensure each user s access is based on the least needed privilege. We also recommended that the Assistant Secretary develop Dashboard access logs and periodically review all users access to ensure users still have legitimate needs for system access. Agency Comments The Assistant Secretary for Information and Technology concurred with our recommendations and provided acceptable corrective action plans. We will monitor their implementation. GARY K. ABE Acting Assistant Inspector General for Audits and Evaluations In addition, OI&T did not develop user access logs. This prevented OI&T from identifying active users and periodically validating their actions. Thus, OI&T could not effectively manage its risk to data integrity. Without configuring all the PMAS Dashboard groups to restrict user access to the data, VA does not comply with VA OIG 15-02459-260 May 9, 2016

TABLE OF CONTENTS Results and Recommendations...1 Finding Project Management Accountability System Dashboard Access Controls Are Inadequate...1 Recommendations...3 Appendix A Appendix B Appendix C Appendix D Background, Scope, and Methodology...4 Management Comments...6 OIG Contact and Staff Acknowledgments...9 Report Distribution...10

RESULTS AND RECOMMENDATIONS Finding Project Management Accountability System Dashboard Access Controls Are Inadequate The Office of Inspector General (OIG) received an anonymous allegation that the Office of Information and Technology (OI&T) had ineffective access controls over the Project Management Accountability System (PMAS) Dashboard and related project management data and metric reporting information. What We Found We substantiated the allegation that PMAS Dashboard access controls were inadequate. OI&T did not configure 17 of the 18 PMAS Dashboard access groups to provide the least needed access privileges even though VA policy required OI&T grant access based on the least need (the practice of limiting access to the minimal level that will allow normal performance of duties). Instead, OI&T designed these 17 groups to have full user access privileges to the PMAS dashboard data, regardless of need. This occurred because OI&T thought it would be too costly to develop group access ranging from readonly to full access. Full access would allow users to read, write, modify, and delete data. Without configuring all the PMAS Dashboard access groups to the least needed privilege, VA has assumed unnecessary risks to the integrity of its project management data. PMAS is an information technology (IT) system that is required to comply with VA Handbook 6500, Information Security. The Handbook states VA IT system access should be granted to users based on the least need in order to protect the data in the system and ensure it is not vulnerable to improper modification, disclosure, or destruction. Access privileges must range from read-only to full access depending on the individual needs of the user. Implementing a range of effective access controls would enable OI&T to grant system access to users based on the least need, thereby protecting the PMAS data. At the time OI&T developed the PMAS Dashboard, the PMAS Business Office (PBO) decided to manage PMAS Dashboard security via Windows domain groups, which control a user s access to the Dashboard. When users need access to specific areas of the PMAS Dashboard, the system administrator adds them to the appropriate group, thereby granting access to an area or feature. Once an individual is granted access to a particular group, he or she has all the rights of that group. The Business Intelligence Reports group is the only group where users have read-only access to view and print pre-defined reports. Users in this group, such as analysts and senior officials use these reports to help them make informed management decisions. However, if the system administrator VA OIG 15-02459-260 1

granted any of these same users access to any of the other 17 access groups, they could modify the data that populate the pre-defined reports. For example, 24 users are members of 2 groups, the Business Intelligence Reports and the Manage Investment group. 1 These 24 users, regardless of their read-only access in the Business Intelligence Reports group, had the ability to manipulate cost and schedule data in the Manage Investment group, potentially altering VA s performance metrics, which are reported on the Office of Management and Budget s (OMB) Federal IT Dashboard. Congress and VA use the performance metrics to make budget-related decisions. Reason PMAS Dashboard Groups Improperly Configured OI&T did not see a need to restrict user access privileges except when a user needs to view or print pre-defined reports. The PBO director disclosed that she made the decision because of budget constraints. She stated that it never occurred to her that anyone would want to do anything malicious to the data and was not aware of any malicious activity. She also did not anticipate any interest in the PMAS data, or that anyone would want to verify the data, because she thought the data were for internal use only. The director concluded that the PMAS data were not at risk of being compromised and the PBO should not spend limited financial resources on developing the required read-only access. We requested the costs to develop access controls. However, PBO officials stated they could not separately identify those costs. The PBO director s decision to limit implementation of the read-only requirement to only the Business Intelligence Reports group and not the other 17 groups created an unmitigated risk to data integrity. In addition, OI&T did not develop user access logs. This prevented OI&T from identifying active users and periodically validating their actions. Thus, OI&T could not effectively manage the risk to data integrity. OIG previously reported that VA had not implemented the controls needed to monitor system access logs periodically. In our May 2015 Federal Information Security Management Act audit report, we recommended VA enable system audit logs. 2 Without access logs, OI&T cannot adequately monitor users to ensure they have a continued need for PMAS Dashboard access group memberships. In accordance with VA policy, systems must have read-only privileges and system access logs that are reviewed periodically. 1 The Management Investment group users are granted full access to all data contained within that group. 2 Federal Information Security Management Act Audit for Fiscal Year 2014, Report No. 14-01820-355, May 19, 2015. VA OIG 15-02459-260 2

Conclusion Access controls are necessary to protect Government information and ensure those systems are not vulnerable to improper data modification, disclosure, or destruction. OI&T officials acknowledged that they chose not to implement read-only access privileges during PMAS Dashboard development with the exception of the Business Intelligence Reports group. Consequently, the PMAS data remained at risk for manipulation. Thus, VA does not comply with Federal IT security requirements and VA Handbook 6500 and has assumed unnecessary risks to the integrity of its project management data. Recommendations 1. We recommended the Assistant Secretary for Information and Technology create read-only access capability for the Project Management Accountability System. 2. We recommended the Assistant Secretary for Information and Technology assess the current level of each user s access to the Project Management Accountability System Dashboard to ensure each user s access is based on the least privilege needed. 3. We recommended the Assistant Secretary for Information and Technology develop Project Management Accountability System Dashboard access logs. 4. We recommended the Assistant Secretary for Information and Technology periodically review Project Management Accountability System Dashboard access logs to ensure users have a need for system access. Management Comments OIG Response The Assistant Secretary for Information and Technology concurred with our recommendations and provided acceptable corrective action plans. A new dashboard is currently being developed that will store data related to OI&T s new planning, development, and release process. Implementation of recommendations will be included as part of the mandatory requirements for the Veteran-focused Integrated Process Dashboard and the initial estimate target completion date is December 2016. We consider the corrective actions acceptable and we will monitor their implementation. VA OIG 15-02459-260 3

Appendix A PMAS Dashboard Overview A VA Organizational Tool Background, Scope, and Methodology The PMAS Dashboard IT project was under the purview of PMAS a performance-based project management discipline intended to improve the rate of success of VA s IT projects. OI&T began developing the PMAS Dashboard in FY 2010 and completed development in FY 2014 at a total cost of approximately $13.5 million, including the costs of the existing access controls. PBO officials could not separately identify the access control costs. VA management uses the PMAS Dashboard as an organizational tool to assist in the governance process ensuring that VA s IT investments achieve: Their intended outcomes on time and within budget, meet veterans needs, and support VA s mission and business objectives Appropriate security and privacy protections Conformance to legislative mandates and OMB requirements for IT investment management OI&T uses the PMAS Dashboard to track and report the status of PMAS-managed projects, automate recurring report generation capabilities, centrally store PMAS-related artifacts, and provide automated input for external systems, such as the OMB Federal IT Dashboard. Scope and Methodology We reviewed 18 PMAS Dashboard access groups and select users within those groups. To accomplish our review, we: Interviewed the PBO director, and the PMAS system administrator to obtain an understanding of how OI&T granted access to the PMAS Dashboard Observed a demonstration of the PMAS Dashboard features to include the data users can obtain from the Dashboard and OI&T s process to grant user access to the Dashboard access groups Analyzed a current list of PMAS Dashboard access groups to determine completeness and consistency with the PMAS PBO s cited business rules Reviewed Federal law and VA policy and guidance related to IT access controls Determined whether OI&T used access logs to validate the adequacy of user access and ensure adequate PMAS Dashboard oversight Data Reliability We analyzed the access list provided by the PBO and found the initial list to be incomplete because it did not identify users the audit team knew had access to PMAS data. When we questioned the completeness of the list, the PBO simply provided an updated list without explaining the discrepancy VA OIG 15-02459-260 4

even after we asked. As a result, we limited our findings and conclusions to the users whom we could verify and reported the results accordingly. Thus, we determined the list was sufficiently reliable for the purposes of our findings and conclusions. We did not verify that every user s access was appropriate or evaluate the reliability of PMAS data. 3 Government Standards We conducted this review in accordance with the Council of the Inspectors General on Integrity and Efficiency s Quality Standards for Inspection and Evaluation. 3 We previously reported that OI&T needs to establish controls for ensuring data reliability in the PMAS Dashboard. Audit of the Project Management Accountability System Implementation, Report No. 10-03162-262, August 29, 2011, and Follow-Up Audit of the Information Technology Project Management Accountability System, Report No. 13-03324-85, January 22, 2015. VA OIG 15-02459-260 5

Appendix B Management Comments Department of Veterans Affairs Memorandum Date: April 6, 2016 From: Assistant Secretary for Information and Technology (005) Subj: OIG Draft Report, Review of Alleged Lack of Access Controls for the Project Management Accountability System Dashboard (Project No. 2015-02459-R6-0130) To: Assistant Inspector General for Audits and Evaluations (52) Thank you for the opportunity to review the Office of Inspector General (OIG) draft report, Review of Alleged Lack of Access Controls for the Project Management Accountability System Dashboard. The Office of Information and Technology concurs with the OIG s findings and submits the attached comments for recommendations 1-4. If you have any questions, contact me at (202) 461-6910 or have a member of your staff contact Rob C. Thomas, II, Deputy Assistant Secretary, Enterprise Program Management Office, at (727) 502-1382. (original signed by:) LaVERNE H. COUNCIL Attachment VA OIG 15-02459-260 6

005 Attachment Office of Information and Technology Comments on OIG Draft Report, Review of Alleged Lack of Access Controls for the Project Management Accountability System Dashboard (Project Number: 2015-02459-R6-0130) OIG Recommendation 1: We recommended the Assistant Secretary for Information and Technology create read-only access capability for the Project Management Accountability System. Comments: Concur. The Office of Information and Technology (OI&T) is undergoing a major transformation of its product planning, development, and release processes to more effectively serve customers and Veterans. As part of this transformation, OI&T will phase out use of the PMAS Dashboard over the next several months. A new dashboard is currently being developed that will store data related to OI&T s new planning, development and release process. This new dashboard will be called the Veteran-focused Integrated Process (VIP) Dashboard. OIG Recommendation 1 to create read-only access capability will be included as part of the mandatory requirements for the VIP Dashboard and implemented in that system. The VIP Dashboard will replace the PMAS Dashboard. Development of the VIP Dashboard has just begun; VA s initial estimate for a target completion date is December 2016. OIG Recommendation 2: We recommended the Assistant Secretary for Information and Technology assess the current level of each user s access to the Project Management Accountability System Dashboard to ensure each user s access is based on the least privilege needed. Comments: Concur. The Office of Information and Technology (OI&T) is undergoing a major transformation of its product planning, development, and release processes to more effectively serve customers and Veterans. As part of this transformation, OI&T will phase out use of the PMAS Dashboard over the next several months. A new dashboard is currently being developed that will store data related to OI&T s new planning, development and release process. This new dashboard will be called the Veteran-focused Integrated Process (VIP) Dashboard. OIG Recommendation 2 to assess each user s access to ensure it is based on least privilege needed will be included as part of the mandatory requirements for the VIP Dashboard and implemented in that system. The VIP Dashboard will replace the PMAS Dashboard. Development of the VIP Dashboard has just begun; VA s initial estimate for a target completion date is December 2016. OIG Recommendation 3: We recommended the Assistant Secretary for Information and Technology develop Project Management Accountability System Dashboard access logs. Comments: Concur. The Office of Information and Technology (OI&T) is undergoing a major transformation of its product planning, development, and release processes to more effectively serve customers and Veterans. As part of this transformation, OI&T will phase out use of the PMAS Dashboard over the next several months. VA OIG 15-02459-260 7

A new dashboard is currently being developed that will store data related to OI&T s new planning, development and release process. This new dashboard will be called the Veteran-focused Integrated Process (VIP) Dashboard. OIG Recommendation 3 to develop dashboard access logs will be included as part of the mandatory requirements for the VIP Dashboard and implemented in that system. The VIP Dashboard will replace the PMAS Dashboard. Development of the VIP Dashboard has just begun; VA s initial estimate for a target completion date is December 2016. OIG Recommendation 4: We recommended the Assistant Secretary for Information and Technology periodically review Project Management Accountability System Dashboard access logs to ensure users have a need for system access. Comments: Concur. The Office of Information and Technology (OI&T) is undergoing a major transformation of its product planning, development, and release processes to more effectively serve customers and Veterans. As part of this transformation, OI&T will phase out use of the PMAS Dashboard over the next several months. A new dashboard is currently being developed that will store data related to OI&T s new planning, development and release process. This new dashboard will be called the Veteran-focused Integrated Process (VIP) Dashboard. OIG Recommendation 4 to periodically review access logs to ensure users have a need for system access will be included as part of the mandatory requirements for the VIP Dashboard and implemented in that system. The VIP Dashboard will replace the PMAS Dashboard. An independent group within OI&T s Enterprise Program Management Office (EPMO) will review access logs semi-annually and provide recommendations to the VIP Business Office (VBO) for implementation. Development of the VIP Dashboard has just begun; VA s initial estimate for a target completion date is December 2016. VA OIG 15-02459-260 8

Appendix C OIG Contact and Staff Acknowledgments OIG Contact Acknowledgments For more information about this report, please contact the Office of Inspector General at (202) 461-4720. Mario Carbone, Director Sherry Fincher Heather Jones Brenda Stepps VA OIG 15-02459-260 9

Appendix D Report Distribution VA Distribution Office of the Secretary Veterans Health Administration Veterans Benefits Administration National Cemetery Administration Assistant Secretaries Office of General Counsel Non-VA Distribution House Committee on Veterans Affairs House Appropriations Subcommittee on Military Construction, Veterans Affairs, and Related Agencies House Committee on Oversight and Government Reform Senate Committee on Veterans Affairs Senate Appropriations Subcommittee on Military Construction, Veterans Affairs, and Related Agencies Senate Committee on Homeland Security and Governmental Affairs National Veterans Service Organizations Government Accountability Office Office of Management and Budget This report is available on our Web site at www.va.gov/oig. VA OIG 15-02459-260 10

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information