What the Audit Found
The OIG team found that VA’s Office of Information and Technology (OIT) inappropriately set the security categorization (impact level) for BFFS at moderate instead of high. This happened because risk managers did not follow established standards and did not account for the protected health information (PHI) and personally identifiable information (PII) stored in the system’s database. Because the impact level selects the control baseline the system must implement, the lower categorization reduced the system’s required security and access controls and potentially jeopardized the confidentiality, integrity, and availability of sensitive information about beneficiaries and fiduciaries. For example, a moderate-impact system requires baseline controls such as a response to audit processing failures and protection of audit information. A high-impact system keeps the same requirements as a moderate system but adds control enhancements (in NIST SP 800-53 terms, enhancements to the AU-5 and AU-9 controls), including real-time alerts when audit processing fails and backing up audit records onto a physically separate system or component to protect audit information…
What the OIG Recommended
The OIG made four recommendations to improve BFFS security and access controls so as to protect data integrity and safeguard the protected health and personal information of fiduciaries and beneficiaries. The recommendations include reevaluating the risk determination for BFFS, improving controls over end users’ access levels, fully enabling audit logs so that the Veterans Benefits Administration (VBA) can accurately and comprehensively track access to records within BFFS, and improving separation of duties. Read the full 32-page report.
Source: Security and Access Controls for the Beneficiary Fiduciary Field System Need Improvement – September 12, 2019. VA OIG.