A new GAO (Government Accountability Office) report reviewed the Department of Veterans Affairs’ (VA) risk management policies in light of the security standards set by the Interagency Security Committee (ISC). The ISC was established by executive order to develop the security standards and best practices that federal agencies must follow when developing and conducting risk assessments.
Many of the findings concern how the VA performs the required security risk assessments: the elements used in the assessments, the evaluation of protective controls (countermeasures), and the fact that the assessments are not tracked.
The report concluded that VA policy only partially adheres, or does not adhere at all, to ISC’s standards. For example, ISC calls for using 5 elements when calculating a facility’s security level, but the VA uses only 3, leaving out the size of the facility and the facility’s population!
VA policy does not include performance measures, such as the number of countermeasures (controls) in use or the percentage of facility assessments completed; that percentage is a key element of ISC’s standards for assessing the effectiveness of an agency’s security program.
The report also pointed out that the VA does not review the quality of the VA medical centers’ required security risk assessments, and does not determine whether the countermeasures (controls) recommended in those assessments were subsequently implemented effectively.
The VA is the largest integrated health care system in the US, providing care at 1,233 health care facilities, including 168 VA Medical Centers and 1,053 outpatient sites of care of varying complexity (VHA outpatient clinics), serving more than 8.9 million Veterans each year.
You can access the 36-page report at: https://www.gao.gov/assets/690/689414.pdf
THANKS FOR READING THE RISKAlert Report