Security Analysis And Findings

Department of Veteran Association - Information Security Program

For quite a number of decades, the Department of Veterans Affairs (VA) has faced many information security breaches leading to the loss of crucial information and data of its clients. The reason behind the security threat is that the information security system of VA has many weaknesses that render it vulnerable to cyber threats and theft. As such, since September 2007 and until the VA embarked on efforts to strengthen its information security practices. However, it has been challenging for the Department of VA to implement a lot of security policies and initiatives, thereby limiting the security effectiveness of its information systems. The Office of Information and Technology (OI&T) oversees the information security policies of the Department of VA. Its main tasks include issues relating to the protection of data and information, which includes cyber security, privacy, records management, risk management, incident response, the Freedom of Information Act (FOIA), business continuity and critical infrastructure. Besides, OI&T is concerned with developing, implementing and overseeing procedures and policies regarding how veterans' information can be safeguarded. The purpose of this essay is to review the existing information security standards being used by the Department of Veterans Affairs (VA Handbook 6500, 2007).

Common Questions for the security breach of VA

Where is my confidential data?

Where is my data going?

Who is using data?

How can I protect it?

What is the business and resource impact?

How do I get started?

How much does it cost?

To start with, VA implements various information security policies and procedures, which include management controls, operational controls and technical controls. In regard to management controls, security measures target the management, reduction and/or elimination of risks and vulnerabilities to an appropriate and reasonable level so as to comply with federal security statutes. The procedure involved in management control entails risk assessment to ascertain potential vulnerabilities, threats and risks to the availability, integrity and confidentiality of VA's information assets. This is in compliance with NIST SP 800-30, Risk Management Guide for Information Technology Systems. In this regard, the steps followed during risk assessment include characterization of the information system, identification of the threats, identification of the vulnerabilities, control analysis, determination of likelihood, analysis of impacts, determination of risks, recommendation of control measures and documentation of results. As such, the Department of VA complies with procedures that have been laid out by NIST SP 800-30 (VA Handbook 6500, 2007).

In regard to operational controls, the policy of the Department of VA focuses on the security of its personnel, corrective actions, contingency security controls, separation of duties, controls for physical security, contingency planning, maintenance of both hardware and software, integrity of information, vulnerability scanning and penetration testing, and incident response capability.

The third aspect is technical controls, which involve measures that govern the availability, accessibility and confidentiality of information resources. The control measures include identification and authentication procedures, logical access controls, remote access, wireless and removable storage media security, internet gateways, electronic mail (e-mails), log-on warning ...