“VA’s Office of Information and Technology (OIT) manages over 50,000 mobile devices that store, process, and transmit veteran information and require protection at all times. VA centrally manages mobile devices accessing VA networks through an enterprise-wide mobile device management (MDM) system. A centralized, enterprise-wide MDM system can provide consistent management, configuration, security, and continuous monitoring of VA mobile devices. The VA Office of Inspector General (OIG) contracts with an independent public accounting firm to conduct an annual audit of VA’s information security program and practices to determine compliance with the Federal Information Security Modernization Act of 2014 (FISMA)…”
“The audit team found OIT’s security practices for mobile devices generally mitigated security control weaknesses within VA’s network infrastructure. The Government Accountability Office’s (GAO) Federal Information System Controls Audit Manual (FISCAM) has five general categories of information technology controls—security management, access controls, segregation of duties, contingency planning, and configuration management. OIT’s information technology controls in four of the five categories met OMB, NIST, and VA security standards for VA mobile devices.
“However, the audit team did find vulnerabilities associated with configuration management. Specifically, OIT did not enforce blacklisting of applications as required by VA policy. Blacklisting blocks the use of applications to prevent the execution of malicious, vulnerable, or flawed applications…”
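The configuration-management finding above is about an application denylist ("blacklist") that policy required but the MDM did not enforce. The script below is an added example, not part of the OIG report and not VA's MDM tooling: it takes an MDM inventory export and flags two distinct control failures, a device that never received the denylist policy, and a device that has the policy yet still carries a denylisted application (the policy is present but not taking effect). The JSON schema, device ids, bundle ids and field names are all invented for the example.

```python
"""Added example (not from the OIG report or VA's MDM): a compliance check
that flags devices where an application denylist is either not applied or
not taking effect. All device ids, bundle ids and field names are invented."""
import json
from dataclasses import dataclass

# Constructed sample of an MDM inventory export; the schema is assumed.
SAMPLE_INVENTORY = json.dumps([
    {"device_id": "dev-001", "denylist_policy_applied": True,
     "installed_apps": [{"bundle_id": "com.example.mail"},
                        {"bundle_id": "com.example.vpn"}]},
    {"device_id": "dev-002", "denylist_policy_applied": True,
     "installed_apps": [{"bundle_id": "com.example.mail"},
                        {"bundle_id": "Com.Example.Unapproved-Sync "}]},
    {"device_id": "dev-003", "denylist_policy_applied": False,
     "installed_apps": [{"bundle_id": "com.example.mail"}]},
])

# Constructed denylist of application identifiers the policy should block.
DENYLIST = {"com.example.unapproved-sync", "com.example.rooting-tool"}


@dataclass(frozen=True)
class Finding:
    device_id: str
    reason: str          # "policy_not_enforced" or "denylisted_app_installed"
    detail: str = ""     # bundle id for app findings, empty otherwise


def normalize(bundle_id: str) -> str:
    """Normalize case and whitespace so inventory quirks cannot hide a match."""
    return bundle_id.strip().lower()


def parse_inventory(raw: str) -> list[dict]:
    """Parse the (assumed) JSON array export and reject anything else."""
    devices = json.loads(raw)
    if not isinstance(devices, list):
        raise ValueError("inventory export must be a JSON array of devices")
    return devices


def check_devices(devices: list[dict], denylist: set[str]) -> list[Finding]:
    """Return one Finding per control failure.

    Two failures are reported separately: the denylist policy was never
    pushed to the device, or it was pushed but a denylisted app is still
    installed, meaning the policy is not actually blocking the app."""
    wanted = {normalize(b) for b in denylist}
    findings: list[Finding] = []
    for dev in devices:
        dev_id = dev.get("device_id", "<unknown>")
        if not dev.get("denylist_policy_applied", False):
            findings.append(Finding(dev_id, "policy_not_enforced"))
        for app in dev.get("installed_apps", []):
            bid = normalize(app.get("bundle_id", ""))
            if bid in wanted:
                findings.append(Finding(dev_id, "denylisted_app_installed", bid))
    return findings


def summarize(devices: list[dict], findings: list[Finding]) -> dict:
    """Roll findings up into the counts an auditor would report."""
    return {
        "devices_checked": len(devices),
        "noncompliant_devices": len({f.device_id for f in findings}),
        "policy_not_enforced": sum(f.reason == "policy_not_enforced" for f in findings),
        "denylisted_app_installed": sum(f.reason == "denylisted_app_installed" for f in findings),
    }


if __name__ == "__main__":
    devs = parse_inventory(SAMPLE_INVENTORY)
    found = check_devices(devs, DENYLIST)
    for f in found:
        print(f"{f.device_id}: {f.reason} {f.detail}".rstrip())
    print(summarize(devs, found))
```

Reporting the two failure modes separately matters for remediation: a missing policy is a deployment gap in the MDM, while a denylisted app surviving on a device with the policy applied points at the policy itself (wrong identifiers, unsupported platform, or the MDM not enforcing it), which is the kind of gap the audit describes.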
Read the full 33-page report here.
Source: VA’s Management of Mobile Devices Generally Met Information Security Standards – October 22, 2019. OIG.