A recent audit found cybersecurity shortcomings at the Department of Veterans Affairs, Fierce Government reports.
Ernst & Young and Clifton Gunderson audited the VA as part of annual oversight required by the Federal Information Security Management Act.
Auditors found that the VA’s central reporting tool had more than 15,000 outstanding plans of action and milestones in fiscal year 2011.
Issues with virtual identity management, access control and audit log monitoring are still looming problems for the VA, according to Fierce Government IT.
The report cited ineffective enforcement of information security policy as the problem.
Auditors recommended that the VA chief information officer develop and implement an agency-wide risk management structure and strategy.
The VA also needs an agency-wide incident response timeline and should integrate information security costs into capital planning processes, auditors recommended.