The Department of Veterans Affairs Inspector General has found that while the agency’s Office of Information Technology enforced proper mobile security measures, there were certain issues in the fortification of its network infrastructure.
The IG report, released on Tuesday, states that OIT didn’t address vulnerabilities in configuration management and failed to implement blacklisting procedures for mobile applications that could lead to malicious attacks and loss of data to unsafe cloud environments.
According to the audit team’s findings, OIT doesn’t implement configuration management tools to handle automated updates for mobile devices and applications. The Government Accountability Office’s Federal Information System Controls Audit Manual states that such controls “provide reasonable assurance that changes to information system resources are authorized and systems are configured and operated securely and as intended.”
The OIT director of mobile technology and endpoint security engineering noted that the office didn’t implement blacklisting due to the amount of workload associated with the vetting process.
OIT handles over 50,000 VA devices through a centralized, enterprise-wide Mobile Device Management system.