The Veterans Affairs (VA) Office of Inspector General (OIG) has found that the VA's Office of Information Technology (OIT) management of mobile devices generally met information security standards.
VA’s OIT manages more than 50,000 mobile devices that store and transmit veteran information that must be protected, says the audit. The OIG found OIT’s security practices for mobile devices generally minimized security weaknesses within VA’s network. However, the OIG did find vulnerabilities associated with configuration management:
- OIT did not block the use of applications to prevent malicious, vulnerable, or flawed software (“blacklisting”) as required by VA policy, increasing the risk of lost data.
- the VA did not ensure mobile device users are completing the required annual information security training and had no way to validate the effectiveness of that training.
- VA did not use configuration management tools to control and automate update releases for its mobile devices and applications—the OIG found 12,298 out of 50,618 mobile devices had unapproved operating systems.
According to OIT’s director of mobile technology and endpoint security engineering, OIT decided not to use blacklisting or other configuration management tools because of concerns about workload.
The OIG recommended the assistant secretary for information and technology either enforce blacklisting or formally assess and document whether training would work to prevent users from downloading and using non-VA-approved applications. The OIG also recommended that the assistant secretary ensure users do not update devices and applications until after testing is conducted by the Mobile Device Management team and ensure mobile device users complete required annual training before accounts are activated.