Oversight

Watchdog: VA benefits system lacks accurate audit logs

VA logo

The Department of Veterans Affairs' online benefits management system lacks accurate audit logs, and as a result cannot effectively identify the location of and respond to security violations, according to an April 28 Office of the Inspector General report.

The Veterans Benefits Administration established the Veterans Benefits Management System as a technology platform to eliminate the backlog of veteran compensation claims by transitioning from a paper-intensive claims process to a digitized system. VBMS has reportedly made progress in reducing the backlog, but remains subject to the limitations of the department's legacy systems.

Acting on an April 2015 anonymous tip, the VA OIG discovered the VBA failed to pass accurate information along to the legacy audit logs. Audit logs allow Information Security Officers to review, audit and intervene on potential security violations, and deficient ones result in an inability to detect and address security violations within VBMS.

At issue is whether VBA has the ability to detect whether claims employees are working on claims in which they have a conflict of interest, such as those of friends, co-workers, or even their own claims.

Auditors conducted tests of the system by observing 17 employees at three VA regional offices attempt to access veteran employee compensation claims in VBMS, which were committed improperly. Audit logs identified security violations for 15 of the 17 employees, but did not indicate that security violations had occurred within VBMS. Instead, violations were shown to have occurred in a different VBA application or in an unknown system.

VBA disputed the extent of the risk posed by the logging issue. Danny Pummill, acting undersecretary for benefits, wrote that the tests used by OIG to validate its findings create "a false impression of VBA information security weaknesses." Pummill said there are separate control systems that "prevent employees from colluding on the claims of other employees and to ensure separation of duties between staff involved in approving monetary awards and payment of benefits."

Pummell concurred with some of the technical recommendations, and said new requirements on how VBMS data should appear in audit logs by July 31. VA CIO LaVerne Council said that a more integrated audit log could be in place by the end of 2016.

About the Author

Chase Gunter is a former FCW staff writer.

Featured

  • Defense
    Ryan D. McCarthy being sworn in as Army Secretary Oct. 10, 2019. (Photo credit: Sgt. Dana Clarke/U.S. Army)

    Army wants to spend nearly $1B on cloud, data by 2025

    Army Secretary Ryan McCarthy said lack of funding or a potential delay in the JEDI cloud bid "strikes to the heart of our concern."

  • Congress
    Rep. Jim Langevin (D-R.I.) at the Hack the Capitol conference Sept. 20, 2018

    Jim Langevin's view from the Hill

    As chairman of of the Intelligence and Emerging Threats and Capabilities subcommittee of the House Armed Services Committe and a member of the House Homeland Security Committee, Rhode Island Democrat Jim Langevin is one of the most influential voices on cybersecurity in Congress.

Stay Connected

FCW INSIDER

Sign up for our newsletter.

I agree to this site's Privacy Policy.