This security profile of the Department of Veterans Affairs (VA) is based on two documents of public record. The first is the published VA Handbook 6500 (VAH 6500), which defined policy and procedures for systems within the purview of the VA (Department of Veterans Affairs, 2007). The second is the Federal Information Security Management Act Assessment for FY 2011, commissioned by the VA Office of Inspector General (OIG) and performed by Ernst & Young in accordance with Federal Information Security Management Act (FISMA) guidelines (VA Office of Inspector General, 2012, p. i).

2. Identification of Controls
This security profile presents one control function from each of three primary policy and procedure control families. These controls are “System/New Technology Development Life Cycle” from Management Controls, “Security Training, Education, and Awareness” from Operational Controls, and “Remote Access” from Technical Controls. These controls were selected because the information provided in the fiscal year 2006, 2010 (VA Office of Inspector General, 2011) and 2011 (VA Office of Inspector General, 2012) FISMA audits shows that the related findings remain unresolved.

3. Management Controls
The protection of systems via risk mitigation techniques is referred to as management controls. Management controls are designed to minimize the risk associated with the development process and with systems implementation.

4.1. VAH6500 Section 6.a.(7) System/New Technology Development Life Cycle
VAH6500 requires that any new technology undergo a systems development life cycle (SDLC) specific to the VA. The cycle consists of Initiation, Development / Acquisition, Implementation, Operation / Maintenance and Disposal. Systems must be able to encrypt/decrypt data. Systems not capable of this must receive a waiver from the OIG.

4.2. Implementation Assessment
The SDLC program provided does not provide the necessary information for an
References:

Department of Veterans Affairs. (2007). VA Handbook 6500. Washington, DC: US Government Printing Office. Retrieved February 20, 2013, from http://www.va.gov/vapubs/viewPublication.asp?Pub_ID=56

Department of Veterans Affairs. (2010). Strategic Plan FY 2010-2014. Washington, DC: US Government Printing Office. Retrieved February 20, 2013, from http://www.va.gov/op3/Docs/StrategicPlanning/VA_2010_2014_Strategic_Plan.pdf

National Institute of Standards and Technology. (2010). Guide for Assessing the Security Controls in Federal Information System (NIST 800-53a). Washington, DC: US Government Printing Office. Retrieved from http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final_updated-errata_05-01-2010.pdf

United States Department of Veterans Affairs. (n.d.). CRISP. Retrieved February 21, 2013, from United States Department of Veterans Affairs: http://www.saltlakecity.va.gov/features/CRISP.asp

VA Office of Inspector General. (2011). Department of Veterans Affairs Federal Information Security Management Act Assessment for FY 2010 (10-01916-165). Washington, DC: US Government Publishing Office. Retrieved from http://www.va.gov/oig/52/reports/2011/VAOIG-10-01916-165.pdf

VA Office of Inspector General. (2012). Department of Veterans Affairs Federal Information Security Management Act Assessment for FY 2011 (11-00320-138). Washington, DC: US Government Printing Office. Retrieved February 20, 2013, from http://www.va.gov/oig/pubs/VAOIG-11-00320-138.pdf