Wednesday, April 3, 2019

A Case Study Audit Report of Veterans Affairs Association

Introduction

The Veterans Affairs (VA) is subject to the Government Security Policy (GSP) and must ensure compliance with the GSP and operational standards. The VA is responsible for the conduct of an audit to determine the efficiency and effectiveness of its security program. At the request of the VA, we conducted an audit of security to provide the management of the VA with an objective assessment of its security program. Overall, we found that the VA met the requirements of the Government Security Policy (GSP) with respect to compliance, efficiency, and effectiveness. The audit provides an overview of the main security measures we observed. We also identified areas for improvement.

The Department of Veterans Affairs Investigation: A Case Study Audit Report

Generally, the VA has put in place a security program which complies with the GSP and operational standards. The roles and responsibilities of Security Management, Personnel Security, Physical Security, Information Technology Security as well as Contracting Management Security and Contingency Measures Security are clearly defined in the Security Management Structure.

The Departmental Security Officer (DSO) carries out his duties by coordinating, controlling and updating the security program on a regular basis. The VA has implemented adequate mechanisms to ensure the protection of sensitive information and assets. The sensitive information and assets are classified, designated, declassified or disposed of, in compliance with the standards. Emergency and recovery plans are periodically authenticated, documented and revised, in compliance with the requirements.

Public Works and Secure Impact (PWSI) is presently responsible for security screening services, which are conducted in compliance with the Security Policy and the Personnel Security Standards, even though the original agreement between the two parties for this service is no longer valid. Moreover, certain roles and responsibilities between the two parties are not clearly established and defined in the agreement. Presently, the VA determines the security level related to the position requirements and requests the appropriate personnel screening. The PWSI acts as the administrative security officer by granting the level of security requested by the VA.

About the Audit

The Veterans Affairs (VA) is responsible for protecting sensitive information such as financial, medical, and personal Veteran and employee information under their care. The information must be classified and designated considering the provisions for adequate exceptions of the Access to Information Act and the Privacy Act. The data relevant to information technologies must be classified and specifically designated per their confidentiality, integrity, availability and value. Information and sensitive data must be protected per minimal standards, and related risk and threat assessment.

The VA is responsible for the implementation of the Security Policy within its institution and must conduct an internal audit on their compliance with the policy and their efficiency in implementing it at least every year. This audit is conducted within the framework of Treasury Board Secretariat's requirements in this respect.

Objectives

The objectives of the audit are to ensure the compliance of all sensitive information and goods with the Government Security Policy (GSP) and with the operational standards, and the efficiency and effectiveness of the Security Program of the VA. More specifically, the objectives focused on Security Organization, Security Management, Physical Security and Personnel Security.

Scope of the Audit

The audit covers the following:

Security Organization: the structure of security management at the VA for the overall security program.

Security Management: the security program, the security direction and planning programs, the classification and designation of sensitive data, the measures of protection for sensitive information, the breaches and violations of security and other security-related incidents, the protection measures taken for external communications.

Physical Security: the location and layout of installations, the identification and the application of protection measures in the installations, the examination and control of physical security measures.

Personnel Security: the personnel security investigations, the authorization, refusal and revocation of security levels, the measures required at employees' termination of employment.

Security and management of emergency cases: necessary actions are taken to protect sensitive information and assets and employees during all types of emergencies.

Security and management of contracting: security measures are included with other requirements in contracts involving access to sensitive information.

Approach and Methodology

The audit methodologies are comprised of interviews, data gathering, information and report analyses, the study of files and the observation of practices.

Findings and Management Responses

Security Organization

Objective: To verify whether there is in place a security management structure meeting the Agency's requirements for the overall security program, specifically management security, physical security and personnel security.

VA has implemented a security management structure which meets the overall security program needs of the Agency. The security responsibilities are clearly defined, established and assigned to personnel whose positions include security responsibilities defined in the position description. Secure Impact, a tenant in the same building as VA, is responsible for the development and implementation of the physical security. For personnel security screening VA depends on the services of PW.

Area of improvement: The audit has found that the agreement between the VA and PW for the delivery of personnel security screening services has expired. Furthermore, certain roles and responsibilities of PW as related to the security of the VA personnel were not clearly established in the expired agreement.

Management response: The VA recognizes the importance of maintaining valid agreements with its service providers, especially when dealing with security issues. The VA also appreciates the necessity of having clear roles and responsibilities defined in the agreement and understood by all parties.

After being apprised of the above situation, the VA contacted PW to begin negotiation on a new agreement, which would clearly state roles and responsibilities of all parties.

The VA will also ensure that this agreement is revised periodically and that it is extended, based on operational requirements.

Security Management

Objective: To verify whether a good security program is an integral part of the VA's overall program and meets the GSP requirements and operational standards.

The VA currently has a good security program in place which complies with the requirements of the GSP and operational standards. The responsibilities assigned to security personnel are fully carried out. Guides and procedures have been developed which are used as guidelines for those in charge of security.

Area of improvement: Develop a security policy or adapt the TBS security policy to meet the VA requirements.

Management response: The VA will review current Government Security Policy and determine how and if it can be adapted to meet VA requirements. Should this not be feasible, the VA will develop its own internal security policy.

It should be noted that although the VA has no official internal policy which covers all aspects of security, it does have a policy on electronic mail, which sets out standards for ensuring that established security levels are adhered to and that needed information is preserved.

Objective: To verify whether there are good security education and training programs.

The VA does not have in place a security education and training program.

Area of improvement: Provide training to employees with security responsibilities.

Management response: The VA is fully supportive in providing training to its employees. Each year, a training plan is submitted by employees and approved by the Chairperson. The VA will ensure that those employees with specific security functions are made aware of and encouraged to take training required to meet current and upcoming security requirements.

Objective: To verify whether sensitive information is classified and designated in compliance with the GSP and operational standards, and whether the classifications and designations are declassified or downgraded when the information is no longer, or less of a sensitive nature.

The VA has implemented a mechanism to ensure that goods of a sensitive nature are classified and designated in compliance with the GSP and operational standards; the same mechanism is also being used to declassify or dispose of the same goods.

Area of improvement: No recommended improvement.

Objective: To verify whether protection measures are applied for sensitive information, as well as for employees, in compliance with the mandatory standards and with a risk management methodology.

The VA has implemented mechanisms to ensure the security of sensitive information. A process is in place to declassify sensitive information when it is no longer sensitive. The controls in place ensure authorized to receive such information.

Area of improvement: No recommended improvement.

Objective: To verify whether breaches of security, security violations and other security-related incidents that may take place are the subject of an enquiry, that measures are taken to minimize the losses and that the necessary administrative or disciplinary measures are taken if warranted.

Breaches of security, security violations and other security-related incidents are reported to Secure Impact. Secure Impact is responsible for taking the necessary administrative measures and for ensuring follow-up.

A mechanism is in place and is used to report security breaches and to prepare reports.

Area of improvement: No recommended improvement.

Objective: To verify whether the necessary protection measures are taken for the sensitive information communicated to or from official sources outside the department.

The VA follows procedures concerning sensitive information transmitted to official sources outside the department.

Area of improvement: No recommended improvement.

Physical Security

Objective: To verify whether consideration was given to providing good siting to, as well as adequate retrofit of installations, to reduce or eliminate threats and risks to which the information, and the employees in those installations are exposed.

The VA uses the facilities along with other government departments. Secure Impact ensures the physical security, thus reducing or eliminating threats and risks. A physical security committee is established with a representative of the VA. In this regard, the physical security is adequate.

Area of improvement: No recommended improvement.

Objective: To verify whether the required physical protection measures are applied in installations, so that sensitive information is well protected.

The current physical protection measures ensure that sensitive information is protected.

Area of improvement: No recommended improvement.

Objective: To verify whether the physical security measures required are applied in the installations to ensure the protection and security of staff.

Implemented physical security measures in the VA facilities ensure employee protection and security.

Area of improvement: No recommended improvement.

Objective: To verify whether the physical security measures are periodically reviewed and controlled.

Security measures are reviewed and controlled periodically.

Area of improvement: No recommended improvement.

Personnel Security

Objective: To ensure that the personnel of the VA is subjected to a security check per the Government Security Policy (GSP) and the standard on Personnel Security.

The audit found that security checks were conducted in compliance with the Government Security Policy (GSP) and the standards on Personnel Security. PW is responsible for the safe storing of personnel dispositions and for the filling in and storing of security investigation forms requests.

Area of improvement: No recommended improvement.

Objective: To verify whether the necessary levels of security are authorized, refused and revoked per the GSP and to the personnel security standard, and whether such measures are taken in a just and impartial way.

The VA has no record of refusals or revocations of levels of security. The VA recognizes its responsibilities in this matter.

Area of improvement: No recommended improvement.

Objective: To verify that the necessary measures are taken to reduce or eliminate any risk for the sensitive information and goods as well as for the department's essential systems at the termination of employment.

The audit found that the necessary measures are taken at the termination of employment.

Area of improvement: No recommended improvement.

Security and Contracting Management

Objective: Ensure that security requirements are included with other requirements in contracts when they involve access to sensitive information.

The VA does not have mechanisms in place to check authorization to access facilities by the contracting parties.

Area of improvement: Put in place a mechanism to check the authority to access the facilities by the contracting parties.

Management response: The VA is fully aware of its responsibility to ensure that only those individuals with proper authority are given access to its facilities. In some cases, authority to access VA facilities is given by another department, such as Secure Impact, but the VA is informed in advance. The VA will ensure that in those situations where another department gives access to its facilities, once the individuals show up, their name and authority will be verified with the other department.

Conclusion

The audit provides an overview of the main security measures observed and identifies areas for improvement. The audit methodologies are comprised of interviews, data gathering, information and report analyses, the study of files and the observation of practices. Finally, the audit covers security organization, security management, physical security, personnel security, security and management of emergency cases, and security and management of contracting.

Reference

http://andrei.clubcisco.ro/cursuri/5master/sric-asr/cursuri/Readings/secaudit.pdf
