Report: Lack of audit logs poses security risk for VA's electronic benefits system

While the Department of Veterans Affairs has made progress in implementing its electronic benefits management system, it failed to integrate audit logs into the project, making it impossible to detect and respond to security violations, according to a report from the VA Office of the Inspector General (OIG).

The OIG investigated an anonymous complaint that alleged the system lacked suitable audit logs that would clearly report all security violations occurring within the system. The OIG investigated the complaint by having 17 employees at three VA Regional Offices attempt to access veteran employee compensation claims for which they were not authorized.

While audit logs identified security violations for 15 of the 17 employees, the logs did not show that the security violations occurred within the benefits management system, though they did show the violations within another application employees use. OIG could not determine why the actions of the other two employees were not flagged.

The report calls this a design flaw--failure to develop sufficient system requirements to include audit logs and ensure they're accessible to information security officers. Until this is fixed, it says, regional offices will be susceptible to fraudulent compensation claims processing.

The VA has spend years implementing the paperless system, designed to clear the agency's massive claims backlog. In January, the Government Accountability Office reported that 95 percent of claims records reside within the system, though it did not fully support claims or appeals processing.

The GAO also previously criticized system defects and lack of clear timeline for the project.

To learn more:
- here's the report (.pdf)