This security profile of the Department of Veterans Affairs (VA) is based on two documents of public record. The first is the published VA Handbook 6500 (VAH 6500), which defined policy and procedures for systems within the purview of the VA (Department of Veterans Affairs, 2007). The second document is the Federal Information Security Management Act Assessment for FY 2011, commissioned by the VA Office of Inspector General (OIG) and performed by Ernst & Young in accordance with Federal Information Security Management Act (FISMA) guidelines (VA Office of Inspector General, 2012, p. i).
2. Identification of Controls
This security profile presents one control function from each of three primary policy and procedure controls. These controls are “System/New Technology Development Life Cycle” from Management Controls, “Security Training, Education, and Awareness” from Operational Controls, and “Remote Access” from Technical Controls. These controls were selected because of their lack of resolution, based on information provided in the fiscal year 2006, 2010 (VA Office of Inspector General, 2011) and 2011 (VA Office of Inspector General, 2012) FISMA audits.
3. Management Controls
The protection of systems via risk mitigation techniques is referred to as management controls. Management controls are designed to minimize risk associated with the development process and systems implementation.
4.1. VAH6500 Section 6.a.(7) System/New Technology Development Life Cycle
VAH6500 requires that any new technology undergo a systems development life cycle (SDLC) specific to the VA. The cycle consists of Initiation, Development / Acquisition, Implementation, Operation / Maintenance and Disposal. Systems must be able to encrypt/decrypt data. Systems not capable of this must receive a waiver from the OIG.
4.2. Implementation Assessment
The SDLC program provided does not provide the necessary information for an effective...