The VA’s controls over the security of some 50,000 mobile devices used by its employees generally meet standards, said an IG report that nonetheless raised concerns that the department is not using “blacklisting” to block the use of potentially malicious, vulnerable, or flawed applications.
Without such enforcement, “users can download applications that are not authorized on VA mobile devices, such as cloud-based applications. Cloud-based applications could allow users to transfer locally stored VA data into uncontrolled storage, increasing the risk of lost VA data,” said the report, which added that since the audit the department “has started implementing application-vetting tools that have a similar capacity to blacklisting.”
Further, more than 12,000 of the devices had unapproved operating systems because the VA does not use configuration management tools to control and automate updates for its mobile devices and applications, instead leaving users responsible for managing the updates of their applications and operating systems.
Auditors also found that the VA does not validate whether users of mobile devices are completing the required annual training on security of mobile devices. Separate required training on privacy, information security awareness and rules of behavior is validated but does not address prohibited applications on mobile devices, the report said.