A RESEARCH STUDY Audit Statement of Veterans Affairs' Association


The Veterans Affairs (VA) is at the mercy of the Government Security Insurance policy (GSP) and must be sure compliance with the GSP and operational specifications. The VA is accountable for the conduct of any audit to determine the efficiency and effectiveness of its security program. With the need of the VA, we conducted an audit of security to provide management of the VA with a target assessment of it security program. Overall, we discovered that the VA attained certain requirements of the federal government Security Insurance plan (GSP) with respect to conformity, efficiency, and effectiveness. The audit provides an overview of the main security actions we noticed. We also identified areas for improvement.

The office of Veterans Affairs' Investigation


Generally, the VA has put in place a security program which complies with the GSP and operational standards. The functions and tasks of Security Management, Workers Security, Physical Security, Information Technology Security as well as Contracting Management Security and Contingency Actions Security are obviously described in the Security Management Composition.

The Departmental security officer (DSO) holds out his obligations by coordinating, handling and updating the security program on a regular basis. The VA has put in place adequate mechanisms to guarantee the protection of sensitive information and belongings. The very sensitive information and investments are classified, selected, declassified or removed, in conformity with the criteria. Emergency and restoration plans are routinely developed, noted and revised, in conformity with certain requirements.

Public Works and Secure Impact (PWSI) happens to be responsible for security verification services that happen to be conducted in conformity with the Security Insurance plan and the Workers Security Standards. Even though the original agreement between your two parties for this service is no longer valid. Additionally, certain functions and responsibilities between the two parties aren't clearly founded and described in the contract. Currently, the VA can determine the security level related to the position requirements and requests the appropriate staff screening. The PWSI serves as the administrative security officer by granting the level of security wanted by the VA.

About the Audit

The Veterans Affairs (VA) is accountable for protecting very sensitive data such as financial, medical, and personal Veteran and employee information under their power. The information must be classified and designated considering the provisions for enough exceptions of the Access to Information Act and the Personal privacy Act. The data appropriate to information systems must be grouped and specifically selected per their confidentiality, integrity, supply and value. Information and delicate data must be guarded per minimal criteria, and related risk and threat examination.

The VA is responsible for the execution of the Security Policy within its institution and must conduct an interior audit on their compliance with the plan and their efficiency in implementing it at least every year. This audit is conducted within the platform of Treasury Panel Secretariat's requirements in this value.


The objectives of the audit are to ensure the compliance of most very sensitive information and goods with the Government Security Coverage (GSP) and with the functional criteria and the efficiency and effectiveness of the Security Program of the VA. More specifically, the aims focused on: Security organization, Security Management, Physical Security and Workers Security.

Scope of the Audit

The audit addresses the next

Security Group: the structure of security management at the VA for the overall security program.

Security Management: the security program, the security education and training programs, the classification and designation of delicate data, the measures of security for hypersensitive information, the breaches and violations of security and other security-related happenings, the protection actions taken for external communications.

Physical Security: the location and layout of installations, the id and the application of protection procedures in the installations, the exam and control of physical security options.

Personnel Security: the workers security investigations, the authorization, refusal and revocation of security levels, the procedures required at employees' termination of job.

Security and management of crisis situations: necessary actions are taken up to protect hypersensitive information and investments and employees during all sorts of emergencies.

Security and management of contracting: security measurements are included with other requirements in contracts involving usage of very sensitive information.

Approach and Methodology

The audit methodologies are made up of interviews, data gathering, information and article analyses, the analysis of files and the observation of practices.

Findings and Management Responses

Security Organization

Objective: To verify whether there exists set up a security management framework achieving the Agency's requirements for the entire security program, specifically management security, physical security and personnel security.

VA has integrated a security management framework which meets the overall security program needs of the Company. The security duties are clearly identified, established and designated to employees whose positions include security tasks defined in the position information. Secure Impact, a tenant in the same building as VA, is in charge of the development and execution of the physical security. For staff security screening process VA depends upon the services of PW.

Area of Improvement

The audit has discovered that the agreement between your VA and PW for the delivery of workers security testing services has expired. Furthermore, certain jobs and obligations of PW as related to the security of the VA workers were not obviously established in the expired contract.

Management Response

The VA identifies the importance of preserving valid agreements with its service providers, specially when coping with security issues. The VA also appreciates the need of having clear functions and responsibilities defined in the agreement and known by all get-togethers.

After being apprised of these situation, the VA approached PW to commence negotiation on a fresh agreement, which would obviously state jobs and responsibilities of most parties.

The VA will also ensure that this agreement is revised periodically and that it's extended, predicated on functional requirements.

Security Management

Objective: To validate whether a good security program is an integral part of the VA's overall program and matches the GSP requirements and functional standards.

The VA presently has a good security program set up which complies with certain requirements of the GSP and functioning standards. The duties designated to security employees are fully completed. Guides and steps have been developed which are being used as guidelines for those in charge of security.

Area of improvement

Develop a security plan or adjust the TBS security plan to meet up with the VA requirements.

Management Response

The VA will review current Administration Security Policy and regulate how and if it could be adapted to meet VA requirements. Should this not be feasible, the VA will establish its own internal security insurance plan.

It should be noted that however the VA has no official internal policy which includes all aspects of security, it does have a policy on electronic mail, which pieces out standards for ensuring that established security levels are honored and that needed information is preserved.

Objective: To validate whether there are good security education and training programs.

The VA does not have set up a security education and training curriculum.

Area of improvement

Provide training to employee with security tasks.

Management Response

The VA is fully supportive in providing training to its employees. Each year, an exercise plan is published by employees and approved by the Chairperson. The VA will ensure that those employees with specific security functions are made aware of and encouraged to take training necessary to meet current and forthcoming security requirements.

Objective: To verify whether very sensitive information is labeled and selected in conformity with the GSP and operational standards, and whether the classifications and designations are unclassified or eradicated when the info is no longer, or less of an sensitive aspect.

The VA has executed a system to ensure that goods of your sensitive mother nature are grouped and chosen in conformity with the GSP and functional benchmarks; the same system is also being used to declassify or get rid of the same goods.

Area of improvement

No suggested improvement

Objective: To verify whether protection measures are requested very sensitive information, as well for employees, in compliance with the mandatory expectations and with a risk management strategy.

The VA has integrated mechanisms to ensure the security of sensitive information. An activity is in place to declassify delicate information when it is no longer sensitive. The controls in place ensure authorized to receive such information.

Area of improvement

No advised improvement

Objective: To confirm whether breaches of security, security violations and other security-related incidents that you can do are the subject of enquiry, that options are taken to minimize the loss and that the required administrative or disciplinary options are taken if warranted.

Breaches of security, security violations and other security-related incidents are reported to Secure Impact. Secure Impact is liable to take the required administrative measures also to ensure follow-up.

A mechanism is set up and is utilized to report security breaches also to prepare information.

Area of improvement

No recommended improvement

Objective: To verify if the necessary protection methods are considered for the delicate information communicated to or from public sources outside the department.

The VA comes after procedures concerning very sensitive information sent to official resources outside the section.

Area of improvement

No recommended improvement

Physical Security

Objective: To verify whether consideration was presented with to providing good siting to, as well as enough retrofit of installations, to lessen or eliminate hazards and hazards to that your information, and the employees in those installations are shown.

The VA uses the facilities and also other federal government departments. Secure Impact ensures the physical security, thus reducing or eliminating risks and dangers. A physical security committee is established with a agent of the VA. Within this regards, the physical security is satisfactory.

Area of improvement

No suggested improvement

Objective: To confirm if the required physical safeguard steps are applied in installations, so that delicate information is well safeguarded.

The current physical protection procedures ensure that sensitive information is shielded.

Area of improvement

No advised improvement

Objective: To confirm if the physical security steps required are applied in the installations to ensure the security and security of staff.

Implemented physical security options in the VA facilities ensure staff cover and security.

Area of improvement

No recommended improvement

Objective: To check if the physical security actions are periodically researched and managed.

Security methods are analyzed and controlled routinely.

Area of improvement

No recommended improvement

Personnel Security

Objective: To make sure that the staff of the VA is put through a security check per the Government Security Coverage (GSP) and the standard on Workers Security

The audit found that security checks were conducted in compliance with the federal government Security Coverage (GSP) and the criteria on Personnel Security. PW is in charge of the safe storing of employees records and for the completing and storing of security investigation forms demands.

Area of improvement

No advised improvement

Objective: To check whether the necessary levels of security are approved, refused and revoked per the GSP and also to the personnel security standard, and whether such actions are used a just and impartial way.

The VA does not have any record of refusals or revocations of degrees of security. The VA recognizes its responsibilities in this matter.

Area of improvement

No suggested improvement

Objective: To verify that the necessary measures are taken up to reduce or eliminate any risk for the very sensitive information and goods as well for the department's essential systems at the termination of employment.

The audit discovered that the necessary procedures are taken at the termination of employment.

Area of improvement

No recommended improvement

Security and Contracting Management

Objective: Make sure that security requirements are incorporated with other requirements in agreements when they require access to sensitive information.

The VA doesn't have mechanisms in spot to check authorization to access facilities by the contracting people.

Area of Improvement

Put in place a mechanism to check on the authority to gain access to the facilities by the contracting people.

Management response

The VA is fully alert to its responsibility to ensure that only those individuals with proper authority receive access to its facilities. In some instances, authority to gain access to VA facilities is distributed by another division, such as Secure Impact, however the VA is enlightened in advance. The VA will ensure that in those situations where another section gives access to its facilities, once the individuals arrive, their name and authority will be confirmed with the other section.


The audit has an overview of the main security measures detected, as well as, recognizes areas for improvement. The audit methodologies are comprised of interviews, data gathering, information and statement analyses, the analysis of data and the observation of procedures. Finally, the audit addresses security group, security management, physical security, workers security, security and management of crisis cases, and security and management of contracting.


http://andrei. clubcisco. ro/cursuri/5master/sric-asr/cursuri/Readings/secaudit. pdf

Also We Can Offer!

Other services that we offer

If you don’t see the necessary subject, paper type, or topic in our list of available services and examples, don’t worry! We have a number of other academic disciplines to suit the needs of anyone who visits this website looking for help.

How to ...

We made your life easier with putting together a big number of articles and guidelines on how to plan and write different types of assignments (Essay, Research Paper, Dissertation etc)