This is the accessible text file for GAO report number GAO-07-256 
entitled 'Information Security: Sustained Progress Needed to Strengthen 
Controls at the Securities and Exchange Commission' which was released 
on March 28, 2007. 

This text file was formatted by the U.S. Government Accountability 
Office (GAO) to be accessible to users with visual impairments, as part 
of a longer term project to improve GAO products' accessibility. Every 
attempt has been made to maintain the structural and data integrity of 
the original printed product. Accessibility features, such as text 
descriptions of tables, consecutively numbered footnotes placed at the 
end of the file, and the text of agency comment letters, are provided 
but may not exactly duplicate the presentation or format of the printed 
version. The portable document format (PDF) file is an exact electronic 
replica of the printed version. We welcome your feedback. Please E-mail 
your comments regarding the contents or accessibility features of this 
document to Webmaster@gao.gov. 

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately. 

Report to the Chairman, Securities and Exchange Commission: 

United States Government Accountability Office: 

GAO: 

March 2007: 

Information Security: 

Sustained Progress Needed to Strengthen Controls at the Securities and 
Exchange Commission: 

GAO-07-256: 

GAO Highlights: 

Highlights of GAO-07-256, a report to the Chairman, Securities and 
Exchange Commission 

Why GAO Did This Study: 

In carrying out its mission to ensure that securities markets are fair, 
orderly, and efficiently maintained, the Securities and Exchange 
Commission (SEC) relies extensively on computerized systems. 
Integrating effective information security controls into a layered 
control strategy is essential to ensure that SECís financial and 
sensitive information is protected from inadvertent or deliberate 
misuse, disclosure, or destruction. 

As part of its audit of SECís financial statements, GAO assessed (1) 
SECís actions to correct previously reported information security 
weaknesses and (2) the effectiveness of controls for ensuring the 
confidentiality, integrity, and availability of SECís information 
systems and information. To do this, GAO examined security policies and 
artifacts, interviewed pertinent officials, and conducted tests and 
observations of controls in operation. 

What GAO Found: 

SEC has made important progress toward correcting previously reported 
information security control weaknesses. Specifically, it has corrected 
or mitigated 58 of the 71 weaknesses previously reported as unresolved 
at the conclusion of GAOís 2005 audit. The commission resolved all of 
the previously reported weaknesses in security related activities and 
contingency planning, and made significant progress in resolving access 
control weaknesses. A key reason for its progress was that SECís senior 
management was actively engaged in implementing information security 
related activities. 

Despite this progress, SEC has not consistently implemented certain key 
controls to effectively safeguard the confidentiality, integrity, and 
availability of its financial and sensitive information and information 
systems. In addition to 13 previously identified weaknesses that remain 
unresolved, 15 new information security weaknesses were identified. By 
the conclusion of GAOís review, SEC took action to address 11 of the 15 
new weaknesses. A primary reason for these control weaknesses is that 
SEC had not consistently implemented elements of its information 
security program. This included inconsistent implementation of agency 
policies and procedures, not sufficiently testing and evaluating the 
effectiveness of controls for a major system as required by its 
certification and accreditation process, and not consistently taking 
effective and timely action to correct deficiencies identified in 
remedial action plans. Until SEC does, it will have limited assurance 
that it will be able to manage risks and protect sensitive information 
on an ongoing basis. 

What GAO Recommends: 

GAO recommends that the SEC Chairman improve the implementation of its 
policies and procedures, control tests and evaluations, and remedial 
action plans as part of its agencywide information security program. 

In commenting on a draft of this report, SEC stated that it will 
actively work to implement GAOís recommendations. 

[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-07-256]. 

To view the full product, including the scope and methodology, click on 
the link above. For more information, contact Greg Wilshusen at 202-512-
6244 or WilshusenG@gao.gov. 

[End of section] 

Contents: 

Letter: 

Results in Brief: 

Background: 

Objectives, Scope, and Methodology: 

SEC Has Made Important Progress Correcting Previously Reported 
Weaknesses: 

Key Controls Were Not Consistently Implemented: 

Conclusions: 

Recommendations for Executive Action: 

Agency Comments: 

Appendix I: Comments from the Securities and Exchange Commission: 

Appendix II: GAO Contact and Staff Acknowledgments: 

Abbreviations: 

CATS: Case Activity Tracking System 2000: 

CIO: chief information officer: 

CISO: chief information security officer: 

EDGAR: Electronic Data Gathering, Analysis, and Retrieval system: 

FISCAM: Federal Information System Controls Audit Manual: 

FISMA: Federal Information Security Management Act: 

SEC: Securities and Exchange Commission: 

United States Government Accountability Office: 
Washington, DC 20548: 

March 27, 2007: 

The Honorable Christopher Cox: 
Chairman, Securities and Exchange Commission: 

Dear Mr. Chairman: 

As you are aware, the Securities and Exchange Commission (SEC) is 
responsible for enforcing securities laws, issuing rules and 
regulations that provide protection for investors, and helping to 
maintain fair, orderly, and efficient securities markets. To support 
its demanding financial and mission-related responsibilities, the 
commission relies extensively on computerized systems. 

Integrating effective information security controls[Footnote 1] into a 
layered control strategy is essential to ensure that financial and 
sensitive information--such as personnel and regulatory information 
maintained by SEC--is adequately protected from inadvertent or 
deliberate misuse, fraudulent use, improper disclosure, or destruction. 

As part of our audit of SEC's fiscal year 2006 financial 
statements,[Footnote 2] we assessed the effectiveness of the 
commission's information security controls over key financial systems, 
data, and networks. Our specific objectives were to assess (1) the 
status of SEC's actions to correct or mitigate previously reported 
information security weaknesses and (2) the effectiveness of the 
commission's information system controls for ensuring the 
confidentiality, integrity, and availability of its information systems 
and information. 

In our report on SEC's financial statements for fiscal years 2006 and 
2005,[Footnote 3] we reported that the new information security 
deficiencies we identified in fiscal year 2006 and the unresolved 
deficiencies from prior audits represented a reportable 
condition[Footnote 4] in internal controls over the commission's 
information systems. 

We performed our work at SEC headquarters in Washington, D.C., and at 
its computer facility in Alexandria, Virginia, from May 2006 through 
November 2006 in accordance with generally accepted government auditing 
standards. 

Results in Brief: 

SEC has made important progress toward correcting previously reported 
information security control weaknesses. Specifically, it has corrected 
or mitigated 58 of the 71 weaknesses previously reported as unresolved 
at the conclusion of our 2005 audit. The commission resolved all of the 
previously reported weaknesses in security related activities and 
contingency planning, and it made significant progress in resolving 
access controls weaknesses. A key reason for its progress was that 
SEC's senior management was actively engaged in implementing 
information security related activities, including establishing 
policies and procedures for risk management, ensuring that all users 
complete security training, and developing an incident response 
program. 

Despite this progress, SEC has not consistently implemented key 
controls to effectively safeguard the confidentiality, integrity, and 
availability of its financial and sensitive information and information 
systems. In addition to 13 previously identified weaknesses that remain 
unresolved, we identified 15 new information security weaknesses 
pertaining to SEC's access controls and configuration management. For 
example, SEC did not have current documentation on the privileges 
granted to users of a major application, did not securely configure 
certain system settings, or has not consistently installed all patches 
to its systems. As a result, the commission's financial and sensitive 
data are at increased risk of unauthorized disclosure, modification, or 
destruction. 

A primary reason for these control weaknesses is that SEC had not 
consistently implemented elements of its information security program. 
Agency policies and procedures were not consistently implemented across 
the agency. In addition, the commission did not sufficiently test and 
evaluate the effectiveness of controls for a major system as required 
by its certification and accreditation process. The commission also did 
not take effective and timely action to correct deficiencies identified 
in remedial action plans. If SEC does not continue to sustain the 
progress it has made to improve its information security program, it 
will not have sufficient assurance that its processes can mitigate 
known weaknesses and protect sensitive information on an ongoing basis. 

We are making recommendations to the SEC Chairman to assist the 
commission in improving the implementation of its policies and 
procedures, control tests and evaluations, and remedial action plans as 
part of its agencywide information security program. 

In a separate report designated "Limited Official Use Only",[Footnote 
5] we are also making 18 recommendations to address actions needed to 
correct 15 information security weaknesses. By the conclusion of our 
review, SEC took action to address 11 of the 15 new information 
security weaknesses. 

In providing written comments on a draft of this report, the SEC 
Chairman and Chief Information Officer agreed that the agency needs to 
maintain momentum addressing the remaining gaps in its information 
security program and stated that it is actively working to complete 
corrective actions for findings that remain open and enhance its 
information security program by implementing our recommendations. 

Background: 

Information security is a critical consideration for any organization 
that depends on information systems and computer networks to carry out 
its mission or business; and it is especially important for government 
agencies, where the public's trust is essential. The dramatic expansion 
in computer interconnectivity and the rapid increase in the use of the 
Internet are changing the way our government, the nation, and much of 
the world communicate and conduct business. Without proper safeguards, 
systems are unprotected from individuals and groups with malicious 
intent to intrude and use the access to obtain sensitive information, 
commit fraud, disrupt operations, or launch attacks against other 
computer systems and networks. These concerns are well founded for a 
number of reasons, including the dramatic increase in reports of 
security incidents, the ease of obtaining and using hacking tools, the 
steady advance in the sophistication and effectiveness of attack 
technology, and the dire warnings of new and more destructive attacks 
to come. 

Computer-supported federal operations are likewise at risk. Our 
previous reports and reports by several agencies' inspectors general 
describe persistent information security weaknesses that place a 
variety of federal operations at risk of inappropriate disclosure, 
fraud, and disruption. We have designated information security as a 
governmentwide high-risk area since 1997.[Footnote 6] 

Recognizing the importance of securing the information systems of 
federal agencies, Congress enacted the Federal Information Security 
Management Act (FISMA)[Footnote 7] in December 2002. FISMA requires 
each agency to develop, document, and implement an agencywide 
information security program for the data and systems that support the 
operations and assets of the agency, using a risk-based approach to 
information security management. Information security program 
requirements to be implemented include assessing risk; developing and 
implementing policies, procedures, and security plans; providing 
security awareness and training; testing and evaluating the 
effectiveness of controls; planning, implementing, evaluating, and 
documenting remedial actions to address information security 
deficiencies; detecting, reporting, and responding to security 
incidents; and ensuring continuity of operations. 

SEC's Role as Protector of Securities Investors: 

Following the stock market crash of 1929, Congress passed the 
Securities Exchange Act of 1934,[Footnote 8] establishing SEC to 
enforce securities laws, regulate the securities markets, and protect 
investors. To carry out its responsibilities and help ensure that fair, 
orderly, and efficient securities markets are maintained, the 
commission issues rules and regulations that promote adequate and 
effective disclosure of information to the investing public. The 
commission also oversees and requires the registration of other key 
participants in the securities industry, including stock exchanges, 
broker-dealers, clearing agencies, depositories, transfer agents, 
investment companies, and public utility holding companies. SEC is an 
independent, quasi-judicial agency that operates at the direction of 
five commissioners appointed by the President and confirmed by the 
Senate. 

In fiscal year 2006, SEC had a budget of about $888 million and staff 
of 3,590. Each year the commission accepts, processes, and publicly 
disseminates more than 600,000 documents from companies and 
individuals, including annual reports from more than 12,000 reporting 
companies. In fiscal year 2006, the commission collected $499 million 
in filing fees and $1.8 billion in penalties and 
disgorgements.[Footnote 9] To support its financial operations and 
store the sensitive information it collects, the commission relies 
extensively on computerized systems interconnected by local and wide 
area networks. To process and track financial transactions such as 
filing fees paid by corporations and penalties from enforcement 
activities, SEC relies on several applications--Momentum, Electronic 
Data Gathering, Analysis, and Retrieval system (EDGAR), and Case 
Activity Tracking System 2000 (CATS). Momentum, a commercial off-the- 
shelf accounting software product, is used to record the commission's 
accounting transactions, to maintain its general ledger, and to 
maintain the information SEC uses to produce financial reports. EDGAR 
is an Internet-based system used to collect, validate, index, and 
accept the submissions of forms filed by SEC-registered companies. 
EDGAR transfers this information to the general ledger nightly. The 
commission's Division of Enforcement uses CATS, a modified commercial 
off-the-shelf database application, to record enforcement data and 
create management reports. CATS tracks enforcement-related data, 
including SEC-imposed fines and penalties. In addition, the commission 
uses these systems to maintain sensitive information, including filing 
data for corporations, and legal information on enforcement activities. 

According to FISMA, the Chairman of the SEC has responsibility for 
providing information security protections commensurate with the risk 
and magnitude of the harm resulting from unauthorized access, use, 
disclosure, disruption, modification or destruction of the agency's 
information systems and information. The Chairman of the SEC delegated 
authority to the chief information officer (CIO) to be responsible for 
establishing and maintaining a comprehensive information security 
program and governance framework. As part of its program, the CIO is to 
(1) ensure that policies, procedures, and control techniques to address 
all applicable information security requirements are effectively 
implemented and maintained; (2) work closely with designated 
authorizing officials to ensure that the SEC-wide program is 
effectively implemented and managed; and (3) delegate authority to the 
agency chief information security officer (CISO) to carry out 
information security responsibilities and to ensure compliance with 
applicable federal laws, regulations, and standards. The CISO serves as 
the CIO's liaison with system owners and authorizing officials to 
ensure the agency security program is effectively implemented. The CISO 
also ensures certifications and accreditations are accomplished in a 
timely and cost-effective manner and that there is centralized 
reporting of all information security related activities. 

Objectives, Scope, and Methodology: 

The objectives of our review were to assess (1) the status of SEC's 
actions to correct or mitigate previously reported information security 
weaknesses and (2) the effectiveness of the commission's information 
system controls for ensuring the confidentiality, integrity, and 
availability of its information systems and information. As part of our 
assessment of the effectiveness of SEC's information system controls, 
we also evaluated the commission's progress toward meeting the 
requirements for an agencywide security program mandated by FISMA. 

We conducted our review using our Federal Information System Controls 
Audit Manual (FISCAM),[Footnote 10] a methodology for reviewing 
information system controls that affect the confidentiality, integrity, 
and availability of computerized data. Specifically, we evaluated 
information security controls in the following areas: 

* security management, which provides a framework and continuing cycle 
of activity for managing risk, developing security policies, assigning 
responsibilities, and monitoring the adequacy of the agency's computer- 
related controls; 

* access controls, which limit or detect access to computer resources 
(data, programs, equipment, and facilities), thereby protecting them 
against unauthorized modification, loss, and disclosure; 

* configuration management, which prevents unauthorized changes to 
information system resources (for example, software programs and 
hardware configurations); 

* segregation of duties, which includes policies, procedures, and an 
organizational structure to manage who can control key aspects of 
computer-related operations; and: 

* contingency planning, so that when unexpected events occur, critical 
operations continue without disruption or are promptly resumed, and 
critical and sensitive data are protected. 

For our first objective, we examined supporting documentation and 
conducted tests and evaluations of corrective actions taken by the 
commission to correct weaknesses previously reported as unresolved at 
the conclusion of our 2005 audit.[Footnote 11] 

To evaluate the effectiveness of the commission's information security 
controls and program, we identified and examined its pertinent security 
policies, procedures, guidance, security plans, and relevant reports. 
Where federal requirements, laws, and other guidelines, including 
National Institute of Standards and Technology guidance, were 
applicable, we used these to assess the extent to which the commission 
had complied with specific requirements. We held discussions with key 
security representatives, system administrators, and management 
officials to determine whether information system controls were in 
place, adequately designed, and operating effectively. In addition, we 
conducted tests and observations of controls in operation using federal 
guidance, checklists and vendor best practices. 

SEC Has Made Important Progress Correcting Previously Reported 
Weaknesses: 

SEC has corrected or mitigated 58 of the 71 security control weaknesses 
previously reported as unresolved at the conclusion of our 2005 audit. 
Specifically, the commission resolved all of the previously reported 
weaknesses in security related activities and contingency planning, and 
it has made significant progress in resolving access control 
weaknesses. A key reason for SEC's progress was that its senior 
management was actively engaged in implementing information security 
related activities and mitigating the previously reported weaknesses. 

The commission has addressed 34 of the previously identified access 
control weaknesses. For example, SEC has: 

* implemented controls to enforce strong passwords, and removed 
excessive rights granted to certain users on their Microsoft Windows 
servers and workstations; 

* established audit trails on its critical financial systems; 

* reconfigured its internal network infrastructure to be configured 
securely; 

* implemented virus protection on all of its Microsoft Windows servers; 

* developed and implemented procedures to review employee and 
contractor access to the data center based on SEC-established criteria; 

* assessed the physical security of each of its 11 field office 
locations and developed a plan to review each of the offices 
biannually; and: 

* developed an incident response program that includes policies and 
procedures for handling and analyzing incidents. 

SEC has also corrected or mitigated all 18 security related activity 
weaknesses previously reported as unresolved at the conclusion of our 
2005 audit. For example, the commission has: 

* implemented a risk assessment process; 

* established a process to ensure that effective information system 
controls exist to safeguard its payroll/personnel system; 

* had 99 percent of employees and contractors complete security 
awareness training; 

* developed and documented a process to ensure background 
investigations were conducted for employees and contractors; and: 

* established a process to identify and remove computer access rights 
accounts granted to separated contractors or nonpaid users of SEC 
systems. 

In addition, SEC has developed and updated its disaster recovery plans 
covering major applications. Moreover, the commission has tested its 
plans throughout the year through a series of disaster recovery 
exercises covering major applications and various scenarios. 

A key reason for its progress was that SEC's senior management was 
actively engaged in implementing information security related 
activities and mitigating the previously reported weaknesses. The 
Chairman has received regular briefings on agency progress in resolving 
the previously reported weaknesses, and the CIO has coordinated efforts 
with other offices involved in implementing information security 
policies and controls at the commission. An executive-level committee 
with oversight responsibility for the commission's internal controls 
was also established and has responsibility for approving programs and 
policies for internal control assessment and testing as well as 
developing policies to resolve internal control weaknesses. 

While SEC has made important progress in strengthening its information 
security controls and program, it has not completed actions to correct 
or mitigate 13 previously reported weaknesses. For example, the 
commission has not mitigated weaknesses in user account and password 
management, periodically reviewed software changes, or adequately 
controlled access to sensitive information. Failure to resolve these 
issues will leave the commission's sensitive data vulnerable to 
unauthorized disclosure, modification, or destruction. 

Key Controls Were Not Consistently Implemented: 

SEC has not consistently implemented certain key controls to 
effectively safeguard the confidentiality, integrity, and availability 
of its financial and sensitive information and information systems. In 
addition to 13 previously identified weaknesses that remain unresolved, 
we identified 15 new information security weaknesses in access controls 
and configuration management. By the conclusion of our review, SEC had 
taken action to address 11 of the 15 new weaknesses. A primary reason 
for these control weaknesses is that SEC had not consistently 
implemented elements of its information security program. As a result, 
the commission cannot be assured that its controls are appropriate and 
working as intended and that its financial and sensitive data and 
systems are not at increased risk of unauthorized disclosure, 
modification, or destruction. 

Access Controls: 

Access controls limit or detect inappropriate access to computer 
resources (data, equipment, and facilities), thereby protecting them 
from unauthorized disclosure, modification, and loss. Specific access 
controls include boundary protection, identification and 
authentication, authorization, and physical security. Without adequate 
access controls, unauthorized individuals, including outside intruders 
and former employees, can surreptitiously read and copy sensitive data 
and make undetected changes or deletions for malicious purposes or 
personal gain. In addition, authorized users can intentionally or 
unintentionally modify or delete data or execute changes that are 
outside their span of authority. 

Boundary Protection: 

Boundary protection pertains to the protection of a logical or physical 
boundary around a set of information resources and implementing 
measures to prevent unauthorized information exchange across the 
boundary in either direction. Organizations physically allocate 
publicly accessible information system components to separate 
subnetworks with separate physical network interfaces, and they prevent 
public access into their internal networks. Unnecessary connectivity to 
an organization's network increases not only the number of access paths 
that must be managed and the complexity of the task, but the risk of 
unauthorized access in a shared environment. SEC policy requires that 
certain automated boundary protection mechanisms be established to 
control and monitor communications at the external boundary of the 
information system and at key internal boundaries within the system. 
Additionally, SEC policy requires that if remote access technology is 
used to connect to the network, it must be configured securely. 

The commission did not configure a remote access application to include 
required boundary protection mechanisms. For example, the application 
was configured to allow simultaneous access to the Internet and the 
internal network. This could allow an attacker who compromised a remote 
user's computer to remotely control the user's secure session from the 
Internet. In addition, SEC did not securely configure the systems used 
for remote administration of its key information technology resources. 
Consequently, a remote attacker could exploit these vulnerabilities to 
launch attacks against other sensitive information systems within the 
commission. 

Identification and Authentication: 

A computer system must be able to identify and authenticate different 
users so that activities on the system can be linked to specific 
individuals. When an organization assigns unique user accounts to 
specific users, the system is able to distinguish one user from 
another--a process called identification. The system must also 
establish the validity of a user's claimed identity by requesting some 
kind of information, such as a password, that is known only by the 
user--a process known as authentication. SEC policy requires the 
implementation of automated identification and authentication 
mechanisms that enable the unique identification of individual users. 

The commission did not securely enforce identification and 
authentication controls on all of its information systems. For example, 
SEC did not remove default database accounts with known or weak 
passwords or ensure that these accounts had been locked. In addition, 
the commission was still unable to enforce strong password management 
on all of its systems and continued to have weak key-management 
practices for some of its secure connections. This increases the risk 
that unauthorized users could gain access to SEC systems and sensitive 
information. 

Authorization: 

Authorization is the process of granting or denying access rights and 
privileges to a protected resource, such as a network, system, 
application, function, or file. A key component of granting or denying 
access rights is the concept of "least privilege." Least privilege is a 
basic principle for securing computer resources and data. It means that 
users are granted only those access rights and permissions that they 
need to perform their official duties. To restrict legitimate users' 
access to only those programs and files that they need in order to do 
their work, organizations establish access rights and permissions. 
"User rights" are allowable actions that can be assigned to users or to 
groups of users. File and directory permissions are rules that are 
associated with a particular file or directory, regulating which users 
can access it--and the extent of that access. To avoid unintentionally 
giving users unnecessary access to sensitive files and directories, an 
organization must give careful consideration to its assignment of 
rights and permissions. SEC policy requires that each user or process 
be assigned only those privileges needed to perform authorized tasks. 

SEC system administrators did not ensure that their systems 
sufficiently restricted system and database access and privileges to 
only those users and processes requiring them to perform authorized 
tasks. For example, administrators had not properly restricted access 
rights to sensitive files on some servers. Nor did the commission 
adequately restrict privileges to a system database. In addition, new 
requests or modifications for user access to the EDGAR system were not 
reviewed by its system owner; nor was current documentation maintained 
on user privileges granted to individuals based on their roles and 
divisions. The commission also continued to experience difficulty 
implementing a process to effectively remove network system accounts 
from separated employees and adequately controlling access to sensitive 
information. These conditions provide more opportunities for 
unauthorized individuals to escalate their privileges and make 
unauthorized changes to files. 

Physical Security: 

Physical security controls are important for protecting computer 
facilities and resources from espionage, sabotage, damage, and theft. 
These controls restrict physical access to computer resources, usually 
by limiting access to the buildings and rooms in which the resources 
are housed and by periodically reviewing the access granted in order to 
ensure that access continues to be appropriate. At SEC, physical access 
control measures (such as guards, badges, and locks--used alone or in 
combination) are vital to protecting the agency's sensitive computing 
resources from both external and internal threats. SEC policy requires 
that specific procedures be followed to protect and control physical 
access to sensitive work areas in its facilities. 

SEC procedures for protecting and controlling physical access to 
sensitive work areas were not always followed. Specifically, the 
commission had not properly implemented perimeter security at a key 
location. Guards at the location did not inspect photo identification 
and expiration dates. In addition, the commission did not adequately 
restrict physical access to its network in public locations. Until SEC 
fully addresses its physical security vulnerabilities, there is 
increased risk that unauthorized individuals could gain access to 
sensitive computing resources and data and inadvertently or 
deliberately misuse or destroy them. 

Configuration Management: 

To protect an organization's information, it is important to ensure 
that only authorized applications and programs are placed in operation 
and that the applications are securely configured. This process, known 
as configuration management, consists of instituting policies, 
procedures, and techniques to help ensure that all programs and program 
modifications are properly authorized, tested, and approved. Specific 
controls for configuration management include policies and procedures 
over change control and patch management. Configuration management 
policies and procedures should be developed, documented, and 
implemented at the agency, system, and application levels to ensure an 
effective configuration management process. Patch management, including 
up-to-date patch installation, helps to mitigate vulnerabilities 
associated with flaws in software code, which could be exploited to 
cause significant damage. SEC policy requires vulnerability management 
of system hardware and software on all of its information systems. 

SEC continues to have difficulty implementing effective control over 
changes to software and other applications. For example, the commission 
lacked procedures to periodically review application code to ensure 
that only authorized changes were made to the production environment, 
did not document authorizations for software modifications, and did not 
always follow its policy of assigning risk classifications to 
application changes. As a result, unapproved changes to SEC production 
systems could be made. 

In addition, the commission did not ensure the application of timely 
and comprehensive patches and fixes to system software. For example, 
the commission did not consistently install critical patches for the 
operating system and third-party applications on its servers and end- 
user workstations. Failure to keep system patches up-to-date could 
allow unauthorized individuals to gain access to network resources or 
launch denial-of-service attacks against those resources. A malicious 
user can exploit these vulnerabilities to gain unauthorized access to 
network resources or disrupt network operations. As a result, there is 
increased risk that the integrity of these network devices and 
administrator workstations could be compromised. 

Information Security Program Not Yet Consistently Implemented: 

A primary reason for these control weaknesses is that SEC had not 
consistently implemented elements of its information security program. 
The effective implementation of an information security program 
includes implementing the key elements required under FISMA and the 
establishment of a continuing cycle of activity--which includes 
assessing risk, developing and implementing security procedures, and 
monitoring the effectiveness of these procedures--to ensure that the 
elements implemented under the program are effective. FISMA requires 
agencies to develop, document, and implement an information security 
program, which includes the following: 

* developing and implementing policies and procedures; 

* testing and evaluating the effectiveness of controls; and: 

* planning, implementing, evaluating, and documenting remedial actions 
to address information security deficiencies. 

Policies and Procedures: 

A key task in developing, documenting, and implementing an effective 
information security program is to establish and implement risk-based 
policies, procedures, and technical standards that cover security over 
an agency's computing environment. If properly implemented, policies 
and procedures can help to reduce the risk that could come from 
unauthorized access or disruption of services. Because security 
policies are the primary mechanism by which management communicates its 
views and requirements, it is important to document and implement them. 

Although SEC has developed and documented information security related 
policies and procedures, it has not consistently implemented them 
across all systems. According to SEC policy, heads of office and system 
owners are responsible for implementing policies and procedures as well 
as reviewing and enforcing security for their systems. However, our 
analysis showed that 13 of the 15 newly identified weaknesses were due 
to the inconsistent implementation of policies and procedures by the 
system owners and offices. Until the commission can verify that all 
system owners and offices implement agency policies and procedures, it 
will not have assurance that requirements are being followed and 
controls will work as intended. 

Tests and Evaluations of Control Effectiveness: 

Testing and evaluating systems is a key element of an information 
security program that ensures that an agency is in compliance with 
policies and that the policies and controls are both appropriate and 
effective. This type of oversight is a fundamental element because it 
demonstrates management's commitment to the security program, reminds 
employees of their roles and responsibilities, and identifies and 
mitigates areas of noncompliance and ineffectiveness. Although control 
tests and evaluations may encourage compliance with security policies, 
the full benefits are not achieved unless the results improve the 
security program. Analyzing the results of security reviews provides 
security specialists and business managers with a means of identifying 
new problem areas, reassessing the appropriateness of existing 
controls, and identifying the need for new controls. FISMA requires 
that the frequency of tests and evaluations be based on risk, but occur 
no less than annually. 

SEC did not sufficiently test and evaluate the effectiveness of 
controls for a major system as required by its certification and 
accreditation process. When the general ledger system underwent a 
significant change, agency policy required that the system undergo 
recertification and reaccreditation, which included system testing and 
evaluation of controls. However, SEC did not complete recertification 
and reaccreditation testing of controls for the system. We identified 
three control weaknesses associated with the change to the general 
ledger system that SEC had not detected. Since the commission has not 
completed sufficient testing and evaluation for the general ledger 
system after it underwent a significant change, it cannot be assured 
that its security policies and controls are appropriate and working as 
intended. 

Remedial Actions: 

Remedial action plans are a key component described in FISMA. These 
plans assist agencies in identifying, assessing, prioritizing, and 
monitoring the progress in correcting security weaknesses that are 
found in information systems. According to Office of Management and 
Budget guidance, agencies should take timely and effective action to 
correct deficiencies that they have identified through a variety of 
information sources. To accomplish this task, remedial action plans 
should be developed for each deficiency, and progress should be tracked 
for each. 

Although SEC developed remedial action plans to mitigate identified 
weaknesses in its systems and developed a mechanism to track the 
progress of actions to correct deficiencies, it did not consistently 
take effective and timely action to do so. Our analysis showed that 7 
of the 15 new weaknesses had been previously identified in remedial 
action plans. Of the 7 weaknesses, 4 were not effectively mitigated, 
although SEC noted that they had been closed in prior year remedial 
action plans. Another known weakness had been listed in a remedial 
action plan since April 2004. This existed in part because until 
recently, system remedial action plans did not have completion dates 
for all deficiencies. These inconsistencies exist because the 
commission did not develop, document, and implement a policy on 
remedial action plans to ensure deficiencies were mitigated in an 
effective and timely manner. As a result, SEC will have limited 
assurance that all known information security weaknesses are mitigated 
or corrected in an effective and timely manner. 

Conclusions: 

Public trust is vital to the proper functioning of the securities 
markets. Because SEC relies heavily on computerized systems to maintain 
fair, orderly, and efficient securities markets, the security of its 
financial and sensitive data is paramount. While the commission has 
made important progress in addressing our previous information security 
recommendations and strengthening its information security program, 
both outstanding and newly identified weaknesses continue to impair 
SEC's ability to ensure the confidentiality, integrity, and 
availability of financial and other sensitive data. Accordingly, these 
deficiencies represent a reportable condition in internal controls over 
SEC's information systems. 

Sustained senior management involvement and oversight are vital for 
SEC's newly developed security program to undergo the continuous cycle 
of activity required for the effective development, implementation, and 
monitoring of policies and procedures. If the commission continues to 
have senior management actively engaged and continues to implement a 
framework and continuous cycle of activity, it will help ensure that 
outstanding weaknesses are mitigated or resolved and that key controls 
are consistently implemented. If progress is not sustained, SEC will 
not have sufficient assurance that its processes can mitigate current 
weaknesses and detect new weakness, and its financial and sensitive 
data will remain at risk of unauthorized disclosure, modification, or 
destruction. 

Recommendations for Executive Action: 

To assist the commission in improving the implementation of its 
agencywide information security program, we recommend that the SEC 
Chairman take the following three actions: 

1. verify that all system owners and offices implement agency security 
policies and procedures; 

2. complete recertification and reaccreditation testing and evaluation 
on the general ledger system; 

3. develop, document, and implement a policy on remedial action plans 
to ensure deficiencies are mitigated in an effective and timely manner. 

In a separate report designated "Limited Official Use Only",[Footnote 
12] we also made 18 recommendations to the SEC Chairman to address 
actions needed to correct 15 information security weaknesses. 

Agency Comments: 

In providing written comments on a draft of this report, the SEC 
Chairman and Chief Information Officer agreed that the agency needs to 
maintain momentum addressing the remaining gaps in its information 
security program and stated that it is actively working to complete 
corrective actions for findings that remain open and enhance its 
information security program by implementing our recommendations. 

They also identified several actions the agency has completed to 
resolve known weaknesses and stated that going forward the commission's 
primary focus will be on making its information security program more 
aggressive in identifying and resolving issues as or before they arise, 
to ensure high levels of security compliance across the agency. Their 
written comments are reprinted in appendix I. 

This report contains recommendations to you. As you know, 31 U.S.C. 720 
requires that the head of a federal agency submit a written statement 
of the actions taken on our recommendations to the Senate Committee on 
Homeland Security and Governmental Affairs and to the House Committee 
on Oversight and Government Reform not later than 60 days from the date 
of the report and to the House and Senate Committees on Appropriations 
with the agency's first request for appropriations made more than 60 
days after the date of this report. Because agency personnel serve as 
the primary source of information on the status of recommendations, GAO 
requests that the agency also provide us with a copy of your agency's 
statement of action to serve as preliminary information on the status 
of open recommendation. 

We are sending copies of this report to the Chairmen and Ranking 
Minority Members of the Senate Committee on Banking, Housing, and Urban 
Affairs; Senate Committee on Homeland Security and Governmental 
Affairs; House Committee on Financial Services; House Committee on 
Oversight and Government Reform; and SEC's Office of Managing Executive 
for Operations; Office of the Executive Director; Office of Financial 
Management; Office of Information Technology; and the SEC's Inspector 
General. We will also make copies available to others on request. In 
addition, this report will be available at no charge on the GAO Web 
site at http://www.gao.gov. 

If you have any questions regarding this report, please contact me at 
(202) 512-6244 or by e-mail at wilshuseng@gao.gov. Contact points for 
our Offices of Congressional Relations and Public Affairs may be found 
on the last page of this report. Key contributors to this report are 
listed in appendix II. 

Sincerely yours, 

Signed by: 

Gregory C. Wilshusen: 
Director, Information Security Issues: 

[End of section] 

Appendix I: Comments from the Securities and Exchange Commission: 

United States Securities And Exchange Commission: 
Washington, D.C. 20549: 

March 20, 2007: 

Mr. Gregory C. Wilshusen, Director: 
Information Security Issues: 
U.S. Government Accountability Office: 
441 G Street, NW: 
Washington, DC 20548: 

Dear Mr. Wilshusen: 

Thank you for the opportunity to respond to the draft report entitled 
Information Security: Sustained Progress Needed to Strengthen Controls 
at the Securities and Exchange Commission. This audit presents the 
results of the internal controls testing conducted in support the 
agency's financial audit for fiscal year 2006. Since the mission of the 
SEC is to ensure strong internal controls within all U.S. public 
companies, it is imperative that the agency and its staff hold 
ourselves to the highest standards in this area. For this reason, 
improving the effectiveness of the agency's internal controls is, and 
must remain, a top priority. 

As part of the 2006 financial audit, the GAO concluded that information 
security no longer constitutes a material weakness in internal controls 
for the agency. While we are gratified that the agency has made 
measurable improvements in its information security program, we agree 
with you that the agency needs to maintain momentum to address the 
remaining gaps in our information security program, and the agency is 
committed to doing so. 

We are pleased to note the draft report's assessment that the SEC has 
made significant progress to remediate the issues raised by the GAO 
audit teams in fiscal years 2004 through 2006. By the end of fiscal 
2006, the SEC had resolved 58 of the 71 outstanding findings from prior 
years, and 11 of the 15 problems identified by the auditors in fiscal 
2006. Moreover, since the conclusion of the audit in September, the 
agency has continued to work actively to resolve the remaining 
outstanding issues and to further shore up internal controls. In 
particular, we have: 

* Deployed software on agency workstations to protect against malicious 
code attacks; 

* Implemented a process to ensure the SEC follows its policy of 
assigning risk classifications to application changes; 

* Attained 100% completion for yearly security awareness training, as 
well as other events and policy implementations to improve security 
awareness; 

* Implemented procedures and installed equipment to ensure that all 
personnel have a valid 1D badge upon entering the Operations Center and 
that all entrances are properly secured and monitored at all times; 
and: 

* Implemented strong password management on several key systems. 

Going forward, our primary focus is to make the agency's information 
security program more aggressive in identifying and resolving issues 
before or as they arise, so that we can ensure high levels of security 
compliance across the agency. During the remainder of fiscal year 2007 
the agency is working actively to: 

* Complete corrective actions for the specific findings that remain 
open; and: 

* Enhance the SEC's information security program by: 

1. Verifying that all system owners and offices implement agency 
security policies and procedures; 

2. Completing re-certification and re-accreditation testing and 
evaluation on the general ledger system; and: 

3. Developing, documenting, and implementing a policy on remedial 
action plans to ensure deficiencies are mitigated in an effective and 
timely manner. 

Information security is a critical priority for the SEC. We are 
committed to proper stewardship of the sensitive information that is 
entrusted to us. We appreciate GAO's recognition of the significant 
progress we have already made, and appreciate its ongoing support as we 
continue our efforts to realize the highest standards of information 
security. 

Should you have any questions relating to the SEC management response, 
please feel free to contact either one of us at 202-551-2100. 

Sincerely, 

Signed by: 

Christopher Cox: 
Chairman: 

Signed by: 

R. Corey Booth: 
Chief Information Officer: 

[End of section] 

Appendix II: GAO Contact and Staff Acknowledgments: 

GAO Contact: 

Gregory C. Wilshusen, (202) 512-6244: 

Staff Acknowledgments: 

In addition to the individual named above, Charles Vrabel and Lon Chin, 
Assistant Directors; Angela Bell, Jason Carroll, Daniel Castro, West 
Coile, William Cook, Anh Dang, Kirk Daubenspeck, Valerie Hopkins, Henry 
Sutanto, Amos Tevelow, and Chris Warweg made key contributions to this 
report. 

FOOTNOTES 

[1] Information security controls include access controls, 
configuration management, segregation of duties, and contingency 
planning. These controls are designed to ensure that access to data is 
appropriately restricted, only authorized changes to computer programs 
are made, computer security duties are segregated, and backup and 
recovery plans are adequate to ensure the continuity of essential 
operations. 

[2] GAO, Financial Audit: Securities and Exchange Commission's 
Financial Statements for Fiscal Years 2006 and 2005, GAO-07-134 
(Washington, D.C.: Nov. 15, 2006). 

[3] GAO-07-134. 

[4] A reportable condition represents a significant design or 
operational deficiency that could adversely affect an agency's ability 
to meet its internal control objectives. 

[5] GAO, Sustained Progress Needed to Strengthen Controls at the 
Securities and Exchange Commission, GAO-07-257SU (Washington, D.C.: 
Mar. 27, 2007). 

[6] GAO, High-Risk Series: Information Management and Technology, GAO/ 
HR-97-9 (Washington, D.C.: February 1997); GAO, High-Risk Series: An 
Update, GAO-07-310 (Washington, D.C.: January 2007). 

[7] FISMA was enacted as title III, E-Government Act of 2002, Pub. L. 
No. 107-347, 116 Stat. 2946 (Dec. 17, 2002). 

[8] 15 U.S.C. ß 78d. 

[9] A disgorgement is the repayment of illegally gained profits (or 
avoided losses) for distribution to harmed investors whenever feasible. 

[10] GAO, Federal Information System Controls Audit Manual, Volume I- 
Financial Statement Audits, GAO/AIMD-12.19.6 (Washington, D.C.: January 
1999). 

[11] GAO, Information Security: Securities and Exchange Commission 
Needs to Address Weak Controls over Financial and Sensitive Data, GAO- 
05-263SU (Washington, D.C.: Mar. 23, 2005); GAO, Information Security: 
Securities and Exchange Commission Needs to Address Weak Controls over 
Financial and Sensitive Data, GAO-05-262 (Washington, D.C.: Mar. 23, 
2005); GAO, Information Security: Securities and Exchange Commission 
Needs to Continue to Improve Its Program, GAO-06-407SU (Washington, 
D.C.: Mar. 31, 2006); GAO, Information Security: Securities and 
Exchange Commission Needs to Continue to Improve Its Program, GAO-06- 
408 (Washington, D.C.: Mar. 31, 2006). 

[12] GAO-07-257SU. 

GAO's Mission: 

The Government Accountability Office, the audit, evaluation and 
investigative arm of Congress, exists to support Congress in meeting 
its constitutional responsibilities and to help improve the performance 
and accountability of the federal government for the American people. 
GAO examines the use of public funds; evaluates federal programs and 
policies; and provides analyses, recommendations, and other assistance 
to help Congress make informed oversight, policy, and funding 
decisions. GAO's commitment to good government is reflected in its core 
values of accountability, integrity, and reliability. 

Obtaining Copies of GAO Reports and Testimony: 

The fastest and easiest way to obtain copies of GAO documents at no 
cost is through GAO's Web site (www.gao.gov). Each weekday, GAO posts 
newly released reports, testimony, and correspondence on its Web site. 
To have GAO e-mail you a list of newly posted products every afternoon, 
go to www.gao.gov and select "Subscribe to Updates." 

Order by Mail or Phone: 

The first copy of each printed report is free. Additional copies are $2 
each. A check or money order should be made out to the Superintendent 
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or 
more copies mailed to a single address are discounted 25 percent. 
Orders should be sent to: 

U.S. Government Accountability Office 441 G Street NW, Room LM 
Washington, D.C. 20548: 

To order by Phone: Voice: (202) 512-6000 TDD: (202) 512-2537 Fax: (202) 
512-6061: 

To Report Fraud, Waste, and Abuse in Federal Programs: 

Contact: 

Web site: www.gao.gov/fraudnet/fraudnet.htm E-mail: fraudnet@gao.gov 
Automated answering system: (800) 424-5454 or (202) 512-7470: 

Congressional Relations: 

Gloria Jarmon, Managing Director, JarmonG@gao.gov (202) 512-4400 U.S. 
Government Accountability Office, 441 G Street NW, Room 7125 
Washington, D.C. 20548: 

Public Affairs: 

Paul Anderson, Managing Director, AndersonP1@gao.gov (202) 512-4800 
U.S. Government Accountability Office, 441 G Street NW, Room 7149 
Washington, D.C. 20548: