Information Security:

Sustained Progress Needed to Strengthen Controls at the Securities and Exchange Commission

GAO-07-256: Published: Mar 27, 2007. Publicly Released: Mar 27, 2007.

Contact:

Gregory C. Wilshusen
(202) 512-6244
contact@gao.gov


Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

In carrying out its mission to ensure that securities markets are fair, orderly, and efficiently maintained, the Securities and Exchange Commission (SEC) relies extensively on computerized systems. Integrating effective information security controls into a layered control strategy is essential to ensure that SEC's financial and sensitive information is protected from inadvertent or deliberate misuse, disclosure, or destruction. As part of its audit of SEC's financial statements, GAO assessed (1) SEC's actions to correct previously reported information security weaknesses and (2) the effectiveness of controls for ensuring the confidentiality, integrity, and availability of SEC's information systems and information. To do this, GAO examined security policies and artifacts, interviewed pertinent officials, and conducted tests and observations of controls in operation.

SEC has made important progress toward correcting previously reported information security control weaknesses. Specifically, it has corrected or mitigated 58 of the 71 weaknesses previously reported as unresolved at the conclusion of GAO's 2005 audit. The commission resolved all of the previously reported weaknesses in security-related activities and contingency planning, and made significant progress in resolving access control weaknesses. A key reason for its progress was that SEC's senior management was actively engaged in implementing information security-related activities. Despite this progress, SEC has not consistently implemented certain key controls to effectively safeguard the confidentiality, integrity, and availability of its financial and sensitive information and information systems. In addition to 13 previously identified weaknesses that remain unresolved, 15 new information security weaknesses were identified. By the conclusion of GAO's review, SEC took action to address 11 of the 15 new weaknesses. A primary reason for these control weaknesses is that SEC had not consistently implemented elements of its information security program. This included inconsistent implementation of agency policies and procedures, not sufficiently testing and evaluating the effectiveness of controls for a major system as required by its certification and accreditation process, and not consistently taking effective and timely action to correct deficiencies identified in remedial action plans. Until SEC consistently implements these elements of its program, it will have limited assurance that it will be able to manage risks and protect sensitive information on an ongoing basis.

Recommendations for Executive Action

  1. Status: Closed - Implemented

    Comments: We verified in fiscal year 2009 that SEC verified that all system owners and offices implemented agency security policies and procedures.

    Recommendation: To assist the commission in improving the implementation of its agencywide information security program, the SEC Chairman should verify that all system owners and offices implement agency security policies and procedures.

    Agency Affected: United States Securities and Exchange Commission

  2. Status: Closed - Implemented

    Comments: We verified in fiscal year 2008 that SEC completed recertification and reaccreditation testing and evaluation on the general ledger system.

    Recommendation: To assist the commission in improving the implementation of its agencywide information security program, the SEC Chairman should complete recertification and reaccreditation testing and evaluation on the general ledger system.

    Agency Affected: United States Securities and Exchange Commission

  3. Status: Closed - Implemented

    Comments: We verified in fiscal year 2009 that SEC developed, documented, and implemented a policy on remedial action plans to ensure deficiencies are mitigated in an effective and timely manner.

    Recommendation: To assist the commission in improving the implementation of its agencywide information security program, the SEC Chairman should develop, document, and implement a policy on remedial action plans to ensure deficiencies are mitigated in an effective and timely manner.

    Agency Affected: United States Securities and Exchange Commission
