Information Security:

Sustained Progress Needed to Strengthen Controls at the Securities and Exchange Commission

GAO-07-256: Published: Mar 27, 2007. Publicly Released: Mar 27, 2007.

Contact:

Gregory C. Wilshusen
(202) 512-6244
contact@gao.gov


Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

In carrying out its mission to ensure that securities markets are fair, orderly, and efficiently maintained, the Securities and Exchange Commission (SEC) relies extensively on computerized systems. Integrating effective information security controls into a layered control strategy is essential to ensure that SEC's financial and sensitive information is protected from inadvertent or deliberate misuse, disclosure, or destruction. As part of its audit of SEC's financial statements, GAO assessed (1) SEC's actions to correct previously reported information security weaknesses and (2) the effectiveness of controls for ensuring the confidentiality, integrity, and availability of SEC's information systems and information. To do this, GAO examined security policies and artifacts, interviewed pertinent officials, and conducted tests and observations of controls in operation.

SEC has made important progress toward correcting previously reported information security control weaknesses. Specifically, it has corrected or mitigated 58 of the 71 weaknesses previously reported as unresolved at the conclusion of GAO's 2005 audit. The commission resolved all of the previously reported weaknesses in security-related activities and contingency planning, and made significant progress in resolving access control weaknesses. A key reason for its progress was that SEC's senior management was actively engaged in implementing information security-related activities. Despite this progress, SEC has not consistently implemented certain key controls to effectively safeguard the confidentiality, integrity, and availability of its financial and sensitive information and information systems. In addition to 13 previously identified weaknesses that remain unresolved, 15 new information security weaknesses were identified. By the conclusion of GAO's review, SEC had taken action to address 11 of the 15 new weaknesses. A primary reason for these control weaknesses is that SEC had not consistently implemented elements of its information security program. This included inconsistent implementation of agency policies and procedures, not sufficiently testing and evaluating the effectiveness of controls for a major system as required by its certification and accreditation process, and not consistently taking effective and timely action to correct deficiencies identified in remedial action plans. Until SEC does so, it will have limited assurance that it will be able to manage risks and protect sensitive information on an ongoing basis.

Status Legend:

  • Review Pending: GAO has not yet assessed implementation status.
  • Open: Actions to satisfy the intent of the recommendation have not been taken or are being planned, or actions that partially satisfy the intent of the recommendation have been taken.
  • Closed - implemented: Actions that satisfy the intent of the recommendation have been taken.
  • Closed - not implemented: While the intent of the recommendation has not been satisfied, time or circumstances have rendered the recommendation invalid.

    Recommendations for Executive Action

    Recommendation: To assist the commission in improving the implementation of its agencywide information security program, the SEC Chairman should verify that all system owners and offices implement agency security policies and procedures.

    Agency Affected: United States Securities and Exchange Commission

    Status: Closed - Implemented

    Comments: We verified in fiscal year 2009 that SEC verified that all system owners and offices implemented agency security policies and procedures.

    Recommendation: To assist the commission in improving the implementation of its agencywide information security program, the SEC Chairman should complete recertification and reaccreditation testing and evaluation on the general ledger system.

    Agency Affected: United States Securities and Exchange Commission

    Status: Closed - Implemented

    Comments: We verified in fiscal year 2008 that SEC completed recertification and reaccreditation testing and evaluation on the general ledger system.

    Recommendation: To assist the commission in improving the implementation of its agencywide information security program, the SEC Chairman should develop, document, and implement a policy on remedial action plans to ensure deficiencies are mitigated in an effective and timely manner.

    Agency Affected: United States Securities and Exchange Commission

    Status: Closed - Implemented

    Comments: We verified in fiscal year 2009 that SEC developed, documented, and implemented a policy on remedial action plans to ensure deficiencies are mitigated in an effective and timely manner.
