Information Security:

Securities and Exchange Commission Needs to Continue to Improve Its Program

GAO-08-280: Published: Feb 29, 2008. Publicly Released: Feb 29, 2008.

Contact:

Gregory C. Wilshusen
(202) 512-6244
contact@gao.gov


Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

In carrying out its mission to ensure that securities markets are fair, orderly, and efficiently maintained, the Securities and Exchange Commission (SEC) relies extensively on computerized systems. Integrating effective information security controls into a layered control strategy is essential to ensure that SEC's financial and sensitive information are protected from inadvertent or deliberate misuse, disclosure, or destruction. As part of its audit of SEC's fiscal year 2007 financial statements, GAO assessed (1) the status of SEC's actions to correct previously reported information security weaknesses and (2) the effectiveness of SEC's controls for ensuring the confidentiality, integrity, and availability of its information systems and information. To do this, GAO examined security plans, policies, and practices; interviewed pertinent officials; and conducted tests and observations of controls in operation.

SEC has made important progress toward correcting previously reported information security control weaknesses. Specifically, it has corrected or mitigated 8 of 20 weaknesses previously reported as unresolved at the time of our prior audit. For example, SEC has documented authorizations for software modifications, developed a comprehensive program for monitoring access activities to its computer network environment, and tested and evaluated the effectiveness of controls for the general ledger system. In addition, the commission has made progress in improving its information security program. To illustrate, it has developed remedial action plans to mitigate identified weaknesses in its systems and developed a mechanism to track the progress of actions to correct deficiencies. A key reason for its progress is that SEC senior management has been actively engaged in implementing information security activities. Nevertheless, SEC has not completed actions to correct 12 previously reported weaknesses. For example, SEC workstations are susceptible to malicious code attacks and perimeter security is not properly implemented at its Operations Center. Significant control weaknesses intended to restrict access to data and systems, as well as other information security controls, continue to threaten the confidentiality, integrity, and availability of SEC's financial and sensitive information and information systems. SEC has not consistently implemented effective controls to prevent, limit, or detect unauthorized access to computing resources. For example, it did not always (1) consistently enforce strong controls for identifying and authenticating users, (2) limit user access to only those individuals who need such access to perform their job functions, (3) encrypt sensitive data, (4) log and monitor security related events, (5) physically protect its computer resources, and (6) fully implement certain configuration management controls. 
A key reason for these weaknesses is that SEC has not yet fully implemented its information security program to ensure that controls are appropriately designed and operating effectively. Specifically, SEC has not effectively or fully implemented key program activities. For example, security plans for certain enterprise database applications were incomplete, information security training for certain key personnel was not sufficiently documented and monitored, security tests and evaluations of enterprise database applications were not comprehensive, and continuity of operations plans were not always complete. As a result, SEC is at increased risk of unauthorized access to and disclosure, modification, or destruction of its financial information, as well as inadvertent or deliberate disruption of its financial systems, operations, and services.

Status Legend:

  • Review Pending - GAO has not yet assessed implementation status.
  • Open - Actions to satisfy the intent of the recommendation have not been taken or are being planned, or actions that partially satisfy the intent of the recommendation have been taken.
  • Closed - implemented - Actions that satisfy the intent of the recommendation have been taken.
  • Closed - not implemented - While the intent of the recommendation has not been satisfied, time or circumstances have rendered the recommendation invalid.

    Recommendations for Executive Action

    Recommendation: To assist the commission in improving the implementation of its agencywide information security program, the SEC Chairman should complete the annual testing of security controls for the general ledger application and general support system.

    Agency Affected: United States Securities and Exchange Commission

    Status: Closed - Implemented

    Comments: In fiscal year 2010, we verified that SEC completed annual testing of security controls for its general ledger application and general support system.

    Recommendation: To assist the commission in improving the implementation of its agencywide information security program, the SEC Chairman should document and monitor individual specific information system security training activities for the incident handling team.

    Agency Affected: United States Securities and Exchange Commission

    Status: Closed - Implemented

    Comments: In fiscal year 2009, we verified that SEC documented and monitored specific information system security training activities for its incident handling team.

    Recommendation: To assist the commission in improving the implementation of its agencywide information security program, the SEC Chairman should ensure that security plans are complete and that the plans (a) document system interconnection and information sharing agreements with other systems, (b) define system boundaries, (c) identify common security controls, and (d) provide up-to-date information that reflects changes and vulnerabilities discovered based on the applications' risk assessment and security evaluations.

    Agency Affected: United States Securities and Exchange Commission

    Status: Closed - Implemented

    Comments: In fiscal year 2011, we verified that SEC, in response to our recommendation, (a) documented system interconnection and information sharing agreements with other systems; (b) defined system boundaries; (c) identified common security controls; and (d) provided up-to-date information that reflects changes and vulnerabilities discovered based on the applications

    Recommendation: To assist the commission in improving the implementation of its agencywide information security program, the SEC Chairman should adequately back up critical data files on key workstations used for storing large accounting data files and ensure that mission-critical application contingency plans contain key information.

    Agency Affected: United States Securities and Exchange Commission

    Status: Closed - Implemented

    Comments: In fiscal year 2010, we verified that SEC adequately backed up critical data files on key workstations used for storing large accounting data files and ensured that mission-critical application contingency plans contain key information.
