Information Security: Securities and Exchange Commission Needs to Continue to Improve Its Program

GAO-06-408 Published: Mar 31, 2006. Publicly Released: Mar 31, 2006.
Highlights

The Securities and Exchange Commission (SEC) has a demanding responsibility enforcing securities laws, regulating the securities markets, and protecting investors. In enforcing these laws, SEC issues rules and regulations to provide protection for investors and to help ensure that the securities markets are fair and honest. It relies extensively on computerized systems to support its financial and mission-related operations. Information security controls affect the integrity, confidentiality, and availability of sensitive information maintained by SEC. As part of the audit of SEC's fiscal year 2005 financial statements, GAO assessed (1) the status of SEC's actions to correct or mitigate previously reported information security weaknesses and (2) the effectiveness of the commission's information system controls in protecting the confidentiality, integrity, and availability of its financial and sensitive information.

Recommendations

Recommendations for Executive Action

Agency Affected: United States Securities and Exchange Commission
Recommendation: To fully develop, document, and implement an effective agencywide information security program, and to help establish effective information security over key financial systems, data, and networks, the SEC Chairman should direct the Chief Information Officer to fully document and implement a process for assessing risks for its information systems.
Status: Closed – Implemented
In fiscal year 2006, we verified that SEC fully documented and implemented a process for assessing risks for its information systems.

Agency Affected: United States Securities and Exchange Commission
Recommendation: To fully develop, document, and implement an effective agencywide information security program, and to help establish effective information security over key financial systems, data, and networks, the SEC Chairman should direct the Chief Information Officer to finalize comprehensive information security policies and procedures.
Status: Closed – Implemented
In fiscal year 2006, we verified that SEC finalized comprehensive information security policies and procedures.

Agency Affected: United States Securities and Exchange Commission
Recommendation: To fully develop, document, and implement an effective agencywide information security program, and to help establish effective information security over key financial systems, data, and networks, the SEC Chairman should direct the Chief Information Officer to ensure that all system users comply with annual security awareness training requirements.
Status: Closed – Implemented
In fiscal year 2006, we verified that SEC has ensured that all system users comply with annual security awareness training requirements.

Agency Affected: United States Securities and Exchange Commission
Recommendation: To fully develop, document, and implement an effective agencywide information security program, and to help establish effective information security over key financial systems, data, and networks, the SEC Chairman should direct the Chief Information Officer to institute a testing and evaluation program that includes testing the controls within the general support system.
Status: Closed – Implemented
In fiscal year 2006, we verified that SEC instituted a testing and evaluation program that includes testing the controls within the general support system.

Agency Affected: United States Securities and Exchange Commission
Recommendation: To fully develop, document, and implement an effective agencywide information security program, and to help establish effective information security over key financial systems, data, and networks, the SEC Chairman should direct the Chief Information Officer to develop a mechanism to track remedial action plans that incorporates all identified weaknesses and related risks.
Status: Closed – Implemented
In fiscal year 2006, we verified that SEC developed a mechanism to track remedial action plans that incorporates all identified weaknesses and related risks.

Agency Affected: United States Securities and Exchange Commission
Recommendation: To fully develop, document, and implement an effective agencywide information security program, and to help establish effective information security over key financial systems, data, and networks, the SEC Chairman should direct the Chief Information Officer to establish a program for handling security incidents with detection, response, analysis, and reporting capabilities.
Status: Closed – Implemented
In fiscal year 2006, we verified that SEC established a program for handling security incidents with detection, response, analysis, and reporting capabilities.

Agency Affected: United States Securities and Exchange Commission
Recommendation: To fully develop, document, and implement an effective agencywide information security program, and to help establish effective information security over key financial systems, data, and networks, the SEC Chairman should direct the Chief Information Officer to maintain a continuity of operations program that includes fully tested plans for restoring operations.
Status: Closed – Implemented
In fiscal year 2006, we verified that SEC maintained a continuity of operations program that includes fully tested plans for restoring operations.

Topics

Baseline security controls, Computer security, Information security, Information security management, Information systems, Internal controls, Security assessments, System vulnerabilities, Classified information, Data integrity, Risk management