Information Security:
Securities and Exchange Commission Needs to Continue to Improve Its Program
GAO-08-280: Published: Feb 29, 2008. Publicly Released: Feb 29, 2008.
Contact: (202) 512-6244, contact@gao.gov. Office of Public Affairs: (202) 512-4800, youngc1@gao.gov
In carrying out its mission to ensure that securities markets are fair, orderly, and efficiently maintained, the Securities and Exchange Commission (SEC) relies extensively on computerized systems. Integrating effective information security controls into a layered control strategy is essential to ensure that SEC's financial and sensitive information is protected from inadvertent or deliberate misuse, disclosure, or destruction. As part of its audit of SEC's fiscal year 2007 financial statements, GAO assessed (1) the status of SEC's actions to correct previously reported information security weaknesses and (2) the effectiveness of SEC's controls for ensuring the confidentiality, integrity, and availability of its information systems and information. To do this, GAO examined security plans, policies, and practices; interviewed pertinent officials; and conducted tests and observations of controls in operation.
SEC has made important progress toward correcting previously reported information security control weaknesses. Specifically, it has corrected or mitigated 8 of 20 weaknesses previously reported as unresolved at the time of our prior audit. For example, SEC has documented authorizations for software modifications, developed a comprehensive program for monitoring access activities to its computer network environment, and tested and evaluated the effectiveness of controls for the general ledger system. In addition, the commission has made progress in improving its information security program. To illustrate, it has developed remedial action plans to mitigate identified weaknesses in its systems and developed a mechanism to track the progress of actions to correct deficiencies. A key reason for its progress is that SEC senior management has been actively engaged in implementing information security activities. Nevertheless, SEC has not completed actions to correct 12 previously reported weaknesses. For example, SEC workstations are susceptible to malicious code attacks and perimeter security is not properly implemented at its Operations Center.
Significant weaknesses in controls intended to restrict access to data and systems, as well as in other information security controls, continue to threaten the confidentiality, integrity, and availability of SEC's financial and sensitive information and information systems. SEC has not consistently implemented effective controls to prevent, limit, or detect unauthorized access to computing resources. For example, it did not always (1) consistently enforce strong controls for identifying and authenticating users, (2) limit user access to only those individuals who need such access to perform their job functions, (3) encrypt sensitive data, (4) log and monitor security-related events, (5) physically protect its computer resources, and (6) fully implement certain configuration management controls.
A key reason for these weaknesses is that SEC has not yet fully implemented its information security program to ensure that controls are appropriately designed and operating effectively. Specifically, SEC has not effectively or fully implemented key program activities. For example, security plans for certain enterprise database applications were incomplete, information security training for certain key personnel was not sufficiently documented and monitored, security tests and evaluations of enterprise database applications were not comprehensive, and continuity of operations plans were not always complete. As a result, SEC is at increased risk of unauthorized access to and disclosure, modification, or destruction of its financial information, as well as inadvertent or deliberate disruption of its financial systems, operations, and services.
Recommendations for Executive Action
Status: Closed - Implemented
Comments: In fiscal year 2011, we verified that SEC, in response to our recommendation, (a) documented system interconnection and information sharing agreements with other systems; (b) defined system boundary; (c) identified common security controls; and (d) provided up-to-date information that reflects changes and vulnerabilities discovered based on the applications
Recommendation: To assist the commission in improving the implementation of its agencywide information security program, the SEC Chairman should ensure that security plans are complete and that the plans (a) document system interconnection and information sharing agreements with other systems, (b) define system boundaries, (c) identify common security controls, and (d) provide up-to-date information that reflects changes and vulnerabilities discovered based on the applications' risk assessment and security evaluations.
Agency Affected: United States Securities and Exchange Commission
Status: Closed - Implemented
Comments: In fiscal year 2009, we verified that SEC documented and monitored specific information system security training activities for its incident handling team.
Recommendation: To assist the commission in improving the implementation of its agencywide information security program, the SEC Chairman should document and monitor individual specific information system security training activities for the incident handling team.
Agency Affected: United States Securities and Exchange Commission
Status: Closed - Implemented
Comments: In fiscal year 2010, we verified that SEC completed annual testing of security controls for its general ledger application and general support system.
Recommendation: To assist the commission in improving the implementation of its agencywide information security program, the SEC Chairman should complete the annual testing of security controls for the general ledger application and general support system.
Agency Affected: United States Securities and Exchange Commission
Status: Closed - Implemented
Comments: In fiscal year 2010, we verified that SEC adequately backed up critical data files on key workstations used for storing large accounting data files and ensured that mission-critical application contingency plans contain key information.
Recommendation: To assist the commission in improving the implementation of its agencywide information security program, the SEC Chairman should adequately back up critical data files on key workstations used for storing large accounting data files and ensure that mission-critical application contingency plans contain key information.
Agency Affected: United States Securities and Exchange Commission