Financial Markets: Tighter Computer Security Needed

IMTEC-90-15 Published: Jan 05, 1990. Publicly Released: Feb 21, 1990.

Highlights

Pursuant to a congressional request, GAO reviewed the Securities Industry Automation Corporation's (SIAC) Common Message Switch and Intermarket Trading Systems, and the National Association of Securities Dealers' (NASD) Automated Quotations System, focusing on the: (1) number of instances of hacker or virus attacks on certain securities trading networks and their related systems; (2) reasonableness of existing controls used to prevent or detect securities trading systems misuse; and (3) existing regulatory framework under which securities trading systems are accessed, operated, and overseen.

Recommendations

Recommendations for Executive Action

Agency Affected: United States Securities and Exchange Commission
Recommendation: The Chairman, SEC, should immediately follow up on the security weaknesses identified in this report to ensure that they have been corrected.
Status: Closed – Implemented
Comments: SEC Office of Automation and International Markets staff have met with staff from NASD, NYSE, AMEX, and SIAC to confirm that the steps taken to correct these weaknesses were reasonable. Specific corrective actions for each weakness were included in the SEC response.

Agency Affected: United States Securities and Exchange Commission
Recommendation: The Chairman, SEC, should oversee the exchanges' and NASD plans as they expand the role of their computer security administration functions. Specifically, SEC should require that they: (1) conduct periodic risk analyses; (2) develop written information security plans, policies and procedures; (3) conduct information security awareness training; and (4) obtain independent assessments of the reasonableness of network security controls.
Status: Closed – Implemented
Comments: SEC continues to believe it is not necessary to mandate by Commission rule that the exchanges and NASD conform to the recommendation regarding risk analyses, written procedures, and awareness training. However, SEC has begun to explore the development of generally accepted security standards for the exchanges and NASD.

Agency Affected: United States Securities and Exchange Commission
Recommendation: The Chairman, SEC, should periodically conduct or oversee independent assessments of the exchanges' and NASD information security programs to ensure that they provide reasonable assurance that the networks and systems are adequately secured.
Status: Closed – Implemented
Comments: At the exchanges and NASD, independent assessments are being conducted as to the vulnerability of their systems to external and internal threats. Some assessments will be done by the end of calendar year 1991. The rest will be done by the end of calendar year 1992. SEC will review these assessments.

Agency Affected: United States Securities and Exchange Commission
Recommendation: The Chairman, SEC, should acquire the necessary technical expertise to conduct these activities.
Status: Closed – Implemented
Comments: In IMTEC-91-21, April 2, 1991, GAO concluded that SEC still needs to aggressively establish the technical expertise to control the risks of automation. GAO will continue to monitor the extent to which SEC obtained this expertise to effectively carry out its security oversight responsibilities.

Topics

Computer crimes, Computer security, Software, Information security, Crime prevention, Data transmission, Information systems, Internal controls, Securities, Securities regulation, Stock exchanges