Information Security: Sustained Progress Needed to Strengthen Controls at the Securities and Exchange Commission
Highlights
In carrying out its mission to ensure that securities markets are fair, orderly, and efficiently maintained, the Securities and Exchange Commission (SEC) relies extensively on computerized systems. Integrating effective information security controls into a layered control strategy is essential to ensure that SEC's financial and sensitive information is protected from inadvertent or deliberate misuse, disclosure, or destruction. As part of its audit of SEC's financial statements, GAO assessed (1) SEC's actions to correct previously reported information security weaknesses and (2) the effectiveness of controls for ensuring the confidentiality, integrity, and availability of SEC's information systems and information. To do this, GAO examined security policies and artifacts, interviewed pertinent officials, and conducted tests and observations of controls in operation.
Recommendations
Recommendations for Executive Action
| Agency Affected | Recommendation | Status |
|---|---|---|
| United States Securities and Exchange Commission | To assist the commission in improving the implementation of its agencywide information security program, the SEC Chairman should verify that all system owners and offices implement agency security policies and procedures. | We verified in fiscal year 2009 that SEC verified that all system owners and offices implemented agency security policies and procedures. |
| United States Securities and Exchange Commission | To assist the commission in improving the implementation of its agencywide information security program, the SEC Chairman should complete recertification and reaccreditation testing and evaluation on the general ledger system. | We verified in fiscal year 2008 that SEC completed recertification and reaccreditation testing and evaluation on the general ledger system. |
| United States Securities and Exchange Commission | To assist the commission in improving the implementation of its agencywide information security program, the SEC Chairman should develop, document, and implement a policy on remedial action plans to ensure deficiencies are mitigated in an effective and timely manner. | We verified in fiscal year 2009 that SEC developed, documented, and implemented a policy on remedial action plans to ensure deficiencies are mitigated in an effective and timely manner. |