Information Security: Securities and Exchange Commission Needs to Continue to Improve Its Program

GAO-08-280 Published: Feb 29, 2008. Publicly Released: Feb 29, 2008.

Highlights

In carrying out its mission to ensure that securities markets are fair, orderly, and efficiently maintained, the Securities and Exchange Commission (SEC) relies extensively on computerized systems. Integrating effective information security controls into a layered control strategy is essential to ensure that SEC's financial and sensitive information is protected from inadvertent or deliberate misuse, disclosure, or destruction. As part of its audit of SEC's fiscal year 2007 financial statements, GAO assessed (1) the status of SEC's actions to correct previously reported information security weaknesses and (2) the effectiveness of SEC's controls for ensuring the confidentiality, integrity, and availability of its information systems and information. To do this, GAO examined security plans, policies, and practices; interviewed pertinent officials; and conducted tests and observations of controls in operation.

Recommendations

Recommendations for Executive Action

Agency Affected: United States Securities and Exchange Commission
Recommendation: To assist the commission in improving the implementation of its agencywide information security program, the SEC Chairman should ensure that security plans are complete and that the plans (a) document system interconnection and information sharing agreements with other systems, (b) define system boundaries, (c) identify common security controls, and (d) provide up-to-date information that reflects changes and vulnerabilities discovered based on the applications' risk assessment and security evaluations.
Status: Closed – Implemented
Status Detail: In fiscal year 2011, we verified that SEC, in response to our recommendation, (a) documented system interconnection and information sharing agreements with other systems; (b) defined system boundary; (c) identified common security controls; and (d) provided up-to-date information that reflects changes and vulnerabilities discovered based on the applications

Agency Affected: United States Securities and Exchange Commission
Recommendation: To assist the commission in improving the implementation of its agencywide information security program, the SEC Chairman should document and monitor individual specific information system security training activities for the incident handling team.
Status: Closed – Implemented
Status Detail: In fiscal year 2009, we verified that SEC documented and monitored specific information system security training activities for its incident handling team.

Agency Affected: United States Securities and Exchange Commission
Recommendation: To assist the commission in improving the implementation of its agencywide information security program, the SEC Chairman should complete the annual testing of security controls for the general ledger application and general support system.
Status: Closed – Implemented
Status Detail: In fiscal year 2010, we verified that SEC completed annual testing of security controls for its general ledger application and general support system.

Agency Affected: United States Securities and Exchange Commission
Recommendation: To assist the commission in improving the implementation of its agencywide information security program, the SEC Chairman should adequately back up critical data files on key workstations used for storing large accounting data files and ensure that mission-critical application contingency plans contain key information.
Status: Closed – Implemented
Status Detail: In fiscal year 2010, we verified that SEC adequately backed up critical data files on key workstations used for storing large accounting data files and ensured that mission-critical application contingency plans contain key information.


Topics

Computer systems; Information security; Information security management; Information systems; Internal controls; Securities regulation; Stocks (securities); System security plans; System vulnerabilities; Systems analysis; Systems evaluation; Systems management; Security standards