Information Security:

Securities and Exchange Commission Needs to Address Weak Controls over Financial and Sensitive Data

GAO-05-262: Published: Mar 23, 2005. Publicly Released: Mar 23, 2005.

Contact:

Gregory C. Wilshusen
(202) 512-6244
contact@gao.gov

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

The Securities and Exchange Commission (SEC) relies extensively on computerized systems to support its financial and mission-related operations. As part of the audit of SEC's fiscal year 2004 financial statements, GAO assessed the effectiveness of the commission's information system controls in protecting the integrity, confidentiality, and availability of its financial and sensitive information.

SEC has not effectively implemented information system controls to protect the integrity, confidentiality, and availability of its financial and sensitive data. Specifically, the commission had not consistently implemented effective electronic access controls, including user accounts and passwords, access rights and permissions, network security, or audit and monitoring of security-relevant events, to prevent, limit, and detect access to its critical financial and sensitive systems. In addition, weaknesses in other information system controls, including physical security, segregation of computer functions, application change controls, and service continuity, further increase risk to SEC's information systems. As a result, sensitive data, including payroll and financial transactions, personnel data, regulatory data, and other mission-critical information, were at increased risk of unauthorized disclosure, modification, or loss, possibly without detection.

A key reason for SEC's information system control weaknesses is that the commission has not fully developed and implemented a comprehensive agency information security program to provide reasonable assurance that effective controls are established and maintained and that information security receives sufficient management attention. Although SEC has taken some actions to improve security management, including establishing a central security management function and appointing a senior information security officer to manage the program, it had not clearly defined roles and responsibilities for security personnel. In addition, SEC had not fully (1) assessed its risks, (2) established or implemented security policies, (3) promoted security awareness, and (4) tested and evaluated the effectiveness of its information system controls. As a result, SEC did not have a solid foundation for resolving existing information system control weaknesses and continuously managing information security risks.

Recommendations for Executive Action

  1. Status: Closed - Implemented

    Comments: In fiscal year 2007 we verified that SEC provided security awareness training to each employee and contractor, and specialized security training to employees and contractors that require such training. SEC has a process for providing this awareness and specialized training, and maintains a training database to track employee and contractor security training.

    Recommendation: To fully develop and implement an effective agency-wide information security program, the SEC Chairman should direct the CIO to provide security awareness training to each employee and contractor, and specialized security training to employees and contractors that require such training.

    Agency Affected: United States Securities and Exchange Commission

  2. Status: Closed - Implemented

    Comments: In fiscal year 2007 we verified that SEC established and implemented agency-wide information security policies and procedures by addressing security requirements for key control areas and developed and implemented security plans for the general support systems and major applications.

    Recommendation: To fully develop and implement an effective agency-wide information security program, the SEC Chairman should direct the CIO to establish and implement comprehensive information security policies and procedures by addressing security requirements for key control areas and developing and implementing security plans for general support systems and major applications.

    Agency Affected: United States Securities and Exchange Commission

  3. Status: Closed - Implemented

    Comments: In fiscal year 2007 we verified that SEC developed a process for assessing information security risks, including when significant changes are made to SEC facilities or computer systems.

    Recommendation: To fully develop and implement an effective agency-wide information security program, the SEC Chairman should direct the CIO to develop a process for assessing information security risks, including when significant changes are made to SEC facilities or computer systems.

    Agency Affected: United States Securities and Exchange Commission

  4. Status: Closed - Implemented

    Comments: In fiscal year 2007 we verified that SEC designated individual security staff to provide security oversight at its 11 field offices.

    Recommendation: To fully develop and implement an effective agency-wide information security program, the SEC Chairman should direct the CIO to designate individual security staff to provide security oversight at SEC's 11 field offices.

    Agency Affected: United States Securities and Exchange Commission

  5. Status: Closed - Implemented

    Comments: In fiscal year 2006 we reported that SEC had clearly defined the roles and responsibilities of the central security group. SEC has developed, documented, and implemented these roles and responsibilities.

    Recommendation: To fully develop and implement an effective agency-wide information security program, the SEC Chairman should direct the CIO to clearly define the roles and responsibilities of the central security group.

    Agency Affected: United States Securities and Exchange Commission

  6. Status: Closed - Implemented

    Comments: In fiscal year 2007 we verified that SEC instituted an ongoing program of tests and evaluations to ensure that policies and controls were appropriate and effective and that corrective action plans addressed identified weaknesses.

    Recommendation: To fully develop and implement an effective agency-wide information security program, the SEC Chairman should direct the CIO to institute an ongoing program of tests and evaluations to ensure that policies and controls are appropriate and effective and that corrective action plans address identified weaknesses.

    Agency Affected: United States Securities and Exchange Commission
