Information Security: Securities and Exchange Commission Needs to Address Weak Controls over Financial and Sensitive Data

GAO-05-262 Published: Mar 23, 2005. Publicly Released: Mar 23, 2005.
Highlights

The Securities and Exchange Commission (SEC) relies extensively on computerized systems to support its financial and mission-related operations. As part of the audit of SEC's fiscal year 2004 financial statements, GAO assessed the effectiveness of the commission's information system controls in protecting the integrity, confidentiality, and availability of its financial and sensitive information.

Recommendations

Recommendations for Executive Action

Agency Affected: United States Securities and Exchange Commission
Recommendation: To fully develop and implement an effective agency-wide information security program, the SEC Chairman should direct the CIO to clearly define the roles and responsibilities of the central security group.
Status: Closed – Implemented
In fiscal year 2006 we reported that SEC clearly defined the roles and responsibilities of the central security group. SEC has developed, documented, and implemented clearly defined roles and responsibilities for the central security group.

Agency Affected: United States Securities and Exchange Commission
Recommendation: To fully develop and implement an effective agency-wide information security program, the SEC Chairman should direct the CIO to designate individual security staff to provide security oversight at SEC's 11 field offices.
Status: Closed – Implemented
In FY 2007, we verified that SEC designated individual security staff to provide security oversight at its 11 field offices.

Agency Affected: United States Securities and Exchange Commission
Recommendation: To fully develop and implement an effective agency-wide information security program, the SEC Chairman should direct the CIO to develop a process for assessing information security risks, including when significant changes are made to SEC facilities or computer systems.
Status: Closed – Implemented
In fiscal year 2007 we verified that SEC developed a process for assessing information security risks, including when significant changes are made to SEC facilities or computer systems.

Agency Affected: United States Securities and Exchange Commission
Recommendation: To fully develop and implement an effective agency-wide information security program, the SEC Chairman should direct the CIO to establish and implement comprehensive information security policies and procedures by addressing security requirements for key control areas and developing and implementing security plans for general support systems and major applications.
Status: Closed – Implemented
In fiscal year 2007 we verified that SEC established and implemented agency-wide information security policies and procedures by addressing security requirements for key control areas, and developed and implemented security plans for the general support systems and major applications.

Agency Affected: United States Securities and Exchange Commission
Recommendation: To fully develop and implement an effective agency-wide information security program, the SEC Chairman should direct the CIO to provide security awareness training to each employee and contractor, and specialized security training to employees and contractors that require such training.
Status: Closed – Implemented
In fiscal year 2007 we verified that SEC provided security awareness training to each employee and contractor, and specialized security training to employees and contractors that require such training. SEC has a process to provide security awareness training to employees and contractors and specialized training for employees and contractors that require such training. Further, SEC has a training database to track employee and contractor security training.

Agency Affected: United States Securities and Exchange Commission
Recommendation: To fully develop and implement an effective agency-wide information security program, the SEC Chairman should direct the CIO to institute an ongoing program of tests and evaluations to ensure that policies and controls are appropriate and effective and that corrective action plans address identified weaknesses.
Status: Closed – Implemented
In fiscal year 2007 we verified that SEC instituted an ongoing program of tests and evaluations to ensure that policies and controls were appropriate and effective and that corrective action plans addressed identified weaknesses.

Topics

Computer networks, Computer security, Computer security policies, Data integrity, Fraud, Information resources management, Information security, Information systems, Internal audits, Internal controls, Management information systems, Mission critical information, Passwords, Physical security, Program evaluation, Risk management, Security policies, Strategic planning, Computer accounts, Policies and procedures