Information Security:

Securities and Exchange Commission Needs to Continue to Improve Its Program

GAO-06-408: Published: Mar 31, 2006. Publicly Released: Mar 31, 2006.

Contact:

Gregory C. Wilshusen
(202) 512-6244
contact@gao.gov

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

The Securities and Exchange Commission (SEC) has a demanding responsibility enforcing securities laws, regulating the securities markets, and protecting investors. In enforcing these laws, SEC issues rules and regulations to provide protection for investors and to help ensure that the securities markets are fair and honest. It relies extensively on computerized systems to support its financial and mission-related operations. Information security controls affect the integrity, confidentiality, and availability of sensitive information maintained by SEC. As part of the audit of SEC's fiscal year 2005 financial statements, GAO assessed (1) the status of SEC's actions to correct or mitigate previously reported information security weaknesses and (2) the effectiveness of the commission's information system controls in protecting the confidentiality, integrity, and availability of its financial and sensitive information.

Although SEC has taken steps to strengthen its information security program, most of the previously reported information security control and program weaknesses persist. Specifically, the commission has corrected or mitigated 8 of the 51 weaknesses that GAO reported as unresolved in last year's report. Corrective actions SEC has taken include replacing a vulnerable, publicly accessible workstation and developing and implementing change control procedures for a major application. However, the commission has not yet effectively controlled remote access to its servers, established controls over passwords, managed access to its systems and data, securely configured network devices and servers, or implemented auditing and monitoring mechanisms to detect and track security incidents. Overall, SEC has not effectively implemented information security controls to properly protect the confidentiality, integrity, and availability of its financial and sensitive information and information systems. In addition to the 43 previously reported weaknesses that remain uncorrected, GAO identified 15 new information security weaknesses. Most of the identified weaknesses pertained to electronic access controls such as user accounts and passwords, access rights and permissions, and network devices and services. These weaknesses increase the risk that financial and sensitive information will be inadequately protected against disclosure, modification, or loss, possibly without detection, and place SEC operations at risk of disruption. A key reason for SEC's information security control weaknesses is that the commission has not fully developed, implemented, or documented key elements of an information security program to ensure that effective controls are established and maintained. Until SEC implements such a program, its facilities and computing resources, and the information that is processed, stored, and transmitted on its systems, will remain vulnerable.

Recommendations for Executive Action

  1. Status: Closed - Implemented

    Comments: In fiscal year 2006, we verified that SEC established a program for handling security incidents with detection, response, analysis, and reporting capabilities.

    Recommendation: To fully develop, document, and implement an effective agencywide information security program, and to help establish effective information security over key financial systems, data, and networks, the SEC Chairman should direct the Chief Information Officer to establish a program for handling security incidents with detection, response, analysis, and reporting capabilities.

    Agency Affected: United States Securities and Exchange Commission

  2. Status: Closed - Implemented

    Comments: In fiscal year 2006, we verified that SEC developed a mechanism to track remedial action plans that incorporates all identified weaknesses and related risks.

    Recommendation: To fully develop, document, and implement an effective agencywide information security program, and to help establish effective information security over key financial systems, data, and networks, the SEC Chairman should direct the Chief Information Officer to develop a mechanism to track remedial action plans that incorporates all identified weaknesses and related risks.

    Agency Affected: United States Securities and Exchange Commission

  3. Status: Closed - Implemented

    Comments: In fiscal year 2006, we verified that SEC instituted a testing and evaluation program that includes testing the controls within the general support system.

    Recommendation: To fully develop, document, and implement an effective agencywide information security program, and to help establish effective information security over key financial systems, data, and networks, the SEC Chairman should direct the Chief Information Officer to institute a testing and evaluation program that includes testing the controls within the general support system.

    Agency Affected: United States Securities and Exchange Commission

  4. Status: Closed - Implemented

    Comments: In fiscal year 2006, we verified that SEC has ensured that all system users comply with annual security awareness training requirements.

    Recommendation: To fully develop, document, and implement an effective agencywide information security program, and to help establish effective information security over key financial systems, data, and networks, the SEC Chairman should direct the Chief Information Officer to ensure that all system users comply with annual security awareness training requirements.

    Agency Affected: United States Securities and Exchange Commission

  5. Status: Closed - Implemented

    Comments: In fiscal year 2006, we verified that SEC finalized comprehensive information security policies and procedures.

    Recommendation: To fully develop, document, and implement an effective agencywide information security program, and to help establish effective information security over key financial systems, data, and networks, the SEC Chairman should direct the Chief Information Officer to finalize comprehensive information security policies and procedures.

    Agency Affected: United States Securities and Exchange Commission

  6. Status: Closed - Implemented

    Comments: In fiscal year 2006, we verified that SEC fully documented and implemented a process for assessing risks for its information systems.

    Recommendation: To fully develop, document, and implement an effective agencywide information security program, and to help establish effective information security over key financial systems, data, and networks, the SEC Chairman should direct the Chief Information Officer to fully document and implement a process for assessing risks for its information systems.

    Agency Affected: United States Securities and Exchange Commission

  7. Status: Closed - Implemented

    Comments: In fiscal year 2006, we verified that SEC maintained a continuity of operations program that includes fully tested plans for restoring operations.

    Recommendation: To fully develop, document, and implement an effective agencywide information security program, and to help establish effective information security over key financial systems, data, and networks, the SEC Chairman should direct the Chief Information Officer to maintain a continuity of operations program that includes fully tested plans for restoring operations.

    Agency Affected: United States Securities and Exchange Commission
