Information Security: Securities and Exchange Commission Needs to Consistently Implement Effective Controls
Highlights
In carrying out its mission to ensure that securities markets are fair, orderly, and efficiently maintained, the Securities and Exchange Commission (SEC) relies extensively on computerized systems. Effective information security controls are essential to ensure that SEC's financial and sensitive information is protected from inadvertent or deliberate misuse, disclosure, or destruction. As part of its audit of SEC's financial statements, GAO assessed (1) the status of SEC's actions to correct previously reported information security weaknesses and (2) the effectiveness of SEC's controls for ensuring the confidentiality, integrity, and availability of its information systems and information. To do this, GAO examined security policies and artifacts, interviewed pertinent officials, and conducted tests and observations of controls in operation.
Recommendations
Recommendations for Executive Action
Agency Affected | Recommendation | Status |
---|---|---|
United States Securities and Exchange Commission | To assist the commission in improving the implementation of its agencywide information security program, the SEC Chairman should direct the CIO to designate a senior agency information security officer who will be responsible for managing SEC's information security program. | In fiscal year 2010, we verified that SEC designated a senior agency information security officer who will be responsible for managing SEC's information security program. |
United States Securities and Exchange Commission | To assist the commission in improving the implementation of its agencywide information security program, the SEC Chairman should direct the CIO to provide full information for management oversight of information security risks. | In fiscal year 2010, we verified that SEC provided full information for management oversight of information risks. |
United States Securities and Exchange Commission | To assist the commission in improving the implementation of its agencywide information security program, the SEC Chairman should direct the CIO to conduct comprehensive periodic testing and evaluation of the effectiveness of security controls for the general support system and key financial applications. | In fiscal year 2010, we verified that SEC conducted comprehensive periodic testing and evaluation of the effectiveness of security controls for the general support system and key financial applications. |
United States Securities and Exchange Commission | To assist the commission in improving the implementation of its agencywide information security program, the SEC Chairman should direct the CIO to certify and accredit subsystems that support the production of SEC's financial statements. | In fiscal year 2010, we verified that SEC, in response to our recommendation, integrated the subsystems that support production of SEC financial statements into the application that constitutes the financial system of records, which, in the aftermath of our audit, had been identified, certified, and accredited in 2009. |