Skip to main content

Information Security: Securities and Exchange Commission Needs to Consistently Implement Effective Controls

GAO-09-203 Published: Mar 16, 2009. Publicly Released: Mar 16, 2009.
Jump To:
Skip to Highlights

Highlights

In carrying out its mission to ensure that securities markets are fair, orderly, and efficiently maintained, the Securities and Exchange Commission (SEC) relies extensively on computerized systems. Effective information security controls are essential to ensure that SEC's financial and sensitive information is protected from inadvertent or deliberate misuse, disclosure, or destruction. As part of its audit of SEC's financial statements, GAO assessed (1) the status of SEC's actions to correct previously reported information security weaknesses and (2) the effectiveness of SEC's controls for ensuring the confidentiality, integrity, and availability of its information systems and information. To do this, GAO examined security policies and artifacts, interviewed pertinent officials, and conducted tests and observations of controls in operation.

Recommendations

Recommendations for Executive Action

Agency Affected Recommendation Status
United States Securities and Exchange Commission To assist the commission in improving the implementation of its agencywide information security program, the SEC Chairman should direct the CIO to designate a senior agency information security officer who will be responsible for managing SEC's information security program.
Closed – Implemented
In fiscal year 2010, we verified that SEC designated a senior agency information security office who will be responsible for managing SEC's information security program.
United States Securities and Exchange Commission To assist the commission in improving the implementation of its agencywide information security program, the SEC Chairman should direct the CIO to provide full information for management oversight of information security risks.
Closed – Implemented
In fiscal year 2010, we verified that SEC provided full information for management oversight of information risks.
United States Securities and Exchange Commission To assist the commission in improving the implementation of its agencywide information security program, the SEC Chairman should direct the CIO to conduct comprehensive periodic testing and evaluation of the effectiveness of security controls for the general support system and key financial applications.
Closed – Implemented
In fiscal year 2010, we verified that SEC conducted comprehensive periodic testing and evaluation of the effectiveness of security controls for the general support system and key financial applications.
United States Securities and Exchange Commission To assist the commission in improving the implementation of its agencywide information security program, the SEC Chairman should direct the CIO to certify and accredit subsystems that support the production of SEC's financial statements.
Closed – Implemented
In fiscal year 2010, we verified that SEC, in response to our recommendation, integrated the subsystems that support production of SEC financial statements into the application that constitutes financial system of records which, in the aftermath of our audit, had been identified, certified, and accredited in 2009.

Full Report

GAO Contacts

Gregory C. Wilshusen
Director
Information Technology and Cybersecurity

Media Inquiries

Sarah Kaczmarek
Managing Director
Office of Public Affairs

Public Inquiries

Topics

Access controlAccountabilityAuthenticationAuthorizationComputer fraudComputer networksComputer securityConfidential communicationsData integrityDatabasesDocumentationFederal regulationsFinancial disclosureFinancial statementsInformation classificationInformation disclosureInformation securityInformation systemsInternal controlsReporting requirementsRisk managementSafeguardsSecuritiesSecurities fraudSecurity regulationsSecurity threatsStocks (securities)Systems evaluationTechnologyPolicies and procedures