GAO-09-203, Information Security: Securities and Exchange Commission Needs to Consistently Implement Effective Controls


This is the accessible text file for GAO report number GAO-09-203 
entitled 'Information Security: Securities and Exchange Commission 
Needs to Consistently Implement Effective Controls' which was released 
on March 17, 2009.

This text file was formatted by the U.S. Government Accountability 
Office (GAO) to be accessible to users with visual impairments, as part 
of a longer term project to improve GAO products' accessibility. Every 
attempt has been made to maintain the structural and data integrity of 
the original printed product. Accessibility features, such as text 
descriptions of tables, consecutively numbered footnotes placed at the 
end of the file, and the text of agency comment letters, are provided 
but may not exactly duplicate the presentation or format of the printed 
version. The portable document format (PDF) file is an exact electronic 
replica of the printed version. We welcome your feedback. Please E-mail 
your comments regarding the contents or accessibility features of this 
document to Webmaster@gao.gov. 

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately. 

[This is a revised version of a prior report that was issued on March 
16, 2009 with an incorrect attachment]. 

Report to the Chairman, Securities and Exchange Commission: 

United States Government Accountability Office: 
GAO: 

March 2009: 

Information Security: 

Securities and Exchange Commission Needs to Consistently Implement 
Effective Controls: 

GAO-09-203: 

GAO Highlights: 

Highlights of GAO-09-203, a report to the Chairman, Securities and 
Exchange Commission. 

Why GAO Did This Study: 

In carrying out its mission to ensure that securities markets are fair, 
orderly, and efficiently maintained, the Securities and Exchange 
Commission (SEC) relies extensively on computerized systems. Effective 
information security controls are essential to ensure that SEC’s 
financial and sensitive information is protected from inadvertent or 
deliberate misuse, disclosure, or destruction. 

As part of its audit of SEC’s financial statements, GAO assessed (1) 
the status of SEC’s actions to correct previously reported information 
security weaknesses and (2) the effectiveness of SEC’s controls for 
ensuring the confidentiality, integrity, and availability of its 
information systems and information. To do this, GAO examined security 
policies and artifacts, interviewed pertinent officials, and conducted 
tests and observations of controls in operation. 

What GAO Found: 

SEC has made important progress toward correcting previously reported 
information security control weaknesses. Specifically, it has corrected 
or mitigated 18 of 34 weaknesses previously reported as unresolved at 
the time of our prior audit. For example, SEC has adequately validated 
electronic certificates from connections to its network, physically 
secured the perimeter of its operations center and put in place a 
process to monitor unusual and suspicious activities, and removed 
network system accounts and data center access rights from separating 
employees. In addition, the commission has made progress in improving 
its information security program. To illustrate, it has developed, 
documented, and implemented a policy on remedial action plans to ensure 
that deficiencies are mitigated in an effective and timely manner, and 
provided individuals with training for incident handling. Nevertheless, 
SEC has not completed actions to correct 16 previously reported 
weaknesses. For example, it did not adequately document access 
privileges granted to users of a key financial application, and did not 
always implement patches on vulnerable workstations and enterprise 
database servers. 

In addition to the 16 previously reported weakness that remain 
uncorrected, GAO identified 23 new weaknesses in controls intended to 
restrict access to data and systems, as well as weaknesses in other 
information security controls, that continue to jeopardize the 
confidentiality, integrity, and availability of SEC’s financial and 
sensitive information and information systems. The commission has not 
fully implemented effective controls to prevent, limit, or detect 
unauthorized access to computing resources. For example, it did not 
always (1) consistently enforce strong controls for identifying and 
authenticating users, (2) sufficiently restrict user access to systems 
(3) encrypt network services, (4) audit and monitor security-relevant 
events for its databases, and (5) physically protect its computer 
resources. SEC also did not consistently ensure appropriate segregation 
of incompatible duties or adequately manage the configuration of its 
financial information systems. 

A key reason for these weaknesses is that the commission has not yet 
fully implemented its information security program to ensure that 
controls are appropriately designed and operating as intended. 
Specifically, SEC has not effectively or fully implemented key program 
activities. For example, it has not (1) filled the vacancy for a senior 
agency information security officer, (2) fully reported or assessed 
risks, (3) sufficiently tested and evaluated the effectiveness of its 
information system controls, and (4) certified and accredited a key 
intermediary subsystem. Although progress has been made, significant 
and preventable information security control deficiencies create 
continuing risks of the misuse of federal assets, unauthorized 
modification or destruction of financial information, inappropriate 
disclosure of other sensitive information, and disruption of critical 
operations. 

What GAO Recommends: 

GAO recommends that SEC fully implement its information security 
program. 

In commenting on a draft of this report, SEC agreed with GAO’s 
recommendations and stated that it plans to address the identified 
weaknesses. 

To view the full product, including the scope and methodology, click on 
[hyperlink, http://www.gao.gov/products/GAO-09-203]. For more 
information, contact Gregory C. Wilshusen at (202) 512-6244 or 
wilshuseng@gao.gov, or Dr. Nabajyoti Barkakati at (202) 512-4499 or 
barkakatin@gao.gov. 

[End of section] 

Contents: 

Letter: 

Background: 

Control Weaknesses Continue to Place Financial Information at Risk: 

Conclusions: 

Recommendations for Executive Action: 

Agency Comments: 

Appendix I: Objectives, Scope, and Methodology: 

Appendix II: Comments from the Securities and Exchange Commission: 

Appendix III: GAO Contacts and Staff Acknowledgments: 

Abbreviations: 

CIO: chief information officer: 

EDGAR: Electronic Data Gathering Analysis, and Retrieval: 

FISMA: Federal Information Security Management Act: 

IT: information technology: 

NIST: National Institute of Standards and Technology: 

OMB: Office of Management and Budget: 

SEC: Securities and Exchange Commission: 

US-CERT: United States Computer Emergency Readiness Team: 

[End of section] 

United States Government Accountability Office:
Washington, DC 20548: 

March 16, 2009: 

The Honorable Mary L. Schapiro: 
Chairman: 
United States Securities and Exchange Commission: 

Dear Madam Chairman: 

As you are aware, the Securities and Exchange Commission (SEC) is 
responsible for enforcing securities laws, issuing rules and 
regulations that provide protection for investors, and helping to 
ensure that the securities markets are fair and honest. To support its 
demanding financial and mission-related responsibilities, the 
commission relies extensively on computerized systems. In order to 
protect financial and sensitive information--including personnel and 
regulatory information maintained by SEC--from inadvertent or 
deliberate misuse, fraudulent use, improper disclosure or manipulation, 
or destruction, it is essential that SEC have effective information 
security controls in place.[Footnote 1] 

As part of our audit of SEC's fiscal year 2008 financial statements, 
[Footnote 2] we assessed the effectiveness of the commission's 
information security controls over key financial systems, data, and 
networks. In our report on SEC's financial statements for fiscal years 
2008 and 2007,[Footnote 3] we concluded that weaknesses in information 
security controls constitute a significant deficiency in internal 
controls over the information systems and data used for financial 
reporting.[Footnote 4] 

In this report, we provide additional details on SEC's information 
security controls. Our specific objectives were to assess (1) the 
status of the commission's actions to correct or mitigate previously 
reported information security weaknesses and (2) the effectiveness of 
its controls for ensuring the confidentiality, integrity, and 
availability of its financial information systems and information. We 
performed our audit at SEC headquarters in Washington, D.C., and at its 
computer facilities in Alexandria and Ashburn, Virginia, from July 2008 
to March 2009 in accordance with generally accepted government auditing 
standards. Those standards require that we plan and perform the audit 
to obtain sufficient, appropriate evidence to provide a reasonable 
basis for our findings and conclusions based on our audit objectives. 
We believe that the evidence obtained provides a reasonable basis for 
our findings and conclusions based on our audit objectives. See 
appendix I for additional details on our objectives, scope, and 
methodology. 

Background: 

Information security is a critical consideration for any organization 
that depends on information systems and computer networks to carry out 
its mission or business and is especially important for government 
agencies, where maintaining the public's trust is essential. While the 
dramatic expansion in computer interconnectivity and the rapid increase 
in the use of the Internet have enabled agencies such as SEC to better 
accomplish their missions and provide information to the public, the 
changes also expose federal networks and systems to various threats. 
For example, the Federal Bureau of Investigation has identified 
multiple sources of cyber threats, including foreign nation states 
engaged in information warfare, domestic criminals, hackers and virus 
writers, and disgruntled employees working within an organization. 
Concerns about these threats are well founded for a number of reasons, 
including the dramatic increase in reports of security incidents, the 
ease of obtaining and using hacking tools, and steady advances in the 
sophistication and effectiveness of attack technology. For example, the 
number of incidents reported by federal agencies to the United States 
Computer Emergency Readiness Team (US-CERT), has increased dramatically 
over the past 3 years, increasing from 3,634 incidents reported in 
fiscal year 2005 to 13,029 incidents in fiscal year 2007 (a 259 percent 
increase).[Footnote 5] Without proper safeguards, systems are 
vulnerable to individuals and groups with malicious intent who can 
intrude and use their access to obtain or manipulate sensitive 
information, commit fraud, disrupt operations, or launch attacks 
against other computer systems and networks. 

Our previous reports and reports by federal inspectors general describe 
persistent information security weaknesses that place federal agencies 
at risk of disruption, fraud, or inappropriate disclosure of sensitive 
information. Accordingly, we have designated information security as a 
governmentwide high-risk area since 1997, a designation that remains in 
force today.[Footnote 6] Recognizing the importance of securing federal 
agencies' information systems, Congress enacted the Federal Information 
Security Management Act (FISMA) in December 2002 to strengthen the 
security of information and systems within federal agencies.[Footnote 
7] FISMA requires each agency to develop, document, and implement an 
agencywide information security program to provide information security 
for the information and systems that support the operations and assets 
of the agency, using a risk-based approach to information security 
management. 

SEC's Role as Protector of Securities Investors: 

Following the stock market crash of 1929, Congress passed the 
Securities Exchange Act of 1934, establishing SEC to enforce securities 
laws, regulate the securities markets, and protect investors.[Footnote 
8] To carry out its responsibilities and help ensure that securities 
markets are fair and honest, SEC issues rules and regulations that 
promote adequate and effective disclosure of information to the 
investing public. The commission also oversees the registration of 
other key participants in the securities industry, including stock 
exchanges, broker-dealers, clearing agencies, depositories, transfer 
agents, investment companies, and public utility holding companies. SEC 
is an independent, quasi-judicial agency that operates at the direction 
of five commissioners appointed by the President and confirmed by the 
Senate. 

In fiscal year 2008, SEC received a budget authority of $906 million 
and had a staff of 3,511 employees. In addition, the commission 
collected $569,000 in filing fees and about $434 million in penalties 
and disgorgements.[Footnote 9] 

To support its financial operations and store the sensitive information 
it collects, SEC relies extensively on computerized systems 
interconnected by local and wide-area networks. For example, to process 
and track financial transactions, such as filing fees paid by 
corporations, disgorgements and penalties from enforcement activities, 
and procurement activities, SEC relies on several enterprise database 
applications--Momentum; Phoenix; Electronic Data Gathering, Analysis, 
and Retrieval (EDGAR); and Fee Momentum--and a general support system 
network that allows users to communicate with the database 
applications. The database applications provide SEC with the following 
capabilities: 

* Momentum is used to record the commission's accounting transactions, 
to maintain its general ledger, and to maintain some of the information 
SEC uses to produce financial reports. 

* Phoenix contains and processes sensitive data relating to penalties, 
disgorgements, and restitution on proven and alleged violations of 
securities and futures laws. 

* EDGAR performs automated collection, validation, indexing, 
acceptance, and forwarding of submissions by companies and others that 
are required to file certain information with SEC. Its primary purpose 
is to increase the efficiency and fairness of the securities market for 
the benefit of investors, corporations, and the economy by accelerating 
the receipt, acceptance, dissemination, and analysis of time-sensitive 
corporate information filed with the agency. 

* The general support system is an integrated client-server system 
composed of local- and wide-area networks and is organized into 
distinct subsystems based along SEC's organizational and functional 
lines. The general support system provides services to internal and 
external customers who use them for their business applications. It 
also provides the necessary security services to support these 
applications. 

Under FISMA, the Chairman of SEC has responsibility for, among other 
things, (1) providing information security protections commensurate 
with the risk and magnitude of the harm resulting from unauthorized 
access, use, disclosure, disruption, modification, or destruction of 
the agency's information systems and information; (2) ensuring that 
senior agency officials provide information security for the 
information and information systems that support the operations and 
assets under their control; and (3) delegating to the agency chief 
information officer (CIO) the authority to ensure compliance with the 
requirements imposed on the agency. FISMA requires the CIO to designate 
a senior agency information security officer who shall carry out the 
CIO's information security responsibilities. 

SEC Has Made Important Progress Correcting Previously Reported 
Weaknesses and Improving Security: 

SEC has corrected or mitigated 18 of the 34 security control weaknesses 
that we had reported as unresolved at the time of our prior audit 
report in 2008.[Footnote 10] For example, it has: 

* adequately validated electronic certificates from connections to its 
network, 

* physically secured the perimeter of the operations center, 

* monitored unusual and suspicious activities at its operations center, 
and: 

* removed network system accounts and data center access rights from 
separating employees. 

In addition, SEC has made progress in improving its information 
security program. For example, the commission has developed, 
documented, and implemented a policy on remedial action plans to help 
ensure that deficiencies are mitigated in an effective and timely 
manner, and provided individuals with training for incident handling. 
These efforts constitute an important step toward strengthening the 
agencywide information security program mandated by FISMA. 

While SEC has made important progress in strengthening its information 
security controls, it has not completed actions to correct or mitigate 
16 of the previously reported weaknesses. For example, SEC has not 
adequately documented access privileges for the EDGAR application, 
always implemented patches on vulnerable workstations and enterprise 
database servers, or always sufficiently protected passwords. Failure 
to resolve these issues could leave sensitive data vulnerable to 
unauthorized disclosure, modification, or destruction. 

Control Weaknesses Continue to Place Financial Information at Risk: 

In addition to the 16 previously reported weakness that remain 
uncorrected, we identified 23 new weaknesses in controls intended to 
restrict access to data and systems, as well as weaknesses in other 
information security controls, that continue to jeopardize the 
confidentiality, integrity, and availability of SEC's financial and 
sensitive information and information systems. Previously reported and 
newly identified weaknesses hinder the commission's ability to perform 
vital functions and increase the risk of unauthorized disclosure, 
modification, or destruction of financial information. A key reason for 
these weaknesses was that SEC did not fully implement key activities of 
its information security program. 

SEC Did Not Sufficiently Control Access to Information Resources: 

A basic management objective for any organization is to protect the 
resources that support its critical operations and assets from 
unauthorized access. Organizations accomplish this by designing and 
implementing controls that are intended to prevent, limit, and detect 
unauthorized access to computer resources (e.g., data, programs, 
equipment, and facilities), thereby protecting them from unauthorized 
disclosure, modification, and loss. Specific access controls include 
identification and authentication, authorization, cryptography, audit 
and monitoring, and physical security. Without adequate access 
controls, unauthorized individuals, including outside intruders and 
former employees, can surreptitiously read and copy sensitive data and 
make undetected changes or deletions for malicious purposes or personal 
gain. In addition, authorized users can intentionally or 
unintentionally modify or delete data or execute changes that are 
outside of their span of authority. 

Controls for Identifying and Authenticating Users Were Not Consistently 
Enforced: 

A computer system must be able to identify and authenticate the 
identities of users so that activities on the system can be linked to 
specific individuals. When an organization assigns unique user accounts 
to specific users, the system is able to distinguish one user from 
another--a process called identification. The system must also 
establish the validity of a user's claimed identity by requesting some 
kind of information, such as a password, that is known only by the 
user--a process known as authentication. Furthermore, SEC policy 
requires the implementation of automated identification and 
authentication mechanisms that enable the unique identification of 
individual users and systems. 

SEC did not consistently enforce identification and authentication 
controls for its users and systems. For example, it did not always: 

* securely configure the snmp community string (similar to a password) 
used to monitor and manage network devices;[Footnote 11] 

* remove the default vendor account for a remote network service, which 
could allow access to the network service without the need to provide a 
password; 

* restrict multiple database administrators from sharing the same log- 
on application ID to a powerful database account; and: 

* uniquely identify individual accounts on network switches for https 
login.[Footnote 12] 

As a result, increased risk exists that users will not be uniquely 
identified before they access the SEC network, and SEC will not be able 
to hold them accountable in the event of a security incident. 

User Access to Systems Was Not Sufficiently Restricted: 

Authorization is the process of granting or denying access rights and 
privileges to a protected resource, such as a network, system, 
application, function, or file. A key component of granting or denying 
access rights is the concept of "least privilege." Least privilege is a 
basic principle for securing computer resources and data that means 
that users are granted only those access rights and permissions that 
they need to perform their official duties. To restrict legitimate 
users' access to only those programs and files that they need in order 
to do their work, organizations establish access rights and 
permissions. "User rights" are allowable actions that can be assigned 
to users or to groups of users. File and directory permissions are 
rules that are associated with a particular file or directory, 
regulating which users can access it--and the extent of that access. To 
avoid unintentionally giving users unnecessary access to sensitive 
files and directories, an organization must give careful consideration 
to its assignment of rights and permissions. In addition, SEC policy 
requires that each user or process be assigned only those privileges or 
functions needed to perform authorized tasks and that approval of such 
privileges be documented. Furthermore, SEC policy states that only 
services that are absolutely necessary are allowed to have a remote 
connection. 

SEC did not always sufficiently restrict system access and privileges 
to only those users that needed access to perform their assigned 
duties. For example, SEC did not always: 

* remove excessive user privileges on its financial systems, 

* properly document or maintain approval of user access privileges to 
the Momentum system, 

* restrict unnecessary remote access to database servers, and: 

* limit users' privileges so that users do not monopolize database 
system resources during critical times of the day. 

As a result, increased risk exists that users could gain inappropriate 
access to computer resources, circumvent security controls, and 
deliberately or inadvertently read, modify, or delete critical 
financial information. In addition, SEC's financial information may not 
be available when it is needed. 

Network Services Were Not Always Encrypted: 

Cryptography underlies many of the mechanisms used to enforce the 
confidentiality and integrity of critical and sensitive information. A 
basic element of cryptography is encryption. Encryption can be used to 
provide basic data confidentiality and integrity by transforming 
plaintext into ciphertext using a special value known as a key and a 
mathematical process known as an algorithm. The National Security 
Agency recommends encrypting network services. If encryption is not 
used, user ID and password combinations are susceptible to electronic 
eavesdropping by devices on the network when they are transmitted. 

Although SEC has implemented a network topology that employs extensive 
switching and limits eavesdropping to only the network segment 
accessible by the potential eavesdropper, it did not always ensure that 
information transmitted over the network was adequately encrypted. 
While the eavesdropping risk on the SEC network is reduced by its 
topology, nonetheless, increased risk exists that individuals could 
capture user IDs and passwords and use them to gain unauthorized access 
to network devices. 

Audit and Monitoring of Security-Relevant Events on Databases Was 
Inadequate: 

To establish individual accountability, monitor compliance with 
security policies, and investigate security violations, it is crucial 
to determine what, when, and by whom specific actions have been taken 
on a system. Organizations accomplish this by implementing system or 
security software that provides an audit trail for determining the 
source of a transaction or attempted transaction and monitoring users' 
activities. To be effective, organizations should (1) configure the 
software to collect and maintain a sufficient audit trail for security- 
relevant events; (2) generate reports that selectively identify 
unauthorized, unusual, and sensitive access activity; and (3) regularly 
monitor and take action on these reports. SEC also requires the 
enforcement of auditing and accountability by configuring information 
systems to produce, store, and retain audit records of system, 
application, network, and user activity. 

SEC did not adequately configure several database systems to enable 
auditing and monitoring of security-relevant events. For example, it 
did not configure one database to record successful log-ons or security 
violations for unauthorized modification of data, and three databases 
to safeguard log data against loss. As a result, there is increased 
likelihood that unauthorized activities or policy violations would not 
be detected. 

Weaknesses in Physical Security Controls Reduced Their Effectiveness: 

Physical security controls are important for protecting computer 
facilities and resources from espionage, sabotage, damage, and theft. 
These controls involve restricting physical access to computer 
resources, usually by limiting access to the buildings and rooms in 
which the resources are housed, and periodically reviewing access 
rights granted to ensure that access continues to be appropriate based 
on criteria established for granting it. At SEC, physical access 
control measures (such as guards, badges, and locks, used either alone 
or in combination) are vital to protecting its computing resources and 
the sensitive data it processes from external and internal threats. 

Although SEC has strengthened its physical security controls, certain 
weaknesses reduced its effectiveness in protecting and controlling 
physical access to sensitive work areas. For example, on multiple 
occasions SEC employees entered electronically secured interior spaces 
by following another employee through an open door instead of using 
their badges to obtain access. In addition, physical security standards 
have been drafted but have not been approved by management. As a 
result, increased risk exists that unauthorized individuals could gain 
access to sensitive computing resources and data and inadvertently or 
deliberately misuse or destroy them. 

Weaknesses in Other Information System Controls Increase Risk: 

Incompatible Duties and Functions Were Not Adequately Segregated: 

In addition to having access controls, an organization should have 
policies, procedures, and control techniques in place to appropriately 
segregate computer-related duties. Segregation of duties refers to the 
policies, procedures, and organizational structure that help ensure 
that one individual cannot independently control all key aspects of a 
process or computer-related operation and thereby gain unauthorized 
access to assets or records. Often segregation of incompatible duties 
is achieved by dividing responsibilities among two or more 
organizational groups. Dividing duties among two or more individuals or 
groups diminishes the likelihood that errors and wrongful acts will go 
undetected because the activities of one individual or group will serve 
as a check on the activities of another. Inadequate segregation of 
duties increases the risk that erroneous or fraudulent transactions 
could be processed, improper program changes implemented, and computer 
resources damaged or destroyed. In addition, SEC policy requires that 
each user or process be assigned only those privileges or functions 
needed to perform authorized tasks. 

SEC did not adequately segregate incompatible computer-related duties 
and functions. For example, a financial services branch chief could 
perform multiple incompatible duties such as creating, modifying, and 
deleting security organizations, roles, and security categories. At the 
same time, he could perform financial operations such as creating, 
approving, and changing invoices. These conditions existed, in part, 
because SEC lacked implementation guidelines for assigning incompatible 
duties among personnel administering its computer applications 
environment. In addition, although SEC has logically separated many of 
its networked devices, it did not always adequately separate network 
management traffic from general network traffic. As a result, general 
users could gain inappropriate access and intentionally or 
inadvertently disrupt network operations. As a consequence, increased 
risk exists that users could perform unauthorized system activities 
without detection. 

Configuration Management Controls Were Not Adequately Implemented: 

Configuration management is another important control that involves the 
identification and management of security features for all hardware and 
software components of an information system at a given point and 
systematically controls changes to that configuration during the 
system's life cycle. An effective configuration management process 
includes procedures for (1) identifying, documenting, and assigning 
unique identifiers (for example, serial number and name) to a system's 
hardware and software parts and subparts, generally referred to as 
configuration items; (2) evaluating and deciding whether to approve 
changes to a system's baseline configuration; (3) documenting and 
reporting on the status of configuration items as a system evolves; (4) 
determining alignment between the actual system and the documentation 
describing it; and (5) developing and implementing a configuration 
management plan for each system. In addition, establishing controls 
over the modification of information system components and related 
documentation helps to prevent unauthorized changes and ensure that 
only authorized systems and related program modifications are 
implemented. This is accomplished by instituting policies, procedures, 
and techniques that help make sure all hardware, software, and firmware 
programs and program modifications are properly authorized, tested, and 
approved. 

SEC has implemented several elements of a configuration management 
process. Specifically, it has documented policies and procedures for 
assigning unique identifiers and naming configuration items so that 
they can be distinguished from one another and for requesting changes 
to configuration items. SEC has also developed a change request process 
and an enterprise-level change control board to review changes. 

However, SEC has not adequately implemented key configuration 
management controls over the information system components associated 
with the upgrade to Momentum. Specifically, it did not always document, 
evaluate, or approve changes to a system's baseline. For example, it 
did not consistently document test plans; adequately document or 
approve changes to the requirements, design, and scripts; establish or 
maintain configuration baselines; or apply up-to-date patches on its 
database servers that support processing of financial data. In 
addition, SEC did not document and report on the status of 
configuration items as Momentum evolved, nor did it conduct 
configuration audits to determine the alignment between the actual 
system and the documentation describing it. 

Furthermore, SEC did not (1) develop a configuration management plan 
for Momentum, (2) assign a manager or team to conduct these activities, 
and (3) use adequate tools to implement the process. As a result, 
increased risk exists that authorized changes will not be made and 
unauthorized changes will be made to the Momentum system. 

SEC Has Not Fully Implemented Its Information Security Program: 

SEC has made important progress in implementing its information 
security program. For example, SEC has provided individuals with 
training for incident handling and developed, documented, and 
implemented a policy on remedial action plans to ensure that 
deficiencies are mitigated in an effective and timely manner. However, 
a key reason for the information security weaknesses is that it has not 
effectively or fully implemented key program activities. Until all key 
elements of its information security program are fully and consistently 
implemented, SEC will not have sufficient assurance that new weaknesses 
will not emerge and that financial information and financial assets are 
adequately safeguarded from inadvertent or deliberate misuse, 
fraudulent use, improper disclosure, or destruction. 

SEC Has Not Filled the Senior Agency Information Security Officer 
Position: 

FISMA requires the CIO to designate a senior agency information 
security officer who shall have information security duties as that 
official's primary duty and head an office with the mission and 
resources to assist in ensuring agency compliance with the provisions 
of the act. This officer will be responsible for carrying out the CIO's 
information security responsibilities, including developing and 
maintaining a departmentwide information security program, developing 
and maintaining information security policies and procedures, and 
providing training and oversight to security personnel. 

However, although SEC appointed an acting senior agency information 
security officer from April to July 2008, the position has been vacant 
for the past 8 months. According to an SEC official, a vacancy 
announcement has not yet been posted for this position. Without a 
senior security officer to provide direction for an agencywide security 
focus, SEC is at increased risk that its security program will not be 
adequate to ensure the security of its highly interconnected computer 
environment. 

SEC Did Not Fully Report Risks to Management: 

FISMA and its implementing policies require agencies to develop, 
document, and implement periodic assessments of the risk and magnitude 
of harm that could result from the unauthorized access, use, 
disclosure, disruption, modification, or destruction of information or 
information systems. The National Institute of Standards and Technology 
(NIST) also states that a risk assessment report should be presented as 
a systematic and analytical approach to assessing risk so that senior 
management will understand the risks and allocate resources to reduce 
and correct potential losses. SEC policy states that security risk 
assessment involves the identification and evaluation of IT security 
risks. This process identifies IT security-related risks to information 
and information systems, considers the probability of occurrence, and 
measures their potential impact. The SEC Office of IT Security Group is 
responsible for periodically reviewing the risk assessments to ensure 
that all aspects of risk and applicable IT security requirements have 
been adequately addressed. 

SEC did not provide full information for management oversight of risks 
associated with the Momentum application. For example, the SEC security 
testing and evaluation for Momentum identified numerous configuration 
management vulnerabilities that affect other areas such as access 
controls, separation of duties, and inappropriate administrative roles 
assigned to individuals. Several of these vulnerabilities in the 
security testing and evaluation were not reported in the risk 
assessment summary for the Momentum application for management 
attention. As a result, SEC management may not be fully aware of all 
risks or the magnitude of harm that could result from the unauthorized 
access, use, disclosure, disruption, modification, or destruction of 
information and information systems that support their operations and 
assets. 

System Security Tests Were Not Always Sufficient: 

FISMA and its implementing policies require periodic testing and 
evaluation of the effectiveness of information security policies, 
procedures, and practices performed with a frequency depending on risk, 
but no less than annually; this should include testing of management, 
operational, and technical controls for every system identified in the 
agency's required inventory of major information systems. This type of 
oversight is a fundamental element of a security program because it 
demonstrates management's commitment to the program, reminds employees 
of their roles and responsibilities, and identifies areas of 
noncompliance and ineffectiveness. Analyzing the results of security 
reviews provides security specialists and business managers with a 
means of identifying new problem areas, reassessing the appropriateness 
of existing controls, and identifying the need for new controls. FISMA 
requires that the frequency of tests and evaluations be based on risks 
and occur no less than annually.[Footnote 13] 

However, SEC did not sufficiently conduct periodic testing and 
evaluation of controls. For example, SEC did not test and evaluate the 
effectiveness of security controls for the general support system 
supporting Momentum and EDGAR in fiscal year 2008. In addition, the 
scope and depth of security testing and evaluation that were performed 
were not comprehensive and often did not identify control weaknesses. 
To illustrate, SEC did not test or assess the effectiveness of a key 
subsystem used to develop financial statements, and an independent 
contractor tested only 4 of 65 security roles in Momentum, severely 
limiting the scope of the testing.[Footnote 14] In addition, control 
tests conducted by SEC on Momentum did not identify vulnerabilities in 
the following controls: (1) configuration management, (2) separation of 
duties, (3) audit and monitoring, and (4) access controls; in contrast 
our tests identified vulnerabilities in these controls. As a result, 
there is heightened risk that SEC cannot be assured that Momentum and 
EDGAR meet requirements and perform as intended. 

A Key Intermediary Subsystem Was Not Certified and Accredited: 

According to NIST, security certification and accreditation of 
information systems and subsystems are important activities that 
support a risk management process and are an integral part of an 
agency's information security program.[Footnote 15] Security 
certification consists of conducting a security control assessment and 
developing the security documents. Security accreditation is the 
official management decision given by a senior agency official to 
authorize the operation of an information system and to explicitly 
accept the risk it may present to agency operations, agency assets, or 
individuals based on the implementation of an agreed-upon set of 
security controls. Required by Office of Management and Budget (OMB) 
Circular A-130, appendix III, security accreditation provides a form of 
quality control and challenges managers and technical staffs at all 
levels to implement the most effective security controls possible on an 
information system, given mission requirements and technical, 
operational, and cost/schedule constraints. After certification, a 
security accreditation package with security documents is provided to 
the authorizing official with the essential information for the 
official to make a credible, risk-based decision on whether to 
authorize operation of the information system. The security 
accreditation package includes the security plan, risk assessment, 
contingency plan, security assessment report, and plan of action and 
milestones. 

SEC did not certify and accredit a key intermediary subsystem that 
supports the production of its financial statements. In preparing its 
financial statements, SEC regularly used this intermediary subsystem to 
process transactions before loading the financial data into the 
Momentum application. The subsystem encompassed (1) an application tool 
to handle transactions of disgorgement data between the Phoenix and 
Momentum applications; (2) spreadsheets to record, calculate, maintain, 
and report financial transactions from various accounts; and (3) a 
third-party tool used for manipulating, sorting, and merging financial 
data. SEC did not certify or accredit the subsystem or include it as 
part of the security certification and accreditation process for 
Phoenix and Momentum. For example, the subsystem was not described in a 
security plan, risk assessment, contingency plan, security assessment 
report, or plan of action and milestone. Without certification and 
accreditation of the intermediate subsystem, possible security 
weaknesses may go undetected and management may not be alerted to 
potential vulnerabilities. 

Conclusions: 

SEC has made progress in correcting or mitigating previously reported 
weaknesses. However, information security weaknesses--both old and new-
-continue to impair the agency's ability to ensure the confidentiality, 
integrity, and availability of financial and sensitive information. 
These weaknesses represent a significant deficiency in internal 
controls over the information systems and data used for financial 
reporting. 

A key reason for these weaknesses is that the agency has not yet fully 
implemented critical elements of its agencywide information security 
program. Until SEC (1) mitigates known information security weaknesses 
in access controls and other information system controls and (2) fully 
implements a comprehensive agencywide information security program that 
includes filling the security officer position, adequately reporting 
risks, conducting effective system security tests, and certifying and 
accrediting an intermediary subsystem, its financial information will 
remain at increased risk of unauthorized disclosure, modification, or 
destruction, and its management decisions may be based on unreliable or 
inaccurate information. 

Recommendations for Executive Action: 

To assist the commission in improving the implementation of its 
agencywide information security program, we recommend that the SEC 
Chairman direct the CIO to take the following four actions: 

* designate a senior agency information security officer who will be 
responsible for managing SEC's information security program, 

* provide full information for management oversight of information 
security risks, 

* conduct comprehensive periodic testing and evaluation of the 
effectiveness of security controls for the general support system and 
key financial applications, and: 

* certify and accredit subsystems that support the production of SEC's 
financial statements. 

In a separate report designated as "Limited Official Use Only," we are 
also making 32 recommendations to enhance SEC's access controls and 
configuration management practices. 

Agency Comments: 

In providing written comments on a draft of this report, the SEC 
Chairman agreed with our recommendations and reported that the agency 
is on track to address our new findings and to complete remediation of 
prior year findings. She stated that strong internal controls are one 
of SEC's highest priorities and that it is committed to proper 
stewardship of the information entrusted to it by the public. The 
Chairman's written comments are reprinted in appendix II. 

We are sending copies of this report to the Chairmen and Ranking 
Members of the Senate Committee on Banking, Housing, and Urban Affairs; 
the Senate Committee on Homeland Security and Governmental Affairs; the 
House Committee on Financial Services; and the House Committee on 
Oversight and Government Reform. We are also sending copies to the 
Secretary of the Treasury, the Director of the Office of Management and 
Budget, and other interested parties. In addition, this report will be 
available at no charge on our Web site at [hyperlink, 
http://www.gao.gov]. 

If you have any questions about this report, please contact Gregory C. 
Wilshusen at (202) 512-6244 or Dr. Nabajyoti Barkakati at (202) 512-
4499. We can also be reached by e-mail at wilshuseng@gao.gov or 
barkakatin@gao.gov. Contacts for our offices of Congressional Relations 
and Public Affairs may be found on the last page of this report. 
Individuals who made key contributions to this report are listed in 
appendix III. 

Sincerely yours, 

Signed by: 

Gregory C. Wilshusen: 
Director, Information Security Issues: 

Signed by: 

Dr. Nabajyoti Barkakati: 
Director, Center for Technology and Engineering: 

[End of section] 

Appendix I: Objectives, Scope, and Methodology: 

The objectives of our review were (1) to determine the status of the 
Securities and Exchange Commission's (SEC) actions to correct or 
mitigate previously reported information security weaknesses and (2) to 
determine whether controls over key financial systems were effective in 
ensuring the confidentiality, integrity, and availability of financial 
and sensitive information. This review was performed for the purpose of 
supporting the opinion developed during our audit of SEC's internal 
controls over the preparation of its 2008 financial statements. 

To determine the status of SEC's actions to correct or mitigate 
previously reported information security weaknesses, we identified and 
reviewed its information security policies, procedures, practices, and 
guidance. We reviewed prior GAO reports to identify previously reported 
weaknesses and examined the commission's corrective action plans to 
determine which weaknesses it had reported were corrected. For those 
instances where SEC reported that it had completed corrective actions, 
we assessed the effectiveness of those actions by reviewing the 
appropriate documents and interviewing the appropriate officials. 

To determine whether controls over key financial systems were 
effective, we tested the effectiveness of selected information security 
controls. We concentrated our evaluation primarily on the controls for 
financial applications, enterprise database applications, and network 
infrastructure--Momentum; Phoenix; Electronic Data Gathering, Analysis, 
and Retrieval (EDGAR); Fee Momentum; and the general support system--
that directly or indirectly support the processing of material 
transactions reflected in the agency's financial statements. Our 
evaluation was based on our Federal Information System Controls Audit 
Manual, which contains guidance for reviewing information system 
controls that affect the confidentiality, integrity, and availability 
of computerized information. 

Using National Institute of Standards and Technology (NIST) standards 
and guidance and SEC's policies, procedures, practices, and standards, 
we evaluated controls by: 

* testing the complexity and expiration of password settings on 
selected servers to determine if strong password management was 
enforced; 

* analyzing users' system authorizations to determine whether users had 
more permissions than necessary to perform their assigned functions; 

* observing methods for providing secure data transmissions across the 
network to determine whether sensitive data were being encrypted; 

* observing whether system security software was logging successful 
system changes; 

* testing and observing physical access controls to determine if 
computer facilities and resources were being protected from espionage, 
sabotage, damage, and theft; 

* inspecting key servers and workstations to determine whether critical 
patches had been installed or were up to date; 

* examining access privileges to determine whether incompatible 
functions were segregated among different individuals; and: 

* observing end user activity pertaining to the process of preparing 
SEC financial statements. 

Using the requirements identified by the Federal Information Security 
Management Act (FISMA), the Office of Management and Budget (OMB), and 
NIST, we evaluated SEC's implementation of its security program by: 

* reviewing SEC's risk assessment process and risk assessments for 
three key systems that support the preparation of financial statements 
to determine whether risks and threats were documented consistent with 
federal guidance; 

* analyzing SEC's policies, procedures, practices, and standards to 
determine their effectiveness in providing guidance to personnel 
responsible for securing information and information systems; 

* analyzing security plans to determine if management, operational, and 
technical controls were in place or planned and that security plans 
were updated; 

* examining training records for personnel with significant security 
responsibilities to determine if they received training commensurate 
with those responsibilities; 

* analyzing security testing and evaluation results for three key 
systems to determine whether management, operational, and technical 
controls were tested at least annually and based on risk; 

* examining remedial action plans to determine whether they addressed 
vulnerabilities identified in security testing and evaluations; and: 

* examining contingency plans for three key systems to determine 
whether those plans had been tested or updated. 

We also discussed, with key security representatives and management 
officials, whether information security controls were in place, 
adequately designed, and operating effectively. We conducted this audit 
from July 2008 to March 2009 in accordance with generally accepted 
government auditing standards. Those standards require that we plan and 
perform the audit to obtain sufficient, appropriate evidence to provide 
a reasonable basis for our findings and conclusions based on our audit 
objectives. We believe that the evidence obtained provides a reasonable 
basis for our findings and conclusions based on our audit objectives. 

[End of section] 

Appendix II: Comments from the Securities and Exchange Commission: 

United States Securities And Exchange Commission: 
The Chairman: 
Washington, D.C. 20549: 

March 11, 2009: 

Mr. Gregory C. Wilshusen, Director: 
Information Security Issues: 
U.S. Government Accountability Office: 
441 G Street, NW: 
Washington, DC 20548: 

Dear Mr. Wilshusen: 

Thank you for the opportunity to respond to the draft report entitled 
Information Security: Securities and Exchange Commission Needs To 
Consistently Implement Effective Controls, dated March 2009. As 
required by the Accountability of Tax Dollars Act of 2002, this audit 
was conducted to ensure that the SEC's financial statements for fiscal 
2008 were reliable and to verify that SEC management maintained 
internal controls over financial reporting. Since the mission of the 
SEC' involves ensuring strong internal controls within the companies 
the agency monitors, it is imperative that we hold ourselves to high 
standards in this area. Improving our internal controls has been, and 
continues to be, one of our highest priorities. 

The report demonstrates our commitment to this effort, by documenting 
the SEC's continued progress in addressing GAO findings from previous 
audits, as well as our prompt remediation of many specific issues 
discovered during the course of this year's work. Because in previous 
years the SEC had addressed many of the more common information 
security weaknesses, auditors have increasingly focused their reviews 
on a narrower set of relatively lower-level controls. Since the 
conclusion of the audit in November 2008, we have made additional 
progress in resolving outstanding issues and further strengthening our 
information security program. In particular, we have: 

* Implemented additional processes, tools, and techniques to 
continuously monitor for vulnerabilities in our general support system 
and critical applications; 

* Improved user access reporting by monitoring user accounts and 
ensuring that separated employees do not have access to systems and 
applications; 

* Attained, for the third year, over 99 percent completion rate for 
yearly security awareness training; 

* Implemented a monitoring and notification system to track entry and 
exit from designated high security areas. 

Overall, we agree with GAO's recommendations, are on track to address 
new findings, and to complete remediation of prior year findings. 
Specifically. we will: 

* Improve authentication, authorization, and configuration management 
processes, bringing these critical functions closer to full compliance 
with existing policies; 

* Encrypt, to the maximum extent practical. data and services; 

* Better capture critical information needed for auditing and 
monitoring of security-related events; 

* Improve documentation of our physical security procedures, many of 
which were still in draft form during the audit. 

Enclosure (1) contains our response to specific audit findings 
highlighted in the draft report. Information security continues to be a 
critical priority for this agency and we will allocate our resources on 
a risk-weighted basis to address the GAO recommendations. The SEC is 
committed to providing proper stewardship over the information the 
public routinely entrusts to us. We appreciate GAO's ongoing support in 
helping us achieve these goals. 

If you have any questions relating to the SEC Management Response, 
please feel free to contact me at (202) 551-2100, or contact our Chief 
Information Officer, Charles Boucher, at (202) 551-8802. 

Sincerely, 

Signed by: 

Mary L. Schapiro: 
Chairman: 

Charles Boucher - Chief Information Officer: 

Enclosure (1): SEC Response to GAO 2009 Audit Findings 3-5-09: 

[Enclosure (1) is a restricted use Limited Official Use Only 
attachment]. 

[End of section] 

Appendix III: GAO Contacts and Staff Acknowledgments: 

GAO Contacts: 

Gregory C. Wilshusen, (202) 512-6244 or wilshuseng@gao.gov: 

Dr. Nabajyoti Barkakati, (202) 512-4499 or barkakatin@gao.gov: 

Staff Acknowledgments: 

In addition to the contacts named above, David B. Hayes and William F. 
Wadsworth (Assistant Directors), Angela M. Bell, Mark J. Canter, Kirk 
J. Daubenspeck, Patrick R. Dugan, Mickie E. Gray, Sharon S. Kitrell, 
Lee A. McCracken, Stephanie Santoso, Duc M. Ngo, Tammi L. Nguyen, Henry 
I. Sutanto, Edward R. Tekeley and Jayne L. Wilson made key 
contributions to this report. 

[End of section] 

Footnotes: 

[1] Information security controls include security management, access 
controls, configuration management, segregation of duties, and 
contingency planning. These controls are designed to ensure that there 
is a continuous cycle of activity for assessing risk, logical and 
physical access to sensitive computing resources and information is 
appropriately restricted; only authorized changes to computer programs 
are made; one individual does not control all critical stages of a 
process; and backup and recovery plans are adequate to ensure the 
continuity of essential operations. 

[2] GAO, Financial Audit: Securities and Exchange Commission's 
Financial Statements for Fiscal Years 2008 and 2007, [hyperlink, 
http://www.gao.gov/products/GAO-09-173] (Washington, D.C.: Nov. 14, 
2008). 

[3] [hyperlink, http://www.gao.gov/products/GAO-09-173]. 

[4] A significant deficiency is a control deficiency or a combination 
of control deficiencies that adversely affects the entity's ability to 
initiate, authorize, record, process, or report financial data 
reliability such that there is more than a remote likelihood that a 
more than inconsequential misstatement of SEC's financial statements 
will not be prevented or detected. 

[5] US-CERT is a partnership between the Department of Homeland 
Security and the public and private sectors. Established in 2003 to 
protect the nation's Internet infrastructure, US-CERT coordinates 
defenses against and responses to cyber attacks across the nation. 

[6] GAO, High-Risk Series: Information Management and Technology, 
[hyperlink, http://www.gao.gov/products/GAO/HR-97-9] (Washington, D.C.: 
February 1997) and High-Risk Series: An Update, GAO-09-271 (Washington, 
D.C.: January 2009). 

[7] FISMA was enacted as Title III, E-Government Act of 2002, Pub L. No 
107-347, 116 Stat. 2946 (Dec. 17, 2002). 

[8] 15 U.S.C. § 78d. 

[9] A disgorgement is the repayment of illegally gained profits (or 
avoided losses) for distribution to harmed investors whenever feasible. 

[10] [hyperlink, http://www.gao.gov/products/GAO-08-280]. 

[11] Simple Network Management Protocol (snmp) is a standard protocol 
for remote management and monitoring of network devices that uses a 
community string as a password for authentication. 

[12] Hypertext Transfer Protocol Secure (https) is a separate protocol, 
but refers to the combination of a normal HTTP interaction over an 
encrypted Secure Sockets Layer (SSL) or Transport Layer Security (TLS) 
connection. This ensures reasonable protection from eavesdroppers and 
man-in-the-middle attacks, provided that adequate cipher suites are 
used and that the server certificate is verified and trusted. 

[13] 44 U.S.C. § 3544(b) (5). 

[14] Role-based security is used to restrict access to resources to 
only those users who have been granted a particular security role. 

[15] An information system includes information resources organized for 
the collection, processing, maintenance, use, sharing, dissemination, 
and disposition of information. A subsystem is a major component of an 
information system consisting of information, information technology, 
and personnel that perform one or more specific functions. 

[End of section] 

GAO's Mission: 

The Government Accountability Office, the audit, evaluation and 
investigative arm of Congress, exists to support Congress in meeting 
its constitutional responsibilities and to help improve the performance 
and accountability of the federal government for the American people. 
GAO examines the use of public funds; evaluates federal programs and 
policies; and provides analyses, recommendations, and other assistance 
to help Congress make informed oversight, policy, and funding 
decisions. GAO's commitment to good government is reflected in its core 
values of accountability, integrity, and reliability. 

Obtaining Copies of GAO Reports and Testimony: 

The fastest and easiest way to obtain copies of GAO documents at no 
cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each 
weekday, GAO posts newly released reports, testimony, and 
correspondence on its Web site. To have GAO e-mail you a list of newly 
posted products every afternoon, go to [hyperlink, http://www.gao.gov] 
and select "E-mail Updates." 

Order by Phone: 

The price of each GAO publication reflects GAO’s actual cost of
production and distribution and depends on the number of pages in the
publication and whether the publication is printed in color or black and
white. Pricing and ordering information is posted on GAO’s Web site, 
[hyperlink, http://www.gao.gov/ordering.htm]. 

Place orders by calling (202) 512-6000, toll free (866) 801-7077, or
TDD (202) 512-2537. 

Orders may be paid for using American Express, Discover Card,
MasterCard, Visa, check, or money order. Call for additional 
information. 

To Report Fraud, Waste, and Abuse in Federal Programs: 

Contact: 

Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]: 
E-mail: fraudnet@gao.gov: 
Automated answering system: (800) 424-5454 or (202) 512-7470: 

Congressional Relations: 

Ralph Dawn, Managing Director, dawnr@gao.gov: 
(202) 512-4400: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7125: 
Washington, D.C. 20548: 

Public Affairs: 

Chuck Young, Managing Director, youngc1@gao.gov: 
(202) 512-4800: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7149: 
Washington, D.C. 20548: