Information Security: Sustained Progress Needed to Strengthen	 
Controls at the Securities and Exchange Commission (27-MAR-07,	 
GAO-07-256).							 
                                                                 
In carrying out its mission to ensure that securities markets are
fair, orderly, and efficiently maintained, the Securities and	 
Exchange Commission (SEC) relies extensively on computerized	 
systems. Integrating effective information security controls into
a layered control strategy is essential to ensure that SEC's	 
financial and sensitive information is protected from inadvertent
or deliberate misuse, disclosure, or destruction. As part of its 
audit of SEC's financial statements, GAO assessed (1) SEC's	 
actions to correct previously reported information security	 
weaknesses and (2) the effectiveness of controls for ensuring the
confidentiality, integrity, and availability of SEC's information
systems and information. To do this, GAO examined security	 
policies and artifacts, interviewed pertinent officials, and	 
conducted tests and observations of controls in operation.	 
-------------------------Indexing Terms------------------------- 
REPORTNUM:   GAO-07-256 					        
    ACCNO:   A67390						        
  TITLE:     Information Security: Sustained Progress Needed to       
Strengthen Controls at the Securities and Exchange Commission	 
     DATE:   03/27/2007 
  SUBJECT:   Computer networks					 
	     Computer security					 
	     Confidential information				 
	     Financial records					 
	     Information management				 
	     Information security				 
	     Information security management			 
	     Information systems				 
	     Information technology				 
	     Internal controls					 
	     Policy evaluation					 
	     Program evaluation 				 
	     Risk management					 
	     Securities 					 
	     Policies and procedures				 
	     Program implementation				 
	     GAO High Risk Series				 

******************************************************************
** This file contains an ASCII representation of the text of a  **
** GAO Product.                                                 **
**                                                              **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced.  Tables are included, but    **
** may not resemble those in the printed version.               **
**                                                              **
** Please see the PDF (Portable Document Format) file, when     **
** available, for a complete electronic file of the printed     **
** document's contents.                                         **
**                                                              **
******************************************************************
GAO-07-256

   

     * [1]Results in Brief
     * [2]Background

          * [3]SEC's Role as Protector of Securities Investors

     * [4]Objectives, Scope, and Methodology
     * [5]SEC Has Made Important Progress Correcting Previously Report
     * [6]Key Controls Were Not Consistently Implemented

          * [7]Access Controls

               * [8]Boundary Protection
               * [9]Identification and Authentication
               * [10]Authorization
               * [11]Physical Security

          * [12]Configuration Management
          * [13]Information Security Program Not Yet Consistently Implemente

               * [14]Policies and Procedures
               * [15]Tests and Evaluations of Control Effectiveness
               * [16]Remedial Actions

     * [17]Conclusions
     * [18]Recommendations for Executive Action
     * [19]Agency Comments
     * [20]GAO Contact
     * [21]Staff Acknowledgments
     * [22]GAO's Mission
     * [23]Obtaining Copies of GAO Reports and Testimony

          * [24]Order by Mail or Phone

     * [25]To Report Fraud, Waste, and Abuse in Federal Programs
     * [26]Congressional Relations
     * [27]Public Affairs

Report to the Chairman, Securities and Exchange Commission

United States Government Accountability Office

GAO

March 2007

INFORMATION SECURITY

Sustained Progress Needed to Strengthen Controls at the Securities and
Exchange Commission

GAO-07-256

Contents

Letter 1

Results in Brief 2
Background 3
Objectives, Scope, and Methodology 6
SEC Has Made Important Progress Correcting Previously Reported Weaknesses
8
Key Controls Were Not Consistently Implemented 9
Conclusions 15
Recommendations for Executive Action 16
Agency Comments 17
Appendix I Comments from the Securities and Exchange Commission 19
Appendix II GAO Contact and Staff Acknowledgments 21
Abbreviations

CATS Case Activity Tracking System 2000

CIO chief information officer

CISO chief information security officer

EDGAR Electronic Data Gathering, Analysis, and Retrieval system

FISCAM Federal Information System Controls Audit Manual

FISMA Federal Information Security Management Act

SEC Securities and Exchange Commission

This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed in
its entirety without further permission from GAO. However, because this
work may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this material
separately.

United States Government Accountability Office
Washington, DC 20548

March 27, 2007

The Honorable Christopher Cox
Chairman, Securities and Exchange Commission

Dear Mr. Chairman:

As you are aware, the Securities and Exchange Commission (SEC) is
responsible for enforcing securities laws, issuing rules and regulations
that provide protection for investors, and helping to maintain fair,
orderly, and efficient securities markets. To support its demanding
financial and mission-related responsibilities, the commission relies
extensively on computerized systems.

Integrating effective information security controls^1 into a layered
control strategy is essential to ensure that financial and sensitive
information--such as personnel and regulatory information maintained by
SEC--is adequately protected from inadvertent or deliberate misuse,
fraudulent use, improper disclosure, or destruction.

As part of our audit of SEC's fiscal year 2006 financial statements,^2 we
assessed the effectiveness of the commission's information security
controls over key financial systems, data, and networks. Our specific
objectives were to assess (1) the status of SEC's actions to correct or
mitigate previously reported information security weaknesses and (2) the
effectiveness of the commission's information system controls for ensuring
the confidentiality, integrity, and availability of its information
systems and information.

In our report on SEC's financial statements for fiscal years 2006 and
2005,^3 we reported that the new information security deficiencies we
identified in fiscal year 2006 and the unresolved deficiencies from prior
audits represented a reportable condition^4 in internal controls over the
commission's information systems.

^1Information security controls include access controls, configuration
management, segregation of duties, and contingency planning. These
controls are designed to ensure that access to data is appropriately
restricted, only authorized changes to computer programs are made,
computer security duties are segregated, and backup and recovery plans are
adequate to ensure the continuity of essential operations.

^2GAO, Financial Audit: Securities and Exchange Commission's Financial
Statements for Fiscal Years 2006 and 2005, [28]GAO-07-134 (Washington,
D.C.: Nov. 15, 2006).

^3 [29]GAO-07-134 .

We performed our work at SEC headquarters in Washington, D.C., and at its
computer facility in Alexandria, Virginia, from May 2006 through November
2006 in accordance with generally accepted government auditing standards.

Results in Brief

SEC has made important progress toward correcting previously reported
information security control weaknesses. Specifically, it has corrected or
mitigated 58 of the 71 weaknesses previously reported as unresolved at the
conclusion of our 2005 audit. The commission resolved all of the
previously reported weaknesses in security related activities and
contingency planning, and it made significant progress in resolving access
controls weaknesses. A key reason for its progress was that SEC's senior
management was actively engaged in implementing information security
related activities, including establishing policies and procedures for
risk management, ensuring that all users complete security training, and
developing an incident response program.

Despite this progress, SEC has not consistently implemented key controls
to effectively safeguard the confidentiality, integrity, and availability
of its financial and sensitive information and information systems. In
addition to 13 previously identified weaknesses that remain unresolved, we
identified 15 new information security weaknesses pertaining to SEC's
access controls and configuration management. For example, SEC did not
have current documentation on the privileges granted to users of a major
application, did not securely configure certain system settings, or has
not consistently installed all patches to its systems. As a result, the
commission's financial and sensitive data are at increased risk of
unauthorized disclosure, modification, or destruction.

A primary reason for these control weaknesses is that SEC had not
consistently implemented elements of its information security program.
Agency policies and procedures were not consistently implemented across
the agency. In addition, the commission did not sufficiently test and
evaluate the effectiveness of controls for a major system as required by
its certification and accreditation process. The commission also did not
take effective and timely action to correct deficiencies identified in
remedial action plans. If SEC does not continue to sustain the progress it
has made to improve its information security program, it will not have
sufficient assurance that its processes can mitigate known weaknesses and
protect sensitive information on an ongoing basis.

^4A reportable condition represents a significant design or operational
deficiency that could adversely affect an agency's ability to meet its
internal control objectives.

We are making recommendations to the SEC Chairman to assist the commission
in improving the implementation of its policies and procedures, control
tests and evaluations, and remedial action plans as part of its agencywide
information security program.

In a separate report designated "Limited Official Use Only",^5 we are also
making 18 recommendations to address actions needed to correct 15
information security weaknesses. By the conclusion of our review, SEC took
action to address 11 of the 15 new information security weaknesses.

In providing written comments on a draft of this report, the SEC Chairman
and Chief Information Officer agreed that the agency needs to maintain
momentum addressing the remaining gaps in its information security program
and stated that it is actively working to complete corrective actions for
findings that remain open and enhance its information security program by
implementing our recommendations.

Background

Information security is a critical consideration for any organization that
depends on information systems and computer networks to carry out its
mission or business; and it is especially important for government
agencies, where the public's trust is essential. The dramatic expansion in
computer interconnectivity and the rapid increase in the use of the
Internet are changing the way our government, the nation, and much of the
world communicate and conduct business. Without proper safeguards, systems
are unprotected from individuals and groups with malicious intent to
intrude and use the access to obtain sensitive information, commit fraud,
disrupt operations, or launch attacks against other computer systems and
networks. These concerns are well founded for a number of reasons,
including the dramatic increase in reports of security incidents, the ease
of obtaining and using hacking tools, the steady advance in the
sophistication and effectiveness of attack technology, and the dire
warnings of new and more destructive attacks to come.

^5GAO, Sustained Progress Needed to Strengthen Controls at the Securities
and Exchange Commission, [30]GAO-07-257SU (Washington, D.C.: Mar. 27,
2007).

Computer-supported federal operations are likewise at risk. Our previous
reports and reports by several agencies' inspectors general describe
persistent information security weaknesses that place a variety of federal
operations at risk of inappropriate disclosure, fraud, and disruption. We
have designated information security as a governmentwide high-risk area
since 1997.^6

Recognizing the importance of securing the information systems of federal
agencies, Congress enacted the Federal Information Security Management Act
(FISMA)^7 in December 2002. FISMA requires each agency to develop,
document, and implement an agencywide information security program for the
data and systems that support the operations and assets of the agency,
using a risk-based approach to information security management.
Information security program requirements to be implemented include
assessing risk; developing and implementing policies, procedures, and
security plans; providing security awareness and training; testing and
evaluating the effectiveness of controls; planning, implementing,
evaluating, and documenting remedial actions to address information
security deficiencies; detecting, reporting, and responding to security
incidents; and ensuring continuity of operations.

SEC's Role as Protector of Securities Investors

Following the stock market crash of 1929, Congress passed the Securities
Exchange Act of 1934,^8 establishing SEC to enforce securities laws,
regulate the securities markets, and protect investors. To carry out its
responsibilities and help ensure that fair, orderly, and efficient
securities markets are maintained, the commission issues rules and
regulations that promote adequate and effective disclosure of information
to the investing public. The commission also oversees and requires the
registration of other key participants in the securities industry,
including stock exchanges, broker-dealers, clearing agencies,
depositories, transfer agents, investment companies, and public utility
holding companies. SEC is an independent, quasi-judicial agency that
operates at the direction of five commissioners appointed by the President
and confirmed by the Senate.

^6GAO, High-Risk Series: Information Management and Technology,
[31]GAO/HR-97-9 (Washington, D.C.: February 1997); GAO, High-Risk Series:
An Update, [32]GAO-07-310 (Washington, D.C.: January 2007).

^7FISMA was enacted as title III, E-Government Act of 2002, Pub. L. No.
107-347, 116 Stat. 2946 (Dec. 17, 2002).

^815 U.S.C. S 78d.

In fiscal year 2006, SEC had a budget of about $888 million and staff of
3,590. Each year the commission accepts, processes, and publicly
disseminates more than 600,000 documents from companies and individuals,
including annual reports from more than 12,000 reporting companies. In
fiscal year 2006, the commission collected $499 million in filing fees and
$1.8 billion in penalties and disgorgements.^9 To support its financial
operations and store the sensitive information it collects, the commission
relies extensively on computerized systems interconnected by local and
wide area networks. To process and track financial transactions such as
filing fees paid by corporations and penalties from enforcement
activities, SEC relies on several applications--Momentum, Electronic Data
Gathering, Analysis, and Retrieval system (EDGAR), and Case Activity
Tracking System 2000 (CATS). Momentum, a commercial off-the-shelf
accounting software product, is used to record the commission's accounting
transactions, to maintain its general ledger, and to maintain the
information SEC uses to produce financial reports. EDGAR is an
Internet-based system used to collect, validate, index, and accept the
submissions of forms filed by SEC-registered companies. EDGAR transfers
this information to the general ledger nightly. The commission's Division
of Enforcement uses CATS, a modified commercial off-the-shelf database
application, to record enforcement data and create management reports.
CATS tracks enforcement-related data, including SEC-imposed fines and
penalties. In addition, the commission uses these systems to maintain
sensitive information, including filing data for corporations, and legal
information on enforcement activities.

According to FISMA, the Chairman of the SEC has responsibility for
providing information security protections commensurate with the risk and
magnitude of the harm resulting from unauthorized access, use, disclosure,
disruption, modification or destruction of the agency's information
systems and information. The Chairman of the SEC delegated authority to
the chief information officer (CIO) to be responsible for establishing and
maintaining a comprehensive information security program and governance
framework. As part of its program, the CIO is to (1) ensure that policies,
procedures, and control techniques to address all applicable information
security requirements are effectively implemented and maintained; (2) work
closely with designated authorizing officials to ensure that the SEC-wide
program is effectively implemented and managed; and (3) delegate authority
to the agency chief information security officer (CISO) to carry out
information security responsibilities and to ensure compliance with
applicable federal laws, regulations, and standards. The CISO serves as
the CIO's liaison with system owners and authorizing officials to ensure
the agency security program is effectively implemented. The CISO also
ensures certifications and accreditations are accomplished in a timely and
cost-effective manner and that there is centralized reporting of all
information security related activities.

^9A disgorgement is the repayment of illegally gained profits (or avoided
losses) for distribution to harmed investors whenever feasible.

Objectives, Scope, and Methodology

The objectives of our review were to assess (1) the status of SEC's
actions to correct or mitigate previously reported information security
weaknesses and (2) the effectiveness of the commission's information
system controls for ensuring the confidentiality, integrity, and
availability of its information systems and information. As part of our
assessment of the effectiveness of SEC's information system controls, we
also evaluated the commission's progress toward meeting the requirements
for an agencywide security program mandated by FISMA.

We conducted our review using our Federal Information System Controls
Audit Manual (FISCAM),^10 a methodology for reviewing information system
controls that affect the confidentiality, integrity, and availability of
computerized data. Specifically, we evaluated information security
controls in the following areas:

           o security management, which provides a framework and continuing
           cycle of activity for managing risk, developing security policies,
           assigning responsibilities, and monitoring the adequacy of the
           agency's computer-related controls;
           o access controls, which limit or detect access to computer
           resources (data, programs, equipment, and facilities), thereby
           protecting them against unauthorized modification, loss, and
           disclosure;
           o configuration management, which prevents unauthorized changes to
           information system resources (for example, software programs and
           hardware configurations);
           o segregation of duties, which includes policies, procedures, and
           an organizational structure to manage who can control key aspects
           of computer-related operations; and
           o contingency planning, so that when unexpected events occur,
           critical operations continue without disruption or are promptly
           resumed, and critical and sensitive data are protected.

           For our first objective, we examined supporting documentation and
           conducted tests and evaluations of corrective actions taken by the
           commission to correct weaknesses previously reported as unresolved
           at the conclusion of our 2005 audit.^11

           To evaluate the effectiveness of the commission's information
           security controls and program, we identified and examined its
           pertinent security policies, procedures, guidance, security plans,
           and relevant reports. Where federal requirements, laws, and other
           guidelines, including National Institute of Standards and
           Technology guidance, were applicable, we used these to assess the
           extent to which the commission had complied with specific
           requirements. We held discussions with key security
           representatives, system administrators, and management officials
           to determine whether information system controls were in place,
           adequately designed, and operating effectively. In addition, we
           conducted tests and observations of controls in operation using
           federal guidance, checklists and vendor best practices.
			  
			  SEC Has Made Important Progress Correcting Previously Reported
			  Weaknesses

           SEC has corrected or mitigated 58 of the 71 security control
           weaknesses previously reported as unresolved at the conclusion of
           our 2005 audit. Specifically, the commission resolved all of the
           previously reported weaknesses in security related activities and
           contingency planning, and it has made significant progress in
           resolving access control weaknesses. A key reason for SEC's
           progress was that its senior management was actively engaged in
           implementing information security related activities and
           mitigating the previously reported weaknesses.

           The commission has addressed 34 of the previously identified
           access control weaknesses. For example, SEC has

           o implemented controls to enforce strong passwords, and removed
           excessive rights granted to certain users on their Microsoft
           Windows servers and workstations;
           o established audit trails on its critical financial systems;
           o reconfigured its internal network infrastructure to be
           configured securely;
           o implemented virus protection on all of its Microsoft Windows
           servers;
           o developed and implemented procedures to review employee and
           contractor access to the data center based on SEC-established
           criteria;
           o assessed the physical security of each of its 11 field office
           locations and developed a plan to review each of the offices
           biannually; and
           o developed an incident response program that includes policies
           and procedures for handling and analyzing incidents.

           SEC has also corrected or mitigated all 18 security related
           activity weaknesses previously reported as unresolved at the
           conclusion of our 2005 audit. For example, the commission has

           o implemented a risk assessment process;
           o established a process to ensure that effective information
           system controls exist to safeguard its payroll/personnel system;
           o had 99 percent of employees and contractors complete security
           awareness training;
           o developed and documented a process to ensure background
           investigations were conducted for employees and contractors; and
           o established a process to identify and remove computer access
           rights accounts granted to separated contractors or nonpaid users
           of SEC systems.

           In addition, SEC has developed and updated its disaster recovery
           plans covering major applications. Moreover, the commission has
           tested its plans throughout the year through a series of disaster
           recovery exercises covering major applications and various
           scenarios.

           A key reason for its progress was that SEC's senior management was
           actively engaged in implementing information security related
           activities and mitigating the previously reported weaknesses. The
           Chairman has received regular briefings on agency progress in
           resolving the previously reported weaknesses, and the CIO has
           coordinated efforts with other offices involved in implementing
           information security policies and controls at the commission. An
           executive-level committee with oversight responsibility for the
           commission's internal controls was also established and has
           responsibility for approving programs and policies for internal
           control assessment and testing as well as developing policies to
           resolve internal control weaknesses.

           While SEC has made important progress in strengthening its
           information security controls and program, it has not completed
           actions to correct or mitigate 13 previously reported weaknesses.
           For example, the commission has not mitigated weaknesses in user
           account and password management, periodically reviewed software
           changes, or adequately controlled access to sensitive information.
           Failure to resolve these issues will leave the commission's
           sensitive data vulnerable to unauthorized disclosure,
           modification, or destruction.
			  
			  Key Controls Were Not Consistently Implemented

           SEC has not consistently implemented certain key controls to
           effectively safeguard the confidentiality, integrity, and
           availability of its financial and sensitive information and
           information systems. In addition to 13 previously identified
           weaknesses that remain unresolved, we identified 15 new
           information security weaknesses in access controls and
           configuration management. By the conclusion of our review, SEC had
           taken action to address 11 of the 15 new weaknesses. A primary
           reason for these control weaknesses is that SEC had not
           consistently implemented elements of its information security
           program. As a result, the commission cannot be assured that its
           controls are appropriate and working as intended and that its
           financial and sensitive data and systems are not at increased risk
           of unauthorized disclosure, modification, or destruction.
			  
			  Access Controls

           Access controls limit or detect inappropriate access to computer
           resources (data, equipment, and facilities), thereby protecting
           them from unauthorized disclosure, modification, and loss.
           Specific access controls include boundary protection,
           identification and authentication, authorization, and physical
           security. Without adequate access controls, unauthorized
           individuals, including outside intruders and former employees, can
           surreptitiously read and copy sensitive data and make undetected
           changes or deletions for malicious purposes or personal gain. In
           addition, authorized users can intentionally or unintentionally
           modify or delete data or execute changes that are outside their
           span of authority.
			  
			    Boundary Protection

           Boundary protection pertains to the protection of a logical or
           physical boundary around a set of information resources and
           implementing measures to prevent unauthorized information exchange
           across the boundary in either direction. Organizations physically
           allocate publicly accessible information system components to
           separate subnetworks with separate physical network interfaces,
           and they prevent public access into their internal networks.
           Unnecessary connectivity to an organization's network increases
           not only the number of access paths that must be managed and the
           complexity of the task, but the risk of unauthorized access in a
           shared environment. SEC policy requires that certain automated
           boundary protection mechanisms be established to control and
           monitor communications at the external boundary of the information
           system and at key internal boundaries within the system.
           Additionally, SEC policy requires that if remote access technology
           is used to connect to the network, it must be configured securely.

           The commission did not configure a remote access application to
           include required boundary protection mechanisms. For example, the
           application was configured to allow simultaneous access to the
           Internet and the internal network. This could allow an attacker
           who compromised a remote user's computer to remotely control the
           user's secure session from the Internet. In addition, SEC did not
           securely configure the systems used for remote administration of
           its key information technology resources. Consequently, a remote
           attacker could exploit these vulnerabilities to launch attacks
           against other sensitive information systems within the commission.
			  
			    Identification and Authentication

           A computer system must be able to identify and authenticate
           different users so that activities on the system can be linked to
           specific individuals. When an organization assigns unique user
           accounts to specific users, the system is able to distinguish one
           user from another--a process called identification. The system
           must also establish the validity of a user's claimed identity by
           requesting some kind of information, such as a password, that is
           known only by the user--a process known as authentication. SEC
           policy requires the implementation of automated identification and
           authentication mechanisms that enable the unique identification of
           individual users.

           The commission did not securely enforce identification and
           authentication controls on all of its information systems. For
           example, SEC did not remove default database accounts with known
           or weak passwords or ensure that these accounts had been locked.
           In addition, the commission was still unable to enforce strong
           password management on all of its systems and continued to have
           weak key-management practices for some of its secure connections.
           This increases the risk that unauthorized users could gain access
           to SEC systems and sensitive information.
			  
			    Authorization

           Authorization is the process of granting or denying access rights
           and privileges to a protected resource, such as a network, system,
           application, function, or file. A key component of granting or
           denying access rights is the concept of "least privilege." Least
           privilege is a basic principle for securing computer resources and
           data. It means that users are granted only those access rights and
           permissions that they need to perform their official duties. To
           restrict legitimate users' access to only those programs and files
           that they need in order to do their work, organizations establish
           access rights and permissions. "User rights" are allowable actions
           that can be assigned to users or to groups of users. File and
           directory permissions are rules that are associated with a
           particular file or directory, regulating which users can access
           it--and the extent of that access. To avoid unintentionally giving
           users unnecessary access to sensitive files and directories, an
           organization must give careful consideration to its assignment of
           rights and permissions. SEC policy requires that each user or
           process be assigned only those privileges needed to perform
           authorized tasks.

           SEC system administrators did not ensure that their systems
           sufficiently restricted system and database access and privileges
           to only those users and processes requiring them to perform
           authorized tasks. For example, administrators had not properly
           restricted access rights to sensitive files on some servers. Nor
           did the commission adequately restrict privileges to a system
           database. In addition, new requests or modifications for user
           access to the EDGAR system were not reviewed by its system owner;
           nor was current documentation maintained on user privileges
           granted to individuals based on their roles and divisions. The
           commission also continued to experience difficulty implementing a
           process to effectively remove network system accounts from
           separated employees and adequately controlling access to sensitive
           information. These conditions provide more opportunities for
           unauthorized individuals to escalate their privileges and make
           unauthorized changes to files.
			  
			    Physical Security
				 
           Physical security controls are important for protecting computer
           facilities and resources from espionage, sabotage, damage, and
           theft. These controls restrict physical access to computer
           resources, usually by limiting access to the buildings and rooms
           in which the resources are housed and by periodically reviewing
           the access granted in order to ensure that access continues to be
           appropriate. At SEC, physical access control measures (such as
           guards, badges, and locks--used alone or in combination) are vital
           to protecting the agency's sensitive computing resources from both
           external and internal threats. SEC policy requires that specific
           procedures be followed to protect and control physical access to
           sensitive work areas in its facilities.

           SEC procedures for protecting and controlling physical access to
           sensitive work areas were not always followed. Specifically, the
           commission had not properly implemented perimeter security at a
           key location. Guards at the location did not inspect photo
           identification and expiration dates. In addition, the commission
           did not adequately restrict physical access to its network in
           public locations. Until SEC fully addresses its physical security
           vulnerabilities, there is increased risk that unauthorized
           individuals could gain access to sensitive computing resources and
           data and inadvertently or deliberately misuse or destroy them.
			  
			  Configuration Management

           To protect an organization's information, it is important to
           ensure that only authorized applications and programs are placed
           in operation and that the applications are securely configured.
           This process, known as configuration management, consists of
           instituting policies, procedures, and techniques to help ensure
           that all programs and program modifications are properly
           authorized, tested, and approved. Specific controls for
           configuration management include policies and procedures over
           change control and patch management. Configuration management
           policies and procedures should be developed, documented, and
           implemented at the agency, system, and application levels to
           ensure an effective configuration management process. Patch
           management, including up-to-date patch installation, helps to
           mitigate vulnerabilities associated with flaws in software code,
           which could be exploited to cause significant damage. SEC policy
           requires vulnerability management of system hardware and software
           on all of its information systems.

           SEC continues to have difficulty implementing effective control
           over changes to software and other applications. For example, the
           commission lacked procedures to periodically review application
           code to ensure that only authorized changes were made to the
           production environment, did not document authorizations for
           software modifications, and did not always follow its policy of
           assigning risk classifications to application changes. As a
           result, unapproved changes to SEC production systems could be
           made.

           In addition, the commission did not ensure the application of
           timely and comprehensive patches and fixes to system software. For
           example, the commission did not consistently install critical
           patches for the operating system and third-party applications on
           its servers and end-user workstations. Failure to keep system
           patches up-to-date could allow unauthorized individuals to gain
           access to network resources or launch denial-of-service attacks
           against those resources. A malicious user can exploit these
           vulnerabilities to gain unauthorized access to network resources
           or disrupt network operations. As a result, there is increased
           risk that the integrity of these network devices and administrator
           workstations could be compromised.
			  
			  Information Security Program Not Yet Consistently Implemented

           A primary reason for these control weaknesses is that SEC had not
           consistently implemented elements of its information security
           program. The effective implementation of an information security
           program includes implementing the key elements required under
           FISMA and the establishment of a continuing cycle of
           activity--which includes assessing risk, developing and
           implementing security procedures, and monitoring the effectiveness
           of these procedures--to ensure that the elements implemented under
           the program are effective. FISMA requires agencies to develop,
           document, and implement an information security program, which
           includes the following:

           o developing and implementing policies and procedures;
           o testing and evaluating the effectiveness of controls; and
           o planning, implementing, evaluating, and documenting remedial
           actions to address information security deficiencies.
			  
			    Policies and Procedures

           A key task in developing, documenting, and implementing an
           effective information security program is to establish and
           implement risk-based policies, procedures, and technical standards
           that cover security over an agency's computing environment. If
           properly implemented, policies and procedures can help to reduce
           the risk that could come from unauthorized access or disruption of
           services. Because security policies are the primary mechanism by
           which management communicates its views and requirements, it is
           important to document and implement them.

           Although SEC has developed and documented information security
           related policies and procedures, it has not consistently
           implemented them across all systems. According to SEC policy,
           heads of office and system owners are responsible for implementing
           policies and procedures as well as reviewing and enforcing
           security for their systems. However, our analysis showed that 13
           of the 15 newly identified weaknesses were due to the inconsistent
           implementation of policies and procedures by the system owners and
           offices. Until the commission can verify that all system owners
           and offices implement agency policies and procedures, it will not
           have assurance that requirements are being followed and controls
           will work as intended.
			  
			    Tests and Evaluations of Control Effectiveness

           Testing and evaluating systems is a key element of an information
           security program that ensures that an agency is in compliance with
           policies and that the policies and controls are both appropriate
           and effective. This type of oversight is a fundamental element
           because it demonstrates management's commitment to the security
           program, reminds employees of their roles and responsibilities,
           and identifies and mitigates areas of noncompliance and
           ineffectiveness. Although control tests and evaluations may
           encourage compliance with security policies, the full benefits are
           not achieved unless the results improve the security program.
           Analyzing the results of security reviews provides security
           specialists and business managers with a means of identifying new
           problem areas, reassessing the appropriateness of existing
           controls, and identifying the need for new controls. FISMA
           requires that the frequency of tests and evaluations be based on
           risk, but occur no less than annually.

           SEC did not sufficiently test and evaluate the effectiveness of
           controls for a major system as required by its certification and
           accreditation process. When the general ledger system underwent a
           significant change, agency policy required that the system undergo
           recertification and reaccreditation, which included system testing
           and evaluation of controls. However, SEC did not complete
           recertification and reaccreditation testing of controls for the
           system. We identified three control weaknesses associated with the
           change to the general ledger system that SEC had not detected.
           Since the commission has not completed sufficient testing and
           evaluation for the general ledger system after it underwent a
           significant change, it cannot be assured that its security
           policies and controls are appropriate and working as intended.
			  
			    Remedial Actions

           Remedial action plans are a key component described in FISMA.
           These plans assist agencies in identifying, assessing,
           prioritizing, and monitoring the progress in correcting security
           weaknesses that are found in information systems. According to
           Office of Management and Budget guidance, agencies should take
           timely and effective action to correct deficiencies that they have
           identified through a variety of information sources. To accomplish
           this task, remedial action plans should be developed for each
           deficiency, and progress should be tracked for each.

           Although SEC developed remedial action plans to mitigate
           identified weaknesses in its systems and developed a mechanism to
           track the progress of actions to correct deficiencies, it did not
           consistently take effective and timely action to do so. Our
           analysis showed that 7 of the 15 new weaknesses had been
           previously identified in remedial action plans. Of the 7
           weaknesses, 4 were not effectively mitigated, although SEC noted
           that they had been closed in prior year remedial action plans.
           Another known weakness had been listed in a remedial action plan
           since April 2004. This existed in part because until recently,
           system remedial action plans did not have completion dates for all
           deficiencies. These inconsistencies exist because the commission
           did not develop, document, and implement a policy on remedial
           action plans to ensure deficiencies were mitigated in an effective
           and timely manner. As a result, SEC will have limited assurance
           that all known information security weaknesses are mitigated or
           corrected in an effective and timely manner.
			  
			  Conclusions

           Public trust is vital to the proper functioning of the securities
           markets. Because SEC relies heavily on computerized systems to
           maintain fair, orderly, and efficient securities markets, the
           security of its financial and sensitive data is paramount. While
           the commission has made important progress in addressing our
           previous information security recommendations and strengthening
           its information security program, both outstanding and newly
           identified weaknesses continue to impair SEC's ability to ensure
           the confidentiality, integrity, and availability of financial and
           other sensitive data. Accordingly, these deficiencies represent a
           reportable condition in internal controls over SEC's information
           systems.

           Sustained senior management involvement and oversight are vital
           for SEC's newly developed security program to undergo the
           continuous cycle of activity required for the effective
           development, implementation, and monitoring of policies and
           procedures. If the commission continues to have senior management
           actively engaged and continues to implement a framework and
           continuous cycle of activity, it will help ensure that outstanding
           weaknesses are mitigated or resolved and that key controls are
           consistently implemented. If progress is not sustained, SEC will
           not have sufficient assurance that its processes can mitigate
           current weaknesses and detect new weakness, and its financial and
           sensitive data will remain at risk of unauthorized disclosure,
           modification, or destruction.
			  
			  Recommendations for Executive Action

           To assist the commission in improving the implementation of its
           agencywide information security program, we recommend that the SEC
           Chairman take the following three actions:

                        1. verify that all system owners and offices
                        implement agency security policies and procedures;
                        2. complete recertification and reaccreditation
                        testing and evaluation on the general ledger system;
                        3. develop, document, and implement a policy on
                        remedial action plans to ensure deficiencies are
                        mitigated in an effective and timely manner.

           In a separate report designated "Limited Official Use Only",^12 we
           also made 18 recommendations to the SEC Chairman to address
           actions needed to correct 15 information security weaknesses.
			  
			  Agency Comments

           In providing written comments on a draft of this report, the SEC
           Chairman and Chief Information Officer agreed that the agency
           needs to maintain momentum addressing the remaining gaps in its
           information security program and stated that it is actively
           working to complete corrective actions for findings that remain
           open and enhance its information security program by implementing
           our recommendations.

           They also identified several actions the agency has completed to
           resolve known weaknesses and stated that going forward the
           commission's primary focus will be on making its information
           security program more aggressive in identifying and resolving
           issues as or before they arise, to ensure high levels of security
           compliance across the agency. Their written comments are reprinted
           in appendix I.

           This report contains recommendations to you. As you know, 31
           U.S.C. 720 requires that the head of a federal agency submit a
           written statement of the actions taken on our recommendations to
           the Senate Committee on Homeland Security and Governmental Affairs
           and to the House Committee on Oversight and Government Reform not
           later than 60 days from the date of the report and to the House
           and Senate Committees on Appropriations with the agency's first
           request for appropriations made more than 60 days after the date
           of this report. Because agency personnel serve as the primary
           source of information on the status of recommendations, GAO
           requests that the agency also provide us with a copy of your
           agency's statement of action to serve as preliminary information
           on the status of open recommendation.

           We are sending copies of this report to the Chairmen and Ranking
           Minority Members of the Senate Committee on Banking, Housing, and
           Urban Affairs; Senate Committee on Homeland Security and
           Governmental Affairs; House Committee on Financial Services; House
           Committee on Oversight and Government Reform; and SEC's Office of
           Managing Executive for Operations; Office of the Executive
           Director; Office of Financial Management; Office of Information
           Technology; and the SEC's Inspector General. We will also make
           copies available to others on request. In addition, this report
           will be available at no charge on the GAO Web site at
           http://www.gao.gov.

^10GAO, Federal Information System Controls Audit Manual, Volume
I-Financial Statement Audits,  GAO/AIMD-12.19.6 (Washington, D.C.: January
1999).

^11GAO, Information Security: Securities and Exchange Commission Needs to
Address Weak Controls over Financial and Sensitive Data, GAO-05-263SU
(Washington, D.C.: Mar. 23, 2005); GAO, Information Security: Securities
and Exchange Commission Needs to Address Weak Controls over Financial and
Sensitive Data, GAO-05-262 (Washington, D.C.: Mar. 23, 2005); GAO,
Information Security: Securities and Exchange Commission Needs to Continue
to Improve Its Program,  GAO-06-407SU (Washington, D.C.: Mar. 31, 2006);
GAO, Information Security: Securities and Exchange Commission Needs to
Continue to Improve Its Program, GAO-06-408 (Washington, D.C.: Mar. 31,
2006).

^12GAO-07-257SU.

           If you have any questions regarding this report, please contact me
           at (202) 512-6244 or by e-mail at [email protected]. Contact
           points for our Offices of Congressional Relations and Public
           Affairs may be found on the last page of this report. Key
           contributors to this report are listed in appendix II.

           Sincerely yours,

           Gregory C. Wilshusen
			  Director, Information Security Issues
			  
			  Appendix I: Comments from the Securities and Exchange Commission
			  
			  Appendix II: GAO Contact and Staff Acknowledgments
			  
			  GAO Contact

           Gregory C. Wilshusen, (202) 512-6244
			  
			  Staff Acknowledgments

           In addition to the individual named above, Charles Vrabel and Lon
           Chin, Assistant Directors; Angela Bell, Jason Carroll, Daniel
           Castro, West Coile, William Cook, Anh Dang, Kirk Daubenspeck,
           Valerie Hopkins, Henry Sutanto, Amos Tevelow, and Chris Warweg
           made key contributions to this report.
			  
			  GAOï¿½s Mission

           The Government Accountability Office, the audit, evaluation and
           investigative arm of Congress, exists to support Congress in
           meeting its constitutional responsibilities and to help improve
           the performance and accountability of the federal government for
           the American people. GAO examines the use of public funds;
           evaluates federal programs and policies; and provides analyses,
           recommendations, and other assistance to help Congress make
           informed oversight, policy, and funding decisions. GAO's
           commitment to good government is reflected in its core values of
           accountability, integrity, and reliability.
			  
			  Obtaining Copies of GAO Reports and Testimony

           The fastest and easiest way to obtain copies of GAO documents at
           no cost is through GAO's Web site ( www.gao.gov ). Each
           weekday, GAO posts newly released reports, testimony, and
           correspondence on its Web site. To have GAO e-mail you a list of
           newly posted products every afternoon, go to www.gao.gov and
           select "Subscribe to Updates."
			  
			  Order by Mail or Phone

           The first copy of each printed report is free. Additional copies
           are $2 each. A check or money order should be made out to the
           Superintendent of Documents. GAO also accepts VISA and Mastercard.
           Orders for 100 or more copies mailed to a single address are
           discounted 25 percent. Orders should be sent to:

           U.S. Government Accountability Office 441 G Street NW, Room LM
           Washington, D.C. 20548

           To order by Phone: Voice: (202) 512-6000 TDD: (202) 512-2537 Fax:
           (202) 512-6061
			  
			  To Report Fraud, Waste, and Abuse in Federal Programs

           Contact:

           Web site: www.gao.gov/fraudnet/fraudnet.htm E-mail:
           [email protected] Automated answering system: (800) 424-5454 or
           (202) 512-7470
			  
			  Congressional Relations

           Gloria Jarmon, Managing Director, [email protected] (202)
           512-4400 U.S. Government Accountability Office, 441 G Street NW,
           Room 7125 Washington, D.C. 20548
			  
			  Public Affairs

           Paul Anderson, Managing Director, [email protected] (202)
           512-4800 U.S. Government Accountability Office, 441 G Street NW,
           Room 7149 Washington, D.C. 20548

(310584)

www.gao.gov/cgi-bin/getrpt?GAO-07-256 .

To view the full product, including the scope
and methodology, click on the link above.

For more information, contact Greg Wilshusen at 202-512-6244 or
[email protected].

Highlights of [40]GAO-07-256 , a report to the Chairman, Securities and
Exchange Commission

March 2007

INFORMATION SECURITY

Sustained Progress Needed to Strengthen Controls at the Securities and
Exchange Commission

In carrying out its mission to ensure that securities markets are fair,
orderly, and efficiently maintained, the Securities and Exchange
Commission (SEC) relies extensively on computerized systems. Integrating
effective information security controls into a layered control strategy is
essential to ensure that SEC's financial and sensitive information is
protected from inadvertent or deliberate misuse, disclosure, or
destruction.

As part of its audit of SEC's financial statements, GAO assessed (1) SEC's
actions to correct previously reported information security weaknesses and
(2) the effectiveness of controls for ensuring the confidentiality,
integrity, and availability of SEC's information systems and information.
To do this, GAO examined security policies and artifacts, interviewed
pertinent officials, and conducted tests and observations of controls in
operation.

[41]What GAO Recommends

GAO recommends that the SEC Chairman improve the implementation of its
policies and procedures, control tests and evaluations, and remedial
action plans as part of its agencywide information security program.

In commenting on a draft of this report, SEC stated that it will actively
work to implement GAO's recommendations.

SEC has made important progress toward correcting previously reported
information security control weaknesses. Specifically, it has corrected or
mitigated 58 of the 71 weaknesses previously reported as unresolved at the
conclusion of GAO's 2005 audit. The commission resolved all of the
previously reported weaknesses in security related activities and
contingency planning, and made significant progress in resolving access
control weaknesses. A key reason for its progress was that SEC's senior
management was actively engaged in implementing information security
related activities.

Despite this progress, SEC has not consistently implemented certain key
controls to effectively safeguard the confidentiality, integrity, and
availability of its financial and sensitive information and information
systems. In addition to 13 previously identified weaknesses that remain
unresolved, 15 new information security weaknesses were identified. By the
conclusion of GAO's review, SEC took action to address 11 of the 15 new
weaknesses. A primary reason for these control weaknesses is that SEC had
not consistently implemented elements of its information security program.
This included inconsistent implementation of agency policies and
procedures, not sufficiently testing and evaluating the effectiveness of
controls for a major system as required by its certification and
accreditation process, and not consistently taking effective and timely
action to correct deficiencies identified in remedial action plans. Until
SEC does, it will have limited assurance that it will be able to manage
risks and protect sensitive information on an ongoing basis.

References

Visible links

  28. http://www.gao.gov/cgi-bin/getrpt?GAO-07-134
  29. http://www.gao.gov/cgi-bin/getrpt?GAO-07-134
  30. http://www.gao.gov/cgi-bin/getrpt?GAO-07-257SU
  31. http://www.gao.gov/cgi-bin/getrpt?GAO/HR-97-9
  32. http://www.gao.gov/cgi-bin/getrpt?GAO-07-310
  40. http://www.gao.gov/cgi-bin/getrpt?GAO-07-256
*** End of document. ***