Information Security: Securities and Exchange Commission Needs to
Continue to Improve Its Program (29-FEB-08, GAO-08-280).

In carrying out its mission to ensure that securities markets are
fair, orderly, and efficiently maintained, the Securities and
Exchange Commission (SEC) relies extensively on computerized
systems. Integrating effective information security controls into
a layered control strategy is essential to ensure that SEC's
financial and sensitive information are protected from
inadvertent or deliberate misuse, disclosure, or destruction. As
part of its audit of SEC's fiscal year 2007 financial statements,
GAO assessed (1) the status of SEC's actions to correct
previously reported information security weaknesses and (2) the
effectiveness of SEC's controls for ensuring the confidentiality,
integrity, and availability of its information systems and
information. To do this, GAO examined security plans, policies,
and practices; interviewed pertinent officials; and conducted
tests and observations of controls in operation.
-------------------------Indexing Terms-------------------------
REPORTNUM:   GAO-08-280
    ACCNO:   A81172
    TITLE:   Information Security: Securities and Exchange Commission
             Needs to Continue to Improve Its Program
     DATE:   02/29/2008
  SUBJECT:   Computer systems
             Information security
             Information security management
             Information systems
             Internal controls
             Securities regulation
             Stocks (securities)
             System security plans
             System vulnerabilities
             Systems analysis
             Systems evaluation
             Systems management
             Security standards
             GAO High Risk Series

GAO-08-280

   

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately. 

Report to the Chairman, Securities and Exchange Commission: 

United States Government Accountability Office: 

GAO: 

February 2008: 

Information Security: 

Securities and Exchange Commission Needs to Continue to Improve Its 
Program: 

SEC Information Security: 

GAO-08-280: 

GAO Highlights: 

Highlights of GAO-08-280, a report to the Chairman, Securities and 
Exchange Commission. 

Why GAO Did This Study: 

In carrying out its mission to ensure that securities markets are fair, 
orderly, and efficiently maintained, the Securities and Exchange 
Commission (SEC) relies extensively on computerized systems. 
Integrating effective information security controls into a layered 
control strategy is essential to ensure that SEC's financial and 
sensitive information are protected from inadvertent or deliberate 
misuse, disclosure, or destruction. 

As part of its audit of SEC's fiscal year 2007 financial statements, 
GAO assessed (1) the status of SEC's actions to correct previously 
reported information security weaknesses and (2) the effectiveness of 
SEC's controls for ensuring the confidentiality, integrity, and 
availability of its information systems and information. To do this, 
GAO examined security plans, policies, and practices; interviewed 
pertinent officials; and conducted tests and observations of controls 
in operation. 

What GAO Found: 

SEC has made important progress toward correcting previously reported 
information security control weaknesses. Specifically, it has corrected 
or mitigated 8 of 20 weaknesses previously reported as unresolved at 
the time of our prior audit. For example, SEC has documented 
authorizations for software modifications, developed a comprehensive 
program for monitoring access activities to its computer network 
environment, and tested and evaluated the effectiveness of controls for 
the general ledger system. In addition, the commission has made 
progress in improving its information security program. To illustrate, 
it has developed remedial action plans to mitigate identified 
weaknesses in its systems and developed a mechanism to track the 
progress of actions to correct deficiencies. A key reason for its 
progress is that SEC senior management has been actively engaged in 
implementing information security activities. Nevertheless, SEC has not 
completed actions to correct 12 previously reported weaknesses. For 
example, SEC workstations are susceptible to malicious code attacks and 
perimeter security is not properly implemented at its Operations 
Center. 

Significant weaknesses in controls intended to restrict access to data 
and systems, as well as in other information security controls, continue 
to threaten the confidentiality, integrity, and availability of SEC's 
financial and sensitive information and information systems. SEC has 
not consistently implemented effective controls to prevent, limit, or 
detect unauthorized access to computing resources. For example, it did 
not always (1) consistently enforce strong controls for identifying and 
authenticating users, (2) limit user access to only those individuals 
who need such access to perform their job functions, (3) encrypt 
sensitive data, (4) log and monitor security related events, (5) 
physically protect its computer resources, and (6) fully implement 
certain configuration management controls. A key reason for these 
weaknesses is that SEC has not yet fully implemented its information 
security program to ensure that controls are appropriately designed and 
operating effectively. Specifically, SEC has not effectively or fully 
implemented key program activities. For example, security plans for 
certain enterprise database applications were incomplete, information 
security training for certain key personnel was not sufficiently 
documented and monitored, security tests and evaluations of enterprise 
database applications were not comprehensive, and continuity of 
operations plans were not always complete. As a result, SEC is at 
increased risk of unauthorized access to and disclosure, modification, 
or destruction of its financial information, as well as inadvertent or 
deliberate disruption of its financial systems, operations, and 
services. 

What GAO Recommends: 

GAO recommends that the SEC Chairman take several actions to fully 
implement an agencywide information security program. 

In commenting on a draft of this report, SEC agreed with GAO's 
recommendations and plans to address the identified weaknesses. 

To view the full product, including the scope and methodology, click on 
[hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-08-280]. For more information, contact Greg 
Wilshusen at (202) 512-6244 or [email protected] or Nabajyoti 
Barkakati at (202) 512-4499 or [email protected]. 

[End of section] 

Contents: 

Letter: 

Results in Brief: 

Background: 

SEC Has Made Important Progress Correcting Previously Reported 
Weaknesses and Improving Security: 

Significant Control Deficiencies Place SEC's Internal Financial 
Information at Risk: 

Conclusions: 

Recommendations for Executive Action: 

Agency Comments: 

Appendix I: Objectives, Scope, and Methodology: 

Appendix II: Comments from the Securities and Exchange Commission: 

Appendix III: GAO Contacts and Staff Acknowledgments: 

Abbreviations: 

CIO: Chief Information Officer: 

CERT: Computer Emergency Readiness Team: 

EDGAR: Electronic Data Gathering Analysis and Retrieval: 

FISMA: Federal Information Security Management Act: 

GSS: general support system: 

IT: information technology: 

NIST: National Institute of Standards and Technology: 

OMB: Office of Management and Budget: 

PKI: public key infrastructure: 

SAM: Strategic Acquisition Manager: 

SEC: Securities and Exchange Commission: 

US-CERT: United States Computer Emergency Readiness Team: 

United States Government Accountability Office: 

Washington, DC 20548: 

February 29, 2008: 

The Honorable Christopher Cox: 
Chairman: 
Securities and Exchange Commission: 

Dear Mr. Chairman: 

As you are aware, the Securities and Exchange Commission (SEC) is 
responsible for enforcing securities laws, issuing rules and 
regulations that provide protection for investors, and helping to 
ensure that the securities markets are fair and honest. To support its 
demanding financial and mission-related responsibilities, the 
commission relies extensively on computerized systems. In order to 
protect financial and sensitive information--including personnel and 
regulatory information maintained by SEC--from inadvertent or 
deliberate misuse, fraudulent use, improper disclosure or manipulation, 
or destruction, it is essential that SEC integrate effective 
information security controls[Footnote 1] into a layered control 
strategy. 

As part of our audit of SEC's fiscal year 2007 financial 
statements,[Footnote 2] we assessed the effectiveness of the 
commission's information security controls over key financial systems, 
data, and networks. In our report on SEC's financial statements for 
fiscal years 2007 and 2006,[Footnote 3] we concluded that weaknesses in 
SEC's information security controls constitute a significant 
deficiency[Footnote 4] in internal controls over the commission's 
financial and information systems. 

In this report, we provide additional details on SEC's information 
security controls. Our specific objectives were to assess (1) the 
status of SEC's actions to correct or mitigate previously reported 
information security weaknesses and (2) the effectiveness of the 
commission's controls for ensuring the confidentiality, integrity, and 
availability of its financial information and information systems. We 
performed our work at SEC headquarters in Washington, D.C., and at its 
computer facility in Alexandria, Virginia, from July 2007 to November 
2007 in accordance with generally accepted government auditing 
standards. Those standards require that we plan and perform the audit 
to obtain sufficient, appropriate evidence to provide a reasonable 
basis for our findings and conclusions based on our audit objectives. 
We believe that the evidence obtained provides a reasonable basis for 
our findings and conclusions based on our audit objectives. See 
appendix I for additional details on our objectives, scope, and 
methodology. 

Results in Brief: 

SEC has made important progress toward correcting previously reported 
information security control weaknesses. Specifically, it has corrected 
or mitigated 8 of 20 weaknesses previously reported as unresolved at 
the time of our prior audit. For example, SEC has documented 
authorizations for software modifications, developed a comprehensive 
program for monitoring access activities to its computer network 
environment, and tested and evaluated the effectiveness of controls for 
the general ledger system. In addition, the commission has made 
progress in improving its information security program. To illustrate, 
it has developed remedial action plans to mitigate identified 
weaknesses in its systems and developed a mechanism to track the 
progress of actions to correct deficiencies. A key reason for progress 
in these areas is that SEC senior management has been actively engaged 
in implementing information security activities. Nevertheless, SEC has 
not completed actions to correct 12 previously reported weaknesses. For 
example, SEC workstations are susceptible to malicious code attacks and 
perimeter security is not properly implemented at its Operations 
Center. 

Significant deficiencies in controls intended to restrict access to 
data and systems, as well as weaknesses in other information security 
controls, continue to threaten the confidentiality, integrity, and 
availability of SEC's financial and sensitive information and 
information systems. SEC has not consistently implemented effective 
controls to prevent, limit, or detect unauthorized access to computing 
resources. For example, it did not always (1) consistently enforce 
strong controls for identifying and authenticating users, (2) limit 
user access to only those individuals who need such access to perform 
their job functions, (3) encrypt sensitive data, (4) log and monitor 
security related events, (5) physically protect its computer resources, 
and (6) fully implement certain configuration management controls. A 
key reason for these weaknesses is that SEC has not yet fully 
implemented its information security program to ensure that controls 
are appropriately designed and operating effectively. Specifically, SEC 
has not effectively or fully implemented key program activities. For 
example, security plans for certain enterprise database applications 
were incomplete, information security training for certain key 
personnel was not sufficiently documented and monitored, security tests 
and evaluations of enterprise database applications were not 
comprehensive, and continuity of operations plans were not always 
complete. As a result, SEC is at increased risk of unauthorized access 
to and disclosure, modification, or destruction of its financial 
information, as well as the inadvertent or deliberate disruption of its 
financial systems, operations, and services. 

We are making recommendations to the SEC Chairman to take several 
actions to fully implement a comprehensive, agencywide information 
security program. We are also making recommendations in a separate 
report with limited distribution. These recommendations consist of 
actions to be taken to correct the information security weaknesses 
related to access controls and configuration management practices. 

In providing written comments on a draft of this report, the SEC 
Chairman welcomed our findings as an opportunity for further 
improvement, fully agreed with GAO's recommendations, and stated that 
SEC is on track to address them in the current fiscal year. 

Background: 

Information security is a critical consideration for any organization 
that depends on information systems and computer networks to carry out 
its mission or business and is especially important for government 
agencies, where maintaining the public's trust is essential. While the 
dramatic expansion in computer interconnectivity and the rapid increase 
in the use of the Internet have enabled agencies such as SEC to better 
achieve their mission and provide information to the public, the 
changes also expose federal networks and systems to various threats. 
For example, the Federal Bureau of Investigation has identified 
multiple sources of cyber threats, including foreign nation states 
engaged in information warfare, domestic criminals, hackers, and virus 
writers, and disgruntled employees working within an organization. 
Similarly, the U.S. Secret Service and the Computer Emergency Readiness 
Team (CERT) Coordination Center[Footnote 5] conducted a study on 
insider threats and stated in a May 2005 report that "insiders pose a 
substantial threat by virtue of their knowledge of, and access to, 
employer systems and/or databases." These concerns are well-founded for 
a number of reasons, including the dramatic increase in reports of 
security incidents, the ease of obtaining and using hacking tools, and 
steady advances in the sophistication and effectiveness of attack 
technology. For example, for fiscal year 2006, the Office of Management 
and Budget (OMB) cited[Footnote 6] a total of 5,146 incidents reported 
by federal agencies to the United States Computer Emergency Readiness 
Team (US-CERT),[Footnote 7] an increase of 44 percent from the previous 
fiscal year. Without proper safeguards, systems are vulnerable to 
individuals and groups with malicious intent who can intrude and use 
their access to obtain or manipulate sensitive information, commit 
fraud, disrupt operations, or launch attacks against other computer 
systems and networks. 

Our previous reports and reports by inspectors general describe 
persistent information security weaknesses that place federal agencies 
at risk of disruption, fraud, or inappropriate disclosure of sensitive 
information. Accordingly, we have designated information security as a 
governmentwide high-risk area since 1997,[Footnote 8] a designation 
that remains in force today. Recognizing the importance of securing 
federal agencies' information systems, Congress enacted the Federal 
Information Security Management Act (FISMA) in December 2002[Footnote 
9] to strengthen the security of information and systems within federal 
agencies. FISMA requires each agency to develop, document, and 
implement an agencywide information security program to provide 
information security for the information and systems that support the 
operations and assets of the agency, using a risk-based approach to 
information security management. 

SEC's Role as Protector of Securities Investors: 

Following the stock market crash of 1929, Congress passed the 
Securities Exchange Act of 1934,[Footnote 10] establishing the SEC to 
enforce securities laws, regulate the securities markets, and protect 
investors. To carry out its responsibilities and help ensure that 
securities markets are fair and honest, SEC issues rules and 
regulations that promote adequate and effective disclosure of 
information to the investing public. The commission also oversees and 
requires the registration of other key participants in the securities 
industry, including stock exchanges, broker-dealers, clearing agencies, 
depositories, transfer agents, investment companies, and public utility 
holding companies. SEC is an independent, quasi-judicial agency that 
operates at the direction of five commissioners appointed by the 
President and confirmed by the Senate. 

In fiscal year 2007, SEC had a budget of about $882 million and a staff 
of 3,470. In fiscal year 2007, the commission collected $258 million in 
filing fees and $496 million in penalties and disgorgements.[Footnote 
11] 

To support its financial operations and store the sensitive information 
it collects, SEC relies extensively on computerized systems 
interconnected by local- and wide-area networks. For example, to process 
and track financial transactions, such as filing fees paid by 
corporations, disgorgements and penalties from enforcement activities, 
and procurement activities, SEC relies on several enterprise database 
applications--Momentum; CATS/Phoenix; Electronic Data Gathering, 
Analysis, and Retrieval (EDGAR); Strategic Acquisition Manager (SAM)-- 
and a general support system (GSS) network that allows users to 
communicate with the database applications. The database applications 
provide SEC with the following capabilities: 

* Momentum is used to record some of the commission's accounting 
transactions, to maintain its general ledger, and to maintain some of 
the information SEC uses to produce financial reports. 

* CATS/Phoenix contains and processes sensitive data relating to 
penalties, disgorgements, and restitution on proven and alleged 
violations of the securities and futures laws. 

* EDGAR performs automated collection, validation, indexing, 
acceptance, and forwarding of submissions by companies and others who 
are required to file certain information with SEC. Its primary purpose 
is to increase the efficiency and fairness of the securities market for 
the benefit of investors, corporations, and the economy by accelerating 
the receipt, acceptance, dissemination, and analysis of time-sensitive 
corporate information filed with the agency. 

* SAM is intended to automate procurement processes for the SEC 
Procurement and Contracting office. 

* The GSS is an integrated client-server system comprised of local- and 
wide-area networks and is organized into distinct subsystems based 
along SEC's organizational and functional lines. The GSS provides 
services to internal and external customers who use them for their 
business applications. It also provides the necessary security services 
to support these applications. 

According to FISMA, the Chairman of SEC has responsibility for, among 
other things, (1) providing information security protections 
commensurate with the risk and magnitude of the harm resulting from 
unauthorized access, use, disclosure, disruption, modification, or 
destruction of the agency's information systems and information; (2) 
ensuring that senior agency officials provide information security for 
the information and information systems that support the operations and 
assets under their control; and (3) delegating to the agency chief 
information officer (CIO) the authority to ensure compliance with the 
requirements imposed on the agency under FISMA. SEC's CIO is 
responsible for developing and maintaining a departmentwide information 
security program and for developing and maintaining information 
security policies, procedures, and control techniques that address all 
applicable requirements. 

SEC Has Made Important Progress Correcting Previously Reported 
Weaknesses and Improving Security: 

SEC has corrected or mitigated 8 of the 20 security control weaknesses 
that we had reported as unresolved at the time of our previous audit. 
For example, SEC has: 

* documented authorizations for software modifications, 

* developed a comprehensive program for monitoring access activities to 
its computer network environment, and 

* tested and evaluated the effectiveness of controls for the general 
ledger system. 

In addition, SEC has made progress in improving its information 
security program. For example, the commission has developed and 
documented information security related policies, including those 
responding to information security incidents, such as unauthorized 
access. SEC has also developed remedial action plans to mitigate 
identified weaknesses in its systems and developed a mechanism to track 
the progress of the actions taken to correct deficiencies. The 
commission also has tested disaster recovery plans two times a year 
through a series of disaster recovery exercises covering major 
applications and various scenarios. These efforts constitute an 
important step towards strengthening the agencywide information 
security program mandated by FISMA. 

A key reason for its progress in these areas is that SEC senior 
management has been actively engaged in mitigating the previously 
reported weaknesses. For example, the Chairman has received regular 
briefings on SEC's progress in resolving the previously reported 
weaknesses, and the CIO has coordinated efforts with other offices 
involved in implementing information security controls and practices at 
the commission. 

While SEC has made important progress in strengthening its information 
security controls, it has not completed actions to correct or mitigate 
12 previously reported weaknesses. For example, SEC has not mitigated 
weaknesses that could lead to malicious code attacks on SEC's 
workstations, has not adequately documented access privileges for the 
EDGAR application, and has not implemented an effective intrusion 
detection system. In addition, SEC has not adequately controlled access 
to its facility. Failure to resolve these issues could leave SEC's 
sensitive data vulnerable to unauthorized disclosure, modification, or 
destruction. 

Significant Control Deficiencies Place SEC's Internal Financial 
Information at Risk: 

Controls intended to restrict access to data and systems, as well as 
other information security controls, insufficiently protect the 
confidentiality, integrity, and availability of SEC financial systems 
and information. The unresolved, previously reported weaknesses and 
newly identified weaknesses could hinder SEC's ability to perform vital 
functions and increase the risk of unauthorized disclosure, 
modification, or destruction of financial information. A key reason for 
these weaknesses was that SEC did not always effectively implement key 
program activities of its information security program. 

SEC Did Not Sufficiently Control Access to Information Resources: 

A basic management objective for any organization is to protect the 
resources that support its critical operations and assets from 
unauthorized access. Organizations accomplish this objective by 
designing and implementing controls that are intended to prevent, 
limit, and detect unauthorized access to computer resources (e.g., 
data, programs, equipment, and facilities), thereby protecting them 
from unauthorized disclosure, modification, and loss. Specific access 
controls include identification and authentication, authorization, 
cryptography, audit and monitoring, and physical security. Without 
adequate access controls, unauthorized individuals, including outside 
intruders and former employees, can surreptitiously read and copy 
sensitive data and make undetected changes or deletions for malicious 
purposes or personal gain. In addition, authorized users can 
intentionally or unintentionally modify or delete data or execute 
changes that are outside of their span of authority. 

Controls for Identifying and Authenticating Users Were Not Consistently 
Enforced: 

A computer system must be able to identify and authenticate the 
identity of users so that activities on the system can be linked to 
specific individuals. When an organization assigns unique user accounts 
to specific users, the system is able to distinguish one user from 
another--a process called identification. The system must also 
establish the validity of a user's claimed identity by requesting some 
kind of information, such as a password, that is known only by the 
user--a process known as authentication. SEC policy requires the 
implementation of automated identification and authentication 
mechanisms that enable the unique identification of individual users. 

However, SEC did not consistently identify and authenticate the 
identity of users before granting them access to its enterprise 
database applications, as the following examples illustrate: 

* SEC did not always enforce strong password settings on its enterprise 
database servers, which increased the likelihood that passwords could 
be compromised. 

* Multiple individuals shared a single-user account to enter system 
information on a key SEC enterprise database application, which 
diminished SEC's capability to attribute system activity to specific 
individuals. 

* Plaintext passwords may have been accessible to unauthorized users, 
who could have used them to gain access to a key financial application. 

As a result, there was an increased risk that a malicious individual 
could gain inappropriate access to SEC database applications and data. 
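
The three findings above map onto two controls that can be shown in code: a password-strength policy applied before a password is accepted, and salted, iterated hashing so that what is stored and backed up is never the plaintext. The following Python is an added illustration, not SEC's code or anything from the report; the policy thresholds (12 characters, three of four character classes) and the PBKDF2 iteration count are assumed values chosen for the example.

```python
import hashlib
import hmac
import os
import re
from typing import Optional

# Assumed policy values for the example (not SEC's settings).
MIN_LENGTH = 12
PBKDF2_ITERATIONS = 600_000


def meets_policy(password: str) -> bool:
    """True when the password meets the assumed strength policy:
    at least MIN_LENGTH characters and three of the four character classes."""
    if len(password) < MIN_LENGTH:
        return False
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    return sum(1 for pattern in classes if re.search(pattern, password)) >= 3


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Produce the record to store instead of the plaintext:
    pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>.
    A fresh random salt per password defeats precomputed tables."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the salt and iteration count stored in the
    record and compare in constant time, so timing does not leak a prefix match."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algorithm != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    candidate = "Correct-Horse-Battery-9"
    print(meets_policy(candidate))
    stored = hash_password(candidate)
    print(stored)  # the plaintext never appears in the stored record
    print(verify_password(candidate, stored), verify_password("guess", stored))
```

A table of such records, if exposed the way the report describes plaintext passwords being exposed, yields no passwords directly and forces per-guess work; it still warrants rotation, but the exposure is no longer equivalent to handing out credentials.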

Users Were Routinely Authorized More System Access Than Needed to 
Perform Their Job Functions: 

Authorization is the process of granting or denying access rights and 
privileges to a protected resource, such as a network, system, 
application, function, or file. A key component of granting or denying 
access rights is the concept of least privilege. Least privilege is a 
basic principle for securing computer resources and data. It means that 
users are granted only those access rights and permissions that they 
need to perform their official duties. To restrict legitimate users' 
access to only those programs and files that they need in order to do 
their work, organizations establish access rights and permissions. User 
rights are allowable actions that can be assigned to users or to groups 
of users. File and directory permissions are rules that are associated 
with a particular file or directory, regulating which users can access 
it--and determining the extent of that access. To avoid unintentionally 
giving users unnecessary access to sensitive files and directories, an 
organization must give careful consideration to its assignment of 
rights and permissions. SEC policy requires that each user or process 
be assigned only those privileges needed to perform authorized tasks. 

However, SEC did not always have appropriate authorization settings in 
place on its enterprise database applications to ensure proper access 
to data. Specifically, SEC did not adequately restrict user privileges 
to the minimum access employees needed to perform their job-related 
duties on several of its enterprise databases. For example, users could 
escalate their access privileges to run a powerful database system 
account. In addition, SEC also allowed unnecessary links among 
databases that could be used to bypass security controls through remote 
connectivity to other databases. As a result, the unnecessary level of 
access granted to SEC computer resources provided opportunities for 
individuals to circumvent security controls and deliberately or 
inadvertently read, modify, or delete critical information relating to 
financial statements. 
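
The escalation path described in this section, where an ordinary account ends up able to run a powerful database account, usually hides in role-to-role grants rather than in any single direct grant, which is why a review of direct grants alone does not find it. The following Python is an added example, not code from the report or from SEC; the roles, accounts, privilege names and the set of administrator-equivalent privileges are constructed for illustration and modelled loosely on relational-database grant tables.

```python
from collections import deque

# Constructed grant tables, loosely modelled on how relational databases grant
# privileges to roles and roles to accounts; not SEC data.
ROLE_GRANTS = {
    "ap_clerk": {"SELECT ON invoices", "INSERT ON invoices"},
    "ap_supervisor": {"ap_clerk", "UPDATE ON invoices"},
    "reporting": {"SELECT ON ledger"},
    "legacy_batch": {"reporting", "dba"},   # stale grant that quietly inherits dba
    "dba": {"ALTER SYSTEM", "SELECT ANY TABLE", "CREATE DATABASE LINK"},
}
ACCOUNT_GRANTS = {
    "jsmith": {"ap_clerk"},
    "mjones": {"ap_supervisor", "reporting"},
    "batch_svc": {"legacy_batch"},
}
# Privileges treated as equivalent to the database administrator account
# (assumed list for the example; database links are included because they
# open a path to other databases).
HIGH_RISK_PRIVS = {"ALTER SYSTEM", "SELECT ANY TABLE", "CREATE DATABASE LINK"}


def effective_privileges(account):
    """Expand role-to-role grants transitively. Returns {privilege: role chain}
    where the chain is the first path by which the privilege was reached."""
    reached = {}
    seen = set()
    queue = deque((role, [role]) for role in sorted(ACCOUNT_GRANTS.get(account, ())))
    while queue:
        role, chain = queue.popleft()
        if role in seen:
            continue
        seen.add(role)
        for item in sorted(ROLE_GRANTS.get(role, ())):
            if item in ROLE_GRANTS:              # nested role: keep expanding
                queue.append((item, chain + [item]))
            else:                                # leaf privilege
                reached.setdefault(item, chain)
    return reached


def escalation_paths():
    """Accounts that reach a high-risk privilege, with the grant chain that
    explains why; this is what a direct-grant review misses."""
    findings = {}
    for account in sorted(ACCOUNT_GRANTS):
        for priv, chain in effective_privileges(account).items():
            if priv in HIGH_RISK_PRIVS:
                path = " -> ".join([account, *chain, priv])
                findings.setdefault(account, []).append(path)
    return findings


def excess_privileges(account, job_needs):
    """Effective privileges beyond what the job function requires."""
    return sorted(set(effective_privileges(account)) - set(job_needs))


if __name__ == "__main__":
    for account, paths in escalation_paths().items():
        print(account)
        for path in paths:
            print("   ", path)
    print(excess_privileges("jsmith", {"SELECT ON invoices"}))
```

Run against the constructed data, only batch_svc reaches the dba privileges, and the printed chain (legacy_batch -> dba) is the grant that a least-privilege review would remove; excess_privileges is the same computation applied against a job description rather than against a risk list.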

Sensitive Data Were Not Always Encrypted: 

Cryptography underlies many of the mechanisms used to enforce the 
confidentiality and integrity of critical and sensitive information. A 
basic element of cryptography is encryption. Encryption can be used to 
provide basic data confidentiality and integrity by transforming 
plaintext into ciphertext using a special value known as a key and a 
mathematical process known as an algorithm. A public key infrastructure 
(PKI) is a system of hardware, software, and policies that uses 
cryptographic techniques to generate and manage electronic 
certificates, which link an individual or entity to a given public 
key. These certificates are then used to verify digital signatures 
(providing authentication and data integrity) and facilitate data 
encryption (providing confidentiality). A properly designed and 
implemented PKI can also be used to ensure that a given digital 
signature is still properly linked to the individual or entity 
associated with it (providing nonrepudiation). Commonly available 
commercial Web browsers (such as Microsoft's Internet Explorer and 
America Online's Netscape Communicator) make use of the technical 
features of PKI to provide security for Web-enabled transactions. They 
invoke a standardized information exchange protocol known as secure 
sockets layer, which uses PKI-like features to provide authentication 
between a user application, such as a Web browser, and a server. The 
National Security Agency also recommends disabling protocols that do 
not encrypt information, such as user ID and password combinations, 
transmitted across the network. 

SEC did not always ensure that sensitive data was protected by 
encryption. For example, it did not adequately validate electronic 
certificates for certain connections, thereby diminishing their 
effectiveness. SEC also did not enable secure sockets layer 
communications between certain client computers and a key financial 
application's database servers. In addition, users authenticating to a 
key enterprise database application sent unencrypted passwords across 
the network, thereby increasing the likelihood that the passwords would 
be compromised. As a result, an attacker could view unencrypted data, 
such as passwords, and use them to gain unauthorized access to SEC 
network resources and view or modify messages transmitted across the 
network. 
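
The following is an added example and is not code from the GAO report 
or from any SEC system. It shows, in Python's standard ssl module, the 
client configuration that produces the first weakness above (a 
connection that is encrypted but does not validate the server's 
certificate) beside a configuration that does validate, plus a small 
audit function an assessor could run against an application's TLS 
context. Function names and the finding codes are this example's own.

```python
import socket
import ssl
from typing import List, Optional

# Added example, not from the GAO report or SEC systems. Names below are
# illustrative. LEGACY_FLOOR is the oldest protocol version the audit accepts.
LEGACY_FLOOR = ssl.TLSVersion.TLSv1_2


def weak_context() -> ssl.SSLContext:
    """Client context that accepts any certificate from any host.

    This is the pattern behind "did not adequately validate electronic
    certificates": traffic is encrypted, but an attacker positioned on the
    path can present their own certificate and read or alter everything.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE     # chain, expiry, trust anchor: all skipped
    return ctx


def hardened_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Client context requiring a valid chain to a trusted CA, a hostname
    match, and a modern protocol version.

    cafile: optional PEM bundle for an internal CA; None uses the OS store.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    ctx.minimum_version = LEGACY_FLOOR
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return finding codes for the settings an assessor would flag."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("NO_CERT_VALIDATION")   # any certificate is accepted
    if not ctx.check_hostname:
        findings.append("NO_HOSTNAME_CHECK")    # valid cert for the wrong host is accepted
    if ctx.minimum_version < LEGACY_FLOOR:
        findings.append("LEGACY_TLS_ALLOWED")   # SSLv3/TLS 1.0/1.1 negotiable
    return findings


def open_verified_connection(host: str, port: int = 443,
                             ctx: Optional[ssl.SSLContext] = None) -> ssl.SSLSocket:
    """Connect with full validation. ssl.SSLCertVerificationError (a subclass
    of ssl.SSLError) is raised if the chain or the hostname does not check out;
    callers must not catch it and proceed."""
    ctx = ctx or hardened_context()
    raw = socket.create_connection((host, port), timeout=10)
    return ctx.wrap_socket(raw, server_hostname=host)


if __name__ == "__main__":
    print("weak:", audit_context(weak_context()))
    print("hardened:", audit_context(hardened_context()))
```

The order of assignments in weak_context is deliberate: the ssl module 
refuses to set verify_mode to CERT_NONE while check_hostname is still 
True, so code that disables validation has to disable the hostname check 
first, which makes the pattern easy to grep for in a code review.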

Logging Procedures Did Not Provide Sufficient Audit Trails to Monitor 
Access Activity: 

To establish individual accountability, monitor compliance with 
security policies, and investigate security violations, it is crucial 
to determine what, when, and by whom specific actions have been taken 
on a system. Organizations accomplish this by implementing system or 
security software that provides an audit trail of needed information in 
the desired formats and locations in order to determine the source of a 
transaction or attempted transaction and to monitor users' activities. 
The way in which organizations configure system or security software 
determines the nature and extent of information that the audit trails 
can provide. SEC policy requires the enforcement of auditing and 
accountability by configuring information systems to produce, store, 
and retain audit records of system, application, network, and user 
activity. SEC also requires that audit records contain sufficient 
information to establish what events occurred, when the events 
occurred, the source of the events, and the event's outcomes. In 
addition, SEC policy states that conducting a baseline assessment of 
the network is part of the detection and analysis phase of its incident 
response process. Network baselining enables the organization to detect 
unusual traffic patterns, monitor bandwidth usage, and understand 
normal network behavior. 

However, SEC did not always provide adequate auditing and monitoring of 
enterprise databases. For example, it did not maintain complete audit 
trails of activity by users and applications in the database 
applications that were relevant to security. Key security-related 
events, such as unsuccessful log-in attempts and the use of important 
system privileges, were not logged. In addition, SEC did not conduct a 
baseline assessment of its network to enable the organization to detect 
unusual traffic patterns, monitor bandwidth usage, and understand 
normal network behavior. The lack of effective database logging and 
network baselining increased the risk that anomalous activity in SEC 
would not be effectively detected or investigated. 
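
The following is an added example, not code from the GAO report and not 
SEC's tooling. It illustrates what the two gaps above cost in practice: 
the audit records are constructed in a generic key=value format (an 
assumption; real database audit trails are vendor specific) but carry 
exactly the fields the report says records must contain (when, who, from 
where, what, outcome). On those records it runs the two detections the 
report names, failed-login bursts and use of important system 
privileges, and a minimal baseline-and-deviation check of the kind 
network baselining enables. Field names, thresholds, and the privileged 
action list are this example's own.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# Added example, not from the GAO report. Constructed sample audit trail
# (an assumption about format); one burst of failed logins, a self-grant of
# DBA, and an ALTER SYSTEM that switches auditing off are embedded in it.
SAMPLE_AUDIT_LOG = """\
2008-02-15T09:14:02Z db=FINDB user=jdoe src=10.1.4.22 action=LOGIN result=FAILURE
2008-02-15T09:14:05Z db=FINDB user=jdoe src=10.1.4.22 action=LOGIN result=FAILURE
2008-02-15T09:14:09Z db=FINDB user=jdoe src=10.1.4.22 action=LOGIN result=FAILURE
2008-02-15T09:14:12Z db=FINDB user=jdoe src=10.1.4.22 action=LOGIN result=FAILURE
2008-02-15T09:14:15Z db=FINDB user=jdoe src=10.1.4.22 action=LOGIN result=FAILURE
2008-02-15T09:14:20Z db=FINDB user=jdoe src=10.1.4.22 action=LOGIN result=SUCCESS
2008-02-15T09:15:40Z db=FINDB user=jdoe src=10.1.4.22 action=GRANT result=SUCCESS object="DBA TO jdoe"
2008-02-15T10:02:11Z db=FINDB user=asmith src=10.1.7.5 action=LOGIN result=FAILURE
2008-02-15T10:02:30Z db=FINDB user=asmith src=10.1.7.5 action=LOGIN result=SUCCESS
2008-02-15T10:03:00Z db=FINDB user=asmith src=10.1.7.5 action=SELECT result=SUCCESS object=GL_POSTINGS
2008-02-15T11:45:13Z db=FINDB user=sys src=10.1.4.22 action="ALTER SYSTEM" result=SUCCESS object="audit_trail=NONE"
"""

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Actions treated here as "important system privileges" (example list).
PRIVILEGED_ACTIONS = {"GRANT", "REVOKE", "CREATE USER", "ALTER USER", "DROP USER",
                      "ALTER SYSTEM", "AUDIT", "NOAUDIT"}


def parse_audit_log(text: str) -> List[Dict[str, object]]:
    """Parse 'timestamp key=value ...' lines into dicts with a UTC datetime."""
    events = []
    for line in text.splitlines():
        ts_str, _, rest = line.partition(" ")
        if not rest:
            continue
        rec: Dict[str, object] = {
            "ts": datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        }
        for m in KV_RE.finditer(rest):
            rec[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
        events.append(rec)
    return events


def failed_login_bursts(events, threshold: int = 5, window_seconds: int = 300):
    """Alert on (user, src) pairs with >= threshold failed logins inside a
    sliding window; one alert per burst."""
    recent: Dict[Tuple[str, str], deque] = defaultdict(deque)
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e.get("action") != "LOGIN" or e.get("result") != "FAILURE":
            continue
        key = (e["user"], e["src"])
        q = recent[key]
        q.append(e["ts"])
        while (q[-1] - q[0]).total_seconds() > window_seconds:
            q.popleft()                      # drop failures outside the window
        if len(q) >= threshold:
            alerts.append({"user": key[0], "src": key[1], "count": len(q),
                           "first": q[0], "last": q[-1]})
            q.clear()
    return alerts


def privileged_actions(events):
    """Every use of a privileged action, regardless of outcome."""
    return [e for e in events if str(e.get("action", "")).upper() in PRIVILEGED_ACTIONS]


def learn_baseline(counts: List[int]) -> Tuple[float, float]:
    """Mean and population std-dev of per-interval counts from a known-normal period."""
    return mean(counts), pstdev(counts)


def anomalous_intervals(counts: List[int], baseline: Tuple[float, float],
                        k: float = 3.0) -> List[int]:
    """Indexes of intervals more than k std-devs from the baseline; with a
    zero-variance baseline any change at all is reported."""
    mu, sigma = baseline
    if sigma == 0:
        return [i for i, c in enumerate(counts) if c != mu]
    return [i for i, c in enumerate(counts) if abs(c - mu) / sigma > k]


if __name__ == "__main__":
    evs = parse_audit_log(SAMPLE_AUDIT_LOG)
    print(failed_login_bursts(evs))
    print([(e["user"], e["action"], e.get("object")) for e in privileged_actions(evs)])
    print(anomalous_intervals([44, 210, 37], learn_baseline([40, 42, 38, 45, 41, 39, 43, 40])))
```

Note what the last sample record would look like if it were not logged: 
the ALTER SYSTEM that disables auditing is exactly the event a database 
whose privileged operations are not recorded would never show, which is 
why the report treats use of system privileges as a mandatory log event.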

Weaknesses in Physical Security Controls Reduced Their Effectiveness: 

Physical access control measures, such as guards, badges, and locks, 
are vital to protecting the agency's sensitive computing resources from 
both external and internal threats. SEC policy requires that managers 
periodically review the list of employees and contractors who have 
physical access to restricted facilities and remove the access 
privileges of individuals who no longer require access. 

However, SEC did not keep the list of personnel authorized to access 
the Operations Center current and did not promptly remove personnel who 
no longer required access. For example, the list of individuals 
authorized to enter the SEC Operations Center included 48 individuals 
who no longer worked for the commission. An SEC physical security 
official confirmed that the list was inaccurate and that the electronic 
badges for 21 of the individuals were still active and would permit 
access to the Operations Center. As a result, increased risk exists that 
unauthorized individuals could gain access to sensitive computing 
resources and data and inadvertently or deliberately misuse or destroy 
them. 
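
The following is an added example, not from the GAO report and not 
SEC's own review process. It shows the periodic review the SEC policy 
above requires as a reconciliation that can be run on a schedule: the 
facility access list is checked against the HR roster to find people 
who have separated (or who are not in the roster at all), which of 
those still hold a live badge, and which entries are overdue for review. 
The records and the 90-day review interval are constructed for the demo.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List

# Added example, not from the GAO report. Records are constructed (an
# assumption) to mirror the finding: an access list with separated staff and
# live badges, checked against HR.


@dataclass(frozen=True)
class AccessEntry:
    person_id: str
    name: str
    badge_active: bool
    last_reviewed: date


@dataclass(frozen=True)
class Person:
    person_id: str
    status: str  # "active" or "separated"


ACCESS_LIST: List[AccessEntry] = [
    AccessEntry("E100", "A. Operator", True, date(2008, 1, 10)),
    AccessEntry("E101", "B. Admin", True, date(2008, 1, 10)),
    AccessEntry("E102", "C. Former", True, date(2007, 6, 1)),    # separated, badge live
    AccessEntry("E103", "D. Former", False, date(2007, 6, 1)),   # separated, badge off
    AccessEntry("E104", "E. Former", True, date(2007, 9, 3)),    # separated, badge live
    AccessEntry("C900", "F. Vendor", True, date(2007, 3, 15)),   # unknown to HR
]

HR_ROSTER: Dict[str, Person] = {
    "E100": Person("E100", "active"),
    "E101": Person("E101", "active"),
    "E102": Person("E102", "separated"),
    "E103": Person("E103", "separated"),
    "E104": Person("E104", "separated"),
}


def stale_entries(access_list, roster):
    """Entries that should not be on the list: the person is separated, or is
    not in the roster at all (an unsponsored contractor record is treated as
    stale rather than silently trusted)."""
    return [e for e in access_list
            if e.person_id not in roster or roster[e.person_id].status != "active"]


def live_badges_for_stale_entries(access_list, roster):
    """Stale entries whose badge would still open the door: the urgent subset."""
    return [e for e in stale_entries(access_list, roster) if e.badge_active]


def overdue_reviews(access_list, today: date, max_age_days: int = 90):
    """Entries whose last periodic review is older than the policy interval."""
    cutoff = today - timedelta(days=max_age_days)
    return [e for e in access_list if e.last_reviewed < cutoff]


def reconcile(access_list=ACCESS_LIST, roster=HR_ROSTER, today=date(2008, 2, 15)):
    """Summary in the shape an assessor would compare with the finding."""
    return {
        "stale": sorted(e.person_id for e in stale_entries(access_list, roster)),
        "live_badges": sorted(e.person_id for e in live_badges_for_stale_entries(access_list, roster)),
        "overdue_review": sorted(e.person_id for e in overdue_reviews(access_list, today)),
    }


if __name__ == "__main__":
    print(reconcile())
```

The same join, run against logical accounts instead of badges, is the 
check behind the user-access reporting SEC describes in its comments.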

Other Weaknesses in Information System Controls Increased Risk: 

Configuration Management Policies Were Not Fully Implemented: 

To protect an organization's information, it is important to ensure 
that only authorized applications and programs are placed in operation. 
This process, known as configuration management, consists of 
instituting policies, procedures, and techniques to help ensure that 
all programs and program modifications are properly authorized, tested, 
and approved. Specific controls for configuration management include 
policies and procedures over change control and patch management. Patch 
management, including up-to-date patch installation, helps to mitigate 
vulnerabilities associated with flaws in software code that could be 
exploited to cause significant damage. 

SEC continues to have difficulty implementing certain configuration 
management controls. For example, SEC lacks procedures to periodically 
review application code in production to ensure that only authorized 
changes were made, and it has not implemented an effective patch 
management program. A malicious user can exploit vulnerabilities in 
unpatched applications to gain unauthorized access to network resources 
or disrupt network operations. Consequently, major enterprise database 
applications were vulnerable to code exploit attacks, and individuals 
internal to SEC could gain unauthorized access to sensitive information 
and systems, increasing the risk that the integrity of certain network 
devices and administrator workstations could be compromised. 
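
The following is an added example, not from the GAO report and not 
SEC's procedure. It shows one concrete form of the missing control, a 
periodic review of production code against an approved release: a 
manifest of SHA-256 digests is recorded when a release is approved, and 
a later check reports every file that has been modified, added, or 
removed since. The release tree, file contents, and manifest name are 
constructed for the demo.

```python
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, List

# Added example, not from the GAO report. Paths and contents are constructed.


def hash_tree(root: Path) -> Dict[str, str]:
    """Map each file under root (relative POSIX path) to its SHA-256 hex digest."""
    digests = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        h = hashlib.sha256()
        with path.open("rb") as f:
            for chunk in iter(lambda: f.read(1 << 16), b""):
                h.update(chunk)
        digests[path.relative_to(root).as_posix()] = h.hexdigest()
    return digests


def write_manifest(root: Path, manifest_path: Path) -> None:
    """Record the approved state. Keep the manifest outside root and under the
    change-control function's access controls, not the application team's,
    or an unauthorized change can simply re-approve itself."""
    manifest_path.write_text(json.dumps(hash_tree(root), indent=2, sort_keys=True))


def verify_tree(root: Path, manifest_path: Path) -> Dict[str, List[str]]:
    """Compare what is in production now with the approved manifest."""
    approved = json.loads(manifest_path.read_text())
    current = hash_tree(root)
    return {
        "modified": sorted(p for p in approved if p in current and current[p] != approved[p]),
        "added": sorted(p for p in current if p not in approved),
        "removed": sorted(p for p in approved if p not in current),
    }


def demo() -> Dict[str, List[str]]:
    """Approve a small release, then simulate the three kinds of unauthorized
    change and return what the check reports."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "prod"
        (root / "app").mkdir(parents=True)
        (root / "app" / "ledger.py").write_text("def post(entry): ...\n")
        (root / "app" / "report.py").write_text("def close_period(): ...\n")
        (root / "app" / "approved_patch.sql").write_text("ALTER TABLE gl ADD COLUMN memo TEXT;\n")
        manifest = Path(tmp) / "release-2008.02.json"
        write_manifest(root, manifest)

        # Changes made directly in production, outside change control:
        (root / "app" / "ledger.py").write_text("def post(entry): ...  # edited in place\n")
        (root / "app" / "untracked_hotfix.py").write_text("pass\n")
        (root / "app" / "approved_patch.sql").unlink()
        return verify_tree(root, manifest)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A digest comparison answers "did anything change"; it does not answer 
"was the change authorized". The second question is closed by matching 
each reported path to an approved change record, which is the procedure 
the report says SEC lacked.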

SEC Has Not Fully Implemented Its Information Security Program: 

Although SEC has made important progress in implementing its 
information security program, a key reason for these weaknesses is that 
SEC has not effectively or fully implemented key program activities. 
The commission requires its components to implement information 
security program activities in accordance with FISMA requirements, OMB 
policies, and applicable National Institute of Standards and Technology 
(NIST) guidance. Among other things, FISMA requires agencies to 
develop, document, and implement: 

* periodic assessments of the risk and magnitude of harm that could 
result from the unauthorized access, use, disclosure, disruption, 
modification, or destruction of information or information systems; 

* plans for providing adequate information security for networks, 
facilities, and systems; 

* security awareness training to inform personnel of information 
security risks and of their responsibilities in complying with agency 
policies and procedures, as well as training personnel with significant 
security responsibilities for information security; 

* periodic testing and evaluation of the effectiveness of information 
security policies, procedures, and practices performed with a frequency 
depending on risk, but no less than annually, that includes testing of 
management, operational, and technical controls for every system 
identified in the agency's required inventory of major information 
systems; 

* a process for planning, implementing, evaluating, and documenting 
remedial actions to address any deficiencies in information security 
policies, procedures, and practices of the agency;[Footnote 12] 

* procedures for detecting, reporting, and responding to security 
incidents; and 

* plans and procedures to ensure continuity of operations for 
information systems that support the operations and assets of the 
agency. 

SEC has taken several actions to implement elements of its information 
security program. For example, SEC has: 

* implemented a risk assessment process that identified possible 
threats and vulnerabilities to its systems and information, and the 
controls needed to mitigate potential vulnerabilities; 

* implemented a test and evaluation process to assess the effectiveness 
of information security policies, procedures, and practices; 

* ensured that vulnerabilities identified during its tests and 
evaluations are addressed in its remedial action plans and risk 
assessments; 

* developed an incident response policy and has deployed personnel, 
procedures, and tools for managing its audit logs and incident response 
process; and 

* subjected its GSS network and major applications to disaster recovery 
testing twice a year. 

However, SEC has not yet fully or consistently implemented key elements 
of its information security program. For example, security plans for 
certain enterprise database applications were incomplete, information 
security training for key personnel was not sufficiently documented and 
monitored, security tests and evaluations of enterprise database 
applications were not comprehensive, and continuity of operations plans 
were not always complete. Until all key elements of its information 
security program are fully and consistently implemented, SEC will not 
have sufficient assurance that new weaknesses will not emerge and that 
financial information and financial assets are adequately safeguarded 
from inadvertent or deliberate misuse, fraudulent use, improper 
disclosure, or destruction. 

Security Plans Did Not Adequately Document System Interconnections and 
Other Key Information: 

The purpose of an information system security plan is to provide an 
overview of the security requirements of the system and to describe the 
controls that are in place or planned for meeting those requirements. 
According to NIST guidance, security plans should document all 
interconnected systems and describe the interaction among systems with 
regard to the authorization for the connection to other systems or the 
sharing of information. System interconnections, if not appropriately 
protected, may compromise connected systems and the data they store, 
process, or transmit. SEC policy states that security protections for 
interconnected systems should include documented agreement of all 
interconnected information systems between SEC's systems and systems 
owned or operated by other government agencies or contractors. The 
owners and managers for both of the interconnected systems approve and 
sign the agreement. In addition, system security plans should also 
cover the security categories, objectives, and impact levels, which 
drive requirements for the system's security controls. 

However, the Momentum and GSS security plans were incomplete because 
they did not document system interconnection and information sharing 
agreements with other systems. The Momentum security plan also did not 
define system boundaries, identify common security controls, and 
provide up-to-date information that reflects changes and 
vulnerabilities discovered based on the application's risk assessment 
and security evaluations. Without complete security plans, SEC cannot 
ensure that appropriate controls are in place to protect its systems 
and critical information. Moreover, without current and complete 
documentation on the interconnection of systems supporting SEC, 
unintended access may be granted to connecting parties, and the 
heightened risk of compromise increases for connected systems and the 
data they store, process, or transmit. 

Training for Employees with Significant Security Responsibilities Was 
Not Adequately Documented and Monitored: 

Another important element of an information security program involves 
promoting awareness and providing required training so that users 
understand the system security risks and their role in implementing 
related policies and controls to mitigate those risks. FISMA mandates 
that all federal employees and contractors who use agency information 
systems be provided with information security awareness training. 
Further, FISMA requires agency chief information officers to ensure 
that personnel with significant information security responsibilities 
receive specialized training.[Footnote 13] In addition, NIST Special 
Publication 800-53 states that organizations must document and monitor 
individual information system security training activities, including 
basic security awareness training and specific information system 
security training. 

SEC established an information security awareness program for its 
employees and contractors. This program includes distributing security 
awareness bulletins and brochures and creating information security 
poster boards. In addition, SEC developed specialized security training 
for database, system, and network administrators. However, SEC did not 
document and monitor specific information system security training 
activities for its incident handling team. Specifically, SEC did not 
document and monitor required specialized training that incident 
handling personnel received. While SEC maintained some records of 
employee training certifications, SEC officials stated that they did 
not monitor whether personnel required to take the specific training 
sessions actually completed that training. As a result, SEC has limited 
assurance that incident responders are receiving the instruction they 
need in order to respond more effectively to security incidents. 

Although Controls Were Tested and Evaluated, Tests Were Not Always 
Comprehensive: 

A key element of an information security program is the periodic 
testing and evaluation of controls to ensure that they are in 
compliance with security policies, are effective, and are operating as 
intended. This type of oversight is a fundamental element because it 
demonstrates management's commitment to the security program, reminds 
employees of their roles and responsibilities, and identifies areas of 
noncompliance and ineffectiveness. Although control tests and 
evaluations may encourage compliance with security policies, the full 
benefits are not achieved unless the results improve the security 
program. Analyzing the results of security reviews provides security 
specialists and business managers with a means of identifying new 
problem areas, reassessing the appropriateness of existing controls, 
and identifying the need for new controls. FISMA requires that the 
frequency of tests and evaluations be based on risks, and occur no less 
than annually.[Footnote 14] Furthermore, SEC requires all systems to 
undergo an annual self-assessment by testing controls identified in 
NIST guidance. 

However, SEC had not completed the annual testing of security controls 
for its general ledger application and GSS. Without comprehensive tests 
and evaluations, the commission cannot be assured that employees and 
contractors are complying with established policies or that policies 
and controls are appropriate and working as intended. 

Continuity of Operations Planning Was Not Always Complete: 

Continuity of operations planning, which includes developing and 
testing contingency plans and disaster recovery plans, should be 
performed to ensure that when unexpected events occur, essential 
operations continue without interruption or can be promptly resumed, 
and critical and sensitive data are protected. NIST guidance states 
that organizations should develop and implement a contingency plan that 
addresses contingency roles and responsibilities and describes 
activities associated with backing up and restoring the system after a 
disruption or failure. 

Although SEC tested the contingency plan for its GSS and its major 
applications, it did not adequately back up critical accounting data 
files on key workstations. For example, agency personnel performed 
substantial workstation-based accounting procedures during closing 
processes and financial statement preparation on spreadsheets 
maintained on local drives that were not backed up. In addition, the 
disaster recovery plan for a mission-critical application did not 
contain key information. For example, essential personnel contact 
information, recovery time objectives, and test scripts were missing 
from the Phoenix disaster recovery plan. Without measures to back up 
important data stored on workstation drives and to maintain up-to-date 
information in the application's disaster recovery plan, there is an 
increased risk that SEC will not be able to effectively recover and 
continue operations when an emergency occurs. 

Conclusions: 

SEC has made progress in correcting or mitigating previously reported 
weaknesses, implementing controls over key financial systems, and 
developing and documenting a framework for its agencywide information 
security program. However, information security weaknesses--both old 
and new--continue to impair the commission's ability to ensure the 
confidentiality, integrity, and availability of financial and sensitive 
information. A key reason for these weaknesses is that the agency has 
not yet fully implemented critical elements of its agencywide 
information security program. Until SEC (1) mitigates known information 
security weaknesses in access controls and other information system 
controls and (2) fully implements a comprehensive agencywide 
information security program that includes complete security plans, 
appropriate specialized training, comprehensive tests and evaluations, 
and a complete continuity of operations process, its financial 
information will remain at increased risk of unauthorized disclosure, 
modification, or destruction, and its management decisions may be based 
on unreliable or inaccurate information. 

Recommendations for Executive Action: 

To assist the commission in improving the implementation of its 
agencywide information security program, we recommend that the SEC 
Chairman take the following four actions: 

1. Ensure that security plans are complete and that the plans (a) 
document system interconnection and information sharing agreements with 
other systems, (b) define system boundaries, (c) identify common 
security controls, and (d) provide up-to-date information that reflects 
changes and vulnerabilities discovered based on the applications' risk 
assessment and security evaluations. 

2. Document and monitor individual specific information system security 
training activities for the incident handling team. 

3. Complete the annual testing of security controls for the general 
ledger application and general support system. 

4. Adequately back up critical data files on key workstations used for 
storing large accounting data files and ensure that mission-critical 
application contingency plans contain key information. 

In a separate report designated "Limited Official Use Only," we are 
also making 26 recommendations to enhance SEC's access controls and 
configuration management practices. 

Agency Comments: 

In providing written comments on a draft of this report, the SEC 
Chairman welcomed our findings as an opportunity for further 
improvement, fully agreed with GAO's recommendations, and stated that 
SEC is on track to address them in the current fiscal year. The SEC 
Chairman also reported several actions that the agency has completed in 
resolving outstanding issues and stated that information security 
continues to be a critical priority for the agency, as it is committed 
to proper stewardship of the sensitive information entrusted by the 
public. The Chairman's written comments are reprinted in appendix II. 

We are sending copies of this report to the Chairmen and Ranking 
Members of the Senate Committee on Banking, Housing, and Urban Affairs; 
the Senate Committee on Homeland Security and Governmental Affairs; the 
House Committee on Financial Services; and the House Committee on 
Oversight and Government Reform. We are also sending this report to 
other interested congressional committees, the Director of the Office 
of Management and Budget, and other interested parties. We will also 
make copies available to others upon request. In addition, this report 
will be available at no charge on the GAO Web site at [hyperlink, 
http://www.gao.gov]. 

If you have any questions about this report, please contact Gregory C. 
Wilshusen at (202) 512-6244 or Dr. Nabajyoti Barkakati at (202) 512-
4499. We can also be reached by e-mail at [email protected] or 
[email protected]. Contact points for our Offices of Congressional 
Relations and Public Affairs may be found on the last page of this 
report. GAO staff who made major contributions to this report are 
listed in appendix III. 

Sincerely yours, 

Signed by: 

Gregory C. Wilshusen: 

Director, Information Security Issues: 

Signed by: 

Dr. Nabajyoti Barkakati: 

Acting Chief Technologist: 

[End of section] 

Appendix I: Objectives, Scope, and Methodology: 

The objectives of our review were (1) to determine the status of the 
Securities and Exchange Commission's (SEC) actions to correct or 
mitigate previously reported information security weaknesses and (2) to 
determine whether controls over key financial systems were effective in 
ensuring the confidentiality, integrity, and availability of financial 
and sensitive information. This review was performed to support our 
opinion developed during the audit of SEC's internal controls over the 
preparation of financial statements. 

To determine the status of SEC's actions to correct or mitigate 
previously reported information security weaknesses, we identified and 
reviewed its information security policies, procedures, practices, and 
guidance. We reviewed prior GAO reports to identify previously reported 
weaknesses and examined SEC's corrective action plans to determine 
which weaknesses were corrected, as SEC had reported. For those 
instances where SEC reported it had completed corrective actions, we 
assessed the effectiveness of those actions. 

To determine whether controls over key financial systems were 
effective, we tested the effectiveness of information security 
controls. We concentrated our evaluation primarily on the controls for 
financial applications, enterprise database applications, and network 
infrastructure--Momentum; CATS/Phoenix; Electronic Data Gathering, 
Analysis, and Retrieval (EDGAR); the Strategic Acquisition Manager; and 
the general support system (GSS) network--that directly or indirectly 
support the processing of material transactions reflected in the 
agency's financial statements. Our evaluation was based on our Federal 
Information System Controls Audit Manual, which contains guidance for 
reviewing information system controls that affect the confidentiality, 
integrity, and availability of computerized information. 

Using National Institute of Standards and Technology (NIST) standards 
and guidance, and SEC's policies, procedures, practices, and standards, 
we evaluated controls by: 

* testing the complexity and expiration of password settings on servers 
to determine if strong password management was enforced; 

* analyzing users' system authorizations to determine whether they had 
more permissions than necessary to perform their assigned functions; 

* observing methods for providing secure data transmissions across the 
network to determine whether sensitive data was being encrypted; 

* observing whether system security software was logging successful 
system changes; 

* testing and observing physical access controls to determine if 
computer facilities and resources were being protected from espionage, 
sabotage, damage, and theft; 

* inspecting key servers and workstations to determine whether critical 
patches had been installed or were up-to-date; 

* examining access responsibilities to determine whether incompatible 
functions were segregated among different individuals; and 

* observing end-user activity pertaining to the process of preparing 
SEC financial statements. 

Using the requirements identified by the Federal Information Security 
Management Act (FISMA), which establishes key elements for an effective 
agencywide information security program, we evaluated SEC's 
implementation of its security program by: 

* reviewing SEC's risk assessment process and risk assessments for 
three key SEC systems that support the preparation of financial 
statements to determine whether risks and threats were documented 
consistent with federal guidance; 

* analyzing SEC's policies, procedures, practices, and standards to 
determine their effectiveness in providing guidance to personnel 
responsible for securing information and information systems; 

* analyzing security plans to determine if management, operational, and 
technical controls were in place or planned and that security plans 
were updated; 

* examining training records for personnel with significant security 
responsibilities to determine if they received training commensurate 
with those responsibilities; 

* analyzing security testing and evaluation results for three key SEC 
systems to determine whether management, operational, and technical 
controls were tested at least annually and based on risk; 

* examining remedial action plans to determine whether they addressed 
vulnerabilities identified in the SEC's security testing and 
evaluations; and 

* examining contingency plans for three key SEC systems to determine 
whether those plans had been tested or updated. 

We also discussed, with key security representatives and management 
officials, whether information security controls were in place, 
adequately designed, and operating effectively. We conducted this 
performance audit from July 2007 to November 2007 in accordance with 
generally accepted government auditing standards. Those standards 
require that we plan and perform the audit to obtain sufficient, 
appropriate evidence to provide a reasonable basis for our findings and 
conclusions based on our audit objectives. We believe that the evidence 
obtained provides a reasonable basis for our findings and conclusions 
based on our audit objectives. 

[End of section] 

Appendix II: Comments from the Securities and Exchange Commission: 

United States: 
Securities And Exchange Commission: 

Christopher Cox: 
Chairman: 
Headquarters: 
100 F Street, NE: 
Washington, DC 20549: 
[email protected]: 
[hyperlink, http://www.sec.gov]: 

Regional Offices:
Atlanta, Boston, Chicago, Denver, Fort Worth, Los Angeles, Miami, New 
York, Philadelphia, Salt Lake City, San Francisco: 

February 15, 2008: 

Mr. Gregory C. Wilshusen, Director: 
Information Security Issues: 
U.S. Government Accountability Office: 
441 G Street, NW: 
Washington, DC 20548: 

Dear Mr. Wilshusen: 

Thank you for the opportunity to respond to the draft report entitled 
Information Security: Securities and Exchange Commission Needs to 
Continue to Improve Its Program, dated February 2008. This audit was 
part of the internal controls testing to support the agency's financial 
audit for fiscal 2007. Since the mission of the SEC involves ensuring 
strong internal controls within the companies the agency oversees, it 
is imperative that we hold ourselves to high standards in this area, 
and improving our controls has been and continues to be an important 
strategic priority. While we do not believe the SEC has ever 
experienced a significant information security incident, we know that 
we must continually raise the bar to ensure the security of our systems 
and information in the future. 

As the report notes, the SEC has continued to make solid progress in 
addressing the GAO's findings from past audits, and remediating the 
specific issues discovered during the course of this year's work. 
Because the SEC has addressed many of the information security 
weaknesses typically found in large organizations, this audit was 
particularly focused on a narrower set of application-level controls. 
We welcome the GAO's new findings as an opportunity for further 
improvement, even as the audit results also give the agency increased 
confidence that it is doing the right things in securing the core 
infrastructure. 

I am also pleased to report that, since the conclusion of the audit in 
September 2007, the agency has made considerable progress in resolving 
the outstanding issues and further strengthening our information 
security program. In particular, we have: 

* Implemented additional processes, tools, and techniques to 
continuously monitor for vulnerabilities in our general support system 
and critical applications; 

* Implemented specific patches and configuration changes identified for 
key applications and databases;

* Improved user access reporting by monitoring active user accounts and 
ensuring that separated employees do not have access to systems and 
applications; 

* Attained, for the second year, a 99 percent completion rate for 
yearly security awareness training;

* Certified and accredited more than 96 percent of the agency's major 
systems; and 

* Implemented a notification and monitoring system to monitor entry and 
exit from designated high security areas. 

We fully agree with GAO's four primary recommendations, and are on 
track to address them in the current fiscal year. Specifically, we 
will: 

* Ensure that security plans are complete and current with all required 
information; 

* Document and monitor specialized training initiatives for incident 
handling teams; 

* Complete the annual testing of security controls for the general 
ledger application and general support system; and 

* Provide adequate backup for critical data files on key workstations, 
and ensure that critical application contingency plans contain current 
information. 

Information security continues to be a critical priority for this 
agency. The SEC is committed to proper stewardship of the sensitive 
information the public routinely entrusts to us. We appreciate the 
GAO's leadership and ongoing support in helping the SEC achieve its 
goals, and appreciate the high standards to which the GAO holds us. 

If you have any additional questions, please feel free to contact me or 
our Chief Information Officer, Corey Booth, at 202-551-2100. 

Sincerely, 

Signed by: 

Christopher Cox: 
Chairman: 
cc: Corey Booth, Chief Information Officer: 

[End of section] 

Appendix III: GAO Contacts and Staff Acknowledgments: 

GAO Contacts: 

Gregory C. Wilshusen, (202) 512-6244 or [email protected]: 

Dr. Nabajyoti Barkakati, (202) 512-4499 or [email protected]: 

Staff Acknowledgments: 

In addition to the contacts named above, Ed Alexander, David Hayes, and 
William Wadsworth (Assistant Directors), Angela Bell, Kirk Daubenspeck, 
Patrick Dugan, Mickie Gray, Sharon Kitrell, Stephanie Lee, Henry 
Sutanto, Amos Tevelow, Chris Warweg, and Jayne Wilson made key 
contributions to this report. 

[End of section] 

Footnotes: 

[1] Information security controls include security management, access 
controls, configuration management, segregation of duties, and 
contingency planning. Among other things, these controls are designed 
to ensure that logical and physical access to sensitive computing 
resources and information is appropriately restricted, that only 
authorized changes to computer programs are made, and that backup and 
recovery plans are adequate to ensure the continuity of essential 
operations. 

[2] GAO, Financial Audit: Securities and Exchange Commission's 
Financial Statements for Fiscal Years 2007 and 2006, GAO-08-167 
(Washington, D.C.: Nov. 16, 2007). 

[3] GAO-08-167. 

[4] A significant deficiency is a control deficiency or a combination 
of control deficiencies that adversely affects the entity's ability to 
initiate, authorize, record, process, or report financial data 
reliably such that there is more than a remote likelihood that a more 
than inconsequential misstatement of SEC's financial statements will 
not be prevented or detected. 

[5] The CERT Coordination Center is a research center that specializes 
in Internet security. It is located at the Software Engineering 
Institute, a federally funded research and development center operated 
by Carnegie Mellon University. 

[6] OMB, FY 2006 Report to Congress on Implementation of The Federal 
Information Security Management Act of 2002 (Washington, D.C., March, 
2007). 

[7] US-CERT is a partnership between the Department of Homeland 
Security and the public and private sectors. Established in 2003 to 
protect the nation's Internet infrastructure, US-CERT coordinates 
defense against and responses to cyber attacks across the nation. 

[8] GAO, High-Risk Series: Information Management and Technology, GAO/ 
HR-97-9 (Washington, D.C.: February 1997) and GAO, High-Risk Series: An 
Update, GAO-07-310 (Washington, D.C.: January 2007). 

[9] FISMA was enacted as Title III, E-Government Act of 2002, Pub. L. 
No. 107-347, 116 Stat. 2946 (Dec. 17, 2002). 

[10] 15 U.S.C. § 78d. 

[11] A disgorgement is the repayment of illegally gained profits (or 
avoided losses) for distribution to harmed investors whenever feasible. 

[12] OMB requires agencies to address remedial actions through plans of 
action and milestones for all programs and systems where an information 
technology security weakness has been found. The plan lists the 
weaknesses and shows estimated resource needs, challenges to resolving 
the weaknesses, key milestones and completion dates, and the status of 
corrective actions. 

[13] 44 U.S.C. § 3544(a)(3)(D). 

[14] 44 U.S.C. § 3544(b)(5). 

GAO's Mission: 

The Government Accountability Office, the audit, evaluation and 
investigative arm of Congress, exists to support Congress in meeting 
its constitutional responsibilities and to help improve the performance 
and accountability of the federal government for the American people. 
GAO examines the use of public funds; evaluates federal programs and 
policies; and provides analyses, recommendations, and other assistance 
to help Congress make informed oversight, policy, and funding 
decisions. GAO's commitment to good government is reflected in its core 
values of accountability, integrity, and reliability.  

Obtaining Copies of GAO Reports and Testimony: 

The fastest and easiest way to obtain copies of GAO documents at no 
cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each 
weekday, GAO posts newly released reports, testimony, and 
correspondence on its Web site. To have GAO e-mail you a list of newly 
posted products every afternoon, go to [hyperlink, http://www.gao.gov] 
and select "E-mail Updates."  

Order by Mail or Phone: 

The first copy of each printed report is free. Additional copies are $2 
each. A check or money order should be made out to the Superintendent 
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or 
more copies mailed to a single address are discounted 25 percent. 
Orders should be sent to:  

U.S. Government Accountability Office: 
441 G Street NW, Room LM: 
Washington, D.C. 20548:  

To order by Phone: 
Voice: (202) 512-6000: 
TDD: (202) 512-2537: 
Fax: (202) 512-6061:  

To Report Fraud, Waste, and Abuse in Federal Programs:  

Contact:  

Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]: 
E-mail: [email protected]: 
Automated answering system: (800) 424-5454 or (202) 512-7470:  

Congressional Relations:  

Ralph Dawn, Managing Director, [email protected]: 
(202) 512-4400: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7125: 
Washington, D.C. 20548:  

Public Affairs: 

Chuck Young, Managing Director, [email protected]: 
(202) 512-4800: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7149: 
Washington, D.C. 20548: 

*** End of document. ***