
SECURITIES AND EXCHANGE COMMISSION NEEDS TO ADDRESS WEAK CONTROLS OVER FINANCIAL AND SENSITIVE DATA.

Publication: Finance Wire

Publication Date: 23-MAR-05

COPYRIGHT 2005 FDCH e-media

Original Source: GAO REPORT

Information Security:

Securities and Exchange Commission Needs to Address Weak Controls over Financial and Sensitive Data

March 23, 2005

Letter Statement of The Honorable William H. Donaldson, Chairman, Securities and Exchange Commission

Dear Mr. Chairman:

As part of our fiscal year 2004 audit of the financial statements of the Securities and Exchange Commission (SEC), we assessed the effectiveness of the commission's information system general controls.[1] Effective information system controls are essential to ensuring that financial information is adequately protected from inadvertent or deliberate misuse, fraudulent use, improper disclosure, or destruction. These controls also affect the integrity, confidentiality, and availability of nonfinancial information maintained by SEC, such as personnel and regulatory information.

This report summarizes weaknesses in information system controls in SEC's computer systems. We are also issuing a report for "Limited Official Use Only," which describes in more detail the information security weaknesses identified, our specific recommendations for correcting them, and SEC's plan for implementing corrective actions.

We performed our review at SEC headquarters in Washington, D.C., and at its computer facility in Alexandria, Virginia, from April 2004 through November 2004. Our review was performed in accordance with generally accepted government auditing standards.

Results in Brief

SEC did not effectively implement information system controls to protect the integrity, confidentiality, and availability of its financial and sensitive information. Specifically, the commission had not consistently implemented effective electronic access controls, including user accounts and passwords, access rights and permissions, network security, or audit and monitoring of security-relevant events to prevent, limit, and detect access to its critical financial and sensitive systems. In addition, weaknesses in other information system controls, including physical security, segregation of computer functions, application change controls, and service continuity, further increase the risk to SEC's information systems. As a result, sensitive data including payroll and financial transactions, personnel data, regulatory, and other mission critical information were at increased risk of unauthorized disclosure, modification, or loss, possibly without being detected.

A key reason for SEC's information system control weaknesses is that the commission has not fully developed and implemented a comprehensive agency information security program to provide reasonable assurance that effective controls are established and maintained and that information security receives sufficient management attention. Although SEC has taken some actions to improve security management, including establishing a central security management function and appointing a senior information security officer to manage the program, it had not clearly defined roles and responsibilities for security personnel. In addition, SEC had not fully (1) assessed its risks, (2) established or implemented security policies, (3) promoted security awareness, and (4) tested and evaluated the effectiveness of its information system controls. As a result, SEC did not have a solid foundation for resolving existing information system control weaknesses and continuously managing information security risks.

To assist SEC in implementing an effective agency-wide information security program, we are making recommendations to the SEC Chairman that address these issues.

In providing written comments on a draft of this report, SEC agreed with our recommendations. SEC plans to address the identified weaknesses and indicated that significant progress is already being made to address them.

Background

Following the stock market crash of 1929, Congress passed the Securities Exchange Act of 1934,[2] which established the SEC to enforce securities laws, to regulate the securities markets, and to protect investors. In enforcing these laws, the SEC issues rules and regulations to provide protection for investors and to help ensure that the securities markets are fair and honest. This is accomplished primarily by promoting adequate and effective disclosure of information to the investing public. The SEC also oversees and requires the registration of other key participants in the securities industry, including stock exchanges, broker-dealers, clearing agencies, depositories, transfer agents, investment companies, and public utility holding companies. The SEC is an independent, quasi-judicial agency that operates under a bipartisan commission appointed by the President and confirmed by the Senate.

SEC had a budget of about $800 million and staff of 4,100 to monitor and regulate the securities industry in fiscal year 2004. In 2003, the volume traded on U.S. exchanges and NASDAQ exceeded $22 trillion and 850 billion shares. Each year the commission accepts, processes, and disseminates to the public more than 600,000 documents from companies and individuals that are filed with the SEC, including annual reports from more than 12,000 reporting companies.

SEC relies extensively on computerized systems to support its financial operations and store the sensitive information it collects. Its local and wide area networks interconnect these systems. To support the commission's financial management functions, it relies on several financial systems to process and track financial transactions that include filing fees paid by corporations and penalties from enforcement activities. In fiscal year 2004, the SEC collected $389 million for filing fees and $948 million in penalties and disgorgements. In addition, the commission uses other systems that maintain sensitive personnel information for its employees, filing data for corporations, and legal information on enforcement activities. The commission's Chief Information Officer (CIO) is SEC's key official for information security. The CIO is responsible for establishing, implementing, and overseeing the commission's information security program.

Information system controls are a critical consideration for any organization that depends on computerized systems and networks to carry out its mission or business. Without proper safeguards, there is risk that individuals and groups with malicious intent may intrude into inadequately protected systems and use this access to obtain sensitive information, commit fraud, disrupt operations, or launch attacks against other computer systems and networks.

We have reported information security as a governmentwide high-risk area since February 1997.[3] Our previous reports, and those of agency inspectors general, describe persistent information security weaknesses that place a variety of federal operations at risk of disruption, fraud, and inappropriate disclosure.

Congress and the executive branch have taken actions to address the risks associated with persistent information security weaknesses. In December 2002, the Federal Information Security Management Act (FISMA), which is intended to strengthen information security, was enacted as Title III of the E-Government Act of 2002.[4] In addition, the administration undertook important actions to improve security, such as integrating information security into the President's Management Agenda Scorecard. Moreover, the Office of Management and Budget (OMB) and the National Institute of Standards and Technology (NIST) have issued security guidance to agencies.

Objective, Scope, and Methodology

The objective of our review was to assess the effectiveness of SEC's information system controls in protecting its financial and sensitive information. Our evaluation...
