Professional Documents
Culture Documents
April 2016
INFORMATION
SECURITY
Opportunities Exist for
SEC to Improve Its
Controls over
Financial Systems
and Data
GAO-16-493
April 2016
INFORMATION SECURITY
Opportunities Exist for SEC to Improve Its Controls
over Financial Systems and Data
Highlights of GAO-16-493, a report to the
Chair, U.S. Securities and Exchange
Commission
While SEC had issued policies and implemented controls based on those
policies, it did not consistently protect access to its systems. Organizations
should design and implement controls to prevent, limit, and detect
unauthorized access to computer resources. The commission did not
consistently protect its network from possible intrusions, identify and
authenticate users, authorize access to resources, audit and monitor actions
taken on its systems and network, and restrict physical access to sensitive
assets.
The commission did not consistently manage the configuration of its
systems. Configuration management includes ensuring that hardware and
software are configured with appropriate security features and that changes
are systematically controlled. However, SEC did not maintain and monitor
official configuration baselines for its financial systems and general support
system.
While SEC had developed contingency and disaster recovery plans for its
information systems, those plans were not fully reviewed, completed, or upto-date. Contingency and disaster recovery planning are essential to
resuming operations in the event of a disruption or disaster.
These weaknesses existed in part because SEC had not fully implemented an
organization-wide information security program, as called for by federal law and
guidance. In particular, the commission had not (1) consistently reviewed and
updated its information security policies in a timely manner, (2) completely
documented plans of action to address weaknesses, (3) documented a physical
inventory of its systems and applications, and (4) fully implemented a program to
continuously monitor the security of its systems and networks.
Finally, of 20 weaknesses previously identified by GAO that remained unresolved
as of September 30, 2014, SEC had resolved 5 and made progress in
addressing the other 15 as of September 30, 2015. Two resolved weaknesses
were important to improving SEC security.
Collectively, these weaknesses increase the risk that SECs systems could be
compromised, jeopardizing the confidentiality, integrity, and availability of
sensitive financial information. While not constituting material weaknesses or
significant deficiencies, they warrant SEC managements attention.
Contents
Letter
1
Background
Information Security Weaknesses Placed SEC Financial Data at
Risk
Conclusions
Recommendations for Executive Action
Agency Comments
2
5
14
14
15
Appendix I
17
Appendix II
19
Appendix III
22
Abbreviations
CIO
EDGAR
FISCAM
FISMA
NIST
POA&M
SEC
This is a work of the U.S. government and is not subject to copyright protection in the
United States. The published product may be reproduced and distributed in its entirety
without further permission from GAO. However, because this work may contain
copyrighted images or other material, permission from the copyright holder may be
necessary if you wish to reproduce this material separately.
Page i
Letter
1
Information security controls include security management, access controls, configuration
management, segregation of duties, and contingency planning. These controls are
designed to ensure that there is a continuous cycle of activity for assessing risk, logical
and physical access to sensitive computing resources and information is appropriately
restricted; only authorized changes to computer programs are made; one individual does
not control all critical stages of a process; and backup and recovery plans are adequate to
ensure the continuity of essential operations.
2
GAO, Financial Audit: Securities and Exchange Commissions Fiscal Years 2015 and
2014 Financial Statements, GAO-16-145R (Washington, D.C.: Nov. 16. 2015).
Page 1
Background
Page 2
5
The Federal Information Security Modernization Act of 2014 (FISMA 2014) (Pub. L. No.
113-283, Dec. 18, 2014) partially superseded the Federal Information Security
Management Act of 2002 (FISMA 2002), enacted as Title III, E-Government Act of 2002,
Pub. L. No. 107-347, 116 Stat. 2899, 2946 (Dec. 17, 2002). As used in this report, FISMA
refers to the new requirements in FISMA 2014, FISMA 2002 requirements relevant here
that were incorporated and continued in FISMA 2014 and to other relevant FISMA 2002
requirements that were unchanged by FISMA 2014 and continue in full force and effect.
6
NIST, Security and Privacy Controls for Federal Information Systems and Organizations,
Special Publication 800-53, revision 4 (Gaithersburg, Md.: April 2013).
NIST, Contingency Planning Guide for Federal Information Systems, Special Publication
800-34, revision 1 (Gaithersburg, Md.: May 2010).
Page 3
Under FISMA, the SEC Chairman has responsibility for, among other
things, (1) providing information security protections commensurate with
the risk and magnitude of harm resulting from unauthorized access, use,
disclosure, disruption, modification, or destruction of the agencys
information systems and information; (2) ensuring that senior agency
officials provide information security for the information and information
systems that support the operations and assets under their control; and
(3) delegating to the agency chief information officer (CIO) the authority to
ensure compliance with the requirements imposed on the agency. FISMA
Page 4
Information Security
Weaknesses Placed
SEC Financial Data
at Risk
Page 5
audit and monitor actions taken on its systems and network, and restrict
physical access to sensitive assets.
Page 6
Audit and monitoring involves the regular collection, review, and analysis
of auditable events for indications of inappropriate or unusual activity, and
the appropriate investigation and reporting of such activity. Automated
mechanisms may be used to integrate audit monitoring, analysis, and
reporting into an overall process for investigating and responding to
suspicious activities. Audit and monitoring controls can help security
Users should have the least amount of privileges (access to services) necessary to
perform their duties.
Page 7
Page 8
Weaknesses in
Segregation of Duties
Increase Risk
Page 9
duties and accepted the risk for those individuals that required access to
multiple environments. However, SEC had not documented
managements acceptance of this risk. Thus, an increased risk exists that
unauthorized individuals from the disaster recovery environment and
test/development environment could gain access to processes and data
in the production environment, potentially impacting the integrity of the
financial data.
Page 10
Page 11
Page 12
fiscal year 2012, including those for the operating systems. Without
maintaining an accurate inventory of systems and applications in
production and conducting annual review of configuration baselines, SEC
may not be able to obtain the current status of its systems and
applications and the agency would not be able to identify unauthorized
actions performed against the baseline.
Personnel for a key financial system were not granted access to the
database scanning tool.
Page 13
Conclusions
Recommendations for
Executive Action
We recommend that the Chair direct the Chief Information Officer to take
six actions to more effectively manage its information security program:
Page 14
Agency Comments
We provided a draft of this report to SEC for its review and comment. In
written comments signed by the Chief Information Officer (reproduced in
app. II), SEC concurred with the six recommendations addressing its
information security program. SEC also stated that the commission had
taken action to address one recommendation and described actions to
address the other five.
This report contains recommendations to you. The head of a federal
agency is required by 31 U.S.C. 720 to submit a written statement on
the actions taken on the recommendations by the head of the agency.
The statement must be submitted to the Senate Committee on Homeland
Security and Governmental Affairs and the House Committee on
Oversight and Government Reform not later than 60 days from the date
of this report. A written statement must also be sent to the House and
Senate Committees on Appropriations with your agencys first request for
appropriations made more than 60 days after the date of this report.
Because agency personnel serve as the primary source of information on
the status of its open recommendations, we request that the commission
also provide us with a copy of its statement of action to serve as
preliminary information on the status of open recommendations.
We are also sending copies of this report to interested congressional
parties. In addition, the report is available at no charge on the GAO
website at http://www.gao.gov.
Page 15
Gregory C. Wilshusen
Director, Information Security Issues
Page 16
Page 17
Page 18
Page 19
Page 20
Page 21
GAO Contacts
Staff
Acknowledgments
In addition to the contacts named above, GAO staff who made major
contributions to this report are Michael Gilmore, Hal Lewis, and Duc Ngo
(Assistant Directors), Angela Bell, Lee McCracken, and Henry Sutanto.
(100639)
Page 22
GAOs Mission
Obtaining Copies of
GAO Reports and
Testimony
Order by Phone
To Report Fraud,
Waste, and Abuse in
Federal Programs
Contact:
Website: http://www.gao.gov/fraudnet/fraudnet.htm
E-mail: fraudnet@gao.gov
Automated answering system: (800) 424-5454 or (202) 512-7470
Congressional
Relations
Katherine Siggerud, Managing Director, siggerudk@gao.gov, (202) 5124400, U.S. Government Accountability Office, 441 G Street NW, Room
7125, Washington, DC 20548
Public Affairs