Information Security: Securities and Exchange Commission Needs to Address Weak Controls over Financial and Sensitive Data.
GAO-05-262 March 23, 2005
The Securities and Exchange Commission (SEC) relies extensively on computerized systems to support its financial and mission-related operations. As part of the audit of SEC's fiscal year 2004 financial statements, GAO assessed the effectiveness of the commission's information system controls in protecting the integrity, confidentiality, and availability of its financial and sensitive information.
SEC has not effectively implemented information system controls to protect the integrity, confidentiality, and availability of its financial and sensitive data. Specifically, the commission had not consistently implemented effective electronic access controls, including user accounts and passwords, access rights and permissions, network security, or audit and monitoring of security-relevant events to prevent, limit, and detect access to its critical financial and sensitive systems. In addition, weaknesses in other information system controls, including physical security, segregation of computer functions, application change controls, and service continuity, further increase risk to SEC's information systems. As a result, sensitive data--including payroll and financial transactions, personnel data, regulatory, and other mission critical information--were at increased risk of unauthorized disclosure, modification, or loss, possibly without detection. A key reason for SEC's information system control weaknesses is that the commission has not fully developed and implemented a comprehensive agency information security program to provide reasonable assurance that effective controls are established and maintained and that information security receives sufficient management attention. Although SEC has taken some actions to improve security management, including establishing a central security management function and appointing a senior information security officer to manage the program, it had not clearly defined roles and responsibilities for security personnel. In addition, SEC had not fully (1) assessed its risks, (2) established or implemented security policies, (3) promoted security awareness, and (4) tested and evaluated the effectiveness of its information system controls. As a result, SEC did not have a solid foundation for resolving existing information system control weaknesses and continuously managing information security risks.