(The news featured below is a selection from the news covered in SEC Today, which is distributed to subscribers of SEC Today.)

GAO Says SEC's Information System Controls Are Not Effective

The Government Accountability Office identified numerous weaknesses when it assessed the effectiveness of the SEC's information system controls as part of its fiscal 2004 financial audit. A key reason those controls are ineffective, the GAO found, is that the SEC has not fully developed and implemented a comprehensive program to ensure that such controls are established and maintained. The SEC agreed to complete corrective action for the control weaknesses by June 2006.

The GAO noted that the SEC relies extensively on computerized systems to support its financial and mission-related operations, yet it has not implemented effective controls to protect the integrity, confidentiality and availability of its financial and sensitive information. Each year the SEC accepts, processes and disseminates more than 600,000 documents, including annual reports filed by over 12,000 reporting companies.

The GAO has reported information security as a government-wide high risk area since February 1997. The SEC, since 2002, has reported information security as a material weakness in its annual accountability report under the Federal Information Security Management Act. The GAO emphasized that an information security program is critical since it forms the foundation for resolving the SEC's information security problems and for managing ongoing information security risks.

The SEC has taken some actions to improve security management, according to the GAO, including the appointment of a senior information security officer to manage the program. The chief information officer is responsible for establishing, implementing and overseeing the SEC's information security program.

The weaknesses uncovered by the GAO included ineffective electronic access controls, such as the management of user accounts and passwords and of access rights and permissions. The SEC's network was vulnerable to improper access, and security-relevant events were not being audited, so the SEC's controls neither prevented and limited access to its critical financial and sensitive systems nor detected it after the fact. For example, the GAO reported that all of the SEC's 4,100 network users had been granted access rights that would allow them to circumvent the audit controls in the main financial systems. The GAO also found outdated and misconfigured network services and devices that were vulnerable to unauthorized access and manipulation, and it reported that the SEC had no ability to single out unusual or suspicious network activity for review.

The GAO reported that, at the time of its review, about 300 employees and contractors, including programmers, budget analysts and support staff, had physical access to the SEC's data center. At the GAO's request, the SEC reviewed the list of individuals with access to the computer center and cut the number of authorized staff to 150. The GAO also found six wiring closets in three facilities that were unlocked and unattended, which posed a risk that unauthorized individuals could reach sensitive network resources and data.

The SEC's chief information officer advised that the computer center access procedures have been revised and that the SEC will continue to review access by employees and contractors. The SEC is also finalizing its disaster recovery plans and has conducted limited tests of them.

The GAO criticized the SEC's goal of providing security awareness training to only 90% of the employees and contractors who serve in specialized information technology positions. The information security laws require such training for all employees and contractors, the GAO noted.

The GAO issued six recommendations that the SEC should act on to implement an effective agency-wide information security program. First, the SEC should define the roles and responsibilities of its central security group and designate security staff to provide oversight at the 11 field offices. Second, it should develop a process for assessing security risks, including risks that arise from changes at SEC facilities or to its computer systems.

Third, the SEC must implement comprehensive information security policies and procedures for key control areas and for its general support systems, according to the GAO. Fourth, it must provide security awareness training to all employees and contractors. Fifth, it must institute a program of tests and evaluations to ensure that its policies and controls are appropriate and effective. Sixth, the SEC must adopt action plans to correct any weaknesses those tests identify.

The SEC advised that it is working on the problems identified by the GAO and is committed to addressing the high-risk issues immediately. The SEC expects to show significant improvement throughout 2005.

   ©2001-2024 CCH Incorporated or its affiliates