United States Government Accountability Office
Report to the Chair, U.S. Securities and Exchange Commission
April 2014
INFORMATION SECURITY
SEC Needs to Improve Controls over Financial Systems and Data
GAO-14-419
April 2014
INFORMATION SECURITY
SEC Needs to Improve Controls over Financial Systems and Data
Highlights of GAO-14-419, a report to the Chair, U.S. Securities and Exchange Commission
Why GAO Did This Study
SEC is responsible for enforcing securities laws, issuing rules and regulations that protect investors, and helping to ensure that securities markets are fair and honest. In carrying out its mission, the commission relies extensively on computerized systems that collect and process financial and sensitive information. Accordingly, it is essential that SEC have effective information security controls in place to protect this information from misuse, fraudulent use, improper disclosure, manipulation, or destruction.
As part of its audit of SEC's fiscal years 2013 and 2012 financial statements, GAO assessed the commission's information security controls. The objective was to determine the effectiveness of information security controls for protecting the confidentiality, integrity, and availability of SEC's key financial systems and information. To do this, GAO assessed security controls in key areas by reviewing SEC documents, testing selected systems, and interviewing relevant officials.
What GAO Recommends
GAO is recommending that SEC take two actions to (1) more effectively oversee contractors performing security-related tasks and (2) improve risk management. In a separate report for limited distribution, GAO is recommending that SEC take 49 specific actions to address weaknesses in security controls. In commenting on a draft of this report, SEC generally agreed with GAO's recommendations and described steps it is taking to address them.
What GAO Found
Although the Securities and Exchange Commission (SEC) had implemented and made progress in strengthening information security controls, weaknesses limited their effectiveness in protecting the confidentiality, integrity, and availability of a key financial system. For this system's network, servers, applications, and databases, weaknesses in several controls were found, as the following examples illustrate:
Access controls: SEC did not consistently protect its system boundary from possible intrusions; identify and authenticate users; authorize access to resources; encrypt sensitive data; audit and monitor actions taken on the commission's networks, systems, and databases; and restrict physical access to sensitive assets.
Configuration and patch management: SEC did not securely configure the system at its new data center according to its configuration baseline requirements. In addition, it did not consistently apply software patches intended to fix vulnerabilities to servers and databases in a timely manner.
Segregation of duties: SEC did not adequately segregate its development and production computing environments. For example, development user accounts were active on the system's production servers.
Contingency and disaster recovery planning: Although SEC had developed contingency and disaster recovery plans, it did not ensure redundancy of a critical server.
The information security weaknesses existed, in part, because SEC did not effectively oversee and manage the implementation of information security controls during the migration of this key financial system to a new location. Specifically, during the migration, SEC did not (1) consistently oversee the information security-related work performed by the contractor and (2) effectively manage risk.
Until SEC mitigates control deficiencies and strengthens the implementation of its security program, its financial information and systems may be exposed to unauthorized disclosure, modification, use, and disruption. These weaknesses, considered collectively, contributed to GAO's determination that SEC had a significant deficiency in internal control over financial reporting for fiscal year 2013.
View GAO-14-419. For more information, contact Gregory C. Wilshusen at (202) 512-6244 or wilshuseng@gao.gov or Nabajyoti Barkakati at (202) 512-4499 or
Contents
Letter  1
  Background  2
  Information Security Weaknesses Placed SEC Financial Data at Risk  4
  Conclusions  14
  Recommendations for Executive Action  14
  Agency Comments and Our Evaluation  15
Appendix I  Objective, Scope, and Methodology  17
Appendix II  Comments from the Securities and Exchange Commission  19
Appendix III  GAO Contacts and Staff Acknowledgments  21
Abbreviations
CIO  chief information officer
FISCAM  Federal Information System Controls Audit Manual
FISMA  Federal Information Security Management Act
NIST  National Institute of Standards and Technology
SEC  Securities and Exchange Commission
SP  special publication
This is a work of the U.S. government and is not subject to copyright protection in the United States. The published product may be reproduced and distributed in its entirety without further permission from GAO. However, because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately.
Page i
GAO-14-419 SEC 2013 Information Security
441 G St. N.W.
Washington, DC 20548
April 17, 2014
The Honorable Mary Jo White
Chair
U.S. Securities and Exchange Commission
Dear Ms. White:
As you are aware, the U.S. Securities and Exchange Commission (SEC) is responsible for enforcing securities laws, issuing rules and regulations that provide protection for investors, and helping to ensure that the securities markets are fair and honest. To support its demanding financial and mission-related responsibilities, the commission relies extensively on computerized systems. In order to protect financial and sensitive information—including personnel and regulatory information maintained by SEC—from inadvertent or deliberate misuse, fraudulent use, improper disclosure or manipulation, or destruction, it is essential that SEC have effective information security controls in place.[1]
On December 16, 2013, we issued our report on the audit of the SEC's fiscal years 2013 and 2012 financial statements.[2] In that report, we identified, among other things, information security control weaknesses that, considered collectively, represent a significant deficiency[3] in SEC's internal control over financial reporting.
[1] Information security controls include security management, access controls, configuration management, segregation of duties, and contingency planning. These controls are designed to ensure that there is a continuous cycle of activity for assessing risk; logical and physical access to sensitive computing resources and information is appropriately restricted; only authorized changes to computer programs are made; one individual does not control all critical stages of a process; and backup and recovery plans are adequate to ensure the continuity of essential operations.
[2] GAO, Financial Audit: Securities and Exchange Commission's Financial Statements for Fiscal Years 2013 and 2012, GAO-14-213R (Washington, D.C.: Dec. 16, 2013).
[3] A deficiency in internal control exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct, misstatements of the entity's financial statements on a timely basis. While important enough to merit attention by those charged with governance, a significant deficiency is less severe than a material weakness, which is a deficiency in internal control such that there is a reasonable possibility that a material misstatement will not be prevented, or detected and corrected on a timely basis.
This report presents more detailed information and our recommendations related to the specific information security control weaknesses that we identified during our audit. Our objective was to determine the effectiveness of information security controls for protecting the confidentiality, integrity, and availability of SEC's key financial systems and information. To do this, we examined the commission's information security policies, plans, and procedures; tested controls over key financial applications; interviewed key agency officials; and reviewed our prior reports to identify previously reported weaknesses and assessed the effectiveness of corrective actions taken.
We performed our work in accordance with U.S. generally accepted government auditing standards. We believe that our audit provided a reasonable basis for our conclusions in this report. See appendix I for more details on our objective, scope, and methodology.
Information security is a critical consideration for any organization that depends on information systems and computer networks to carry out its mission or business and is especially important for government agencies, where maintaining the public's trust is essential. While the dramatic expansion in computer interconnectivity and the rapid increase in the use of the Internet have enabled agencies such as SEC to better accomplish their missions and provide information to the public, agencies' reliance on this technology also exposes federal networks and systems to various threats. These can include threats originating from foreign nation states, domestic criminals, hackers, and disgruntled employees. Concerns about these threats are well founded because of the dramatic increase in reports of security incidents, the ease of obtaining and using hacking tools, and advances in the sophistication and effectiveness of attack technology, among other reasons. Without proper safeguards, systems are vulnerable to individuals and groups with malicious intent who can intrude and use their access to obtain or manipulate sensitive information, commit fraud, disrupt operations, or launch attacks against other computer systems and networks.
Background
We and federal inspectors general have reported on persistent information security weaknesses that place federal agencies at risk of disruption, fraud, or inappropriate disclosure of sensitive information. Accordingly, since 1997, we have designated information security as a