IG Audits Expose SEC's Lack of Controls
SEC Leaders Say They Fixed the Problems Raised by Auditors
Sensitive information contained in Securities and Exchange Commission computers is at risk of being publicly exposed because of a lack of proper controls, according to audits by the SEC inspector general.
In one audit, SEC's Controls Over Sensitive/Nonpublic Information Collected and Exchanged with the Financial Stability Oversight Council and Office of Financial Research, IG examiners found that SEC employees and contractors who access the SEC's e-mail system using Outlook Web Access are not restricted from saving and uploading sensitive or nonpublic information on non-SEC computers. "Consequently, sensitive or nonpublic information could potentially be disclosed to unauthorized persons," says SEC Inspector General Carl Hoecker.
The inspector general also says the SEC has failed to appoint primary information owners to oversee information it receives and shares with the Financial Stability Oversight Council, the federal agency charged with monitoring excessive risks to the U.S. financial system, its member agencies or the Office of Financial Research, a part of the Treasury Department responsible for improving the quality of financial data available to policymakers.
In another audit also issued late last month, Review of the SEC's Systems Certification and Accreditation Process, Hoecker takes the commission to task for weaknesses in its certification and accreditation process. For instance, the IG says, personally identifiable information isn't consistently documented, resulting in the potential exposure of private information.
One significant problem Hoecker points out is that SEC information systems owners failed to understand their responsibilities in the C&A process. "They approve C&A packages without having any technical knowledge," he says. "This could potentially result in data not being properly protected."
In its annual FISMA audit, the IG maintains that the SEC didn't fully conduct and document continuous monitoring in accordance with the requirements provided by the National Institute of Standards and Technology.
The IG's assessment of the SEC's risk management strategy found that the agency failed to address the requirements needed for a comprehensive governance structure and overall organizational security risk management. "It does not address risk from a mission and business process perspective, as described in the risk management framework identified in NIST SP 800-37, Rev. 1.2.3," Hoecker says. "As a result of not updating the risk management strategy to address NIST guidelines, the SEC could be exposed to higher risk levels."
In letters to Hoecker, SEC Chief Information Officer Thomas Bayer concurred with the findings and accepted IG recommendations, saying that the commission has taken steps to fix the problems.