SECURITIES AND EXCHANGE COMMISSION
2012 FISMA Executive Summary Report

The report contains 11 recommendations which, if fully implemented, should strengthen the SEC's controls over information security. The Office of the Chief Operating Officer and the Office of Information Technology concurred with all the recommendations that were addressed to their respective offices. Your written response to the draft report is included in Appendix VII. Within the next 45 days, please provide the OIG with a written corrective action plan that is designed to address the recommendations. The corrective action plan should include information such as the responsible official/point of contact, timeframes for completing required actions, and milestones identifying how you will address the recommendations.

Executive Summary

The U.S. Securities and Exchange Commission (SEC or Commission) Office of Inspector General (OIG) contracted the services of Networking Institute of Technology, Inc. (NIT) to conduct the fiscal year 2012 Federal Information Security Management Act (FISMA) assessment and a review of the SEC's security requirements. FISMA was enacted in 2002, as Title III of the E-Government Act of 2002, to recognize the importance of information security to the economic and national security interests of the United States.1 The law emphasizes the need for organizations to develop, document, and implement organization-wide programs providing security for the information systems supporting the organization's operations and assets, as well as information systems provided or managed by other agencies, contractors, or other sources. FISMA provides the framework for securing the federal government's information technology (IT) and requires agency program officials, chief information officers (CIO), privacy officers, and inspectors general to conduct annual reviews of the agency's information security and privacy programs and report the results to the Office of Management and Budget (OMB). For fiscal year 2012, FISM 12-02 provides instructions to heads of executive departments and agencies for meeting the fiscal year 2012 reporting requirements. It also requires inspectors general to independently evaluate and report how their department's or agency's CIO, senior agency official for privacy, and program officials implemented information security requirements.

The Office of Information Technology (OIT) supports the SEC and its staff in all areas of IT. The office has overall management responsibility for the Commission's IT program, including application development, infrastructure operations and engineering, user support, IT program management, capital planning, security, enterprise architecture, and implementing the SEC's FISMA requirements. OIT's CIO is responsible for developing and maintaining a Commission-wide information security program. The office also includes a Chief Information Security Officer (CISO) who, among other things, is responsible for establishing and maintaining the SEC's security posture.

Objectives. The overall objective of the 2012 FISMA assessment was to assess the SEC's systems and provide OIG with input to the SEC's response to the

Recommendation 1: The Office of Information Technology should strengthen its internal controls to ensure user accounts are properly terminated or disabled for employees or contractors who either no longer require user access or are not employed with the SEC.

Management Comments. OIT concurred with this recommendation. See Appendix VII for management's full comments.

OIG Analysis. We are pleased that OIT concurred with this recommendation. OIG considers this recommendation resolved. However, this recommendation will remain open until documentation is provided to OIG that supports that it has been fully implemented.

REDACTED PUBLIC VERSION

Appendix II

requested from and supplied by OIT staff members and information from interviews with various OIT personnel.

Use of Computer-Generated Data. We did not assess the reliability of OIT's computers because it did not pertain to our objectives for this review. Further, we did not perform any tests on the general or application controls over OIT's automated systems because such tests were not within the scope of our work. The information retrieved from these systems, as well as the requested documentation provided to us, was sufficient, reliable, and adequate to use in meeting our stated objectives.

Prior OIG Reports. NIT reviewed the 2011 FISMA Executive Summary, which has thirteen recommendations. OIT has implemented and closed two of these recommendations, but 11 remain open. While NIT found that OIT is working on addressing the open recommendations, as noted in this report, weaknesses still exist. In addition, we reviewed the GAO 2012 Financial Audit and concurred that, in multiple instances, OIT does not adequately ensure network accounts are terminated or deactivated once access is no longer required. We based the judgmental sample on a limited-scope review of both internal and external systems found in the SEC's system inventory.

Judgmental Sampling. As required by FISMA, we conducted a limited-scope review of the Commission's information security posture. The review consisted of a review of the security assessment packages for a judgmental sample of 9 of 59 SEC systems, agreed upon between OIT and NIT, in order to review their security controls. The sample universe of information systems selected for the FY 2012 FISMA consisted of the GSS, .

No. 107-347. Requires Federal agencies to develop, document, and implement an agency-wide program providing security for the information and information systems supporting the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.

DHS Memorandum FISM 12-02, FY 2012 Reporting Instructions for the Federal Information Security Management Act and Privacy Management Act. Provides instructions to agencies for meeting fiscal year 2012 reporting requirements under FISMA.

Recommendation 6: The Office of Information Technology should revise its Federal Information Processing Standard 199 system security categorization form to include signature blocks for the system owner and authorizing official.