Office of Audits Pending Audits
2010 Federal Information Security Management Act Assessments
The OIG has contracted the services of an outside consultant to perform an independent review of the SEC’s IT systems, in accordance with the Federal Information Security Management Act. The consultant will independently evaluate and report on how the SEC has implemented its mandated IT security requirements regarding the following components:
- Certification and Accreditation;
- Configuration Management;
- Security Incident Management;
- Security Training;
- Remediation/Plans of Actions and Milestones;
- Remote Access;
- Identity Management;
- Continuous Monitoring;
- Contractor Oversight; and
- Contingency Planning.
The consultant will also conduct an assessment of two major SEC IT security components. Specifically, assessments will be conducted of the SEC’s (1) continuous monitoring efforts for IT operations; and (2) oversight of contractors’ handling of SEC data. Further, the consultant will determine whether the SEC’s IT security components meet OMB and NIST requirements.
Review of the SEC’s Economic Analyses for Dodd-Frank Act Rulemaking Initiatives
The Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act) was passed on July 21, 2010. Among other things, the Dodd-Frank Act required the SEC to promulgate more than 100 new rules and to produce more than 20 new studies and reports.
During this semiannual reporting period, Congress requested that the OIG review select Dodd-Frank Act rulemakings to determine whether the SEC is performing the required cost-benefit analyses in a consistent manner and in compliance with applicable federal requirements. In its initial review conducted pursuant to this request, the OIG found, as described in the Audits and Evaluations Conducted Section of this Report, that the SEC generally took a systematic approach to preparing the cost-benefit analyses, but that the analyses for particular rulemakings were lacking in the areas of macro-level costs and quantitative analysis.
Upon completion of the OIG’s initial review, the OIG informed Congress that it would conduct a second phase of work consisting of a more in-depth review of SEC cost-benefit analyses performed for five additional rulemakings mandated by the Dodd-Frank Act. In this second phase, the OIG is examining whether the SEC consistently and systematically prepared a cost-benefit analysis in compliance with applicable federal requirements for the following rulemakings:
- Shareholder Approval of Executive Compensation and Golden Parachute Compensation (76 Fed. Reg. 6,010, February 2, 2011)
- Disclosure for Asset-Backed Securities Required by Section 943 of the Dodd-Frank Act (76 Fed. Reg. 4,489, January 26, 2011)
- Issuer Review of Assets in Offerings of Asset-Backed Securities (76 Fed. Reg. 4,231, January 25, 2011)
- Reporting of Security-Based Swap Transaction Data (interim final temporary rule, 75 Fed. Reg. 64,643, October 20, 2010)
- Regulation SBSR—Reporting and Dissemination of Security-Based Swap Information (proposed rule, 75 Fed. Reg. 75,208, December 2, 2010)
Review of the SEC’s System Certification and Accreditation Process
Information systems are essential to accomplishing the SEC’s mission. Protecting the Commission’s systems from hostile attacks, both internal and external, has become a critical and very large component of the OIT’s responsibilities. The certification and accreditation (C&A) process required by federal law is designed to ensure that federal agencies’ information systems are secure before they begin operating and that they remain protected throughout their lifecycle. The C&A process involves determining whether system controls are in place and operating as intended, identifying weaknesses, mitigating weaknesses to the maximum extent possible, and officially recognizing and accepting residual risks. The C&A process must be performed on all SEC systems. A system’s C&A remains in effect for three years unless the system or its operating environment undergoes significant change.
Office of Management and Budget (OMB) Circular A-130, “Management of Federal Information Resources,” establishes policy for managing federal information resources and provides procedural and analytic guidelines for implementing specific aspects of this policy. In addition, OIT has policies and procedures for conducting the C&A process on SEC systems. However, both the OIG and the Government Accountability Office have found that the SEC has system security deficiencies that could significantly affect SEC operations.
The OIG contracted the services of C5i Federal, Inc., to perform an independent review of the SEC’s C&A process. The review will determine whether:
- OIT’s process for evaluating internal controls and gathering support adheres to governing federal guidance;
- OIT has properly established risk factors to ensure that system security controls have been designed to achieve results; and
- Internal controls have been established and are used to safeguard the integrity of the SEC’s programs, activities, and information.
Further, C5i Federal, Inc., will assess whether OIT certifies and accredits SEC systems in accordance with governing guidelines and industry best practices.
2011 Federal Information Security Management Act Assessment
The Federal Information Security Management Act (FISMA) requires that each federal agency’s IT security programs and practices be independently evaluated each year to determine the effectiveness of those programs and practices. The evaluation is to be performed by the agency’s Inspector General or by an independent external auditor, as determined by the agency’s Inspector General. In addition, OMB guidance sets forth specific instructions and templates for meeting FISMA’s reporting requirements.
The OIG has contracted the services of Networking Institute of Technology, Inc., to perform an independent review of OIT’s implementation of IT security programs and practices and the extent to which OIT meets OMB, Department of Homeland Security, and National Institute of Standards and Technology requirements in the following areas:
- risk management,
- configuration management,
- incident response and reporting,
- security training,
- plans of actions and milestones,
- remote access,
- identity and access management,
- continuous monitoring management,
- contingency planning, and
- contractor systems.
The FY 2011 FISMA evaluation and accompanying OIG Executive Summary will also answer OMB’s FY 2011 questions on the Commission’s information security program.
Assessment of the SEC’s Systems and Network Logs
Events occurring within an organization’s IT systems and networks are recorded in logs containing a series of entries. Each entry in a log contains information related to a specific event that has occurred within a system or network. Many logs within an organization contain information related to computer security. These computer security logs are generated by many sources, including (1) security software, such as antivirus software, firewalls, and intrusion detection and prevention systems; (2) operating systems on servers, workstations, and networking equipment; and (3) applications.
Log management is essential to ensure that computer security records are stored in sufficient detail for an appropriate period of time. In addition, routine log analysis is beneficial for identifying security incidents, policy violations, fraudulent activity, and operational problems. Logs are also useful in performing auditing and forensic analysis, supporting internal investigations, establishing baselines, and identifying trends and long-term problems.
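As an added illustration of the three log-management properties the paragraph above names (sufficient detail, an appropriate retention period, and routine analysis that surfaces security incidents), the following script is example code written for this page; it is not part of the OIG report, of OIT’s tooling, or of the contractor’s assessment. The key=value log layout, the required-field list, the 90-day retention figure, the failed-logon threshold, and the sample entries are all assumptions constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed minimum content a forensically useful entry must carry.
REQUIRED_FIELDS = ("ts", "source", "host", "event", "outcome", "user")
RETENTION = timedelta(days=90)            # assumed retention policy (the report sets none)
FAILURE_THRESHOLD = 3                     # assumed: three failed logons ...
FAILURE_WINDOW = timedelta(minutes=5)     # ... inside five minutes is an incident candidate
AS_OF = datetime(2011, 3, 1, tzinfo=timezone.utc)   # assumed review date

# Constructed sample entries from the three source classes the text names:
# security software (firewall, antivirus), an operating system, and an application.
SAMPLE_LOG = """\
ts=2011-03-01T09:00:01Z source=firewall host=fw1 event=deny outcome=blocked user=- src=203.0.113.5
ts=2011-03-01T09:00:05Z source=os host=srv2 event=logon outcome=failure user=jdoe src=10.0.0.22
ts=2011-03-01T09:00:09Z source=os host=srv2 event=logon outcome=failure user=jdoe src=10.0.0.22
ts=2011-03-01T09:00:14Z source=os host=srv2 event=logon outcome=failure user=jdoe src=10.0.0.22
ts=2011-03-01T09:00:20Z source=os host=srv2 event=logon outcome=success user=jdoe src=10.0.0.22
ts=2011-03-01T09:01:00Z source=app host=web1 event=record_view outcome=success
ts=2010-11-15T08:00:00Z source=antivirus host=ws7 event=malware_detected outcome=quarantined user=asmith
"""


def parse_line(line):
    """Split one key=value line into a dict; a token without '=' becomes a key with an empty value."""
    entry = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        entry[key] = value if sep else ""
    return entry


def parse_log(text):
    """Parse every non-blank line of the log text."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def missing_fields(entries):
    """Return (index, [missing field names]) for entries that lack required detail."""
    gaps = []
    for i, entry in enumerate(entries):
        missing = [f for f in REQUIRED_FIELDS if f not in entry]
        if missing:
            gaps.append((i, missing))
    return gaps


def _ts(entry):
    """Parse the entry timestamp (assumed UTC, ISO-8601 with trailing Z)."""
    return datetime.strptime(entry["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def outside_retention(entries, now):
    """Indices of entries older than RETENTION as of `now` (candidates for archival or purge)."""
    return [i for i, e in enumerate(entries) if "ts" in e and now - _ts(e) > RETENTION]


def failed_logon_bursts(entries):
    """(user, host) pairs with at least FAILURE_THRESHOLD failed logons inside FAILURE_WINDOW."""
    by_key = defaultdict(list)
    for e in entries:
        if e.get("event") == "logon" and e.get("outcome") == "failure" and "ts" in e:
            by_key[(e["user"], e["host"])].append(_ts(e))
    hits = []
    for key, times in by_key.items():
        times.sort()
        # Slide a window of THRESHOLD consecutive failures and test its time span.
        for start in range(len(times) - FAILURE_THRESHOLD + 1):
            if times[start + FAILURE_THRESHOLD - 1] - times[start] <= FAILURE_WINDOW:
                hits.append(key)
                break
    return hits


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print("entries missing required fields:", missing_fields(entries))
    print("entries past retention window:", outside_retention(entries, AS_OF))
    print("failed-logon bursts:", failed_logon_bursts(entries))
```

On the constructed input the script reports one application entry that omits the user field (detail insufficient for attribution), one antivirus entry older than the assumed 90-day window, and one burst of three failed logons for a single user on one host followed by a success, which is the kind of pattern routine analysis is meant to flag for incident handling.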
The OIG has contracted with C5i Federal, Inc., to conduct an assessment of OIT’s controls over SEC system and network logs and to assess OIT’s ability to produce and maintain sufficient logs. Additionally, C5i Federal, Inc., will evaluate the roles and responsibilities of OIT staff who access the SEC’s enterprise system and network logs; assess the adequacy of OIT’s policies and procedures covering log management and analysis, data collection, and log storage; examine network logs located within OIT’s enterprise to determine if adequate controls have been established to protect SEC data; and assess whether OIT maintains adequate data for forensic analysis.
Review of SEC’s Continuity of Operations Plan
A continuity of operations (COOP) plan is essential for maintaining critical agency operations during disruptions that affect normal operations. The SEC’s Office of the Chief Operating Officer recently assumed overall responsibility for COOP planning for the agency. The SEC’s Chief Information Officer has oversight responsibility for the disaster recovery component of the SEC’s COOP plan.
The SEC has formal COOP policies and procedures and conducts periodic testing of its COOP plan. However, a recently issued OIG report found that OIT failover testing for certain internal IT applications had been unsuccessful. Another recently issued OIG report found that the SEC’s regional offices lacked viable COOP plans and that the SEC had not tested the maximum user limit for remote access to the SEC’s network.
The OIG has contracted with TWM Associates, Inc., to conduct a review of the SEC’s COOP plan. The objectives of the review are to determine whether the SEC has a viable COOP plan that is sufficient to support the SEC’s operations at its headquarters, Operations Center, Alternate Data Center, and 11 regional offices. TWM Associates, Inc., will also determine whether the SEC is adequately prepared to perform essential functions during a business continuity or disaster recovery event, such as a human or natural disaster, national emergency, or technology failure that could affect the SEC’s ability to continue mission-critical and essential functions.
Audit of Management of SEC-Furnished and SEC-Funded Property Used by Contractors
The SEC accomplishes much of its mission through the use of contractors. In some instances, the SEC provides its contractors with SEC property for use in their work and, in other instances, contractors use SEC funds to acquire property. In either case, the SEC often retains title or ownership of the property. SEC contractors are required to manage and account for property provided to them by the SEC or paid for with SEC funds in accordance with the Federal Acquisition Regulation, as well as other directives and specific contract provisions.
Within the SEC, the Property Management Officer (PMO), located within the Office of Administrative Services, has overall responsibility for developing, administering, and overseeing the SEC’s property management program. In addition, OIT’s Asset Management Branch is responsible for establishing property management policies for IT equipment; serving as the inventory control point for the acquisition, storage, and issuance of IT equipment; acting as the utilization coordinator for the reassignment and disposal of IT assets; and coordinating with the Assistant PMO regarding all IT property issues.
The OIG has contracted with Castro & Company, LLC, to perform an audit to assess whether (1) the SEC has established adequate internal controls over property used by contractors that has been furnished or funded by the SEC; (2) the SEC has reliable records to identify and track contractors who possess property furnished or funded by the SEC; (3) Contracting Officer’s Technical Representatives or others responsible for administration of SEC property used by contractors have been properly trained and perform their duties in accordance with governing policy; (4) annual inventories are performed of SEC-furnished or SEC-funded property used by contractors; (5) adequate policies and procedures exist to cover managing and disposing of SEC-furnished or SEC-funded property used by contractors; and (6) SEC assets held by contractors are properly accounted for by the SEC and, if applicable, appropriately reported in the SEC’s financial statements.