SEC CIO: Vendor Management Must Improve
GAO Audit Identifies Breakdown in Process at the Commission
Securities and Exchange Commission CIO Thomas Bayer fesses up that the SEC could have done a better job keeping track of information security-related work performed by contractors.
Responding to a federal government audit, Bayer acknowledges the lack of oversight could have put commission financial and support systems at risk. "We have not achieved our goals as they relate to information and system protection," Bayer writes in a letter to the Government Accountability Office, responding to an audit report titled Information Security: SEC Needs to Improve Controls over Financial Systems and Data. "While we are confident in our defense-in-depth approach to security, you identified a breakdown in our established verification process and vendor management."
In the audit, released April 17, GAO says the information security weaknesses existed, in part, because the SEC failed to effectively oversee and manage the implementation of information security controls during the migration of a key financial system to a new location during the last fiscal year. Specifically, during the migration, the SEC did not consistently supervise the information security-related work performed by a contractor or effectively manage risk.
"Until SEC mitigates control deficiencies and strengthens the implementation of its security program, its financial information and systems may be exposed to unauthorized disclosure, modification, use and disruption," Gregory Wilshusen, GAO director of information security issues, writes in the report.
Tools Not Fully Deployed
Bayer explains that when the SEC moved to a new data center, its new automated system oversight tools weren't fully deployed. "As a result," he says, "that particular system was deployed without meeting our configuration requirements."
When GAO notified the SEC of the configuration problem, the CIO says the commission immediately shut down the system and reverted to the original, properly configured environment. "Our subsequent move to the second data center was a clean evolution to a properly configured environment," he says.
Although Bayer says the SEC regrets the lack of contractor oversight during the migration, the commission remains confident that its layered defense architecture would have allowed it to detect and respond to attempted intrusions in a timely manner. He says an SEC forensic investigation yielded no evidence of compromise to that system.
Bayer concedes, as the GAO report points out, that the SEC failed to update or test disaster recovery plans, saying time constraints didn't allow for an immediate disaster recovery test of the financial system. "However," he says, "individual components of the system were tested in both new data centers and data was being replicated."
Effectiveness of Controls Limited
Wilshusen, in the GAO report, credits the SEC for making progress in strengthening information security controls. But he notes that weaknesses limited the SEC's effectiveness in safeguarding the confidentiality, integrity and availability of a key financial system. For instance, the report says, the SEC did not:
- Consistently protect its system boundary from possible intrusions; identify and authenticate users; authorize access to resources; encrypt sensitive data; audit and monitor actions taken on the commission's networks, systems and databases; and restrict physical access to sensitive assets.
- Securely configure the system at its new data center according to its configuration baseline requirements. In addition, it did not consistently apply software patches intended to fix vulnerabilities to servers and databases in a timely manner.
- Adequately segregate its development and production computing environments. For example, development user accounts were active on the system's production servers.
- Ensure redundancy of a critical service although it had developed contingency and disaster recovery plans.
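Several of the findings above (development accounts on production servers, configuration drift from the baseline, late patching, unencrypted sensitive data) are the kind of conditions an automated oversight tool of the sort Bayer mentions can flag before an auditor does. The following is an added illustration, not code from the SEC, GAO or this article: a small inventory check that evaluates each host against those four controls and reports findings by control. The host records, the `dev_` account-naming convention, the 30-day patch threshold and the reference date are all constructed assumptions.

```python
"""Baseline compliance check over a server inventory (added example, constructed data)."""
from dataclasses import dataclass
from datetime import date

PATCH_SLA_DAYS = 30          # assumed patch-timeliness threshold, not a figure from the audit
DEV_ACCOUNT_PREFIX = "dev_"  # assumed naming convention marking development accounts


@dataclass
class Host:
    name: str
    env: str             # "production" or "development"
    accounts: list       # local/service accounts enabled on the host
    last_patched: str    # ISO date of the last applied patch set
    baseline_match: bool # running configuration matches the approved baseline
    disk_encrypted: bool # sensitive data at rest is encrypted


@dataclass
class Finding:
    host: str
    control: str
    detail: str


def check_host(host: Host, as_of: date) -> list:
    """Return the list of control findings for one host as of the given date."""
    findings = []
    if host.env == "production":
        # Segregation of duties: no development identities on production systems.
        dev_accounts = [a for a in host.accounts if a.startswith(DEV_ACCOUNT_PREFIX)]
        if dev_accounts:
            findings.append(Finding(host.name, "segregation_of_duties",
                                    "development accounts active on production host: "
                                    + ", ".join(dev_accounts)))
        # Encryption of sensitive data applies to production data stores.
        if not host.disk_encrypted:
            findings.append(Finding(host.name, "encryption",
                                    "sensitive data at rest is not encrypted"))
    # Configuration management: deviation from the approved baseline.
    if not host.baseline_match:
        findings.append(Finding(host.name, "configuration_management",
                                "running configuration deviates from approved baseline"))
    # Patch management: patches applied later than the agreed threshold.
    age = (as_of - date.fromisoformat(host.last_patched)).days
    if age > PATCH_SLA_DAYS:
        findings.append(Finding(host.name, "patch_management",
                                f"last patched {age} days ago (threshold {PATCH_SLA_DAYS})"))
    return findings


def evaluate(hosts: list, as_of: date) -> list:
    """Run check_host over the whole inventory and flatten the findings."""
    return [f for h in hosts for f in check_host(h, as_of)]


def summarize(findings: list) -> dict:
    """Count findings per control so weaknesses can be tracked to closure."""
    counts = {}
    for f in findings:
        counts[f.control] = counts.get(f.control, 0) + 1
    return counts


# Constructed sample inventory; hostnames and dates are invented.
AS_OF = date(2013, 9, 30)
SAMPLE_HOSTS = [
    Host("fin-db-01", "production", ["svc_fin", "dba_ops", "dev_jsmith"],
         "2013-08-10", baseline_match=False, disk_encrypted=True),
    Host("fin-app-01", "production", ["svc_app", "app_admin"],
         "2013-09-20", baseline_match=True, disk_encrypted=False),
    Host("fin-dev-01", "development", ["dev_jsmith", "dev_mlee"],
         "2013-07-01", baseline_match=True, disk_encrypted=True),
]

if __name__ == "__main__":
    results = evaluate(SAMPLE_HOSTS, AS_OF)
    for f in results:
        print(f"{f.host:12} {f.control:26} {f.detail}")
    print(summarize(results))
```

Running the script against the sample inventory reports five findings: the production database host has a development account, a baseline mismatch and a late patch; the application host lacks encryption at rest; and the development host is also behind on patching, since the patch rule is applied to every environment, not only production.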
The government auditors say these weaknesses, considered collectively, contributed to GAO's determination that the SEC had a significant deficiency in internal control over financial reporting systems for fiscal year 2013, which ended last Sept. 30.
GAO recommends the SEC assign cybersecurity personnel to monitor and evaluate contractor performance in implementing information security controls, as well as institute a risk management process to ensure that similar contract oversight weaknesses are not widespread. That, GAO says, should include identifying and conveying risks, performing security impact analyses and mitigating identified risks as appropriate.
GAO also issued a second, nonpublic report with limited distribution that offered 49 detailed recommendations for actions to be taken to correct specific information security weaknesses related to access control, configuration management, segregation of duties and contingency and disaster recovery plans.