This document is an HTML formatted version of a printed document. The printed document may contain agency comments, charts, photographs, appendices, footnotes and page numbers which may not be reproduced in this electronic version. If you require a printed version of this document contact the United States Securities and Exchange Commission, Office of Inspector General, Mail Stop 11-7, 450 Fifth Street N.W., Washington, D.C. 20549 or call (202) 942-4460.
Survey of Information Technology
Audit Report No. 214
February 7, 1995
To assist in audit planning, we performed a survey of the Office of Information Technology (OIT). During the survey, we identified several possible enhancements to OIT's policies and procedures.
These include improving access controls for the headquarters computer room; developing detailed information on the Commission's software applications; and issuing security guidance, among other matters.
OIT generally agrees with our recommendations, and is taking steps to implement them. We have modified the report as appropriate, based on OIT's comments on prior drafts, as well as comments from the Executive Director, the Division of Enforcement, and the Office of Administrative and Personnel Management (attached).
SCOPE AND OBJECTIVES
The primary objective of our survey was to gather information about the Office of Information Technology to assist in audit planning. We also sought (where feasible without detailed testing) to identify possible enhancements to OIT's operations.
During the survey, we interviewed OIT and other Commission staff, reviewed selected documentation, and observed computer room operations. We conducted limited tests of certain security functions.
The survey was performed between August and October 1994, in accordance with generally accepted government auditing standards.
In November 1992, the Offices of ADP Services and EDGAR Management were merged to form the Office of Information Technology. The merger was intended to strengthen ADP planning and operations, and to clarify organizational responsibilities. The head of the office was named the Commission's Chief Information Officer (this position is currently vacant).
OIT has approximately 130 staff, distributed in four offices: Planning, Administration, and Security; Operations; User Support Services; and Systems Support. In addition, the Office makes extensive use of contractors, especially for software development projects.
The Office provides a broad range of ADP services, including mainframe and network operations; application development and maintenance; and related support services. In its IRM Implementation Plan, the Commission projected 1995 OIT expenditures of approximately $30 million.
Our survey identified several possible enhancements to Commission ADP operations, which are presented below.
The Commission network (known as SECOA) allows users to have concurrent sessions (i.e., logging on from one computer before logging off from another). This feature weakens security, and distorts reporting of user access. On the other hand, the Division of Enforcement has indicated that certain staff regularly need concurrent sessions (see its comments).
OIT should determine whether it is feasible and appropriate to set the SECOA operating system (Novell) to prohibit concurrent sessions. It should consult with affected user offices on this issue.
OIT does not have a policy regarding storage of electronic mail messages on the network. Excessive storage of e-mail could cause unnecessary hardware purchases.
In consultation with user offices, OIT should develop a policy limiting network storage of electronic mail. OIT indicated that a policy has been developed, and will be implemented soon.
Headquarters Computer Room Access
The Office of Administrative and Personnel Management (OAPM) issues card keys to control access to the Operations Center and its computer room.
During the survey, an OIG auditor and an OIT contractor were able to access the headquarters computer room with their card keys. Their user security profiles did not authorize this access. Apparently, the card key software was not working as intended, weakening security.
OAPM should correct the card key software. OAPM indicated that the contractor has corrected the software.
OIT should periodically validate computer room authorizations.
Security Documentation Access
Software security documentation is readily accessible to all users of the Operations Center Library. To enhance security, access to this documentation is normally restricted to authorized personnel.
OIT should restrict access to software security documentation to authorized personnel.
When logging on to the network, users are warned that unauthorized use is prohibited. However, the warning does not mention that the government may monitor user activities.
Users of the mainframe do not receive any warning; instead, they receive the message "Welcome." This message has been construed in court proceedings as an invitation for otherwise unauthorized activities.
OIT should develop a revised warning banner for the Commission's computer systems, and delete the "Welcome" message on the mainframe. A sample warning is shown in the Appendix.
Data on Software Applications
Certain basic data on the Commission's software applications are not readily available, including:
- the hardware they operate on,
- the operating and data base management systems that support them,
- the dates the applications were put into production,
- the dates the applications were last revised, and
- the dates of risk assessments or certifications of the applications.
OIT agrees that these data would be helpful, and has asked a contractor to collect them.
OIT should develop procedures for collecting basic data on Commission software applications.
OIT has not yet issued final guidance on ADP security, although it has developed several drafts, which have not yet been approved by the Office of the Executive Director. This issue has been mentioned in prior OIG audit reports.
In consultation with OIT and the End User Advisory Committee, the Office of the Executive Director should approve issuance of ADP security guidance.
The Commission recently implemented a Private Automatic Branch Exchange (PABX) telephone system. The master password for the PABX has not been changed from the default setting. Anyone knowing this default password could reconfigure the PABX without authorization.
The Office of Administrative and Personnel Management should change the default password, or take other measures to enhance the security of the PABX.
Development of Procurement System
OIT is currently developing an automated procurement system for the Commission. The Patent and Trademark Office (PTO) of the Department of Commerce has a procurement system with several desirable features. It is listed on the GSA schedule, is client server based, and interfaces with the Federal Financial System, the Commission's accounting system. The cost of the system is approximately $50,000.
OIT should consider PTO's procurement system in its alternatives analysis.
Establishing a dial-out connection from the network can take several attempts, particularly when using WINDOWS (three or more attempts from the Operations Center, and ten or more from headquarters). The difficulties relate to the availability of dial-out ports and WINDOWS hardware and software compatibility issues.
OIT should monitor usage and availability of dial-out ports, and inform user support staff of the WINDOWS compatibility issues.
Orientation for New Employees
OAPM gives new employees an orientation to the Commission. Because of the importance of ADP, the orientation should include ADP activities.
OIT, in consultation with OAPM, should develop orientation materials for ADP activities. For example, the materials could include the names of the ADP liaisons, OIT's help desk number, and information on external databases, EDGAR, and the local area network.
Appendix
The following warning banner is based on the banner used by the Department of Commerce, a banner suggested by the Department of Justice, and the Commission's "Policy Statement on the Use of Electronic Mail."
This computer system is Federal property, and is to be used only for authorized government purposes. Misuse of this computer system is a violation of Federal law (Pub. L. 99-474).
All users of this system, whether authorized or not, are subject to monitoring by system personnel. Anyone using this system expressly consents to such monitoring. Evidence of criminal activity or other misconduct may be provided to law enforcement and Commission officials.
Electronic messages (e-mail) on this system are government property. The Commission may access these messages whenever such access serves a legitimate governmental purpose.