This document is an HTML formatted version of a printed document. The printed document may contain agency comments, charts, photographs, appendices, footnotes and page numbers which may not be reproduced in this electronic version. If you require a printed version of this document contact the United States Securities and Exchange Commission, Office of Inspector General, Mail Stop 11-7, 450 Fifth Street N.W., Washington, D.C. 20549 or call (202) 942-4460.

REGIONAL TELECOMMUNICATION SECURITY

Audit No. 353
August 19, 2002

INTRODUCTION

The Securities and Exchange Commission (SEC), Office of the Inspector General, performed a telecommunications vulnerability audit of the voice and data telecommunications for its 11 field offices. The primary goal of this review was to assess the effectiveness of the controls that were instituted to prevent unauthorized access to the SEC wide area network through SEC dial-up capabilities at its field office locations.

SCOPE AND OBJECTIVES

The scope of our audit consisted primarily of interviewing Commission staff and reviewing supporting documentation, among other procedures performed at Headquarters and selected field offices. We performed our fieldwork from January 2002 through June 2002.

The scope for this review included a dial up assessment for each field offices and two field office site visits for fieldwork. As part of performing this field work we interviewed Commission staff, reviewed selected documentation, and performed other test procedures designed to assess telecommunication controls. We performed our fieldwork from January 2002 through June 2002.

The objectives for this telecommunications vulnerability audit were to determine whether the SEC's voice and data telecommunications (phone lines) for its 11 field offices: (1) are secure from unauthorized intrusion and misuse, (2) are vulnerable to attacks, (3) contain unknown telecommunications access points (i.e., back doors out of SEC to the Internet), and (4) have controls in place to secure digital or analog lines.

AUDIT RESULTS

Based on our review, we identified several non-material control weaknesses and provided recommendations for corrective action. We provided senior management with an oral briefing on August 14, 2002 of our findings and recommended that management strengthen selected telecommunication related controls. Management concurred with the findings and in some cases, we noted that corrective action had already been implemented.