This document is an HTML formatted version of a printed document. The printed document may contain agency comments, charts, photographs, appendices, footnotes and page numbers which may not be reproduced in this electronic version. If you require a printed version of this document contact the United States Securities and Exchange Commission, Office of Inspector General, Mail Stop 11-7, 450 Fifth Street N.W., Washington, D.C. 20549 or call (202) 942-4460.
AUDIT MEMORANDUM No. 25
November 7, 2002
To: Kenneth Fogash
From: Walter Stachnik
Re: Security of External Databases
ACCOUNT CANCELLATION AND PASSWORD SHARING
Based on information provided by the Library, we recently found that the Dow Jones Interactive account of a former Commission employee had incurred extensive charges. The account had not been cancelled promptly when the employee left the agency.
We also found that co-workers in the former employee's office shared their passwords, in the belief that the Commission paid a flat fee for the service.[1] Therefore, the actual user(s) of the Dow Jones account could not be identified.
Besides Dow Jones Interactive (with 1472 users), Commission staff use a variety of external databases. The Lexis/Nexis service is the most widely used, with about 2770 total users.
We subsequently reviewed a June 2002 Lexis/Nexis listing of active users. The listing included four former employees with active accounts. We provided their names to the Office of Information Technology (OIT) for cancellation.
OIT issued updated Operating Procedures for Lexis/Nexis on July 24, 2002, which should enhance access controls. Under the new procedures, each office's service coordinator (i.e., the Administrative Contact) is responsible for adding and canceling users, rather than OIT. Since administrative contacts deal directly with new and departing employees, they are in a better position than OIT to ensure that user accounts are current.
As an additional control, OIT will send the administrative contacts a listing of authorized users every six months. The contacts will then be expected to review the listing and make sure that only authorized users have accounts. OIT has posted the updated procedures on the Intranet, but has not yet informed administrative contacts about them.
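The semi-annual review described above is a reconciliation: the vendor's listing of active accounts is compared against who still works in the office, and any account belonging to a departed or unknown person is cancelled. The following script is an added illustration of that check; it is not part of the memorandum and does not reflect any Commission or vendor system. The CSV column names, the account identifiers and all names and dates are constructed for the example.

```python
"""Semi-annual access review for an external database service.

Added example, not part of the OIG memorandum or any Commission system.
It reconciles a vendor's active-user listing against an HR roster and
reports accounts that should be cancelled or investigated. All data
below is constructed; the CSV column names are assumptions.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed vendor listing of active accounts (columns are assumed).
VENDOR_LISTING = """\
account_id,name,office,last_login
LN-1001,Alice Example,Enforcement,2002-06-10
LN-1002,Bob Example,Enforcement,2002-06-12
LN-1003,Carol Example,Corporation Finance,2002-05-30
LN-1004,Dan Example,Enforcement,2002-06-15
LN-1005,Eve Example,Market Regulation,2002-01-20
"""

# Constructed HR roster; a blank separation_date means current staff.
HR_ROSTER = """\
name,office,separation_date
Alice Example,Enforcement,
Bob Example,Enforcement,2002-03-15
Carol Example,Corporation Finance,
Eve Example,Market Regulation,2002-01-31
"""


@dataclass(frozen=True)
class Finding:
    account_id: str
    name: str
    action: str   # "cancel", "investigate" or "review"
    reason: str


def _parse_date(text: str) -> Optional[date]:
    """Return a date for 'YYYY-MM-DD', or None for a blank field."""
    return date.fromisoformat(text) if text.strip() else None


def load_listing(text: str) -> list[dict]:
    """Parse the vendor listing; last_login becomes a date (or None)."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["last_login"] = _parse_date(row["last_login"])
    return rows


def load_roster(text: str) -> dict[str, Optional[date]]:
    """Map employee name to separation date (None = still employed).

    A real review would key on a stable employee identifier rather than
    a display name, which can collide or change.
    """
    return {
        row["name"]: _parse_date(row["separation_date"])
        for row in csv.DictReader(io.StringIO(text))
    }


def reconcile(listing: list[dict], roster: dict[str, Optional[date]]) -> list[Finding]:
    """Flag accounts whose holder has left or is unknown to HR."""
    findings = []
    for acct in listing:
        name = acct["name"]
        if name not in roster:
            findings.append(Finding(acct["account_id"], name, "review",
                                    "account holder not on HR roster"))
            continue
        separated = roster[name]
        if separated is None:
            continue  # current employee: account is legitimate
        last_login = acct["last_login"]
        if last_login is not None and last_login > separated:
            # Use after the separation date points to a shared or orphaned
            # password, which is the situation the memorandum describes.
            findings.append(Finding(acct["account_id"], name, "investigate",
                                    f"login on {last_login} after separation on {separated}"))
        else:
            findings.append(Finding(acct["account_id"], name, "cancel",
                                    f"employee separated on {separated}"))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per action, for the administrative contact's report."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.action] = counts.get(f.action, 0) + 1
    return counts


if __name__ == "__main__":
    results = reconcile(load_listing(VENDOR_LISTING), load_roster(HR_ROSTER))
    for f in results:
        print(f"{f.account_id}  {f.name:<14} {f.action:<12} {f.reason}")
    print(summarize(results))
```

On the constructed data the script produces three findings: one account to cancel (the holder left and has not logged in since), one to investigate (activity after the separation date, the pattern that made the Dow Jones charges untraceable), and one to review because the holder does not appear on the roster at all. The distinction matters because a cancellation alone does not explain who used a departed employee's password.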
The Library has developed a proposal to further improve password management for external databases such as Lexis/Nexis. The proposal includes training of users, and development of policies and procedures for password management. To implement the proposal, additional staff will be required, according to the Library.
The Office of Information Technology should inform administrative contacts regarding the updated procedures for external database password management (e.g., by an e-mail or written memorandum).
The Library (in the Office of the Secretary) should make a budget request for the staff needed to implement its proposal described above.
According to the Library staff, some employees designate their personal e-mail accounts (such as Yahoo, Hotmail) for downloading of Lexis/Nexis reports. Commission policy is that personal accounts should not be accessed at work, since the access poses a security risk. Moreover, employees can now access their Commission e-mail from home, so use of personal e-mail accounts for Lexis/Nexis reports is unnecessary.
In its user training (see above), the Library should tell users that Lexis/Nexis reports should be sent to their government e-mail account, not their personal account.
[1] Under the Dow Jones and Lexis/Nexis contracts administered by the Library, the Commission does pay a flat fee annually. However, usage above a defined amount increases the charge for the following year. The fiscal year 2003 Lexis/Nexis contract limits usage to authorized users and specifically prohibits password sharing. In addition, password sharing violates Commission policy and compromises information technology security, which is a general responsibility of the Office of Information Technology.