This document is an HTML formatted version of a printed document. The printed document may contain agency comments, charts, photographs, appendices, footnotes and page numbers which may not be reproduced in this electronic version. If you require a printed version of this document contact the United States Securities and Exchange Commission, Office of Inspector General, Mail Stop 11-7, 450 Fifth Street N.W., Washington, D.C. 20549 or call (202) 942-4460.
AUDIT MEMORANDUM No. 27
January 29, 2003
To: James McConnell
From: Walter Stachnik
Re: Password Management for the Name Relationship Search Inquiry (NRSI) System
We performed audit work to validate an allegation that Commission staff shared Name Relationship Search Inquiry (NRSI) passwords. NRSI is a cross-referencing application that provides users the capability to obtain variations of similar filings information contained in a number of SEC Automated Information Systems. The system compensates for variations in data, allowing a user to enter a partial or complete name of an individual or company and retrieve a list of records from other SEC systems, such as the Case Action Tracking System (CATS) and the Electronic Data Gathering, Analysis, and Retrieval (EDGAR) system.
The Office of Information Technology (OIT) developed the NRSI system.[1] OIT provides operational support, maintains system hardware components, and performs required software and data maintenance. The OIT Help Desk manages user accounts and can control the granting and revoking of access to the system.
The Office of the Executive Director (OED) owns NRSI. All proposed changes to the system must be reviewed and approved by OED prior to implementation. The Division of Enforcement (ENF) and the Office of Filings and Information Services (OFIS) are the most frequent users of NRSI; however, the system is accessible to and used by nearly every office within the Commission.
Users are required to complete an Account Request Form (SEC 2555) to obtain access to the NRSI system. The form is completed manually and routed by mail through the user's ADP liaison, the OIT Security Group, the Division of Enforcement, and the NRSI system administrator before access is granted. During our review, we were told that the current manual process for requesting, validating, granting, and revoking user privileges and passwords is inefficient and time consuming. Program office and OIT personnel believe that the process needs to be streamlined and automated. We were told that if the process were streamlined and automated, more time could be spent auditing password management.
Users are to comply with the password management policies prescribed in SECR 24-2.1, Information Technology Security Program Identification, Authentication, and Passwords, dated April 24, 2001. Although the SECR provides policy for password management and use, the Commission has neither developed nor enforced administrative sanctions for the misuse and mismanagement of passwords.
We determined that unauthorized users can gain access to the NRSI system and other Commission systems, such as the Electronic Data Gathering, Analysis, and Retrieval (EDGAR) system, because of weak password security controls and user noncompliance with established access control and security policies. Specifically, we found that Commission staff within the Divisions of Enforcement and Corporation Finance:
- Shared NRSI passwords; and
- Logged coworkers onto the system, and then gave the unauthorized users access to their personal workstations to perform searches.
In addition, analysis of user accounts for Commission staff assigned to the Division of Enforcement and Offices of Public Affairs; Investor Education and Assistance; International Affairs; Compliance, Inspections, and Examinations; and Filings and Information Services showed that:
- At least 21 NRSI accounts were active for individuals no longer employed by the SEC;
- NRSI passwords do not expire when inactive for significant periods of time;
- NRSI users are not required to periodically change their passwords; and
- At least 172 NRSI users did not change their default password, as required, after they first accessed the system.
As a result, we gained varying levels of access to the NRSI and EDGAR systems granted to at least:
- 172 NRSI user accounts; and
- 80 EDGAR user accounts.
We were able to gain access to the EDGAR system because users of the NRSI system having access to the EDGAR system used the same default password for both systems.
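The four account-level findings above (active accounts for separated staff, no inactivity expiry, no periodic change, and unchanged default passwords) and the cross-system finding (the same default password opening both NRSI and EDGAR) are all conditions an account owner can detect from an account export before an auditor does. The script below is an added example written for this page, not code from the SEC, OIT or the NRSI system. It runs over a constructed set of account records; the field names, the 90-day thresholds and the placeholder initial password are assumptions, since the memorandum does not state the SECR 24-2.1 values.

```python
"""Account-hygiene audit over a constructed NRSI/EDGAR account export.

Added example (not part of the OIG memorandum). It flags the control
weaknesses the audit found, given account records exported from the
systems. Field names and thresholds are assumptions, not SEC policy values.
"""
import hashlib
from dataclasses import dataclass
from datetime import date

# Assumed policy thresholds; SECR 24-2.1's actual values are not on the page.
MAX_PASSWORD_AGE_DAYS = 90
MAX_INACTIVE_DAYS = 90
AUDIT_DATE = date(2003, 1, 29)  # date of the memorandum


def pw_hash(password: str) -> str:
    """Hash a password so the script compares digests, never plaintext."""
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed stand-in for the initial (default) password. The real value is
# not on the page and must never be embedded in an audit script.
DEFAULT_HASH = pw_hash("INITIAL-PASSWORD-PLACEHOLDER")


@dataclass(frozen=True)
class Account:
    user: str
    system: str          # "NRSI" or "EDGAR"
    password_hash: str   # digest of the current password
    password_set: date   # when the current password was set (initial or changed)
    last_login: date
    employed: bool       # still on the Commission's rolls


def find_orphaned(accounts):
    """Active accounts belonging to people no longer employed."""
    return sorted({a.user for a in accounts if not a.employed})


def find_default_password(accounts, system):
    """Users on `system` who never changed the initial password."""
    return sorted(a.user for a in accounts
                  if a.system == system and a.password_hash == DEFAULT_HASH)


def find_stale_password(accounts, today=AUDIT_DATE):
    """Accounts whose password is older than the assumed maximum age."""
    return sorted((a.user, a.system) for a in accounts
                  if (today - a.password_set).days > MAX_PASSWORD_AGE_DAYS)


def find_inactive(accounts, today=AUDIT_DATE):
    """Accounts not used for longer than the assumed inactivity limit."""
    return sorted((a.user, a.system) for a in accounts
                  if (today - a.last_login).days > MAX_INACTIVE_DAYS)


def find_cross_system_reuse(accounts):
    """Users whose NRSI and EDGAR passwords hash identically, i.e. the
    condition that let one default password open both systems."""
    by_user = {}
    for a in accounts:
        by_user.setdefault(a.user, {})[a.system] = a.password_hash
    return sorted(u for u, h in by_user.items()
                  if "NRSI" in h and "EDGAR" in h and h["NRSI"] == h["EDGAR"])


def audit(accounts, today=AUDIT_DATE):
    """Run every check and return the findings keyed by control."""
    return {
        "orphaned": find_orphaned(accounts),
        "default_nrsi": find_default_password(accounts, "NRSI"),
        "default_edgar": find_default_password(accounts, "EDGAR"),
        "stale_password": find_stale_password(accounts, today),
        "inactive": find_inactive(accounts, today),
        "cross_system_reuse": find_cross_system_reuse(accounts),
    }


# Constructed sample export (not real SEC accounts).
SAMPLE = [
    Account("alice", "NRSI", DEFAULT_HASH, date(2002, 6, 1), date(2003, 1, 20), True),
    Account("alice", "EDGAR", DEFAULT_HASH, date(2002, 6, 1), date(2003, 1, 20), True),
    Account("bob", "NRSI", pw_hash("constructed-pw-1"), date(2003, 1, 5), date(2003, 1, 10), True),
    Account("carol", "NRSI", pw_hash("constructed-pw-2"), date(2002, 3, 1), date(2002, 5, 1), False),
    Account("dave", "NRSI", DEFAULT_HASH, date(2002, 11, 1), date(2002, 12, 1), True),
    Account("dave", "EDGAR", pw_hash("constructed-pw-3"), date(2002, 12, 20), date(2003, 1, 15), True),
]

if __name__ == "__main__":
    for control, hits in audit(SAMPLE).items():
        print(f"{control}: {hits}")
```

The union of `default_nrsi`, `default_edgar` and `stale_password` is the population for a mandatory one-time password change, and `orphaned` is the deletion list; running the script on a schedule is what the memorandum's call for automated account management would make routine.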
We concluded that improved technical, operational, and managerial processes and procedures are needed to improve password management within the Commission. Therefore, we are recommending the following management actions.
The Office of the Executive Director (OED) should issue a memorandum instructing Commission staff to comply with existing user password policies prescribed in SECR 24-2.1.
In implementing this recommendation, the OED should instruct all Commission staff who are currently using default passwords to change their passwords to comply with the SECR. Also, staff and supervisors should be reminded that failure to comply with the Commission's password management policies could result in administrative actions, including revocation of system access privileges.
The Office of Information Technology (OIT) should initiate a mandatory one-time user password change, at a minimum, for the 172 NRSI user accounts and 80 EDGAR user accounts included in our review.
OIT should delete the 21 NRSI user accounts for the individuals who are no longer employed by the Commission.
OIT, in coordination with OED, should streamline and automate the Commission's process for requesting, validating, granting, and revoking user access to Commission Automated Information Systems.
cc: Mark Brickman
[1] OIT is developing a new version of NRSI (NRSI Version 3.0), which it plans to deploy sometime within the 2nd Quarter of FY 03. Version 3.0 will contain a different authentication method that will eliminate some, but not all, of the password security vulnerabilities that we identified.