This document is an HTML formatted version of a printed document. The printed document may contain agency comments, charts, photographs, appendices, footnotes and page numbers which may not be reproduced in this electronic version. If you require a printed version of this document contact the United States Securities and Exchange Commission, Office of Inspector General, Mail Stop 11-7, 450 Fifth Street N.W., Washington, D.C. 20549 or call (202) 942-4460.
AUDIT MEMORANDUM No. 29
April 29, 2003
To: James McConnell
From: Walter Stachnik
Re: Facility Access Control Systems
We performed audit work to determine whether the Commission's headquarters, regional, and district office facility access control systems (ACS) were acquired, installed, and operated in accordance with SECR 24-2, Information Technology Security Program. We determined that headquarters and six of the regional and district offices own a variety of ACSs acquired from a number of vendors.
The ACSs are used to control and restrict physical access to Commission facilities and office space. Individuals are assigned access privileges to controlled and restricted office space based on their job-related responsibilities.
Access control systems are generally made up of four basic components: cards, readers, controllers, and software. The Commission's ACS hardware and software components include card readers, personal computer (PC) workstations, client-servers, controllers, modems, and operating system software such as Microsoft Windows 98 and Windows 2000.
REQUIREMENTS AND RESPONSIBILITIES
SECR 24-2, Information Technology Security Program, and SECR 24-2.4 Version 1, Technical Bulletin: Information Technology Certification and Accreditation, establish policies, responsibilities, and authorities for establishing adequate and appropriate levels of protection for all information technology (IT) resources owned or leased by the SEC. The SEC's IT Security Program encompasses information resources and equipment such as personal computer workstations, network file servers, modems, microcomputer-based hardware and software, telecommunications equipment, and other computer components and electronics.
System owners and sponsors are to identify, establish, and implement adequate and appropriate safeguards for the IT resources under their control. IT resource owners and sponsors are to perform a security risk assessment to identify, characterize, and document the:
In addition, system owners are to consult with the Commission's IT Security Officer to ensure that appropriate IT security requirements are included in the acquisition and operation of all IT hardware, software, equipment, applications, or related services. The Office of Administrative and Personnel Management (OAPM) is the system owner for Commission ACSs.
We determined that OAPM should perform information systems security risk assessments for the facility access control systems owned and acquired by the headquarters, regional, and district offices.
Performing the risk assessments would make sure that appropriate managerial, operational, and technical security controls are identified and implemented to mitigate potential vulnerabilities presented by ACS hardware and software components (e.g., PC workstations, client-servers, controllers, modems, application software, and operating system software). The risk assessments would also make sure that headquarters, regional, and district offices establish and implement procedures to back up ACS database files.
In addition, we determined that servers, PC workstations, monitors, modems, and software acquired as part of a facility access control system need to be reclassified in the Commission's financial accounting system as Information Systems and Telecommunications Equipment and Information Systems Software.
We concluded that by performing the prescribed information systems security risk assessments, OAPM would attain more reasonable assurance that potential ACS computer vulnerabilities are identified and appropriate safeguards are established and implemented to mitigate unacceptable risks.
Recommendation A
OAPM should coordinate with the Office of Information Technology (OIT) and OFM to obtain the resources (technical assistance and contractor support) necessary to inventory all Commission access control systems, assess security risks, and implement appropriate systems security controls.
In implementing Recommendation A, OAPM should establish an action plan with milestones to complete all required facility access control system risk assessments within the next 8 months. The action plan should make sure that an inventory is performed of all headquarters, regional, and district office facility access control system configurations to identify all information technology components, hardware, software, and operating systems. Based on the results of the inventory, OAPM should consult with the Office of Information Technology (OIT) Security Officer to determine the scope and extent of the risk assessments that are required for each facility access control system configuration. The scope and extent of each risk assessment should be based on the size and sophistication of each access control system. OAPM should then perform risk assessments for each facility access control system, document the risk assessment results, and implement appropriate safeguards based on the results of each risk assessment.
In addition, OAPM should establish controls to make sure that future acquisitions of facility access control systems undergo a computer security risk assessment to identify the computer security controls necessary to mitigate vulnerabilities and risks presented by ACS hardware and software components.
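The inventory-then-assess procedure described above can be made concrete as a screening pass over an ACS component inventory. The following is an added illustration, not code from the memo or from the SEC: the office names, vendors, component lists, severity levels and screening rules are all constructed assumptions, chosen to reflect the component types the memo names (PC workstations, servers, controllers, modems, Windows 98/2000 hosts, database backups, and financial classification).

```python
"""Inventory-driven screening of facility access control system (ACS)
configurations.  Hypothetical example, not SEC code: every record,
rule and severity below is constructed for illustration."""
from dataclasses import dataclass

IT_CLASS = "Information Systems and Telecommunications Equipment"


@dataclass
class AcsConfig:
    office: str
    vendor: str
    components: list          # e.g. "card reader", "controller", "server", "modem"
    operating_systems: list   # e.g. "Windows 98", "Windows 2000"
    backup_procedure: bool    # documented backup of ACS database files?
    financial_class: str      # how the hardware is recorded in the accounting system


@dataclass
class Finding:
    office: str
    severity: str             # "high", "medium" or "low" (constructed scale)
    issue: str


def screen(cfg: AcsConfig) -> list:
    """Apply constructed screening rules to one ACS configuration and
    return the findings a risk assessment would need to address."""
    findings = []
    if "modem" in cfg.components:
        findings.append(Finding(cfg.office, "high",
            "modem present: dial-in path to the ACS must be authenticated and logged"))
    for os_name in cfg.operating_systems:
        # Windows 9x hosts have no per-user authentication or file permissions.
        if os_name.startswith("Windows 9"):
            findings.append(Finding(cfg.office, "high",
                f"{os_name}: no per-user authentication or file permissions on ACS host"))
    if "server" in cfg.components or "PC workstation" in cfg.components:
        findings.append(Finding(cfg.office, "medium",
            "networked host: include OS patching and hardening in the risk assessment"))
    if not cfg.backup_procedure:
        findings.append(Finding(cfg.office, "medium",
            "no documented backup procedure for ACS database files"))
    if cfg.financial_class != IT_CLASS:
        findings.append(Finding(cfg.office, "low",
            f"recorded as '{cfg.financial_class}': reclassify as {IT_CLASS}"))
    return findings


def assessment_scope(cfg: AcsConfig) -> str:
    """Size the assessment by the system's size and sophistication:
    standalone readers and controllers need less than a networked,
    multi-component installation (constructed thresholds)."""
    networked = any(c in cfg.components for c in ("server", "PC workstation", "modem"))
    if networked and len(cfg.components) >= 4:
        return "full"
    if networked:
        return "standard"
    return "abbreviated"


def build_plan(inventory: list) -> dict:
    """Map each office to the scope of its assessment and its findings."""
    return {cfg.office: {"scope": assessment_scope(cfg), "findings": screen(cfg)}
            for cfg in inventory}


# Constructed sample inventory (not the Commission's actual configurations).
INVENTORY = [
    AcsConfig("Headquarters", "Vendor A (constructed)",
              ["card reader", "controller", "server", "PC workstation", "modem"],
              ["Windows 2000"], True, "Office Machines and Equipment"),
    AcsConfig("Regional Office 1", "Vendor B (constructed)",
              ["card reader", "controller", "PC workstation"],
              ["Windows 98"], False, "Office Machines and Equipment"),
    AcsConfig("District Office 2", "Vendor C (constructed)",
              ["card reader", "controller"], [], True, IT_CLASS),
]

if __name__ == "__main__":
    for office, entry in build_plan(INVENTORY).items():
        print(f"{office}: {entry['scope']} assessment, {len(entry['findings'])} finding(s)")
        for f in entry["findings"]:
            print(f"  [{f.severity}] {f.issue}")
```

Running the module prints a per-office plan; the point of the structure is that the inventory drives both the scope decision and the list of controls to assess, so a newly acquired system can be screened the same way before installation.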
OFM should reclassify as Information Systems and Telecommunications Equipment and Information Systems Software the ACSs currently recorded as Office Machines and Equipment in its financial accounting system records.
cc: Mark Brickman