This document is an HTML formatted version of a printed document. The printed document may contain agency comments, charts, photographs, appendices, footnotes and page numbers which may not be reproduced in this electronic version. If you require a printed version of this document contact the United States Securities and Exchange Commission, Office of Inspector General, Mail Stop 11-7, 450 Fifth Street N.W., Washington, D.C. 20549 or call (202) 942-4460.

AUDIT MEMORANDUM No. 24

September 10, 2002

To: Division Directors and Office Heads ¹

From: Walter Stachnik, Inspector General

Re: Program Officials' Information Security Responsibilities

Since passage of the Government Information Security Reform Act (GISRA) on October 30, 2000, the Commission's Chief Information Officer (CIO) has taken action to implement a Commission-wide Security Program to comply with the spirit and intent of GISRA. For example, the Commission's CIO has taken action to:

• Educate the Chairman, program offices and Commission staff on their information security responsibilities;

   

   

• Integrate information security into the Commission's Information Technology Capital Planning (ITCPC) Process;

   

   

• Publish Commission-wide policies and procedures for certifying and accrediting Commission systems and applications; and,

   

   

• Establish a standardized contracting vehicle to assist program offices in certifying and accrediting Commission systems and applications.

   

However, the Commission's Information Security Program is not in full compliance with the GISRA. Specifically, Division Directors and Office Heads have not yet been adequately integrated into the Program. GISRA requires that Division Directors and Office Heads:

• Assess the risk to information processed by the systems supporting their mission areas;

   

   

• Determine the appropriate level of security to protect information processed by their systems;

   

   

• Maintain up-to-date information system security plans, and

   

   

• Ensure that information system security controls are tested and evaluated.

   

Although GISRA does not permit OIT to perform these duties, OIT has developed regulations for system certification and accreditation and has procured a contractor to help divisions and offices comply with GISRA. The OIT Security Group has more information.

We are recommending the following actions to help the Commission achieve compliance with the mandates of GISRA.

Recommendation A

The Office of Information Technology (OIT) should establish and publish Commission-wide definitions of what constitutes a "Major Application" and what constitutes a "General Support System".

Recommendation B

Within 30 days, the Chairman or Executive Director should formally assign system security responsibilities (e.g., to certify the security of applications/systems) to division directors and office heads, as specified in GISRA.

Recommendation C

Upon notification, each division director and office head (see Attachment A) should explicitly assign the responsibility to complete mandated system security tasks (see Attachment B) to their Information Officer. If the division or office does not have an Information Officer, these duties should be assigned to a senior manager having knowledge of the program and some knowledge of the office's use of information technology (IT) in conducting Commission operations. These assignments should be completed and provided to the CIO within 5 days of being notified by the Chairman or Executive Director.

Recommendation D

Within 30-days of assignment, each Information Officer should prioritize the certification and accreditation sequence of the applications and systems for their division or office, and provide the list to the Information Officers Council (IOC) and CIO. For those divisions and offices not having an Information Officer, the senior manager assigned this responsibility should prioritize the certification and accreditation sequence, and provide the list to the IOC and CIO.

In implementing this recommendation, Information Officers and senior managers should meet with the CIO and IOC to establish agreement on which program office is assigned principal ownership of the Commission's application/system. Once application/system ownership responsibilities are

assigned to non-OIT program offices, the IOC and ITCPC should use this baseline to implement Recommendations E, F, and G below.

Recommendation E

The IOC, in coordination with the CIO, should prioritize the portfolio of Commission applications and systems submitted by the Information Officers that require certification and accreditation. All major applications and systems should be certified and accredited within 15 months of the publication date of this audit report.

Recommendation F

The CIO should prioritize and schedule general support systems for certification and accreditation within 12 months of the publication date of this audit report.

Recommendation G

The ITCPC should ensure that appropriate funds are programmed annually to certify and accredit applications and systems on a recurring basis, in compliance with GISRA.

ATTACHMENT A

DIVISION DIRECTORS AND OFFICE HEADS

ES* Mark Radke
OS Jonathan Katz
ED James McConnell
GC Giovanni Preziosio
CF Alan Beller
ENF Stephen Cutler
ENF** James Clarkson
IM Paul Roye
MR Annette Nazareth
ALJ Brenda Murray
OAPM Jayne Seidman
CA Robert Herdman
OCOM Brian Gross
OPA Christi Harlan
OLA Jayne Cobb
OIEA Susan Ferris-Wyderko
OCIE Lori Richards
OEA Lawrence Harris
EEO Deborah Balducchi
OFIS Kenneth Fogash
OFM Margaret Carpenter
OIT Michael Bartell
OIG Walter Stachnik
OIA Felice Friedman

* Executive Staff representing the Commissioners.

** Director responsible for regional and district operations.

ATTACHMENT B

SYSTEM SECURITY MANDATES THAT ARE THE RESPONSIBILITY OF COMMISSION DIVISION DIRECTORS AND OFFICE HEADS

Public Law (P.L. 106-398) including Title X, Subtitle G, "Government Information Security Reform (The Security Act)," amends the Paperwork Reduction Act of 1995 (44 U.S.C. Chapter 35) by enacting a new subchapter on Information Security. The new subchapter primarily addresses the program management and evaluation aspects of information security. The Security Act essentially codifies the existing requirements of OMB Circular A-130, Appendix III, "Security of Federal Automated Resources." The Security Act applies to all Executive agencies and pertains to all "program area" systems, including those systems currently in place, or planned.

Ensuring the security of information systems is no longer the sole responsibility of the Commission's Chief Information Officer, or Office of Information Technology. The Public Law establishes clear roles and responsibilities for the Chairman, Chief Information Officer, and Division Directors and Office Heads. Accordingly, Division Directors and Office Heads are ultimately responsible for the security of their program areas, including the assessment of the security of the information technology applications used by their program area to accomplish the Commission's regulatory responsibilities. Specific information security responsibilities of Commission program offices include:

• Assessing the risk to information processed by the systems supporting your program area;
   
• Determining the appropriate level of security to protect the information processed by the systems supporting your program area;
   
• Establishing and updating information systems security plans for your program area; and
   
• Ensuring that information security controls for the systems used in your core day-to-day operations are routinely tested and evaluated.

The Commission's CIO has established a contracting vehicle to ensure that each division and office consistently implements its information security responsibilities. In addition, the Office of the Executive Director has approved a regulation that outlines the process and procedures for certifying and accrediting Commission systems. Both tools should be used to assess the security of the information systems and applications that support specific program area responsibilities.

¹ See Attachment A

http://www.sec.gov/about/oig/audit/audmemo24final.htm