Sensitive Information Follow-Up
March 8, 2002
Audit No. 333
This document is an HTML formatted version of a printed document. The printed document may contain agency comments, charts, photographs, appendices, footnotes and page numbers which may not be reproduced in this electronic version. If you require a printed version of this document contact the United States Securities and Exchange Commission, Office of Inspector General, Mail Stop 11-7, 450 Fifth Street N.W., Washington, D.C. 20549 or call (202) 942-4460.
The Office of Inspector General conducted a follow-up audit of the security of sensitive information. A previous audit (Audit No. 277, issued May 3, 1999) on sensitive information found that management controls over this information could be improved. In response, Commission management established a task force to implement corrective actions, issued agency-wide policies and procedures (SECR 23-2, Safeguarding Non-Public Information) [1], and hired a contractor to review overall Commission security. The contractor's recommendations related to protecting information are being implemented, as appropriate.
During the course of this follow-up audit, we conducted separate related audits of background investigations of staff and contractors at the request of the Subcommittee on Oversight and Investigations of the House Committee on Financial Services. Background investigations can be an effective internal control over sensitive information and reduce the possibility that sensitive information will be misused.
Our audits determined that the Commission's controls over sensitive information, including background investigations of staff and contractors, are now generally adequate. In addition, the Commission is implementing additional security measures in response to the terrorist attacks of September 11.
As explained below, we are recommending further improvements to the controls over sensitive information, including more door locks and shredders, additional staff training, periodic compliance reviews, and enhanced protection of information stored on computers and paper.
Commission management generally concurred with our recommendations.
SCOPE AND OBJECTIVES
Our audit objectives were to determine whether the management controls over sensitive information (i.e., SECR 23-2) with respect to Commission staff and contractors were adequate, and to assess compliance with those controls. Our assessment of compliance focused on market sensitive information (e.g., possible mergers), since this information has a high risk of misuse.
We did not review the controls related to possible misuse of sensitive information by the general public. The task force has evaluated the contractor's recommendations, and has begun implementing some of them. Moreover, we generally did not evaluate the security of automated systems containing sensitive information, since our office has reviewed computer security in other audits.
Monitoring, prohibiting, or restricting employee stock trading can help prevent misuse of market sensitive information. However, we did not evaluate compliance with the Commission's trading rules (17 CFR 200.735-5) for two reasons: the rules are being revised, and the Office of Government Ethics recently evaluated the Commission's implementation of government-wide disclosure systems.
During the audit, we interviewed and observed Commission staff, conducted research on best practices used by others (e.g., law and brokerage firms) to protect sensitive information, and reviewed available documentation, among other procedures. The audit was performed from April to November 2001 in accordance with generally accepted government auditing standards.
PRIOR AUDIT AND MANAGEMENT RESPONSE
Our prior audit on sensitive information found that management controls over this information could be improved. Sensitive information includes: market sensitive (e.g., knowledge of unannounced mergers, enforcement and examination information), business sensitive (e.g., customer lists), proprietary (e.g., trading models), and information of interest to foreign governments.
In response to our prior audit, Commission management established a task force to implement corrective actions, issued agency-wide policies and procedures (SECR 23-2, Safeguarding Non-Public Information), and hired a contractor to review overall Commission security. The contractor's recommendations related to protecting information are being implemented, as appropriate.
BACKGROUND INVESTIGATION & EMPLOYEE CLEARANCE AUDITS
The Subcommittee on Oversight and Investigations of the House Committee on Financial Services asked us to review the Commission's procedures for staff and contractor background investigations (Audits 339 and 340 dated August 13, 2001).
Background investigations can help protect sensitive information by reducing the risk that the Commission hires employees or contractors who have questionable (e.g., unethical) backgrounds. Our audits recommended several improvements in the background investigation process, which the Commission is now implementing. [2]
We also conducted an audit (No. 323 dated September 29, 2000) on the Employee Clearance process. We found that improvements were needed in complying with Commission procedures (e.g., removing computer access when individuals leave the Commission).
AUDIT RESULTS
The Commission's regulation on protecting non-public (sensitive) information (SECR 23-2) provides detailed guidance on the management controls for protecting this information, and assigns responsibilities for implementing the guidance. Based on our review and research on best practices in the private sector, the regulation and the controls described in it generally appear adequate.
Some additional controls should be considered, and compliance with existing controls can be improved, as discussed below.
EDUCATION AND TRAINING
The Commission has taken several steps to educate and train the staff. Regulation SECR 23-2 was distributed to all Commission staff when issued, and numerous e-mails to the staff have stressed the importance of protecting sensitive information. However, we found that the staff needs to be reminded of the following requirements: [3]
- Close their doors when leaving their office;
- Keep the required record when copying sensitive information;
- Use certified, registered, express, or other special mail when mailing sensitive materials; and
- Do not store sensitive materials in the hallways or other open areas. If additional space is needed, use the federal records center.
During the audit, the Office of Ethics Counsel and Office of Information Technology (OIT) agreed to ensure that protecting sensitive information continues to be discussed during new employee orientation and annual training in computer security respectively.
Recommendation A
The Office of Administrative and Personnel Management (OAPM) should remind the staff about the items that were listed above.
Based on our research, periodic compliance reviews are an important procedure for protecting sensitive information. The Commission could contract with specialized firms for periodic compliance reviews of security procedures. The reviews could identify needed improvements in compliance. If the results are publicized within the Commission, the reviews could act as a deterrent, and help educate the staff.
The Office of the Executive Director (OED) should consider revising the SECR to require periodic compliance reviews of the implementation of SECR 23-2.
CLEANING CREWS
Currently, the cleaning crews generally work at night, increasing the risk of theft or misuse of sensitive information. For offices and divisions with sensitive information, cleaning could be done during the day (i.e., 9 to 5:30), when staff are in the office. In this case, the cleaning crews would not necessarily need office keys (or door combinations), further enhancing security.
OAPM should consider revising the cleaning staff's schedule and access to keys as discussed above.
DOOR LOCKS
Many staff with possible access to market sensitive information do not have locks on their doors. Also, many staff do not always close their door when leaving their office (see Recommendation A).
The regulation on non-public information (SECR 23-2) does not address how often suite and office door locks (or combination codes) should be changed. Requiring periodic lock changes in areas with sensitive information (e.g., at least annually) would help protect this information.
OAPM, in consultation with affected divisions and offices, should provide door locks for staff with access to market sensitive information and change the locks periodically.
COMPUTER DATA
Several computer specialists told us that information on computer hard drives is being appropriately erased when computers are discarded or transferred. We did not independently test this assertion during the audit. Erasing the information (overwriting it, rather than merely deleting the files, which leaves the data recoverable) helps prevent misuse of sensitive information.
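Because the erasure assertion was not tested, a practitioner receiving a discarded or transferred machine would want a way to check it. The script below is an added example and is not from the audit report, the Commission, or OIT. It assumes the drive was overwritten with zeros (the pattern byte is a parameter) and that the drive is exposed as a raw device such as /dev/sdb or as an image file; both names are hypothetical. Sampling blocks across the device can find residual data quickly, but it cannot prove the wipe complete, so a definitive check reads the whole device (samples set to cover every block does exactly that).

```python
"""Spot-check that a drive or disk image has been overwritten.

Added example, not part of the audit report. Reads fixed-size blocks at
evenly spaced offsets (always including the first and last block) and
reports any block that is not entirely the expected pattern byte.
A clean sampled result is evidence, not proof: a full sequential read
(samples large enough to cover every block) is required for certainty.
"""
import os


def sample_offsets(size, block_size, samples):
    """Block-aligned offsets to read, spread over a device of `size` bytes."""
    if size <= 0:
        return []
    last = ((size - 1) // block_size) * block_size
    if samples < 2 or last == 0:
        return [0]
    step = last // (samples - 1)
    offsets = {0, last}
    for i in range(1, samples - 1):
        offsets.add(((i * step) // block_size) * block_size)
    return sorted(offsets)


def check_sanitized(path, block_size=4096, samples=256, pattern=0x00):
    """Return (clean, dirty_offsets).

    `dirty_offsets` lists sampled block offsets that still contain bytes
    other than `pattern`. Works on a raw device (e.g. /dev/sdb, a
    hypothetical name) or an image file; SEEK_END gives the size of both.
    """
    expected = bytes([pattern])
    dirty = []
    with open(path, "rb") as fh:
        fh.seek(0, os.SEEK_END)
        size = fh.tell()
        for off in sample_offsets(size, block_size, samples):
            fh.seek(off)
            block = fh.read(block_size)
            if block != expected * len(block):  # some byte is not the pattern
                dirty.append(off)
    return (not dirty, dirty)


def write_demo_image(path, size=1 << 20, residue_at=None):
    """Constructed 1 MiB test image: all zeros, optionally with a run of
    leftover 'data' at `residue_at` to simulate an incomplete wipe."""
    with open(path, "wb") as fh:
        fh.write(b"\x00" * size)
        if residue_at is not None:
            fh.seek(residue_at)
            fh.write(b"CONFIDENTIAL: draft comment letter, restatement requested")


def run_demo():
    """Check a fully wiped image and a partially wiped one (both constructed)."""
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        wiped = os.path.join(d, "wiped.img")
        partial = os.path.join(d, "partial.img")
        write_demo_image(wiped)
        write_demo_image(partial, residue_at=512 * 1024)
        return {"wiped": check_sanitized(wiped),
                "partial": check_sanitized(partial)}


if __name__ == "__main__":
    for name, (clean, dirty) in run_demo().items():
        status = "clean" if clean else "RESIDUAL DATA at offsets %s" % dirty
        print("%s: %s" % (name, status))
```

On a real machine the call is `check_sanitized("/dev/sdb")` run as a user with read access to the device; a non-empty `dirty_offsets` list means the wipe was incomplete and the drive must not leave the building. Reading through the operating system's block device does not see sectors the drive has remapped, so for disposal (as opposed to transfer) physical destruction or a drive-level sanitize command remains the stronger control.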
Another control is encryption of data on laptop computers when they contain market sensitive information. SECR 23-2 states that "if possible, the information...should be encrypted."
The Office of Compliance Inspections and Examinations and OIT are discussing the possible installation of encryption programs on laptops used in examinations (the Examination Program relies heavily on laptops). The extensive maintenance these programs require is an issue.
Computer data are currently protected by passwords when the computer is turned on, as required by the sensitive information regulation. Passwords can also be required when the computer has been inactive for a specified period of time (when the screen saver appears).
Computer specialists told us that some field offices have implemented this feature for laptops, but with varying time periods (i.e., there is no standard for the number of minutes that should lapse before the password screen saver appears). In addition, the feature can be deactivated or modified by staff.
According to OIT, screen saver passwords have been implemented on all new computers. OIT plans to inform the staff with older computers how to implement this control feature themselves.
OIT, in consultation with affected divisions and offices, should notify the Commission staff about implementing a screen saver password with a uniform time period for desktop and laptop computers.
FACTS SYSTEM
The Division of Corporation Finance's FACTS system tracks comment letters on filings. Approximately 30% of the Division's staff as well as two staff in the Office of the Chief Accountant have access to FACTS.
FACTS and EDGAR data (the electronic filing system) can be used to identify filings for which the registrant has been asked to restate its financial statements. Restatements can affect the market price of a company's stock, and hence a requested restatement could be market sensitive. Delaying the recording of the requested restatement in the computer systems would help protect this information by reducing the number of staff with the ability to learn that a restatement was requested. Under SECR 23-2, these matters are to be disclosed on a need-to-know basis.
The Division of Corporation Finance should consider delaying the recording of market sensitive information in the computer systems, and/or eliminate FACTS access to those staff that do not need it.
COPIES AND SHREDDING
For sensitive, non-public materials, SECR 23-2 states that a record is to be maintained of how many copies exist and who had access to them. Based on our interviews, staff are generally not complying with this requirement (see Recommendation A).
The SECR states that shredding is to be performed within the division or office. However, some field offices have a contractor who performs shredding offsite. Also, the Commission makes limited use of a burn facility at Fort Totten run by the District of Columbia. [4] Commission policy on shredding needs clarification (one field office told us it is reluctant to use a shredding contractor because of the policy).
An agency-wide plan for shredding has not yet been implemented, although the task force on sensitive information recommended one. Also, some divisions and offices have no shredders or an insufficient number.
OAPM should develop an agency-wide shredding plan and provide shredders in the interim. In developing the plan, OAPM should consult with OED, to determine whether OED would want to modify the requirement about restricting offsite shredding.
TRANSFER AND STORAGE OF SENSITIVE MATERIALS
The SECR states that sensitive materials should be hand delivered, if transferred within the building. Based on our staff interviews, this procedure is generally being followed.
The regulation further states that if mailed, sensitive materials should be sent as certified, registered, express, or other special mail. Staff told us this procedure is not always followed (see Recommendation A).
Some divisions and offices told us they lack storage space, and occasionally store documents in the hallways or common areas. Some of these documents could contain sensitive information. According to OED, additional storage space was recently made available. However, divisions and offices need to store older materials at the federal records center instead of in their offices and hallways.
Also, a filing is usually reviewed more than once before the Division of Corporation Finance issues a comment letter. Division staff told us that frequently, after performing an initial review, staff leave the filing and the draft comment letter in a common area for the next level reviewer (see Recommendation A).
[1] Some offices have issued additional guidance to their staff on implementing SECR 23-2.
[2] According to the Office of Information Technology (OIT), background checks on all OIT contractors have been completed.
[3] The issues relating to this recommendation are described throughout the remainder of this report.
[4] The Commission is not allowed to observe the destruction of the documents at this facility.