Commission Web Security
Aug. 28, 2002
Audit No. 361
This document is an HTML formatted version of a printed document. The printed document may contain agency comments, charts, photographs, appendices, footnotes and page numbers which may not be reproduced in this electronic version. If you require a printed version of this document contact the United States Securities and Exchange Commission, Office of Inspector General, Mail Stop 11-7, 450 Fifth Street N.W., Washington, D.C. 20549 or call (202) 942-4460.
The Securities and Exchange Commission (SEC), Office of Inspector General, performed an audit of the internal controls over the security of the SEC's public website (www.sec.gov). The primary goal of the audit was to evaluate the adequacy of security practices over the SEC public website. The scope of the work included an evaluation of system security practices, focused penetration testing of the public website, and port scanning.
SCOPE AND OBJECTIVES
The scope of our audit consisted primarily of interviewing SEC staff and reviewing supporting documentation, among other procedures, at SEC Headquarters and the SEC Operations Center. Our fieldwork was conducted during the period from July 22 through August 28, 2002.
The objectives for this website security audit were to determine whether the SEC had designed, implemented and monitored effective security controls over the information available on the public website and the access to that website. In addition, we determined if the SEC Office of Information Technology's security plan followed industry best practices guidelines.
Based on our audit, we identified several non-material control weaknesses and provided recommendations for corrective action. We provided senior management with oral briefings of our findings on August 28, 2002 and September 24, 2002, and recommended that management document certain control objectives and related controls over web-related procedures. Management concurred with the findings, and corrective actions are being implemented.