SEC’s Information Security Found Wanting by its Inspector General
The SEC continues to have a way to go to improve its own cybersecurity.
A new audit from the agency’s Office of the Inspector General has found that information security at the SEC in at least six of seven functional areas is two levels below what is needed. The seventh functional area is one level below the necessary threshold, according to the report.
The OIG’s Audit of the SEC’s Compliance with the Federal Information Security Modernization Act for Fiscal Year 2017 provided the agency with 21 recommendations designed to bring the SEC’s information security up to a level of "managed and measurable." The seven "assessment domains" in which the OIG measures SEC compliance against FISMA requirements are risk management, configuration management, identity and access management, security training, information security continuous management, incident response, and contingency planning.
"Acting on these opportunities for improvement will help minimize the risk of unauthorized disclosure, modification, use and disruption of the SEC’s sensitive, non-public information, and assist the SEC’s information security program reach the next maturity level," the OIG said in the audit report.
The audit report, sections of which were redacted because of the presence of non-public information, showed that the SEC concurred with most of the recommendations. In some cases, the OIG took issue with parts of the agency’s responses.
"The Inspector General’s audit shows that the Commission is struggling with cybersecurity preparedness in many of the same ways as the entities it regulates," said K&L Gates partner and former SEC Office of Market Intelligence chief Vincente Martinez. "Understanding cybersecurity as an ongoing process, rather than a one-time establishment of policies and procedures, has been an industry-wide challenge. Both the Commission and its registrants are coming to understand that there is no separation between cybersecurity and the business. They are one and the same."
In a similar OIG audit for fiscal year 2016 issued last year (ACA Insight, 3/27/17), the watchdog agency also found the SEC’s information security lacking, although the metrics and the way it measured cybersecurity then were somewhat different from those in this year’s report. Of the 21 recommendations made in the 2016 report, the SEC has satisfactorily completed 18, the OIG said in the new report.
The SEC disclosed a significant cybersecurity problem last September, when it revealed that its EDGAR system had been breached the year before, with some personally identifiable information accessed.
"There is no more urgent internal imperative for the SEC than ensuring the protection of sensitive information obtained and maintained by the agency concerning its regulated entities," said Willkie Farr partner and former SEC deputy chief of staff James Burns.
"Several of the vulnerabilities stated in the report have been on the SEC’s radar for quite some time," said Stradley Ronon counsel Jana Landon. "The report mentions several times that reporting, planning, and testing were not completed because of insufficient staff and/or resources. In short, the SEC is facing the same dilemma that many of the companies it oversees are facing – being challenged to do ‘more with less’ and struggling to find appropriate staff and resources to implement cybersecurity best practices."
"Going forward, it will be interesting to see if the SEC will use these findings to bolster its recent request for a budget increase for fiscal year 2019, which is meant to restore positions lost during the 2017 hiring freeze and add positions to its cyber risk and enforcement groups," she said. "The report also gives the SEC additional justification to retain its $50 million Dodd-Frank reserve fund, which it has historically used for IT modernization; the President proposed eliminating the fund in 2017."
The audit, in measuring the SEC’s seven assessment domains, fit them into the five "cybersecurity framework security functions" established by the National Institute of Standards and Technology: Identify, Protect, Detect, Respond and Recover. It then measured the "maturity levels" that the SEC achieved in 2017 for each function.
The maturity levels begin with "Ad Hoc" (Level 1), then continue with "Defined" (Level 2), "Consistently Implemented" (Level 3), "Managed and Measurable" (Level 4) and conclude with "Optimized" (Level 5). The OIG considers Level 4 "an effective level of security at the domain, function and overall program level."
The audit found that in all areas except contingency planning, the SEC’s cybersecurity reached only the second level, "Defined," which is described as occurring when "policies, procedures and strategy are formalized and documented but not consistently implemented." The audit found that contingency planning reached the third level, "Consistently Implemented," which it described as occurring when "policies, procedures and strategy are consistently implemented, but quantitative and qualitative effectiveness measures are lacking."
For these functions to reach the desired "Managed and Measurable" (Level 4), the audit would have to find that "quantitative and qualitative measures on the effectiveness of policies, procedures and strategy are collected across the agency" and that "measures are used to assess policies, procedures and strategy and make necessary changes."
The ultimate goal, "Optimized" (Level 5), is described as occurring when "policies and procedures and strategy are fully institutionalized, repeatable and self-generating, consistently implemented and regularly updated based on a changing threat and technology landscape and business/mission needs."
Following are some of the 21 specific recommendations developed by the OIG audit team for the SEC:
Define and implement a process that includes clear roles and responsibilities for developing and maintaining a comprehensive and accurate inventory of agency information systems [remaining copy redacted]. The SEC’s Office of Information Technology (OIT), which is responsible for information security, in its response, said that it "concurred" with the recommendation. The OIG said it considered the agency’s response to be "responsive" and that the recommendation is therefore resolved and "will be closed upon verification of the action taken."
Define and implement a process to develop and maintain up-to-date inventories that include detailed coverage necessary for tracking and reporting of hardware assets connected to the agency’s network, and [remaining copy redacted]. Here, as above, the OIT concurred and the OIG said that the recommendation will be closed upon verification.
Consider implementing an automated mechanism to centrally document, track and share risk designations and screening information with necessary parties, as appropriate. Here, the OIG was not totally happy with the response from the SEC’s Office of Security Services. The Office said that it concurred with the recommendation, but that it "will consider the costs and benefits of implementing" such a system. The OIG noted, in response, that on February 26, 2018, "after the OIG’s exit conference with agency management, the Office of Security Services reported to the OIG that the Office of Information Technology’s Information Technology Capital Planning Committee denied the Office of Security Service’s request for funding for this requirement," stating that the recommended automated mechanism "was not a ‘need to have.’"
Develop and implement a process to ensure that all individuals with significant security responsibilities receive required specialized training before gaining access to information systems or before performing assigned duties. OIT concurred with this recommendation, and the OIG accepted its response, saying that future action would be verified.
Fully implement processes to a) consistently document and timestamp every step in the incident response process from detection to resolution; and b) ensure a person other than the incident ticket creator reviews incident documentation (logs and tickets), and confirms that consistent and complete information is maintained for every step in the incident response process. The SEC, in its response, said that the OIT will "define key milestones" that need to be supplied to the incident response system, but the OIG, in responding to this statement, stressed that "as stated in the recommendation, management should also fully develop a process to consistently document and timestamp every [emphasis SEC] step in the incident response process from detection to resolution."