Courtesy of Larry Doyle.
As I sit here collecting my thoughts in the early morning hours of April 18, 2014, I think back to the chilling days of February 26, 1993 and September 11, 2001.
Most reading this will certainly never forget the tragedy that is forever known as 9-11. However, that fateful day was foreshadowed 8 years prior when another World Trade Center bombing took place. Both attacks were clear-cut indications that terrorist forces were at work to assault American interests by massively disrupting activity on Wall Street. We live with this reality each and every day knowing that these same forces remain at work.
After the attack of 1993, Wall Street firms began implementing significant measures for disaster recovery programs and information systems controls. Against that 20 plus year backdrop, I have to admit I am bewildered if not totally dismayed this morning. Why so? Stick with me here.
I just read a recently released report from the General Accounting Office entitled SEC Needs to Improve Controls Over Financial Systems and Data.
If this report is not a scathing indictment of the leadership of former SEC chair Mary Schapiro specifically and those who preceded her as well (Chris Cox, William Donaldson, Harvey Pitt, and Arthur Levitt), I do not know what is. Recall that on February 4, 2009, Madoff whistleblower Harry Markopolos impugned the SEC as deserving of an A+ in incompetence. After reading this report, I can more fully understand and appreciate Harry’s assessment. Let’s navigate.
What GAO Found
Although the Securities and Exchange Commission (SEC) had implemented and made progress in strengthening information security controls, weaknesses limited their effectiveness in protecting the confidentiality, integrity, and availability of a key financial system. For this system’s network, servers, applications, and databases, weaknesses in several controls were found, as the following examples illustrate:
1. Access controls: SEC did not consistently protect its system boundary from possible intrusions; identify and authenticate users; authorize access to resources; encrypt sensitive data; audit and monitor actions taken on the commission’s networks, systems, and databases; and restrict physical access to sensitive assets.
2. Configuration and patch management: SEC did not securely configure the system at its new data center according to its configuration baseline requirements. In addition, it did not consistently apply software patches intended to fix vulnerabilities to servers and databases in a timely manner.
3. Segregation of duties: SEC did not adequately segregate its development and production computing environments. For example, development user accounts were active on the system’s production servers.
4. Contingency and disaster recovery planning: Although SEC had developed contingency and disaster recovery plans, it did not ensure redundancy of a critical server.
The information security weaknesses existed, in part, because SEC did not effectively oversee and manage the implementation of information security controls during the migration of this key financial system to a new location. Specifically, during the migration, SEC did not (1) consistently oversee the information security-related work performed by the contractor and (2) effectively manage risk.
In my opinion, these glaring deficiencies rise to the level of a serious matter of national security. What does the GAO recommend?
GAO is recommending that SEC take two actions to (1) more effectively oversee contractors performing security-related tasks and (2) improve risk management. In a separate report for limited distribution, GAO is recommending that SEC take 49 specific actions to address weaknesses in security controls. In commenting on a draft of this report, SEC generally agreed with GAO’s recommendations and described steps it is taking to address them.
The larger question begs, though, how does this happen? In thinking about this question, I reflect on the woefully incomplete and improper vetting of Ms. Schapiro to be the head of the SEC. This GAO report strikes me as clear-cut evidence that Ms. Schapiro should not have been our nation’s top financial cop.
Additionally, this report also strikes me that those atop Capitol Hill charged with protecting the public interest by making sure that we have the right leadership in place for positions such as the commissioner of the SEC have also massively failed our nation.
But we already knew that.
Navigate accordingly.
