The Securities and Exchange Commission (SEC) Office of Inspector General (OIG) has identified several management and performance challenges at the agency in a report dated Oct. 7. Those challenges include various aspects of data protection and improving cybersecurity, and on that last front the agency is aiming to deepen its understanding of cloud computing and other technologies as part of a plan to improve security.
In addition to efforts outlined in the SEC’s FY2020 Congressional Budget Justification – including deploying new security capabilities and improving its enterprise security controls and practices – the SEC is looking into ways to reduce its cyber attack surface. As part of that effort, the SEC is seeking to hire three additional Office of Information Technology (OIT) staff members to “deepen OIT’s expertise in new technologies such as cloud computing, and to expand its proactive monitoring of network and systems for malicious activity by cyber threat actors,” according to the OIG report.
OIG also highlighted SEC’s efforts to meet effective maturity levels for FISMA’s Cybersecurity Framework security functions, and the 11 recommendations a previous OIG report made to meet the level of “effective.” It commended the SEC on corrective actions taken thus far, but encouraged agency management to “promptly act on all opportunities for improvement identified in the last two FISMA reports to help minimize the risk of unauthorized disclosure, modification, use and disruption” of non-public, sensitive SEC information.
OIG said it plans to continue monitoring the SEC’s efforts in cybersecurity and “will complete an ongoing audit of the SEC’s management of the planning, implementation, and security of its cloud computing services.”
Going forward, OIG also will assess the SEC’s mobile device program and controls to better protect information stored or processed on the devices, and will assess the agency’s firewall security.