Audit uncovers gaps in SEC's IT controls

07.06.2005
By Thomas Hoffman

The shoe is on the other foot at the U.S. Securities and Exchange Commission after an audit of the agency's 2004 financial statements revealed that the chief enforcer of the Sarbanes-Oxley Act had "numerous" information security control weaknesses of its own. The audit, which was conducted last summer by the Government Accountability Office and published on May 26, found that the SEC "had not consistently implemented effective electronic access controls" around user accounts and passwords, access rights and permissions, and network security.

There"s a touch of irony in the GAO"s findings, since the SEC is charged with enforcing the Sarbanes-Oxley Act of 2002, which requires executives at publicly held companies to attest to their organizations" internal controls.

"There"s some schadenfreude in discovering that the arbiters of what"s right can"t seem to get it right themselves," said Cathy Hotka, former vice president of IT at the National Retail Federation, who now runs an IT consulting practice in Washington.

Steps Taken

For its part, the SEC has already taken several steps to comply with the recommendations of the GAO audit -- some initiated prior to the recommendations' release, said Corey Booth, a former McKinsey & Co. consultant who became the head of the agency's Office of Information Technology in early 2004.

Those steps to comply include strengthening the process of authorizing information systems accounts and passwords for SEC employees and discontinuing authorization for employees and contractors when they stop working for the agency. The SEC has also upgraded many of its intrusion-detection systems and firewalls, Booth said.

In addition, the SEC has since added four information security specialists to its 130-person IT department and has created a more systematic process for vetting security issues in its IT development and deployment procedures, according to Booth.

The SEC expects to address all of the GAO's security recommendations by next June. The bulk of the work will be completed this year, said Booth. He declined to specify the amount to be spent on the work but did note that the agency was awarded a seven-figure increase in its information security budget for 2005.

Empathy for the SEC

Even though many auditors and corporate executives have grumbled about the time and costs required to comply with Sarbanes-Oxley, some said they are empathetic to the challenges that the SEC faces.

"I respect the SEC -- they"re in an incredibly difficult position," said Joseph Lacik Jr., CIO at Aviall Inc., a Dallas-based aviation aftermarket parts distributor.

Although Lacik said he doesn't expect the SEC to face much backlash from corporate officers for its information security control gaps, he did say that the agency should be held to the same standard as the companies it regulates. "They have to eat their own food like everyone else," he said.

Marios Damianides, international president of the Information Technology Governance Institute in Rolling Meadows, Ill., said the GAO findings aren't surprising, since "many corporations" have uncovered IT-related control issues in their Sarbanes-Oxley compliance efforts.

Said Damianides, "They're a government entity that, like any corporation, has to take care of its controls framework."