The Securities and Exchange Commission's watchdog has found several areas in which the SEC needs to improve security to reduce risk, including better email controls to prevent the misuse of sensitive documents.
Late last month, the Office of Inspector General, which conducts independent audits of the commission, released three reports covering several security-related areas. The SEC's Office of Information Technology agreed with all the findings and said it would correct the problems.
In one report, the OIG examined SEC controls for preventing sensitive and nonpublic information from unauthorized disclosure. The audit found that SEC employees and contractors who use the commission's Web mail system were not prevented from downloading and saving documents on non-SEC computers. The SEC uses Microsoft Outlook Web Access.
"Consequently, sensitive and nonpublic information could potentially be disclosed to unauthorized persons," the report said.
In addition, the SEC's system for tracking documents was inadequate and new contractors could work as long as 30 days without taking online "security awareness training."
"Thus, contractors could unintentionally mishandle or disclose sensitive or nonpublic SEC information," the report said.
The SEC has been accused of mishandling sensitive information in the past. In 2011, a former employee claimed the commission destroyed thousands of files on high-profile inquiries, including the investigation of investment adviser Bernard Madoff, who was later convicted of running a Ponzi scheme.
[Also see: After 40 years, email security still elusive]
In another report, the OIG found that the SEC's evaluation of security controls for some information systems needed better documentation. The examination found that contractors conducting security testing and evaluation did not provide enough proof of their work.
The OIG also found inadequate documentation in the evaluation of some security controls performed by the SEC's Office of Information Technology. Without such documentation, the OIT "cannot validate that security controls are functioning as intended," the report said.
"We determined OIT should improve how it evaluated the SEC system's security controls," the OIG said.
The audit also found problems with the way personally identifiable information was handled, which indicated it was not being "properly protected."
In the third report, the OIG found that the SEC's IT department did not always monitor the effectiveness of security controls in accordance to requirements set by the National Institute of Standards and Technology. While the OIT conducts penetration testing and vulnerability scanning continuously, that's not enough to meet NIST requirements.
"As a result, OIT's continuous monitoring program needs improvement," the report said.
While conducting its own internal audits, the SEC requires public companies to disclose security breaches, or even potential breaches, if there's a risk they could have a financial impact.
The SEC appointed Carl Hoecker as its inspector general this year. Before then, he served as the first inspector general of the U.S. Capitol Police. Hoecker replaced David Kotz, who left in 2012.
Read more about data privacy in CSOonline's Data Privacy section.