Why did the SEC perform this Audit?
The Office of Inspector General (OIG) of the U.S. Securities and Exchange Commission (SEC) conducted an audit to assess the SEC’s management of the planning, implementation, and security of its cloud computing services. You can read the audit in its entirety here. Specifically, OIG sought to:
What were the audit findings and recommendations?
The SEC’s Office of Information Technology has not developed policies and procedures specific to cloud system security, or adequate processes to ensure compliance with Federal Risk and Authorization Management Program (FedRAMP) baseline controls and enhancements for which the SEC is responsible. As a result, the SEC’s processes did not adequately ensure compliance, assess risk, identify issues, or mitigate vulnerabilities specific to the SEC’s cloud-based systems.
Finding 1: The SEC Used an Ad Hoc Approach to Implementing Cloud Computing
The SEC did not fully implement its cloud strategy, follow a clear, robust strategic plan to evaluate and prioritize IT services and applications for migration to the cloud, or effectively track related goals. Instead, the SEC used an “ad hoc” or “as-needed” approach to implementing cloud computing. This occurred because the SEC did not coordinate or collaborate on cloud strategies at an enterprise level.
Recommendations related to Finding
Finding 2: Processes for Protecting the SEC’s Cloud-Based Systems Need Improvement
The SEC’s Office of Information Technology had not developed policies and procedures specific to cloud system security, or adequate processes to ensure compliance with FedRAMP baseline controls and enhancements for which the SEC is responsible.
Recommendation related to Finding
Develop policies and procedures to ensure the following for all new and existing cloud computing services:
Other Matters of Interest
During the audit, other matters of interest that did not warrant recommendations came to OIG’s attention. They are as follows:
Please email me with questions or leave a comment below!