The SEC Can More Strategically and Securely Plan, Manage, and Implement Cloud Computing Services

Why did the SEC perform this audit?

The Office of Inspector General (OIG) of the U.S. Securities and Exchange Commission (SEC) conducted an audit to assess the SEC’s management of the planning, implementation, and security of its cloud computing services. You can read the audit in its entirety here. Specifically, OIG sought to:

  1. Assess the SEC’s strategy for migrating information technology services and applications to the cloud; and
  2. Determine whether key security measures were in place to adequately protect SEC systems that use cloud computing services.

What were the audit findings and recommendations?

The SEC’s Office of Information Technology has not developed policies and procedures specific to cloud system security, or adequate processes to ensure compliance with Federal Risk and Authorization Management Program (FedRAMP) baseline controls and enhancements for which the SEC is responsible. As a result, the SEC’s processes did not adequately ensure compliance, assess risk, identify issues, or mitigate vulnerabilities specific to the SEC’s cloud-based systems.

Finding 1: The SEC Used an Ad Hoc Approach to Implementing Cloud Computing

The SEC did not fully implement its cloud strategy, follow a clear, robust strategic plan to evaluate and prioritize IT services and applications for migration to the cloud, or effectively track related goals. Instead, the SEC used an “ad hoc” or “as-needed” approach to implementing cloud computing. This occurred because the SEC did not coordinate or collaborate on cloud strategies at an enterprise level.

Recommendations related to Finding 1:

  • Reestablish a cloud computing governance committee composed of key stakeholders with authority to coordinate and oversee SEC-wide acquisition of cloud computing services and migration of SEC systems to the cloud.
  • Develop a roadmap and implementation plan for cloud migration that provides for evaluating the SEC’s information technology portfolio, prioritizing systems and services for migration to the cloud, as appropriate, based on potential benefits and risks, and tracking of cloud-related goals.

Finding 2: Processes for Protecting the SEC’s Cloud-Based Systems Need Improvement

The SEC’s Office of Information Technology had not developed policies and procedures specific to cloud system security, or adequate processes to ensure compliance with FedRAMP baseline controls and enhancements for which the SEC is responsible.

Recommendation related to Finding 2:

Develop policies and procedures to ensure the following for all new and existing cloud computing services:

  • Applicable cloud system security controls and enhancements are included in the respective SEC cloud-based system security plan.
  • Applicable cloud system security controls and enhancements are assessed and supported by sufficient evidence in the respective SEC cloud-based system security assessment report.
  • The SEC authorizing official is provided with complete and appropriate information necessary to make risk-based decisions on whether to authorize the SEC’s cloud systems to operate.

Other matters of interest

During the audit, other matters of interest that did not warrant recommendations came to OIG’s attention. They are as follows:

  • Conflicting Security Categories
  • Underreporting of Cloud Services
  • Improvements Needed in Cloud System Incident Response Processes
  • SEC Cloud Service Contracts Did Not Consistently Include Security

Please email me with questions or leave a comment below!