Ask the Scholar
Document scope · 1 page
Scholar
Ask about this object, its catalog metadata, its source description, or the page inventory.
For page-specific OCR and visual context, open one of the page chats.
Scholar Source Context
Document identity
localId
74615890
label
U.S. Securities and Exchange Commission
core
doc
dtoType
document
citationUrl
pageCount
1
Source metadata
id
74615890
sourceUrl
contentType
document
title
U.S. Securities and Exchange Commission
citationUrl
collections
Records of the Office of Intergovernmental Affairs (George W. Bush Administration)
Keith Brancato's Files
largeImageUrl
imageCount
1
hasImages
yes
source
import
hasTranscription
no
Source extras
naId
74615890
levelOfDescription
fileUnit
otherTitles
t025-003-ussec-20140370f
recordType
description
ocrSource
nara-archive
Single page context
seq
1
pageIndex
0
type
document
mediaId
46bd7f8a4659aa5e
ocrText
2014-0370-F
[
]
Tuesday, April 21, 2015
FOIA Marker
This is not a textual record. This FOIA Marker indicates that material has been removed
during FOIA processing by George W. Bush Presidential Library staff.
Intergovernmental Affairs, White House Office of
Brancato, Keith
Location or
NARA Number:
FRC ID:
OA Number:
Stack: Row: Sect.: Shelf: Pos.:
Hollinger ID:
W
23
1
8
2
742
13677
1393
1516
Folder Title:
U.S. Securities and Exchange Commission
01/02/02 14:53 FAX 202 942 9650
SEC CONG AFF
001
FAX TRANSMITTAL SHEET
PLEASE DELIVER THE FOLLOWING PAGES :
TO: ThE Honorable George Bush -c/o Nick Calio
FAX NUMBER: 456-1806
PHONE NUMBER: 456-2230
FROM:
Casey Carter, Director
Office of Congressional and Intergovernmental Affairs
TOTAL NUMBER OF PAGES (Including cover sheet): 14
DATE: 1/2/02
IF YOU DO NOT RECEIVE ALL PAGES, PLEASE CALL
BACK AS SOON AS POSSIBLE AT (202) 942-0010.
REMARKS:
FXI- Hard Copy to follow in mail.
Sharoa
NOTE: This documents may contain privileged and nonpublic Information. It is intended only for the use of
the individual or entity named above, and others who specifically have been authorized to receive it. If you are
not the intended recipient of this facsimile, or the agent responsible for delivering it to the Intended recipient, you
hereby are notified that any review, dissemination, distribution, or copying of this communication strictly is
prohibited. If you have received this communication in error, please notify us immediately by telephone and
return the original to the above address by regular postal service without making a copy. Thank you for your
cooperation.
01/02/02 14:54 FAX 202 942 9650
SEC CONG AFF
002
us WASHINKOJ SECURITIES
UNITED STATES
SECURITIES AND EXCHANGE COMMISSION
MCMXXXIV
WASHINGTON. D.C. 20549
THE CHAIRMAN
December 31, 2001
The Honorable George W. Bush
President of the United States
The White House.
1600 Pennsylvania Avenue, N.W.
Washington, D.C. 20500
Dear Mr. President:
I am pleased to report that the management controls of the Securities and Exchange
Commission for the fiscal year ending September 30, 2001 are in compliance with the
standards prescribed by the Comptroller General. This letter fulfills the reporting
requirements of the Federal Managers' Financial Integrity Act of 1982 as they apply to the
SEC. It has been prepared in conformity with the guidance provided by the Office of
Management and Budget. A detailed discussion of the evaluation and review process
supporting this conclusion is at Enclosure A.
I can provide assurance, based on the evaluations conducted by the staff, assurances by
appropriate SEC officials, and other information provided that, taken as a whole, the agency's
internal accounting and administrative systems comply with Section 2 of the Act.
The following material weakness was corrected during the year:
The management controls for safeguarding sensitive, non-public information need
to be strengthened to significantly enhance their effectiveness.
Safeguarding sensitive information is a critical activity at the SEC. To enhance the
effectiveness of our controls over sensitive information, the Commission established
a task force of senior staff to implement corrective actions, hired a security
consultant to assist in a more comprehensive review of overall security, enhanced
building access procedures, and issued an agency-wide policy that addresses
employees' responsibilities to safeguard non-public information. The Commission
has implemented the consultant's most significant recommendations and is
continuing to monitor this area.
The agency continues to work aggressively on correcting the following material
weakness that was identified previously and remains pending.
01/02/02 14:54 FAX 202 942 9650
SEC CONG AFF
003
The Honorable George W. Bush
Page 2
ADP security controls should be enhanced, strengthened, and communicated to all
SEC staff. Many of the security administration processes performed by the SEC
are not standardized or formalized. The lack of formalized policies and
communication of adequate ADP security policies and procedures has the potential
to impair the mission of the agency.
The IT Security Program has substantially completed its mission, which is to
protect the SEC's sensitive information. The SEC's public website and electronic
filing systems have remained secure and available; our perimeter security has
detected and repelled countless probes, scans, and scripted attacks; and our intranet
e-mail and critical applications have remained safe and available during numerous
virus scares, major software upgrades, infrastructure changes, planned and
unscheduled disaster recovery tests and failures, and other potentially catastrophic
events. However, the IT Security Program, while robust and effective, still has
some work ahead to grow into a mature program that is well documented and meets
all federal guidelines. Under the direction of the agency's new IT Security Officer,
the IT Security Group is finalizing a series of technical bulletins to support the
SEC's IT security policy and developing a rigorous set of procedures for security
certification and accreditation of agency systems. These critical milestones are
expected to be completed during fiscal 2002 and 2003, respectively.
Additionally, the agency's financial management systems in use during 2001 were
reviewed as required by Section 4 of the Act. The review was based on the principles and
standards developed by the Comptroller General and implemented through OMB Circular A-
127.
The results of limited reviews conducted of all of the agency's financial management
systems, assurances given by agency officials, and other information provided indicate that the
accounting systems, taken as a whole, are generally in conformance with the principles and
standards developed by the Comptroller General and implemented through OMB Circular A-
127.
The following material non-conformance was corrected during the year:
The SEC needs to track the receipt and allocation of filing fee and account data and
provide on-line inquiry, on a real-time basis, of specific filing fee information. A
new agency system (Entity, Filing and Fees (EFFS)) was implemented in late fiscal
1992. However, since implementation, problems have been identified that inhibit
the agency from maintaining real-time, accurate data.
01/02/02 14:54 FAX 202 942 9650
SEC CONG AFF
<
004
The Honorable George W. Bush
Page 3
Through the efforts of a Commission task force assembled in November 1994, the
agency improved significantly several features of the system and the reliability of
EFFS financial data. However, the task force and an audit conducted by the SEC's
Office of the Inspector General identified insufficient internal controls, lack of
documentation, and difficulties maintaining the system such that a determination
was made to redesign the system.
From fiscal 1995 to 1998, the task force worked on identifying EFFS system
requirements and preparing a contract solicitation to replace the existing system.
The EFFS redesign requirements were included with the EDGAR modernization
initiative, which was awarded in July 1998. The EFFS replacement was
implemented in September 2001. The design of the new system contains adequate
financial controls.
Additional information regarding the agency's compliance with the Act and proposed
corrective actions is contained in Enclosures B through D to this letter.
I would like to emphasize that the SEC is committed to the effective and efficient
management of the resources entrusted to the agency.
Yours truly,
Hawey
I Pett
Enclosures
01/02/02 14:54 FAX 202 942 9650
SEC_CONG_AFF
005
Enclosure A
SECURITIES AND EXCHANGE COMMISSION
REVIEW PROCESS
Description of Organization and Structure of Review Process
The Office of the Executive Director is responsible for coordinating and overseeing the
management control review process (OMB Circular A-123) and evaluations of financial
management systems (OMB Circular A-127). The evaluation process is carried out by the
management control officer assigned in each component, based upon instructions provided by
the Executive Director. The Office of the Executive Director monitors correction of material
weaknesses.
Twenty-six divisions and offices are designated as components. The components range in
size from 9 to 489 positions with an average of 122 positions within a component at the end of
fiscal 2001. Agency components were identified by evaluating the organization and budgetary
allocations of the SEC and its activities. This segmentation ensures comprehensive coverage
of all components
2001 Statistical Data for Review Process
Planned
Conducted
Management Control Reviews
0
0
Alternative Reviews
22
22
Percentage of Assessable Components Reviewed: 62%
Comment on Results Versus Plan
Twenty-two alternative reviews were completed in 2001. These reviews are conducted by
the Commission's Office of Inspector General. The components reviewed consisted of five
field offices; the Offices of General Counsel, the Secretary, the Executive Director, Investor
Education and Assistance, Information Technology, Administrative and Personnel
Management, Filings and Information Services, and Compliance Inspections and
Examinations; ànd the Divisions of Corporation Finance, Market Regulation, and
Enforcement. Some components underwent multiple reviews, and some not included in the
above list were reviewed as part of audits that were not completed by the end of the fiscal
year.
01/02/02 14:55 FAX 202 942 9650
SEC CONG AFF
5.
006
Enclosure B
SECURITIES AND EXCHANGE COMMISSION
STATISTICAL SUMMARY OF PERFORMANCE
:
Section 2, Management Control System
Overall Compliance
X Yes
0 No
Year Achieved
1983
(and all subsequent years)
Number of Material Weaknesses
Pending at
Period Reported
Reported
Corrected
Year-End
Prior Years
31
28
3
1991
0
0
3
1992
:
0
0
3
1993
0
0
3
1994
1
2
2
1995
1
0
3
1996
0
1
2
1997
0
0
2
1998
0
0
2
1999
1
1
2
2000
0
0
2
2001
0
1
1
Pending Material Weaknesses
Category
Number
Program Management:
Program Execution
0
Systems Development & Implementation
0
Asset Disposition
0
Environmental Impact
0
Safety, Health-Related
0
Other (Specify)
0
:
01/02/02 14:55 FAX 202 942 9650
SEC CONG AFF
007
Enclosure B
Page 2
Functional Management:
Procurement
0
Grant Management
0
Personnel & Organizational Management
0
ADP Security
1
Payment Systems & Cash Management
0
Loan Management & Debt Collection
0
Document Management
0
Total
1
Section 4, Financial Management Systems
Compliance Assurance
Year
Overall Compliance with Section 4
Yes
No
Achieved
Conformance with Financial
Information Standards
X
1989
Conformance with Systems
Functional Standards
X
1989
Number of Material Non-conformances
:
Pending at
Period Reported
:
Reported
Corrected
Year-End
Prior Years
3
3
0
1991
0
0
0
1992
1
0
1
1993
1
0
2
1994
0
0
2
1995
1
0
3
1996
0
1
2
1997
0
0
2
1998
0
0
2
1999
0
1
1
2000
0
0
1
2001
0
1
0
01/02/02 14:55 FAX 202 942 9650
SEC CONG AFF
008
Enclosure C
SECURITIES AND EXCHANGE COMMISSION
MATERIAL WEAKNESSES/CORRECTIVE ACTION
1. ADP Security
Functional Category in Statistical Summary: ADP Security
Bureau/Appropriation/Account Number: Office of Information Technology
Administrative Activity/Program Activity: Data Processing--Nationwide
Pace of Corrective Action:
Year Identified: 1989
Original Targeted Correction Date: 1990
Targeted Correction Date in Last Year's Report: 2000
Current Target Date: 2003
Reason for Change of Date(s): Key members of the IT Security Group left the agency for
the private sector in FY 2000, including the IT Security Officer. The new Security Officer is
working aggressively to complete the two remaining critical milestones.
Description of Agency Impact: ADP security controls should be enhanced, strengthened, and
communicated to all SEC staff. Many of the security administration processes performed by the
SEC are not standardized or formalized. The agency also needs to ensure compliance with the
revised OMB Circular A-130 requirements for ADP security administration and system
certification. The lack of formalized policies and standards for security administration leaves the
SEC vulnerable to fraud, mismanagement, and abuse of government resources. In addition,
failure to certify sensitive application systems may result in loss of government resources if a
problem goes undetected due to lack of timely review.
Source of Discovery of Material Weakness: The weakness was identified by the office head
during the 1989 annual certification process and in a 1995 review by an outside auditor.
Critical Milestones in Corrective Action:
Original
Current
Critical Milestone
Plan
Plan
Actual
Final ADP Security Policy
5/92
1998
12/98
Final Automated Information
Security Manual (Technical Bulletins)
6/92
2002
ADP Security Review Program
6/92
1998
1998
Certification and Accreditation Reviews
6/92
2003
01/02/02 14:55 FAX 202 942 9650
SEC CONG AFF
009
Enclosure C
Page 2
A. Completed actions/events: Significant progress has been made in the ADP security area.
Some examples of the more significant accomplishments to date follow.
Restructured the Office of Information Technology.
Established a Security Group in the Office of Information Technology.
Issued an agency-wide IT security policy.
Implemented an extensive security audit program.
Developed a web-based application for system security plans.
Conducted regular security posture assessments to identify system and network
vulnerabilities.
Drafted technical bulletins on a variety of security issues.
Continued training SEC staff on security issues.
Developed an internal website that is dedicated to security issues.
Reviewed and approved all SEC operating system deployment and end user
applications.
Conducted inspections for password security, patch levels, service packs and hot
fixes, anti-virus software, suid programs, permissions on files and directories,
adequate logging levels, and security tool deployment.
Periodically hired outside security experts to review the work conducted by the OIT
Security Group.
Developed a custom Intruder Detection System that actively monitors over 70
firewalls, servers, and general support hosts throughout the SEC.
Implemented a new guideline that requires all new SEC applications to use certain
encryption mechanisms.
Isolated all external network connections behind firewalls.
B. Planned actions/events (short-term, i.e., next 12 months): A series of technical bulletins
will be issued to assist in implementing the IT Security Program. One-fourth of the agency's
sensitive systems will be formally certified and accredited with contractor support.
C. Planned actions/events (long-term): The remaining sensitive systems will be certified
and accredited. We will continue to improve the IT security program
01/02/02 14:56 FAX 202 942 9650
SEC CONG AFF
010
Enclosure C
Page 3
2. Sensitive Information
Functional Category in Statistical Summary: Document Management
Bureau/Appropriation/Account Number: Office of the Executive Director
Administrative Activity/Program Activity: Safeguarding Sensitive Information
Pace of Corrective Action:
Year Identified: 1999
Original Targeted Correction Date: 2000
Targeted Correction Date in Last Year's Report: 2000
Current Target Date: 2001
Reason for Change of Date(s): Not applicable. Corrective actions were completed in 2001.
Description of Agency Impact: The management controls for safeguarding sensitive, non-public
information need to be strengthened to significantly enhance their effectiveness.
Source of Discovery of Material Weakness: The weakness was identified during an audit
conducted by the Office of Inspector General.
Critical Milestones in Corrective Action:
Original
Current
Critical Milestone
Plan
Plan
Actual
Establish Senior Level Task Force
1999
1999
1999
Implement New Building Access Procedures
1999
1999
1999
Hire Consultant to Review Information Security
1999
1999
1999
Issue Comprehensive Policy and Procedures
to All Employees
2000
2000
2000
Implement Security Consultant Recommendations
2000
2001
2001
A. Completed actions/events: To address this weakness, the Commission established a task
force of senior staff to enhance the effectiveness of the agency's controls over sensitive
information, enhanced building access procedures, issued a new policy that addresses employees'
responsibilities to safeguard non-public information and hired a security consultant to review
sensitive information security. The Commission implemented the consultant's most significant
recommendations in fiscal 2001.
01/02/02 14:56 FAX 202 942 9650
SEC CONG AFF
5
011
Enclosure C
Page 4
B. Planned actions/events (short-term, i.e., next 12 months): The Commission will
continue to monitor and improve information security.
C. Planned actions/events (long-term): Same as item B.
01/02/02 14:56 FAX 202 942 9650
SEC CONG AFF
012
Enclosure D
SECURITIES AND EXCHANGE COMMISSION
MATERIAL NON-CONFORMANCE/CORRECTIVE ACTION
1. Entity, Filing and Fee System (EFFS)
Bureau/Appropriation/Account Number: Office of Filings and Information Services
Administrative Activity/Program Activity: Track the receipt and allocation of filing fee and
account data.
Pace of Corrective Action:
Year Identified: 1993
Original Targeted Corrective Action Date: 1994
Targeted Corrective Date in Last Year's Report: 2000
Current Target Correction Date: 2001
Reason for Change in Date(s): Not Applicable. Corrective actions were completed in 2001.
Description and Agency Impact: The SEC needs to track the receipt and allocation of filing fee
and related account data and provide a consolidated source for on-line inquiry, on a real-time
basis, of specific filing fee information. A new agency on-line system was implemented in late
fiscal 1992. However, since implementation several problems have been identified that inhibit
the agency from maintaining real-time, accurate data. The current system does not fully meet the
requirements of the agency or the requirements outlined in OMB Circular A-127 (including the
internal control standards as defined in OMB Circular A-123) for financial management systems.
The following are specific identified deficiencies:
Internal Controls. Internal control deficiencies include (1) an unreliable electronic link with
Mellon Bank which is used to transmit data on fees deposited for SEC at Mellon; (2) interface
problems with the agency's EDGAR system; (3) difficulty in linking fees and filings; (4) limited
data validation; (5) inadequate separation of duties; (6) insufficient audit trails; and (7) a lack of
access level security.
Documentation. The EFFS system does not have sufficient current documentation describing
functional requirements, system specifications, data and transaction requirements, and user and
training materials.
01/02/02 14:56 FAX 202 942 9650
SEC CONG AFF
013
Enclosure D
Page 2
Maintenance. The current EFFS system is difficult to maintain due primarily to its structure and
reliance on a few key individuals.
Source of Discovery of Non-conformance: The non-conformance was identified in early fiscal
1993 by the system manager and the Comptroller of the agency. Subsequently, two SEC task
forces and an audit conducted by the Office of the Inspector General from January 1995 through
October 1995 identified additional deficiencies.
Critical Milestones in Corrective Action:
Original
Current
Critical Milestone
Plan
Plan
Actual
Establish Task Force to
Identify and Resolve System
Problems
12/92
N/A
12/92
Identify and Resolve Critical
Problems
9/93
N/A
9/94
Implement Programming Changes
9/93
N/A
8/95
Establish Second Task Force
11/94
N/A
11/94
Implement New Processing Procedures
and Access Codes
2/96
Correct Audit Trail Weaknesses
2/96
1
Prepare Formal, Written Procedures
2/96
Requirements for Redesign
2/95
N/A
4/96
Completion of Redesign and
Implementation of New System
12/97
2001
9/01
A. Completed actions/events: A task force was established by the Executive Director of the
agency to identify and resolve system problems that inhibit agency needs and compromise
compliance with OMB Circular A-127 requirements. Several critical problems were identified
and resolved and some system changes were implemented. Due to the unusual complexity of the
1
Audit trail weaknesses were corrected in February 1996, with the exception of system
changes to accommodate a "reason" code.
01/02/02 14:57 FAX 202 942 9650
SEC CONG AFF
014
Enclosure D
Page 3
problems identified by this task force, a second task force was assembled. This task force was able
to improve significantly several features of the system and the reliability of EFFS financial data.
These improvements enabled the agency to send account statements to over 17,500 filers and
registrants. However, the task force and an audit conducted by the Office of the Inspector General
identified insufficient internal controls (i.e., separation of duties, access levels, and audit trails),
lack of documentation, and difficulties in maintaining the system such that a determination was
made to redesign the system and to delay full implementation of some corrective actions until EFFS
is redesigned. The EFFS re-write requirements were included in the modernization initiative for the
Commission's EDGAR system. A three-year contract for the modernization of EDGAR was
awarded in July 1998. The EFFS replacement was implemented in September 2001. The design of
the new system contains adequate financial controls.
B. Planned actions/events (short-term, i.e., next 12 months): The SEC will be generating
Account Activity Statements from the new system by the end of February 2002. This will allow
each filer to verify the accuracy of their account information at the SEC.
C. Planned actions/events (long-term, i.e., long-term): We will monitor the new system to
ensure that it tracks the receipt and allocation of filing fee and related account data accurately and
provides a consolidated source for on-line information.