This is the accessible text file for GAO report number GAO-05-679R entitled 'Financial Market Organizations Have Taken Steps to Protect against Electronic Attacks, but Could Take Additional Actions' which was released on July 29, 2005. This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. June 29, 2005: The Honorable Joe Barton, Chairman: The Honorable John D. Dingell, Ranking Minority Member: Committee on Energy and Commerce: House of Representatives: The Honorable Fred Upton, Chairman: The Honorable Edward J. Markey, Ranking Minority Member: Subcommittee on Telecommunications and the Internet: Committee on Energy and Commerce: House of Representatives: The Honorable Cliff Stearns, Chairman: The Honorable Jan Schakowsky, Ranking Minority Member: Subcommittee on Commerce, Trade, and Consumer Protection: Committee on Energy and Commerce: House of Representatives: Subject: Financial Market Organizations Have Taken Steps to Protect against Electronic Attacks, but Could Take Additional Actions: The September 11, 2001, terrorist attacks on the World Trade Center exposed the vulnerability of the financial markets to disruption by such events. As part of a series of reviews we have performed at the request of Members of Congress, we have examined and reported on the adequacy of the steps that financial market participants have taken to reduce their vulnerability to attacks and to be better able to recover from such events when they occur.[Footnote 1] In addition to taking steps to reduce the likelihood that physical attacks will damage their facilities, financial market organizations must also implement protections to reduce the potential for electronic attacks to disrupt their operations. Electronic attacks can be the result of individuals (such as hackers) or groups, such terrorist organizations or foreign governments, attempting to gain unauthorized access to a specific organization's networks or systems or from malicious computer programs or codes, such as viruses or worms, that seek to damage data or deny access to legitimate users. Given the importance of this topic, you asked us to review the measures taken by selected critical financial market organizations, including exchanges, clearing organizations, and payment system processors, to protect themselves from attacks and we reported our results to you in September 2004.[Footnote 2] At the time we prepared that report, we were still completing our reviews of the seven selected organizations' information security protections. For this report, our objective was to assess the information security programs in place at these organizations. To maintain the confidentiality of the sensitive information we examined, this report refrains from naming the organizations we reviewed and presents the results of our work in an high-level, aggregated manner. To assess these organizations' information security protections, we assessed whether the organizations had in place five key elements of a sound information security program. As discussed in guidance used for reviews of federal organizations, the Federal Information System Controls Audit Manual (FISCAM), five elements key of an information security program can include: * Information security policies and procedures that cover all major systems and facilities and outline the duties of those responsible for security, * Access controls to prevent unauthorized access to networks and information systems, * Intrusion detection systems that monitor for attempts to gain unauthorized access to networks and information systems, * Incident response procedures to address electronic attacks or breaches, and: * Testing and assessments of an organization's vulnerability to attack and audits of its information security practices and controls. To determine how these organizations had implemented these five key elements for information security, we interviewed their key operations and information security officials. We also examined the security policies of the organizations we visited and reviewed documentation of their system and network architectures and configurations. We also compared their information security measures with those recommended in FISCAM, other federal guidelines and standards, and various industry electronic security best practice principles. We also reviewed internal security audit reports and their supporting documentation and any third- party network vulnerability assessments that had been conducted within the past year. We conducted our work in various cities in the United States between October 2003 and April 2005 in accordance with generally accepted government auditing standards. Results in Brief: We found that all seven of the selected financial market organizations are taking steps to prevent their operations from being disrupted by electronic attacks. Each of the organizations had implemented the five major elements of a sound information security program. However, we identified actions that each organization could take to further improve their protections against attacks or unauthorized access. At the time of this report, many of the organizations had already implemented some of these improvements and had developed plans to address almost all of the other actions we identified. As regulators of these organizations, staff from the Securities and Exchange Commission (SEC) and the Federal Reserve Board of Governors (Federal Reserve) were briefed on the detailed results of our reviews and both indicated that they plan to monitor the progress of the organizations they oversee in implementing the information security improvements we raised during our reviews. Financial Market Organizations Had Implemented the Major Elements of a Sound Information Security Program: A sound information security program requires the implementation of security-related policies and all seven organizations that we reviewed had implemented policies and procedures that addressed the information security practices to be followed in designing and implementing their information networks and systems. Implementing controls over access is the second major element of a sound information security program, and all seven organizations had also implemented controls to prevent unauthorized access to their networks and systems. Examples of these controls include firewalls and routers that are configured to only allow authorized messages and data to be passed to and from selected organizations.[Footnote 3] Other controls these organizations employed on their systems included passwords that were intended to allow only authorized users to access their systems. These organizations had all attempted to protect themselves by implementing multiple controls. For example, all the organizations had implemented layered or tiered information system architectures, which involve placing increasingly sensitive hardware and data behind various layers of access controls. In such an architecture, an organization may place its Web servers that host its public Internet site on its outer layer but position the critical computers that perform its production processing behind several layers that require information to pass through multiple firewalls that restrict access to only authorized users and require various logins and passwords to obtain system access. Figure 1 illustrates a typical layered security architecture. Figure 1: Typical Layered Security Architecture: [See PDF for image] Note: A demilitarized zone is the commonly used term for the portion of the network that sits between an organization's internal network and an external network, usually the Internet. [End of figure] Another way that several of the organizations had attempted to control unauthorized access to their key systems was by implementing elements of a separate out-of-band network that they used to manage the operations and security of their information systems. Having a separate network for administering systems increases an organization's security because it moves the sensitive management functions, such as the ability to change access authorizations or passwords, to computer workstations that are more isolated from the organization's corporate or production networks. All seven of the selected financial market organizations had also implemented the two elements of a sound information security program relating to detecting and responding to intrusions. For example, all seven had installed devices or software designed to detect intrusions or attempts to gain unauthorized access to their networks and systems. All the organizations also had developed appropriate procedures for responding to information security intrusion attempts or incidents. For example, one organization had an internal committee consisting of personnel from its operations and information security areas that met every 2 weeks to discuss the types of intrusion attempts that had occurred during that period. During these meetings, they assess the need to alter their security practices to address emerging issues. Staff from this committee would also share their organization's experiences with the Financial Services Information Sharing and Analysis Center (FS/ISAC), which gathers information from private sector financial markets organizations on information security threats and distributes it to its members.[Footnote 4] Finally, each of the seven organizations also had implemented the final element of a sound information security program by having vulnerability assessments of their systems' security performed and conducting audits of their information security practices and controls. For example, many had penetration tests that attempted to obtain access to protected systems performed by external organizations, with some having multiple assessments done each year. Six of the seven organizations also had internal audit staffs that conducted reviews of their information security, and one organization relied primarily on external auditors. For example, two of the organizations had staff within their internal audit departments that, in our technical experts' judgment, were very well versed in highly technical aspects of information security threats and the corresponding controls that the systems at their organizations needed to be secure. Additional Actions Could Improve the Information Security at These Organizations: Although all seven organizations had the major elements of a sound information security program in place, we also identified additional improvements that each of the organizations could make to further strengthen their protections against electronic attacks. As shown in table 1, we identified anywhere from 11 to 38 suggested improvements at these organizations. In some cases, we identified the same issues at multiple organizations. As the table shows, most of the issues that we identified related to the access controls these organizations had implemented. Table 1: Numbers of Issues Relating to Financial Market Organizations' Information Security Programs, by Element: [See PDF for image] Source: GAO. [End of table] The specific issues that we identified as areas in which the financial market organizations could improve varied. For example, one organization had a policy that required minor patches--software updates that address errors or security vulnerabilities--to go through the same quality assurance testing as major updates and revisions to its systems. Having this policy resulted in longer than necessary delays in the removal of vulnerabilities in the organization's systems. In response to our raising this issue, the organization planned to revise the policy by June 15, 2005. At another organization, we noted that the intrusion detection system being used had not been programmed to detect unusual patterns in the specialized message traffic generated by a Web- based system that the organization had recently deployed. In response, this organization told us that its staff would be developing customized "signatures" to allow their intrusion detection system to better identify potentially harmful traffic by mid 2005. In addition, as shown in the table above, we also identified issues at some organizations in their vulnerability testing or audit activities. For example, one organization had not yet fully established a group within its organization with sufficient responsibility and authority to review, analyze, and manage the results of its various vulnerability assessments from a corporatewide perspective. As shown in table 1, the majority of the issues we identified at the seven financial markets organizations related to the way they were controlling access to their networks and systems. Many of the issues we identified at the organizations involved lack of adequate controls in place at all key points of their networks. The seven organizations also exposed themselves to greater risk by having vulnerabilities on those parts of their networks used to manage network administration or security. For example, to allow its staff to monitor and manage systems from other locations, one organization had been using a remote access software system. However, because this system was used by both key systems administrative staff as well as nonsystems staff in the organization, any attacker gaining access to this system could conceivably also gain access to key security functions, such as firewall management, although these were also protected by other controls. Since our review, this organization told us it has purchased new hardware and software that will be implemented in a manner that removes this vulnerability. At another organization, we noted that staff from an outside vendor had considerable access to the organization's network and, in response, this organization reported revising its contract with the vendor to include subjecting the vendor's relevant staff to fingerprinting and background checks. According to the discussions we held with staff from these organizations and documents they provided, the financial market organizations were already taking actions in response to almost all of the information security issues we identified. As shown in table 2, the organizations had already completed actions to address about 35 percent of the issues we raised at the time of this report. In response to about two thirds of the issues raised, staff from these organizations indicated that actions to address them were either in progress (28 percent) or were being evaluated or considered for future action (33 percent). Table 2: Actions Taken by Financial Market Organizations in Response to GAO-Raised Issues: Status of action: Completed; Number of actions: 57; Percentage of total: 35%. Status of action: In progress; Number of actions: 47; Percentage of total: 28%. Status of action: Planned or being considered; Number of actions: 54; Percentage of total: 33%. Status of action: No action taken; Number of actions: 7; Percentage of total: 4%. Total; Number of actions: 165; Percentage of total: 100%. Source: GAO. [End of table] Financial Market Regulators Plan to Monitor Organizations' Efforts to Improve Information Security: The regulators of the financial market organizations that we reviewed plan to monitor the progress these organizations make in improving information security practices. During the reviews we performed, we briefed SEC staff on the results of our assessments of the information security at the organizations for which SEC has regulatory oversight authority. At several of the briefings we provided to the organizations themselves, SEC staff also participated in the discussions and at one organization SEC staff and GAO staff conducted a joint review. As part of its oversight of these organizations, SEC staff told us they intend to monitor the progress that these organizations make in implementing the improvements we identified during our reviews. Some of the organizations are under the authority of the Federal Reserve Board of Governors. Staff from the Federal Reserve told us that they, in conjunction with other relevant regulators, would also be monitoring progress at these organizations in implementing the improvements we identified. Agency Comments: We provided a draft of this report to the Chairman, SEC, and the Chairman, Federal Reserve. Staff from these organizations provided technical comments that we made as appropriate. As agreed with your offices, unless you publicly announce its contents earlier, we plan no further distribution of this report until 30 days after the date of this report. At that time, we will send copies of this report to the Chairman and Ranking Minority Member, Committee on Financial Services, House of Representatives and the Chairman and Ranking Minority Member, Committee on Banking, Housing, and Urban Affairs, United States Senate. We will also send copies to the Chairman, SEC, and Chairman, Federal Reserve Board of Governors. We will make copies available to others upon request. This report will also be available at no charge on GAO's Web site at http://www.gao.gov. Please contact me at (202) 512-8678 if you or your staff have any questions concerning this report. Contact points for our Ofices of Congressional Relations and Public Affairs may be found on the last page of this report. Key contributors to this report are listed in the enclosure. Signed by: Richard J. Hillman: Director, Financial Markets and Community Investment: Enclosure: GAO Contact and Staff Acknowledgments: GAO Contacts: Richard J. Hillman (202) 512-8678: Staff Acknowledgments: In addition to the individual named above, Cody Goebel, Edward Alexander, Jr., Gerald Barnes, Mark Canter, Jason Carroll, Lon Chin, West Coile, Edward Glagola, Harold Lewis, Eugene Stevens, and Christopher Warweg made key contributions to this report. (250218): FOOTNOTES [1] See GAO, Financial Market Preparedness: Improvements Made, but More Action Needed to Prepare for Wide-Scale Disasters, GAO-04-984 (Washington, D.C.: Sept. 27, 2004); Potential Terrorist Attacks: Additional Actions Needed to Better Prepare Critical Financial Market Participants, GAO-03-251 (Washington, D.C.: Feb. 12, 2003); and Potential Terrorist Attacks: Additional Actions Needed to Better Prepare Critical Financial Market Participants, GAO-03-414 (Washington, D.C.: Feb. 12, 2003). [2] GAO-04-984. [3] Routers are intelligent devices that forward data between segments of local area networks. A firewall is a piece of hardware or software that functions in a networked environment to prevent some communications forbidden by the security policy. It has the basic task of controlling traffic between different zones of trust. Typical zones of trust include the Internet (a zone with no trust) and an internal network (a zone with high trust). The ultimate goal is to provide controlled connectivity between zones. [4] According to an FS/ISAC official, their organization had 1,680 members as of June 2005, and its critical threat alerts were being distributed to almost 9,700 organizations.