SEC Inspector General Report Concludes That The SEC Lacks Proper Accountability Over Laptops
[22404]
April 9, 2008
TO: SMALL FUNDS COMMITTEE No. 12-08TECHNOLOGY COMMITTEE No. 9-08 RE: SEC INSPECTOR GENERAL REPORT CONCLUDES THAT THE SEC LACKS PROPER ACCOUNTABILITY OVER LAPTOPS
The SEC’s Office of Inspector General has published a report containing its findings of a review it conducted of the SEC’s Office of Information Technology (the “OIT”) from October 2007 to February 2008 of the adequacy of controls over laptops issued by the Commission. [1] According to the report, the Inspector General’s “inspection concluded that the OIT does not have the proper accountability over laptops” and that “effective accountability of laptop computers simply does not exist.” This is of concern because “the SEC is privy to an enormous amount of non-public and sensitive market data and most of it is stored on laptops.”
The report documents the following weaknesses that make the Commission’s laptops “extremely susceptible to theft without detection:”
- Unlike other federal agencies, the SEC’s policies do not identify laptops as “sensitive property.” As such, they are not subject to an annual inventory and Directors and Office Heads are responsible for maintaining reasonable controls to safeguard laptops against improper use, theft, and undue deterioration;
- The SEC has failed to conduct a complete inventory of the SEC’s laptops. While a laptop inventory began in 2005, it was not completed due to resource constraints; and
- Due to the SEC’s lax inventory controls, the total number of laptops within the SEC cannot be determined.
The report also found that:
- Equipment was released to employees who did not have possession of it;
- Laptops were released to individuals who the Inspector General could not locate or determine if they were employed by the SEC;
- Laptops appeared to be released as loaners and did not show that they were returned;
- Laptops were given to SEC employees other than those whose names appeared on the SEC’s Property Transaction Report Form; and
- Because of the SEC’s inability to trace ownership of laptops to specific individuals, if a laptop were lost or stolen, the SEC would have difficulty identifying its rightful owner.
Based on the above findings, the Inspector General recommends that the Commission:
(1) Identify Commission-wide sensitive property and allow the SEC’s Directors and Office Heads to determine if they have additional property that should be deemed sensitive.
(2) Require a method of accountability for sensitive property that will ensure that SEC has an accurate accounting of laptops.
(3) Complete a full inventory of laptops to establish a baseline.
(4) Revise the procedures to establish clear accountability for laptops. These procedures should include a requirement that documents the issuance and receipt of equipment to a specific SEC employee.
(5) Specify a form to account for sensitive property. Such form should include contact information of the person receiving the equipment (i.e., printed name, number, email, and location).
Tamara K. Salmon
Senior Associate Counsel
endnotes
[1] See Control Over Laptops, SEC Office of Inspector General (Inspection Report No. 441, March 31, 2008), which is available at: http://www.sec.gov/about/oig/audit/2008/ir441.pdf.