SEC Violations of Its Internal Policies Relating to Information Technology Security

The SEC Office of Inspector General ("OIG") opened an investigation in response to an anonymous complaint alleging mismanagement of a computer security lab in the Division of Trading and Markets Automation Review Policy ("ARP") program. The lab, known as the ARP lab, is used to support the Division of Trading and Markets Office of Market Continuity inspection program, which inspects SRO, stock exchange and clearing agency computer networks. The anonymous complaint alleged that ARP lab staff and management inappropriately allocated and spent significant budget dollars to purchase computer equipment for the lab without justification or planning; used unencrypted laptops during inspections, in violation of SEC information technology security policies; and inappropriately used SEC funds for training. Also included in the complaint were allegations regarding unprofessional behavior, ineffective management and misuse of unrestricted Internet access.

The OIG investigation found that ARP lab staff spent significant budget dollars purchasing computer equipment and software with little oversight or planning, and that a significant portion of that equipment and software was unneeded or never used during the inspection program.