The Securities and Exchange Commission (SEC) is tasked with an important mission—to protect investors; maintain fair, orderly, and efficient markets; and facilitate capital formation. To complete its mission, a diverse set of programs is required to collect and process personally identifiable information (PII), as well as other sensitive or confidential information. In support of its mission, in 2004 the SEC established a comprehensive agency-wide Privacy Program.
Following the Office of Personnel Management (OPM) breach in June 2015, substantial new privacy requirements were added by the White House to mitigate the risk inherent in the retention and utilization of PII. The framework of the SEC’s updated privacy program aligns with NIST Special Publication (SP) 800-53, Revision 4, “Security and Privacy Controls for Federal Information Systems and Organizations,” Appendix J, “Privacy Control Catalog.” The SEC uses NIST Appendix J to operationalize privacy and minimize privacy risks to SEC information and information systems. The SEC has committed to conducting privacy assessments prior to system authorization for each of its systems by 2020.
Over the past year, our team has helped the SEC implement the privacy guidance issued in NIST SP 800-53 and mandated through OMB SP A-130. This work has involved developing methods to document, assess, and report on the status of critical privacy controls. Our team has documented the privacy plans for over 20 major and critical SEC applications; developed a custom assessment plan and process to cover areas left open by NIST SP 800-53A; begun assessment of six SEC systems, including a high-value asset; and completed assessment of two systems. Our scope of work has expanded to cover the entire privacy lifecycle, from initial documentation to the monitoring of existing systems.
Why This Work Matters
The SEC Privacy Program endeavors to function as a leader in promoting and protecting privacy and transparency for employees, members of the public, and all stakeholders. The SEC intakes a large amount of public and private data to accomplish its broad missions: Informing and Protecting Investors, Facilitating Capital Formation, Enforcing Federal Securities Law, and Regulating Securities Markets.
The SEC has missions to both inform the public and enforce the law. Therefore, careful design and execution of information systems are necessary to avoid the disclosure of PII, while still accomplishing the critical national functions of being an information broker and regulator for the market.
The SEC endeavors to be on the forefront of information privacy requirements. Privacy has only recently entered a risk management and security control model. The area lacks guidance and experienced practitioners. Our team represents a group of lawyers and compliance experts learning the technical side of Privacy, as well as a group of technical assessors learning the Privacy framework for the first time. Our team works hand in hand with the SEC to develop one of the first operational privacy risk management frameworks in the federal government.
Making a Difference
Our team has had the wonderful opportunity to work with talented and highly motivated personnel across each division of the SEC. By building a privacy program that works hand in hand with information security, we were able to rapidly coordinate with the security branch when our team discovered a substantial vulnerability during the course of our assessment. As our work continues at the SEC, we will ultimately bring our custom assessment method to the 80+ systems in the agency that process PII, including high-value assets crucial for the function of the markets and the SEC’s enforcement functionality, such as the public-facing securities filing and reporting portal, EDGAR.
Helping to protect the personal information of the public, filers, and SEC employees has been a challenging and rewarding experience for our team. It has been exciting to strike into new information assurance territory with a mature and well-supported privacy program.