GAO: SEC must improve information security

It has fixed only eight of 51 weaknesses identified last year

The U.S. Securities and Exchange Commission needs to bolster its information security to protect the confidentiality, integrity and availability of financial and sensitive data as well as its information systems, according to a report released late last week by the Government Accountability Office.

Although the SEC has corrected or mitigated eight of the 51 weaknesses the GAO reported as unresolved in last year’s report, it hasn’t done enough, the GAO said.

The corrective actions the SEC has taken include replacing a vulnerable, publicly accessible workstation and developing and implementing change-control procedures for a major application. But it has not yet effectively controlled remote access to its servers, established controls over passwords, managed access to its systems and data, securely configured network devices and servers, or implemented auditing and monitoring mechanisms to detect and track security incidents, according to the GAO.

In addition to the 43 vulnerabilities that have not been corrected, the GAO identified 15 new ones, according to the report. Most of the weaknesses have to do with electronic access controls such as user accounts and passwords, access rights and permissions, and network devices and services, the GAO said. Because of these vulnerabilities, the SEC’s sensitive financial information is not protected against disclosure, modification or loss, leaving the commission’s operations vulnerable to disruptions, according to the report.

For example, the GAO said the SEC has not adequately controlled user accounts and passwords to ensure that only authorized individuals can access its systems and data. That leaves an increased risk that unauthorized users could gain the identification and passwords needed to access SEC systems, the GAO said. In addition, the SEC permits users to modify sensitive information or critical system files and directories, although those users don’t need such permissions to perform their jobs. As a result, there is increased risk that the SEC’s financial and sensitive data and applications could be compromised.

Until the SEC fully develops, implements and documents key elements of an information-security program to ensure that effective controls are in place and are maintained, its information systems will remain at risk, the GAO said.

The GAO recommended that the SEC fully implement an agencywide information security program. In a written response, the SEC said it agrees with the GAO’s findings and is focusing on implementing its recommendations.

Copyright © 2006 IDG Communications, Inc.