SEC's weak security puts data at risk: GAO
SEC's weak security puts financial, investor data at risk: GAO
- By Mary Mosquera
- Mar 25, 2005
The Securities and Exchange Commission needs to strengthen its controls over financial and other sensitive data, the Government Accountability Office said in a new report.
Specifically, SEC should improve its controls over user accounts and passwords, access rights and permissions, network security and audit, and monitoring of security events to prevent or detect unauthorized access to its systems, according to the report.
A major reason for the weaknesses is that the agency has not fully established a comprehensive security program, GAO said.
'Sensitive data - including payroll and financial transactions, personnel data, regulatory, and other mission critical information - are at increased risk of unauthorized disclosure, modification or loss, possibly without being detected,' said Gregory Wilshusen, GAO's director for information security issues.
SEC has established a central security management function and appointed a senior information security officer to manage the program. However, the agency has not defined roles for security personnel, assessed risks, implemented security policies, and tested and evaluated the effectiveness of its system controls.
SEC said it would implement the GAO recommendations by June 2006 and indicated that some had already been implemented.
'We also understand that the GAO is not advocating "quick fixes," but rather a sustained effort that deeply embeds the principles of strong information security throughout our technical environment, our agencywide business processes and our organizational culture,' SEC officials responded in a letter earlier this month.
SEC CIO Corey Booth, managing executive for operations Peter Derby and executive director James McConnell cited the need for resources and significant executive commitment to resolve the security issues.
Mary Mosquera is a reporter for Federal Computer Week.