SEC has failed to fix security gaps, GAO says
- By Mary Mosquera
- Apr 03, 2006
Information security weaknesses persist at the Securities and Exchange Commission because the agency has not followed through on recommendations the Government Accountability Office made last year for comprehensive, agencywide information security.
SEC has implemented just a few of those recommendations, GAO said in a report.
SEC has replaced a vulnerable, publicly accessible workstation and implemented change control procedures for a major application, but has not yet implemented effective controls for remote access to its servers, the report said. It also has not securely configured network devices and servers or put in place auditing and monitoring mechanisms to detect and track security incidents.
SEC depends on computerized systems to support its financial operations and store the sensitive data it collects from individuals and corporations related to financial and securities filings. Its local and wide area networks connect with these systems. SEC also relies on several financial systems to process and track transactions such as filing fees by corporations and penalties from enforcement activities.
SEC's information security weaknesses remain in large part because the agency has not put in place and documented key elements of a comprehensive information security program to ensure that effective controls are established, the report said.
'Until SEC implements such a program, its facilities and computing resources and the information that is processed, stored and transmitted on its systems will remain vulnerable,' Gregory Wilshusen, director of GAO's information security issues, said in the report released Friday.
Since GAO's audit, conducted from June through October, SEC has completed certification and accreditation for its general support systems.
'The remaining four major applications are on track to be accredited during the spring,' said SEC chairman Christopher Cox in a written response.
By October, SEC plans to fix the weaknesses GAO highlighted, including directing the SEC CIO to fully implement an agencywide information security program, assessing systems risk, beginning a testing and evaluation program for security controls, and tracking remedial action to reduce risk, Cox said.
Mary Mosquera is a reporter for Federal Computer Week.