SEC has failed to fix security gaps, GAO says

Information security weaknesses persist at the Securities and Exchange Commission because the agency has not followed through on recommendations the Government Accountability Office made last year for comprehensive, agencywide information security.

SEC has implemented just a few of those recommendations, GAO said in a report.

SEC has replaced a vulnerable, publicly accessible workstation and implemented change control procedures for a major application, but has not yet implemented effective controls for remote access to its servers, the report said. It also has not securely configured network devices and servers or put in place auditing and monitoring mechanisms to detect and track security incidents.

SEC depends on computerized systems to support its financial operations and store the sensitive data it collects from individuals and corporations related to financial and securities filings. Its local and wide area networks connect with these systems. SEC also relies on several financial systems to process and track transactions such as filing fees by corporations and penalties from enforcement activities.

SEC's information security weaknesses remain in large part because the agency has not put in place and documented key elements of a comprehensive information security program to ensure that effective controls are established, the report said.

'Until SEC implements such a program, its facilities and computing resources and the information that is processed, stored and transmitted on its systems will remain vulnerable,' Gregory Wilshusen, GAO's director of information security issues, said in the report released Friday.

Since GAO's audit, conducted from June through October, SEC has completed certification and accreditation for its general support systems.

'The remaining four major applications are on track to be accredited during the spring,' said SEC chairman Christopher Cox in a written response.

By October, SEC plans to fix the weaknesses that GAO highlighted, including directing the SEC CIO to fully implement an agencywide information security program, assessing systems risk, beginning a testing and evaluation program for security controls, and tracking remedial action to reduce risk, Cox said.

About the Author

Mary Mosquera is a reporter for Federal Computer Week.
