The Securities and Exchange Commission has extensive information-security weaknesses, according to a new report from the Government Accountability Office.
The congressional watchdog agency found that the SEC has corrected or mitigated just 8 of the 51 weaknesses that the GAO reported as unresolved in last year’s report — among them, replacing a vulnerable, publicly accessible workstation.
The GAO also asserted, however, that the commission has not effectively controlled remote access to its servers, established controls over passwords, managed access to its systems and data, securely configured network devices and servers, or implemented auditing and monitoring mechanisms to detect and track security incidents.
“Overall, SEC has not effectively implemented information security controls to properly protect the confidentiality, integrity, and availability of its financial and sensitive information and information systems,” stated the report.
Indeed, the GAO identified 15 new weaknesses; most pertain to electronic access controls such as user accounts and passwords, access rights and permissions, and network devices and services. “These weaknesses increase the risk that financial and sensitive information will be inadequately protected against disclosure, modification, or loss, possibly without detection, and place SEC operations at risk of disruption,” the report elaborated.
The watchdog agency recommended that chairman Christopher Cox direct the commission’s chief information officer to fully implement an SEC-wide information security program. The agency also noted that in its written comments on a draft of the report, the SEC acknowledged that the GAO’s recommendations are appropriate and actionable, and that it is focusing on implementing them fully.