GAO Chides SEC For Vulnerable Data

The Securities and Exchange Commission has failed to control access to its servers, establish controls over passwords, manage access to its systems and data, and take other security-related steps already requested, the report says.
The Government Accountability Office released a report last week stating that the SEC has failed to correct most weaknesses identified in last year's report.

Of 51 weaknesses identified last year, 43 remain and 15 new weaknesses have been identified, according to the report. The commission has failed to control remote access to its servers, establish controls over passwords, manage access to its systems and data, securely configure network devices and servers, and implement auditing and monitoring systems to detect and track security incidents, according to the report.

"Overall, SEC has not effectively implemented information security controls to properly protect the confidentiality, integrity and availability of its financial and sensitive information and information systems," the report states. "These weaknesses increase the risk that financial and sensitive information will be inadequately protected against disclosure, modification or loss, possibly without detection and place SEC operations at risk of disruption."

SEC has not fully developed, implemented or documented key elements of an information security program, the report states. Until the commission implements a program, its facilities, computing resources and information will remain vulnerable, according to the report.

The SEC responded to the report stating that its recommendations are appropriate and actionable and that the SEC is fully focused on implementing the recommendations.

The criticism of the commission comes after the GAO identified weaknesses in another body that controls financial data – the Internal Revenue Service.
