• United States
by Linda Rosencrance

U.S. government agency warned on weak IT security

Apr 10, 20062 mins

The U.S. Securities and Exchange Commission must bolster its information security to protect corporate financial data and other sensitive information stored in its IT systems, according to a report released late last month by the Government Accountability Office.

The report found that the SEC has corrected or mitigated only eight of 51 weaknesses cited by the GAO in a report last year, a response the oversight office of the U.S. Congress called inadequate. The report identified 15 new vulnerabilities in addition to those on last year’s list.

Corrective actions taken by the SEC over the past year include replacing a vulnerable, publicly accessible workstation, and developing and implementing change-control procedures for an undisclosed major application.

The report found that the financial regulatory agency has not yet effectively controlled remote access to its servers, established adequate controls over passwords, or managed access to its systems and data. In addition, the SEC has yet to securely configure network devices and servers or implement auditing and monitoring mechanisms to detect and track security incidents.

Weak controls

Most of the newly discovered weaknesses are related to electronic-access controls such as user accounts and passwords, access rights and permissions, and network devices and services, the GAO said.

For example, the GAO said the SEC has not adequately controlled user accounts and passwords to ensure that only authorized individuals can access its systems and data.

In addition, the GAO found that the SEC permits users to modify sensitive information or critical system files and directories without required permissions, increasing the risk that the SEC’s applications and sensitive financial data could be compromised.

The report determined that the vulnerabilities continue to leave sensitive SEC financial information without sufficient protection against disclosure, modification or loss.

Until the SEC fully develops, implements and documents key elements of an information security program to ensure that effective controls are in place and are maintained, its information systems will remain at risk and be vulnerable to disruption, the GAO said.

In a written response, the SEC said it agrees with the agency’s findings and is focusing on implementing its recommendations.