GAO: New IT Security Flaws Surface at SEC

Lack of Leadership Cited as Weakness
An audit of the Securities and Exchange Commission's IT systems reveals 23 new weaknesses in controls intended to restrict access to data and systems, as well as weaknesses in other information security controls.

Those new flaws, combined with 16 previously reported, continue to jeopardize the confidentiality, integrity and availability of SEC's financial and sensitive information and information systems, the GAO reported Tuesday.

GAO says a primary reason these weaknesses persist is that the SEC has not yet fully implemented its information security program to ensure that controls are appropriately designed and operating as intended. Specifically, the commission has failed to:

Name a senior agency information security officer, a post left vacant since July.
Fully report or assess risks.
Sufficiently test and evaluate the effectiveness of its information system controls.
Certify and accredit a key intermediary subsystem.

Among the weaknesses GAO cited: the SEC did not adequately document the access privileges granted to users of a key financial application, and it did not always implement patches on vulnerable workstations and enterprise database servers.

Although progress has been made on 18 weaknesses identified earlier, GAO says significant and preventable information security control deficiencies create continuing risks of the misuse of federal assets, unauthorized modification or destruction of financial information, inappropriate disclosure of other sensitive information, and disruption of critical operations.

SEC Chairwoman Mary Schapiro, in a letter to the GAO, agreed with GAO's recommendations and reported that the agency is on track to address the new findings and to complete remediation of prior-year findings. "Since the mission of the SEC involves ensuring strong internal controls within the companies the agency monitors, it is imperative that we hold ourselves to high standards in this area," Schapiro wrote. "Improving our internal controls has been, and continues to be, one of our highest priorities."

About the Author

Eric Chabrow

Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.