GAO: New IT Security Flaws Surface at SECLack of Leadership Cited as Weakness
Those new flaws, combined with 16 previously reported, continue to jeopardize the confidentiality, integrity and availability of SEC's financial and sensitive information and information systems, the GAO reported Tuesday.
GAO says a primary reason these weaknesses persist is that the SEC has not yet fully implemented its information security program to ensure that controls are appropriately designed and operating as intended. Specifically, the commission has failed to:
One weakness GAO cited involved SEC's failure to adequately document access privileges granted to users of a key financial application, and did not always implement patches on vulnerable workstations and enterprise database servers.
Although progress has been made on 18 weakness earlier identified, GAO says significant and preventable information security control deficiencies create continuing risks of the misuse of federal assets, unauthorized modification or destruction of financial information, inappropriate disclosure of other sensitive information, and disruption of critical operations.
SEC Chairwoman Mary Schapiro, in a letter to the GAO, agreed with GAO's recommendations and reported that the agency is on track to address our new findings and to complete remediation of prior year findings. "Since the mission of the SEC involves ensuring strong internal controls within the companies the agency monitors, it is imperative that we hold ourselves to high standards in this area," Schapiro wrote. "Improving our internal controls has been, and continues to be, one of our highest priorities."