TRENDING:

GAO: New IT Security Flaws Surface at SEC

Lack of Leadership Cited as Weakness Eric Chabrow (GovInfoSecurity) • March 18, 2009    
GAO: New IT Security Flaws Surface at SEC
An audit of the Security and Exchange Commission IT systems reveals 23 new weaknesses in controls intended to restrict access to data and systems, as well as weaknesses in other information security controls.

Those new flaws, combined with 16 previously reported, continue to jeopardize the confidentiality, integrity and availability of SEC's financial and sensitive information and information systems, the GAO reported Tuesday.

GAO says a primary reason these weaknesses persist is that the SEC has not yet fully implemented its information security program to ensure that controls are appropriately designed and operating as intended. Specifically, the commission has failed to:

Name senior agency information security officer, a post left vacant since July.
Fully report or assess risks.
Sufficiently test and evaluate the effectiveness of its information system controls.
Certify and accredit a key intermediary subsystem.

One weakness GAO cited involved SEC's failure to adequately document access privileges granted to users of a key financial application, and did not always implement patches on vulnerable workstations and enterprise database servers.

Although progress has been made on 18 weakness earlier identified, GAO says significant and preventable information security control deficiencies create continuing risks of the misuse of federal assets, unauthorized modification or destruction of financial information, inappropriate disclosure of other sensitive information, and disruption of critical operations.

SEC Chairwoman Mary Schapiro, in a letter to the GAO, agreed with GAO's recommendations and reported that the agency is on track to address our new findings and to complete remediation of prior year findings. "Since the mission of the SEC involves ensuring strong internal controls within the companies the agency monitors, it is imperative that we hold ourselves to high standards in this area," Schapiro wrote. "Improving our internal controls has been, and continues to be, one of our highest priorities."

Previous
GAO: Fake Documents Used to Issue Valid Passports
Next
ManTech Completes DDK Acquisition

About the Author

Eric Chabrow

Eric Chabrow

Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.



Around the Network

Craig Box of ARMO on Kubernetes and Complexity
Craig Box of ARMO on Kubernetes and Complexity
David Derigiotis on the Complex World of Cyber Insurance
David Derigiotis on the Complex World of Cyber Insurance
Showing Evidence of 'Recognized Security Practices'
Showing Evidence of 'Recognized Security Practices'
Are We Doomed? Not If We Focus on Cyber Resilience
Are We Doomed? Not If We Focus on Cyber Resilience
Whistleblowing Brings Visibility to the Role of CISOs
Whistleblowing Brings Visibility to the Role of CISOs
Aité-Novarica's Cybersecurity Impact Award
Aité-Novarica's Cybersecurity Impact Award
The Persisting Risks Posed by Legacy Medical Devices
The Persisting Risks Posed by Legacy Medical Devices
Protecting the Hidden Layer in Neural Networks
Protecting the Hidden Layer in Neural Networks
Organization-Wide Passwordless Orchestration
Organization-Wide Passwordless Orchestration
How 2U Inc. Is Fortifying Its Systems and Solutions Designs
How 2U Inc. Is Fortifying Its Systems and Solutions Designs

Continue »

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.