SEC's Financial Information at Risk
Commission Hasn't Been Consistent in Implementing Controls
Government auditors have identified weaknesses in information security controls at the Securities and Exchange Commission that jeopardize the confidentiality and integrity of the SEC's financial information.
Government Accountability Office auditors uncovered four significant deficiencies in the GAO's review of 2010 and 2011 commission financial statements, including those involving information systems, according to a letter dated April 13 to SEC Chairwoman Mary Schapiro from GAO's James Dalkin, director of financial management and assurance, and Gregory Wilshusen, director of information security issues.
GAO found that the SEC had not consistently or fully implemented controls for identifying and authenticating users, authorizing access to resources, ensuring that sensitive data are encrypted or auditing actions taken on its systems. SEC also had failed to install patch updates on its software, exposing it to known vulnerabilities, which could jeopardize data integrity and confidentiality, the auditors wrote.
SEC policy requires use of complex passwords and account lockout after unsuccessful log-in attempts, as well as disabling inactive accounts. But, the audit revealed, the commission had not enforced complex passwords or account lockout for certain servers supporting key financial applications, nor had it disabled inactive accounts on one server. As a result, the auditors concluded, SEC is at increased risk that accounts could be compromised and used by unauthorized individuals to access sensitive information.
Another SEC policy requires that each user or device be assigned only those privileges or functions needed to perform authorized tasks, but the commission hadn't always employed the principle of least privilege when authorizing access permissions. Specifically, the GAO said, the SEC didn't appropriately restrict security-related parameters and users' rights and privileges for certain network devices, databases and servers supporting key financial applications. "Users have excessive levels of access that were not required to perform their jobs," the auditors wrote. "This could lead to data being inappropriately modified, either inadvertently or deliberately."
The SEC also didn't configure servers supporting key financial applications to use encryption when transmitting data, resulting in increased risk that transmitted data can be intercepted, viewed and modified. The commission hadn't consistently configured certain servers supporting key financial applications to maintain audit trails for all security-relevant events, resulting in increased risk that the commission will be unable to determine if certain malicious incidents have occurred and who or what caused them.
Vulnerabilities' Exposure Could Be Exploited
A procedure requiring remediation efforts such as patching to be implemented within seven days for vulnerabilities deemed of high or critical importance wasn't routinely followed. "Failing to apply critical patches increases the risk of exposing SEC systems to vulnerabilities that could be exploited," the audit states.
GAO said SEC management failed to develop or maintain baseline configurations of security settings or associated guides for configuring several of its systems and devices. In addition, the commission reported that it didn't have an automated capability that provided visibility into the system configurations of any of its IT assets. That means, the GAO said, the SEC risks not being able to ensure that its systems are securely configured in accordance with federal and commission policies.
Among other shortfalls GAO auditors pointed out: failure to develop a comprehensive vulnerability management strategy, including a scanning schedule, and perform compliance and vulnerability scans on its applications, databases and network devices. SEC also failed to furnish evidence of analysis and actions taken based on scan results. "By not implementing a comprehensive vulnerability management scanning program," the auditors wrote, "SEC is at increased risk of not being able to detect vulnerabilities that could jeopardize the security of its systems."
GAO recommended the chief operating and chief information officers establish configuration baselines and related guidance to secure systems and monitor system configuration baseline implementation. Auditors also advised the SEC to develop and implement a comprehensive vulnerability management strategy that includes routine scanning of the commission's systems and evaluation of such scanning to provide for any needed corrective actions.