GAO: SEC systems vulnerable to attack

Computer networks at the Securities and Exchange Commission remain vulnerable to hacking, a Government Accountability Office report finds.

Data at risk includes regulatory information, SEC financial transactions and internal payroll and personnel information, the report states.

Security is getting more attention these days because of high-profile cases involving Bank of America and information gatherers ChoicePoint and LexisNexis, in which unauthorized people were able to access personal data.

During the period of GAO's review, from April through November 2004, the commission’s network intrusion-detection system was not fully implemented and “there was no capability to target unusual or suspicious network events for review as they occurred,” the report states.

Network services and devices were vulnerable, outdated, and/or misconfigured, the report also states.

During one examination of SEC security controls, GAO auditors found an internal SEC network-connected computer located inside a public area. Some former employees also retained network access, including one former employee who could still log onto SEC systems for eight months after departing the commission.

The congressional watchdog also found that some SEC network users could bypass security and audit controls altogether.

A key reason for the commission’s security weaknesses is its lack of a comprehensive information security program, the report states. Although the agency has established a central security group and appointed a senior information security officer, SEC officials have yet to complete a comprehensive risk assessment and develop adequate policies, the report states.

Each year, the SEC processes more than 600,000 financial documents and collects more than $1 billion in filing fees, penalties and disgorgements in fulfilling its mission to oversee U.S. securities markets.

GAO auditors are not alone in noting SEC security weaknesses; a fiscal 2004 SEC inspector general audit found the commission substantially out of compliance with the Federal Information Security Management Act of 2002.

SEC officials said the commission recognizes the need to further its existing programs and will complete the corrective actions identified by GAO auditors by June 2006. Significant progress is already underway, adds the official commission response to the GAO findings.

About the Author

David Perera is a special contributor to Defense Systems.

