SEC’s inconsistent controls leave financial data at risk


The Securities and Exchange Commission has not consistently implemented critical information technology security controls to protect its financial and sensitive information and the systems that process it, the Government Accountability Office said. Several newly identified security weaknesses also remain unresolved, it added.

SEC needs to improve how it puts information security policies and procedures in place, how it tests and evaluates controls for major systems as required by its certification and accreditation process, and how it takes timely and effective corrective action under its remediation plans, GAO said in a report earlier this week.

“Until SEC does, it will have limited assurance that it will be able to manage risks and protect sensitive information on an ongoing basis,” said Gregory Wilshusen, GAO’s director of information security issues.

GAO recommended that SEC verify that all system owners and offices apply agency security policies and procedures, complete recertification and re-accreditation testing and evaluation of the general ledger system, and follow through on action plans to fix problems effectively and in a timely manner.

The agency that oversees the securities industry to protect investors has corrected 58 of 71 weaknesses reported the previous year, in large part because SEC’s senior managers participated in activities to implement IT security, including establishing policies and procedures for risk management, ensuring that all users complete security training and developing an incident response program.

Despite this progress, the report says SEC has acted inconsistently to safeguard the confidentiality, integrity and availability of its sensitive data and the systems on which that data runs. GAO cited weaknesses in access controls, boundary protection, identification and authentication, authorization, and configuration management.

For example, SEC did not have current documentation of the privileges granted to users of a major application, did not securely configure certain system settings, and had not consistently installed all patches on its systems.

“As a result, the commission’s financial and sensitive data are at increased risk of unauthorized disclosure, modification or destruction,” Wilshusen said.

SEC agreed that it needed to maintain momentum to address the remaining IT security gaps. Since the audit, the commission has deployed software on agency workstations to protect against malicious code attacks, put in place a process to ensure that the agency follows its policy to assign risk classifications to application changes, and completed yearly security awareness training of all employees.

“Since the mission of the SEC is to ensure strong internal controls within all U.S. public companies, it is imperative that the agency and its staff hold ourselves to the highest standards in this area,” said SEC Chairman Christopher Cox and CIO Corey Booth in a letter in response to GAO.
