SEC’s inconsistent controls leave financial data at risk

The Securities and Exchange Commission has not implemented critical IT security controls consistently, and new security risks remain unresolved, GAO says.

The Securities and Exchange Commission has not consistently implemented critical information technology security controls to protect its financial and sensitive information and the systems that process it, the Government Accountability Office said. Several new security weaknesses also remain unresolved, it added.

SEC needs to improve how it puts information security policies and procedures in place, how it tests and evaluates controls for major systems as required by its certification and accreditation process, and how it takes timely and effective action to correct the problems in its remediation plans, GAO said in a report earlier this week. “Until SEC does, it will have limited assurance that it will be able to manage risks and protect sensitive information on an ongoing basis,” said Gregory Wilshusen, director of information security issues at GAO.

SEC should verify that all system owners and offices apply agency security policies and procedures, complete recertification and re-accreditation testing and evaluation of the general ledger system, and follow through on action plans to fix problems effectively and in a timely manner.

The agency, which oversees the securities industry to protect investors, has corrected 58 of the 71 weaknesses reported the previous year, in large part because SEC’s senior managers took part in activities to implement IT security, including establishing policies and procedures for risk management, ensuring that all users complete security training and developing an incident response program.

Despite this progress, the report says SEC has acted inconsistently to safeguard the confidentiality, integrity and availability of its sensitive data and the systems on which it runs. GAO cited weaknesses in access controls, boundary protection, identification and authentication, authorization, and configuration management.

For example, SEC did not have current documentation of the privileges granted to users of a major application, did not securely configure certain system settings and has not consistently installed all patches on its systems. “As a result, the commission’s financial and sensitive data are at increased risk of unauthorized disclosure, modification or destruction,” Wilshusen said.

SEC agreed that it needed to maintain momentum to address the remaining IT security gaps. Since the audit, the commission has deployed software on agency workstations to protect against malicious code attacks, put in place a process to ensure that the agency follows its policy of assigning risk classifications to application changes, and completed yearly security awareness training for all employees.

“Since the mission of the SEC is to ensure strong internal controls within all U.S. public companies, it is imperative that the agency and its staff hold ourselves to the highest standards in this area,” said SEC Chairman Christopher Cox and CIO Corey Booth in a letter in response to GAO.