SEC failed to fix security holes; two dozen new ones found

GAO audit finds the commission's weak practices leave financial data open to attack.

The Securities and Exchange Commission failed to deploy proper security controls to protect computer networks from unauthorized access, leaving sensitive financial information at risk, according to a report the Government Accountability Office released on Tuesday.

As part of a fiscal 2008 audit of financial statements, GAO evaluated the effectiveness of SEC's information security controls for key financial systems, data, and networks. The agency concluded in the report that weaknesses in information security cause "a significant deficiency" in protecting information systems and data used for financial reporting.

SEC corrected or mitigated 18 deficiencies in its security controls that GAO identified in a prior audit, which the auditor released in February 2008. SEC improved identity management processes and the security of the perimeter of its operations center, more consistently monitored unusual and suspicious network activities, and removed network system accounts and data center access rights for employees who left the agency.

But SEC has yet to address 16 other weaknesses GAO identified in the previous report, including failing to adequately document access privileges for a database application that manages information submitted by companies.

GAO identified 23 new weaknesses in controls intended to restrict access to data and certain systems that "jeopardize the confidentiality, integrity and availability of SEC's financial and sensitive information and information systems," the report stated.

SEC did not consistently enforce identification and authentication of users accessing the systems, for example, and did not always sufficiently restrict system privileges to only those users who needed access to the information to perform their jobs. The commission also did not always ensure that information transmitted over the network was adequately encrypted, nor did it configure all database systems to allow necessary auditing and monitoring of how information was accessed, GAO reported.

"Previously reported and newly identified weaknesses hinder the commission's ability to perform vital functions and increase the risk of unauthorized disclosure, modification or destruction of financial information," the report noted.

GAO attributed many of the shortcomings to SEC's failure to put an effective security program in place that enforces security policies and procedures. The position of the senior agency information security officer, which the SEC chief information officer is required to appoint under the Federal Information Security Management Act, has been vacant for eight months and an announcement has not yet been posted advertising the position.

"Until SEC mitigates known information security weaknesses in access controls and other information system controls and fully implements a comprehensive agencywide information security program, its financial information will remain at increased risk of unauthorized disclosure, modification, or destruction, and its management decisions may be based on unreliable or inaccurate information," GAO reported.

In a letter responding to the report, SEC Chairwoman Mary Schapiro agreed with the recommendations and said the commission is "on track to address new findings and to complete remediation of prior year findings."
