[ISN] GAO: SEC's info security not up to snuff

InfoSec News isn at c4i.org
Thu Apr 6 04:27:23 EDT 2006


http://www.fcw.com/article92839-04-05-06-Web

By Dibya Sarkar
Apr. 5, 2006 

Congressional investigators said the Securities and Exchange
Commission is not doing a good job of strengthening the security of
its information systems, leaving them vulnerable to illegal access or
disruption.

In a new report released last week, Government Accountability Office
investigators said SEC officials have addressed only eight of 51
weaknesses detailed in an earlier GAO report. Among the improvements,
SEC officials replaced a publicly accessible workstation and changed
control procedures for a major application.

"However, SEC did not effectively control remote access to its
servers, establish controls over password composition and storage, or
manage access to its systems and data," the report states. "Further,
the commission did not securely configure all its network devices and
servers, nor did it implement auditing and monitoring mechanisms to
detect and track security-relevant incidents."

The problem is that SEC officials have not yet fully developed,
documented and implemented a comprehensive information security
program, the report states. The commission still needs to develop or
document policies and procedures that assess risks, test and evaluate
effectiveness of controls, monitor and report corrective action, and
analyze security incidents, according to the report. The commission
also needs to ensure that employees have the proper training, the
report states.

GAO also found 15 security weaknesses in addition to the 43 that still
need to be corrected. SEC officials have not implemented consistent
and effective access controls over user accounts and passwords, among
other problems, according to the report. The commission also needs to
do a better job of addressing physical security challenges, software
patch management processes, segregation of computer functions and
application change controls, which ensure only authorized programs and
modifications are implemented, the report states.

"These weaknesses increase the risk that financial and sensitive
information will be inadequately protected against disclosure,
modification, or loss, possibly without detection, and place SEC
operations at risk of disruption," the report states.

That's not to say the SEC hasn't made some improvements. It has
increased the number of security employees, certified and accredited
several major applications and established a backup data center,
according to the report.

According to the GAO report, Christopher Cox, the SEC's chairman,
agreed with the findings and said the commission is taking steps to
improve the security program.

In a March 24 letter to GAO, Cox wrote, for example, that 16 major
applications have been certified and accredited, and the remaining
four will be accredited during the spring. The commission is
maintaining and tracking its "plans of action and milestones" through
a new automated system, he added.

Cox wrote that GAO's recommendations are appropriate and actionable
and that the SEC will implement them before October, the end of fiscal
2006. Those actions include fixing specific weaknesses and
implementing an agencywide information security program.





More information about the ISN mailing list