Sunday, June 26, 2022

US govt agency warned on weak IT security

The US Securities and Exchange Commission must bolster itsinformation security to protect corporate financial data and othersensitive information stored in its IT systems, according to areport released late last month by the Government AccountabilityOffice.

The report found that the SEC has corrected or mitigated onlyeight of 51 weaknesses cited by the GAO in a report last year, aresponse the oversight office of the U.S. Congress calledinadequate. The report identified 15 new vulnerabilities inaddition to those on last year’s list.

Corrective actions taken by the SEC over the past year includereplacing a vulnerable, publicly accessible workstation, anddeveloping and implementing change-control procedures for anundisclosed major application.

The report found that the financial regulatory agency has notyet effectively controlled remote access to its servers,established adequate controls over passwords, or managed access toits systems and data. In addition, the SEC has yet to securelyconfigure network devices and servers or implement auditing andmonitoring mechanisms to detect and track security incidents.

Weak controls

Most of the newly discovered weaknesses are related toelectronic-access controls such as user accounts and passwords,access rights and permissions, and network devices and services,the GAO said.

For example, the GAO said the SEC has not adequately controlleduser accounts and passwords to ensure that only authorizedindividuals can access its systems and data.

In addition, the GAO found that the SEC permits users to modifysensitive information or critical system files and directorieswithout required permissions, increasing the risk that the SEC’sapplications and sensitive financial data could be compromised.

The report determined that the vulnerabilities continue to leavesensitive SEC financial information without sufficient protectionagainst disclosure, modification or loss.

Until the SEC fully develops, implements and documents keyelements of an information security program to ensure thateffective controls are in place and are maintained, its informationsystems will remain at risk and be vulnerable to disruption, theGAO said.

In a written response, the SEC said it agrees with the agency’sfindings and is focusing on implementing its recommendations.

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

Related Tech News

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.