The US Securities and Exchange Commission must bolster itsinformation security to protect corporate financial data and othersensitive information stored in its IT systems, according to areport released late last month by the Government AccountabilityOffice.

The report found that the SEC has corrected or mitigated onlyeight of 51 weaknesses cited by the GAO in a report last year, aresponse the oversight office of the U.S. Congress calledinadequate. The report identified 15 new vulnerabilities inaddition to those on last year’s list.

Corrective actions taken by the SEC over the past year includereplacing a vulnerable, publicly accessible workstation, anddeveloping and implementing change-control procedures for anundisclosed major application.

The report found that the financial regulatory agency has notyet effectively controlled remote access to its servers,established adequate controls over passwords, or managed access toits systems and data. In addition, the SEC has yet to securelyconfigure network devices and servers or implement auditing andmonitoring mechanisms to detect and track security incidents.

Weak controls

Most of the newly discovered weaknesses are related toelectronic-access controls such as user accounts and passwords,access rights and permissions, and network devices and services,the GAO said.

For example, the GAO said the SEC has not adequately controlleduser accounts and passwords to ensure that only authorizedindividuals can access its systems and data.

In addition, the GAO found that the SEC permits users to modifysensitive information or critical system files and directorieswithout required permissions, increasing the risk that the SEC’sapplications and sensitive financial data could be compromised.

The report determined that the vulnerabilities continue to leavesensitive SEC financial information without sufficient protectionagainst disclosure, modification or loss.

Until the SEC fully develops, implements and documents keyelements of an information security program to ensure thateffective controls are in place and are maintained, its informationsystems will remain at risk and be vulnerable to disruption, theGAO said.

In a written response, the SEC said it agrees with the agency’sfindings and is focusing on implementing its recommendations.