GAO Reports Lax Data Protection At Securities And Exchange Commission - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
IoT
Infrastructure

GAO Reports Lax Data Protection At Securities And Exchange Commission

The Securities and Exchange Commission hasn't effectively implemented IT controls to protect the integrity, confidentiality, and availability of its financial and sensitive data, congressional auditors find.

Personal data held in a government database is at increased risk of unauthorized disclosure, modification, or loss—possibly without anyone knowing, government auditors reported Thursday.

The Government Accountability Office, the investigative arm of Congress, contends the Securities and Exchange Commission hasn't effectively implemented IT controls to protect the integrity, confidentiality, and availability of its financial and sensitive data.

Specifically, the GAO says in a 29-page report—addressed to SEC chairman William Donaldson—that the SEC hadn't consistently implemented effective electronic access controls, including user accounts and passwords, access rights and permissions, network security, and audit and monitoring of security-relevant events to prevent, limit, and detect access to its critical financial and sensitive systems.

In addition, the report says, weaknesses in other information system controls, including physical security, segregation of computer functions, application change controls, and service continuity, further increase risk to the SEC's information systems. "As a result, sensitive data—including payroll and financial transactions, personnel data, regulatory, and other mission-critical information—were at increased risk of unauthorized disclosure, modification, or loss, possibly without detection," Gregory Wilshusen, the GAO's director of information security issues, wrote in the report.

A major factor for the SEC's IT control weaknesses is that the commission hasn't fully developed and implemented a comprehensive agency information security program to provide reasonable assurance that effective controls are established and maintained and that information security receives sufficient management attention, Wilshusen says. Although the SEC has taken some actions to improve security management, including establishing a central security-management function and appointing a senior information security officer to manage the program, it had not clearly defined roles and responsibilities for security personnel.

In addition, the GAO says, the SEC had not fully assessed its risks, established or implemented security policies, promoted security awareness, and tested and evaluated the effectiveness of its information system controls. The commission doesn't have a solid foundation for resolving existing information system control weaknesses and continuously managing information security risks, Wilshusen says.

In response, the SEC agreed with the GAO recommendations that the commission's CIO Corey Booth moves to fully develop and implement an effective, agencywide information security program. In a letter to Wilshusen, Booth assured the GAO that the SEC already is addressing the problems raised by congressional auditors.

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
Slideshows
Reflections on Tech in 2019
James M. Connolly, Editorial Director, InformationWeek and Network Computing,  12/9/2019
Slideshows
What Digital Transformation Is (And Isn't)
Cynthia Harvey, Freelance Journalist, InformationWeek,  12/4/2019
Commentary
Watch Out for New Barriers to Faster Software Development
Lisa Morgan, Freelance Writer,  12/3/2019
White Papers
Register for InformationWeek Newsletters
State of the Cloud
State of the Cloud
Cloud has drastically changed how IT organizations consume and deploy services in the digital age. This research report will delve into public, private and hybrid cloud adoption trends, with a special focus on infrastructure as a service and its role in the enterprise. Find out the challenges organizations are experiencing, and the technologies and strategies they are using to manage and mitigate those challenges today.
Video
Current Issue
The Cloud Gets Ready for the 20's
This IT Trend Report explores how cloud computing is being shaped for the next phase in its maturation. It will help enterprise IT decision makers and business leaders understand some of the key trends reflected emerging cloud concepts and technologies, and in enterprise cloud usage patterns. Get it today!
Slideshows
Flash Poll