A report by the Government Accountability Office finds that while the Securities and Exchange Commission has made strides in improving the security of its data and resolving previously identified problems, “weaknesses continue to limit the effectiveness of other security controls.”
The assessment is a follow-up to a security-focused audit GAO previously conducted of the Commission's fiscal years 2014 and 2015 financial statements. The objective was to determine the effectiveness of information security controls for protecting the confidentiality, integrity, and availability of key financial systems and information. To do this, the audit examined information security policies, plans, and procedures; tested controls over key financial applications; interviewed agency officials; and assessed corrective actions taken to address previously reported weaknesses.
Subsequently, the SEC addressed several identified problems, including separating its user production network from the internal management network. Of 20 weaknesses previously identified by GAO, it had resolved five and “made progress” in addressing the other 15 as of Sept. 30, 2015. Plenty of work, however, still remains.
“While SEC had issued policies and implemented controls based on those policies, it did not consistently protect access to its systems,” GAO warns in its new report. “Organizations should design and implement controls to prevent, limit, and detect unauthorized access to computer resources. The commission did not consistently protect its network from possible intrusions, identify and authenticate users, authorize access to resources, audit and monitor actions taken on its systems and network, and restrict physical access to sensitive assets.”
The GAO report warns that:
The Commission does not consistently manage the configuration of its systems. Configuration management includes ensuring that hardware and software are configured with appropriate security features and that changes are systematically controlled. The SEC, however, did not maintain and monitor official configuration baselines for its financial systems and general support system.
The SEC does not always appropriately separate incompatible duties. Separation of duties involves dividing responsibilities so that a single individual does not control all critical stages of a process. The Commission did not adequately separate duties among its three computing environments.
While SEC developed contingency and disaster recovery plans for its information systems, those plans were not fully reviewed, completed, or kept up to date. Contingency and disaster recovery planning are essential to resuming operations in the event of a disruption or disaster.
These weaknesses exist, in part, because SEC has not fully implemented an organization-wide information security program, as called for by federal law and guidance. In particular, it has not: consistently reviewed and updated its information security policies in a timely manner; completely documented plans of action to address weaknesses; documented a physical inventory of its systems and applications; and fully implemented a program to continuously monitor the security of its systems and networks.
“Collectively, these weaknesses increase the risk that SEC's systems could be compromised, jeopardizing the confidentiality, integrity, and availability of sensitive financial information,” GAO wrote. “While not constituting material weaknesses or significant deficiencies, they warrant SEC management's attention.”