The GAO has published a new report after analyzing SEC’s systems

Apr 18, 2014 17:05 GMT

In a report published on Thursday, the United States Government Accountability Office (GAO) noted that the Securities and Exchange Commission (SEC) needs to further improve its information security controls.

While GAO acknowledges that SEC has made progress in this area, there are still some weaknesses that need to be addressed.

For instance, the report highlights issues with access controls, patch management, contingency and disaster recovery planning, and segregation of duties.

As far as access controls are concerned, the SEC has not restricted physical access to sensitive information, has not encrypted sensitive information, has not audited and monitored its systems, and has not focused enough on user account management.

Furthermore, the SEC hasn’t applied software patches quickly enough, and it hasn’t properly segregated development and production computing environments.

When it comes to contingency and disaster recovery planning, the GAO has found that although there are plans in place, the commission hasn’t ensured “redundancy of a critical server.”

“The information security weaknesses existed, in part, because SEC did not effectively oversee and manage the implementation of information security controls during the migration of this key financial system to a new location,” the report by the GAO reads.

“Specifically, during the migration, SEC did not consistently oversee the information security-related work performed by the contractor and effectively manage risk,” it continues.

“Until SEC mitigates control deficiencies and strengthens the implementation of its security program, its financial information and systems may be exposed to unauthorized disclosure, modification, use, and disruption.”

Thomas Bayer, the SEC’s chief information officer, has responded to the report, admitting that the organization has yet to achieve its goals as far as information security is concerned.

As far as the lack of contractor oversight is concerned, Bayer says that the SEC remains confident that its “layered defense architecture” would have enabled it to detect and respond to potential intrusions efficiently.

Regarding risk management, Bayer noted, “The Office of Information Technology has implemented project risk management processes and an Information Security Risk Management Program that include identifying and conveying risks, performing security impact analyses, and mitigating identified risks, as appropriate.”

However, he admits that disaster recovery plans have not been updated or tested due to “time constraints.”

“In 2014, the SEC will continue to optimize our controls and further improve the security of our systems that support financial processes and our overall risk management process,” the CIO noted.