The Securities and Exchange Commission, heavily reliant on computerized systems, needs to continue improving its information security program, GAO has said after examining security plans, policies, and practices, interviewing officials, and conducting tests of operational controls.
The SEC has made important progress toward correcting previously reported information security control weaknesses, GAO said, noting that it has corrected or mitigated 8 of 20 previously reported weaknesses.
For example, the agency has documented authorizations for software modifications, developed a comprehensive program for monitoring access activities to its computer network environment, and tested and evaluated the effectiveness of controls for the general ledger system, according to GAO-08-280.
It said the commission has developed remedial action plans to mitigate identified weaknesses in its systems and developed a mechanism to track the progress of actions to correct deficiencies.
GAO attributed the progress to a senior management actively engaged in implementing information security measures.
