The Securities and Exchange Commission, which relies on computerized systems to support financial and mission operations, “has not effectively implemented information system controls to protect the integrity, confidentiality, and availability of its financial and sensitive data,” the Government Accountability Office has said following an audit of the agency’s fiscal 2004 financial statements.
It said SEC has not consistently implemented effective control over access, including the regulation of “user accounts and passwords, access rights and permissions, network security, or audit and monitoring of security-relevant events to prevent, limit, and detect access to its critical financial and sensitive systems.”
Weaknesses in other areas, such as physical security, inadequate segregation of computer functions, control over changes to applications, and “service continuity,” all put sensitive data, such as payroll and financial transactions, personnel data, and regulatory and other critical data, at risk of undetected modification, loss, or disclosure.
One reason for the overall weakness of SEC’s information security, according to GAO-05-262, is that the agency “has not fully developed and implemented a comprehensive agency information security program to provide reasonable assurance that effective controls are established and maintained and that information security receives sufficient management attention.”
While SEC has established a central security management function and appointed a senior information security officer to manage the program, it has yet to clearly define roles and responsibilities for security personnel, said GAO.