Still, the SEC has yet to complete actions to correct 12 previously reported weaknesses, GAO said. It said, for example, that workstations remain susceptible to malicious code attacks and perimeter security is not properly implemented at its Operations Center.
SEC has not consistently implemented effective controls to prevent, limit, or detect unauthorized access to computing resources, according to the report.
It said the agency did not always consistently enforce strong controls for identifying and authenticating users, or limit user access to only those individuals who need such access to perform their job functions, partly because the agency has not yet fully implemented its information security program to ensure that controls are appropriately designed and operating effectively.
The SEC Chairman characterized the findings as an opportunity for further improvement and said the agency is on track to address shortcomings identified in the report in the current fiscal year.
