The Securities and Exchange Commission has made progress strengthening information security controls, but weaknesses exist in several controls for a key financial system’s network, servers, applications, and databases, GAO has said following an audit of the agency’s fiscal 2013 and 2012 financial statements.
It said, for example, that the SEC did not consistently protect its system boundary from possible intrusions; identify and authenticate users; authorize access to resources; encrypt sensitive data; audit and monitor actions taken on the commission's networks, systems, and databases; or restrict physical access to sensitive assets.
The SEC also did not securely configure the system at its new data center according to its configuration baseline requirements. In addition, it did not consistently apply software patches intended to fix vulnerabilities to servers and databases in a timely manner, according to GAO-14-419.
Further, it said the agency did not adequately segregate its development and production computing environments, and although the SEC had developed contingency and disaster recovery plans, it did not ensure redundancy of a critical server.
GAO said the weaknesses existed, in part, because SEC did not effectively oversee and manage the implementation of information security controls during the migration of this key financial system to a new location.
The agency generally agreed to more effectively oversee contractors performing security-related tasks and to improve risk management.