The U.S. Securities and Exchange Commission (SEC) has taken steps to improve its information security, but it still hasn't corrected several vulnerabilities found in February 2008, according to an auditor's report.
The SEC, the agency that oversees the struggling U.S. financial industry, has corrected 18 of the 34 information security weaknesses the U.S. Government Accountability Office found in February 2008, but the GAO has since identified 23 new weaknesses, the GAO said in a new report.
The new weaknesses are in controls intended to restrict access to data and systems, and in other controls "that continue to jeopardize the confidentiality, integrity, and availability of SEC's financial and sensitive information," the GAO said in its report, released Tuesday.
The major reason for the weaknesses is that the SEC has not fully implemented its information security program, has not filled the vacant senior information security officer position, and has not fully tested the effectiveness of its information security controls, the GAO said. "These weaknesses represent a significant deficiency in internal controls over the information systems and data used for financial reporting," the GAO's report said.
The SEC did not always enforce strong password settings on its enterprise database servers, and multiple people shared user accounts to enter system information on a key SEC enterprise data application, the GAO report said.
Passwords in plain text may have been available to unauthorized users, the report added.
In addition, the SEC did not always encrypt sensitive information, including communications between client computers and a key financial application's database servers, the report said. Users authenticating to a key enterprise database application also sent unencrypted passwords across the network.
The SEC also did not always provide adequate auditing and monitoring of enterprise databases, and it did not maintain complete audit trails of security-relevant activity by users and applications in those database applications, the GAO report said.
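The two findings above that leave a footprint in database connection logs, shared user accounts and sessions that send credentials in the clear, can be checked mechanically once an audit trail exists. The following is an added example, not code from the GAO report, the SEC, or any database vendor: it parses a constructed, hypothetical connection-log format (timestamp, account, client address, whether TLS was negotiated, statement type) and flags accounts used from several client hosts within a short window, which is the observable signature of a login that several people share, along with every session that ran without TLS. The log lines, the format, and the ten-minute window are assumptions made for the example; the third finding, an incomplete audit trail, is exactly what would make a check like this blind.

```python
"""Detection logic for shared database accounts and unencrypted sessions.

Added example; the log format below is hypothetical (not any real DBMS's audit
format) and the sample lines are constructed for illustration.

Assumed line format:
    <ISO-8601 timestamp> account=<login> client=<ip> tls=<yes|no> stmt=<statement type>
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample log: one application login used from three hosts within
# minutes, several sessions without TLS, and one well-behaved personal account.
SAMPLE_LOG = """\
2009-03-10T09:00:01 account=fin_app client=10.1.1.20 tls=no stmt=SELECT
2009-03-10T09:00:45 account=fin_app client=10.1.1.31 tls=no stmt=UPDATE
2009-03-10T09:02:10 account=fin_app client=10.1.1.42 tls=yes stmt=SELECT
2009-03-10T09:03:00 account=jsmith client=10.1.1.31 tls=yes stmt=SELECT
2009-03-10T09:30:00 account=jsmith client=10.1.1.31 tls=yes stmt=SELECT
2009-03-10T11:00:00 account=dba_admin client=10.1.2.5 tls=no stmt=ALTER
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) account=(?P<account>\S+) client=(?P<client>\S+) "
    r"tls=(?P<tls>yes|no) stmt=(?P<stmt>\S+)$"
)


def parse_log(text):
    """Parse log text into a list of dicts; a line that does not match is an
    error rather than silently skipped, so gaps in the trail are noticed."""
    events = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(raw)
        if not m:
            raise ValueError(f"line {lineno}: unparseable log line: {raw!r}")
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        rec["tls"] = rec["tls"] == "yes"
        events.append(rec)
    return events


def shared_accounts(events, window=timedelta(minutes=10), min_hosts=2):
    """Return {account: sorted client hosts} for every account that was used
    from at least `min_hosts` distinct client addresses inside one `window`.
    One person rarely works from several desks at once; several people sharing
    one login do exactly that."""
    by_account = defaultdict(list)
    for e in events:
        by_account[e["account"]].append(e)
    flagged = {}
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            hosts = {e["client"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(hosts) >= min_hosts:
                flagged[account] = sorted(hosts)
                break
    return flagged


def unencrypted_sessions(events):
    """(account, client) for every session negotiated without TLS: the login
    credentials and any data it touched crossed the network in the clear."""
    return [(e["account"], e["client"]) for e in events if not e["tls"]]


def audit_report(text):
    """Run both checks over a log and return the findings together."""
    events = parse_log(text)
    return {
        "shared_accounts": shared_accounts(events),
        "unencrypted_sessions": unencrypted_sessions(events),
    }


if __name__ == "__main__":
    report = audit_report(SAMPLE_LOG)
    for account, hosts in report["shared_accounts"].items():
        print(f"shared account {account}: used from {', '.join(hosts)}")
    for account, client in report["unencrypted_sessions"]:
        print(f"unencrypted session: {account} from {client}")
```

On a real deployment the window and host threshold should be tuned to how the application connects (a connection pool on one application server is one host, not many), and a login that legitimately comes from several hosts should be an individually named account per user or per service, not a shared one.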
Until those weaknesses are fixed, the SEC's "financial information will remain at increased risk of unauthorized disclosure, modification, or destruction, and its management decisions may be based on unreliable or inaccurate information," the GAO report said.
In response to the report, SEC Chairwoman Mary Schapiro said the agency generally agrees with the GAO recommendations.
But Schapiro also said the SEC has made "continued progress" toward improving information security. "Because in previous years the SEC had addressed many of the more common information security weaknesses, auditors have increasingly focused their reviews on a narrower set of relatively lower-level controls," she wrote in a response included in the GAO report.
The SEC will focus on authentication and encryption going forward, Schapiro wrote.