http://w
ww.fcw.com/article92839-04-05-06-Web
By Dibya Sarkar
Apr. 5, 2006
Congressional investigators said the Securities and Exchange
Commission is not doing a good job of strengthening the
security of
its information systems, leaving them vulnerable to illegal
access or
disruption.
In a new report released last week, Government
Accountability Office
investigators said SEC officials have addressed only eight
of 51
weaknesses detailed in an earlier GAO report. Among the
improvements,
SEC officials replaced a publicly accessible workstation and
changed
control procedures for a major application.
"However, SEC did not effectively control remote
access to its
servers, establish controls over password composition and
storage, or
manage access to its systems and data," the report
states. "Further,
the commission did not securely configure all its network
devices and
servers, nor did it implement auditing and monitoring
mechanisms to
detect and track security-relevant incidents."
The problem is that SEC officials have not yet fully
developed,
documented and implemented a comprehensive information
security
program, the report states. The commission still needs to
develop or
document policies and procedures that assess risks, test and
evaluate
effectiveness of controls, monitor and report corrective
action, and
analyze security incidents, according to the report. The
commission
also needs to ensure that employees have the proper
training, the
report states.
GAO also found 15 security weaknesses in addition to the 43
that still
need to be corrected. SEC officials have not implemented
consistent
and effective access controls over user accounts and
passwords, among
other problems, according to the report. The commission also
needs to
do a better job of addressing physical security challenges,
software
patch management processes, segregation of computer
functions and
application change controls, which ensure only authorized
programs and
modifications are implemented, the report states.
"These weaknesses increase the risk that financial and
sensitive
information will be inadequately protected against
disclosure,
modification, or loss, possibly without detection, and place
SEC
operations at risk of disruption," the report states.
That's not to say the SEC hasn't made some improvements.
It has
increased the number of security employees, certified and
accredited
several major applications and established a backup data
center,
according to the report.
According to the GAO report, Christopher Cox, the SEC's
chairman,
agreed with the findings and said the commission is taking
steps to
improve the security program.
In a March 24 letter to GAO, Cox wrote, for example, that 16
major
applications have been certified and accredited, and the
remaining
four will be accredited during the spring. The commission is
maintaining and tracking its "plans of action and
milestones" through
a new automated system, he added.
Cox wrote that GAO's recommendations are appropriate and
actionable
and that the SEC will implement them before October, the end
of fiscal
2006. Those actions include fixing specific weaknesses and
implementing an agencywide information security program.
_________________________________
Donate online for the Ron Santo Walk to Cure Diabetes
http://www.c4i.org/etha
n.html
|