GAO Takes SEC to Task Over Vulnerable Financial Systems

In an audit, the Government Accountability Office (GAO) said that “a key financial system” at the SEC has weaknesses in several controls across the network, servers, applications and databases, including access controls, patch management, segregation of duties and contingency/disaster recovery planning.

“Until SEC mitigates control deficiencies and strengthens the implementation of its security program, its financial information and systems may be exposed to unauthorized disclosure, modification, use and disruption,” the GAO said in its report. “These weaknesses, considered collectively, contributed to GAO’s determination that SEC had a significant deficiency in internal control over financial reporting for fiscal year 2013.”

When it comes to access, the SEC “did not consistently protect its system boundary from possible intrusions; identify and authenticate users; authorize access to resources; encrypt sensitive data; audit and monitor actions taken on the commission’s networks, systems, and databases; and restrict physical access to sensitive assets.”

Nor did the SEC securely configure the system at its new data center according to its own configuration baseline requirements, and it did not consistently apply software patches intended to fix vulnerabilities to servers and databases in a timely manner.

The GAO also found that the SEC did not adequately segregate its development and production computing environments. For example, development user accounts were active on the system’s production servers.

Finally, when it comes to contingency and disaster recovery planning, the SEC has put many plans in place but has not ensured redundancy for a critical server.

“The information security weaknesses existed, in part, because SEC did not effectively oversee and manage the implementation of information security controls during the migration of this key financial system to a new location,” the GAO said. “Specifically, during the migration, SEC did not (1) consistently oversee the information security-related work performed by the contractor and (2) effectively manage risk.”
