Stay up-to-date with the latest developments in securities law through access to both news and all statutes and regulations. Find relevant corporate filings through a searchable EDGAR database. And...
April 28 — The Securities and Exchange Commission needs to improve its controls over information security, the Government Accountability Office said April 28.
While the agency has addressed previously identified problems, including separating the user production network from the internal management network, “weaknesses continue to limit the effectiveness of other security controls.”
The report was based on GAO's audit of the commission's financial statements for fiscal years 2014 and 2015.
Although the agency had security policies and controls, it didn't consistently protect access to its systems, GAO said. In particular, it reported, the commission didn't consistently protect its network from possible intrusions, authenticate users, authorize access to resources, monitor actions taken on its systems or restrict access to sensitive assets. It also didn't consistently manage the configuration of its systems or appropriately separate incompatible duties, according to the report. A single individual shouldn't control all critical stages of a process, according to GAO.
In addition, it wrote, the agency's contingency and disaster recovery plans for its information systems weren't up to date. These and other weaknesses existed in part because SEC didn't fully implement an agency-wide information security program.
In other matters, GAO said that of 20 previously identified weaknesses that weren't resolved as of the end of fiscal 2014, the SEC had resolved five and made progress on the other 15 as of the end of the following fiscal year. 2015.
The weaknesses increase the risk that SEC's systems could be compromised, jeopardizing the confidentiality sensitive financial information, GAO said. “While not constituting material weaknesses or significant deficiencies, they warrant SEC management's attention.”
In addition to the 15 earlier recommendations that haven't been fully implemented, GAO said, it is recommending that the SEC:
GAO added that in a separate report with limited distribution, it recommended that the SEC take 30 actions to address newly identified control weaknesses.
In comments on a draft report, Chief Information Officer Pamela Dyson concurred with GAO's recommendations.
To contact the reporter on this story: Phyllis Diamond in Washington at firstname.lastname@example.org
To contact the editor responsible for this story: Susan Jenkins at email@example.com
To see GAO Report No. 16-493, Opportunities Exist for SEC to Improve Its Controls Over Financial Systems and Data, go to http://src.bna.com/ev0.
Notify me when updates are available (No standing order will be created).
Put me on standing order
Notify me when new releases are available (no standing order will be created)