A recently released report from the U.S. Government Accountability Office said that while the SEC has improved its information security by addressing previously identified weaknesses, there is still room for improvement in its controls over financial systems and data.
The GAO identified weaknesses in the SEC's controls such as failure to consistently protect its network from outside intrusions as well as improper management of systems configurations. The report also indicated that the SEC did not fully update, review or complete its information system's contingency and disaster recovery plans, and did not always appropriately separate incompatible and critical duties in its three computing environments.
According to the GAO, the problems partly stem from the agency's failure to fully implement a federally required organizationwide information security program. Among other things, the GAO also called out the SEC for not regularly updating and reviewing its policies on information security and failing to implement a means to have its systems and networks continuously monitored.
The GAO said that of 20 weaknesses it previously identified that remained unresolved as of Sept. 30, 2014, the SEC had resolved five and made progress in addressing the other 15 as of Sept. 30, 2015. Two resolved weaknesses were important to improving SEC security.