Securities commission rife with security gaps, GAO says
Agency charged with regulating other companies’ financial systems has regulation problems of its own.
The Securities and Exchange Commission, which is charged with regulating financial systems and controls of publicly trade companies and monitoring securities markets, has trouble regulating its own financial data, according to the Government Accountability Office.
In a report (GAO-05-262) issued Thursday, GAO said the commission lacks standard information security controls such as user accounts and passwords, dividing tasks among more than one person, and physical security of computers. As a result of the weaknesses, sensitive payroll, personnel and regulatory data are at risk of being stolen or modified, the GAO said.
While for the most part the information is accessible only to SEC employees, GAO identified at least one situation in which computers were sitting in a public space in SEC's Washington building, where members of the public conceivably could access sensitive data.
Gregory Wilshusen, director of GAO's information security issues team and lead author of the report, said members of the public could find sensitive data if they were familiar with the computer system. "You would have to be able to exploit vulnerabilities to gain access to internal data," he said.
SEC only recently established a central security management program, and GAO said the commission has not clearly defined the responsibilities of personnel responsible for information security. Prior to this report, GAO had not looked at SEC's information security. GAO also issued a second, nonpublic report with more detailed information about security weaknesses.
Wilshusen said that when agencies install a new computer system to manage sensitive data, they first leave it relatively open in order to make it easy to install. "It's important to then go in and delete or disable services that you don't need," he said.
Security controls, such as user names and passwords, enable computer actions to be traced back to the person who performed the action. The report found that the SEC gave out passwords that were easy to guess, and didn't cut off access to terminated employees, including one who still had access eight months after leaving.
"These practices increase the risk that individuals might gain unauthorized access to SEC resources without attribution," the report said.
GAO found the commission to be in violation of both the OMB's 2003 regulation requiring agencies to ensure that their information systems are secure as well as the 2002 Federal Information Security Management Act, which also requires certain information security controls.
In a letter included in the report, SEC generally agreed with GAO's recommendations and said the commission is working to address them. SEC attributed the weaknesses to "our historic lack of a comprehensive agency program to manage information security."
SEC said it would complete the GAO's recommendations by June 2006.