Information Security: Sustained Progress Needed to Strengthen Controls at the Securities and Exchange Commission

摘要

SEC has made important progress toward correcting previously reported information security control weaknesses. Specifically, it has corrected or mitigated 58 of the 71 weaknesses previously reported as unresolved at the conclusion of GAO's 2005 audit. The commission resolved all of the previously reported weaknesses in security related activities and contingency planning, and made significant progress in resolving access control weaknesses. A key reason for its progress was that SEC's senior management was actively engaged in implementing information security related activities. Despite this progress, SEC has not consistently implemented certain key controls to effectively safeguard the confidentiality, integrity, and availability of its financial and sensitive information and information systems. In addition to 13 previously identified weaknesses that remain unresolved, 15 new information security weaknesses were identified. By the conclusion of GAO's review, SEC took action to address 11 of the 15 new weaknesses. A primary reason for these control weaknesses is that SEC had not consistently implemented elements of its information security program. This included inconsistent implementation of agency policies and procedures, not sufficiently testing and evaluating the effectiveness of controls for a major system as required by its certification and accreditation process, and not consistently taking effective and timely action to correct deficiencies identified in remedial action plans. Until SEC does, it will have limited assurance that it will be able to manage risks and protect sensitive information on an ongoing basis.