dChan
Anonymous ID: 91d8c0 July 28, 2018, 1:21 p.m. No.2328074   🗄️.is 🔗kun

https://www.gao.gov/mobile/products/GAO-17-469

What GAO Found

The Securities and Exchange Commission (SEC) improved the security controls over its key financial systems and information. In particular, as of September 2016, the commission had resolved 47 of the 58 recommendations we had previously made that had not been implemented by the conclusion of the FY 2015 audit. However, SEC had not fully implemented 11 recommendations that included consistently protecting its network boundaries from possible intrusions, identifying and authenticating users, authorizing access to resources, auditing and monitoring actions taken on its systems and network, or encrypting sensitive information while in transmission.

In addition, 15 newly identified control deficiencies limited the effectiveness of SEC's controls for protecting the confidentiality, integrity, and availability of its information systems. For example, the commission did not consistently control logical access to its financial and general support systems. In addition, although the commission enhanced its configuration management controls, it used unsupported software to process financial data. Further, SEC did not adequately segregate incompatible duties for one of its personnel. These weaknesses existed, in part, because SEC did not fully implement key elements of its information security program. For example, SEC did not maintain up-to-date network diagrams and asset inventories in its system security plans for its general support system and its key financial system application to accurately and completely reflect the current operating environment. The commission also did not fully implement and continuously monitor those systems' security configurations. Twenty-six information security control recommendations related to 26 deficiencies found in SEC's financial and general support systems remained unresolved as of September 30, 2016.

 

https://www.gao.gov/mobile/product_recommendations/GAO-17-469

1 Recommendation: To effectively manage its information security program, the Chairman of the SEC should maintain up-to-date network diagrams and asset inventories in the system security plans for General Support System and a key financial system to accurately and completely reflect the current operating environment.

2 Priority Recommendation

3 Agency Affected: United States Securities and Exchange Commission

4 Status: Open

5 Comments: SEC agreed with this recommendation and has taken initial steps to implement it. Specifically, the agency made progress both in updating its systems security plans with network diagrams and in creating a hardware asset inventory. However, as of June 2018, information in SEC's system security plans and inventories were not fully up to date. To fully implement this recommendation, the agency should complete a full inventory of its information systems, including providing consistent and accurate representation of its operating environment and provide more certainty on the status of systems' information controls.

 

1 Recommendation: To effectively manage its information security program, the Chairman of the SEC should perform continuous monitoring using automated configuration and vulnerability scanning on the operating systems, databases, and network devices.

2 Priority Recommendation

3 Agency Affected: United States Securities and Exchange Commission

4 Status: Open

5 Comments: SEC agreed with this recommendation and has taken initial steps to implement it. Specifically, the agency deployed scanning software and performed vulnerability and configuration scanning. However, as of June 2018, SEC's infrastructure components were not fully configured in a secure manner and automated scanning was not fully deployed according to configuration baselines. To fully implement this recommendation, SEC must ensure that scanning for vulnerabilities across components of key financial systems is performed consistently and against an approved baseline.

 

 

https://www.gao.gov/cghome/gdbiog.html

Gene L. Dodaro became the eighth Comptroller General of the United States and head of the U.S. Government Accountability Office (GAO) on December 22, 2010, when he was confirmed by the United States Senate. He was nominated by President Obama in September of 2010 from a list of candidates selected by a bipartisan, bicameral congressional commission. He had been serving as Acting Comptroller General since March of 2008. >>Mr. Dodaro is married to the former Joan McCabe and has three adult children.