The GAO raised the issue of SEC data security about a year ago and made a series of recommendations to our nation's top securities regulator about how the agency might shore up potential gaps. A year later and the GAO is whacking the SEC again for failing to follow through on the necessary changes:

Via Government Computer News:

SEC has failed to fix security gaps, GAO says

April 3, 2006
Government Computer News
By Mary Mosquera, GCN Staff

Information security weaknesses persist at the Securities Exchange Commission because the agency has not followed through on recommendations the Government Accountability Office made last year for comprehensive, agencywide information security. SEC has implemented just a few of its recommendations, GAO said in a report...

...SEC’s information security weaknesses remain in large part because the agency has not put in place and documented key elements of a comprehensive information security program to ensure that effective controls are established, the report said. “Until SEC implements such a program, its facilities and computing resources and the information that is processed, stored and transmitted on its systems will remain vulnerable,” said Gregory Wilshusen, director of GAO’s information security issues, said in the report released Friday...

...“The remaining four major applications are on track to be accredited during the spring,” said SEC chairman Christopher Cox in a written response. By October, SEC plans to fix weaknesses that GAO highlighted, including directing the SEC CIO to fully implement an agencywide information security program, assessing systems risk, beginning testing and evaluation program for security controls and tracking remedial action to reduce risk, Cox said.

More from the article here. And click here to download a PDF copy of the new GAO report.

-- MDT

Labels: GAO