GAO: SEC information security has gaping holes

The Securities and Exchange Commission doesn't have a comprehensive information security program, and weaknesses in the system keep piling up, according to a new report by the Government Accountability Office.

The SEC has corrected 18 of the 34 weaknesses reported in a 2008 audit, but the GAO found 23 new ones in its latest audit.

Among the missing components of the SEC's security program:

* The commission has not filled the senior information security officer position.

* The SEC did not keep senior managers fully apprised of risks.

* System security tests were not always sufficient.

* A key intermediary subsystem was not certified and accredited.

"Because in previous years the SEC had addressed many of the more common information security weaknesses, auditors have increasingly focused their reviews on a narrower set of relatively lower-level controls," SEC Chairwoman Mary Schapiro wrote in response to the GAO report. "Since the conclusion of the audit in November 2008, we have made additional progress in resolving outstanding issues and further strengthening our information security program."

For more on the SEC's lapses:
- check out this Government Computer News article