GAO: SEC must address new and unresolved IT vulnerabilities


The U.S. Securities and Exchange Commission needs improvement in internal cybersecurity controls and accounting procedures, according to a recent GAO report. A significant portion of the 45-page document focused on information security deficiencies.

In the agency's 2009 annual financial statement audit, the GAO identified seven weaknesses in information security controls. According to the report, the SEC did not adequately:

  • Segregate computer-related duties and functions,
  • Restrict user privileges,
  • Implement patches and current software versions,
  • Use approved, secure means to transmit data,
  • Implement configuration management, and
  • Complete a certification and accreditation of its general ledger system and supporting processes during the fiscal year.

Prior SEC audits from 2005, 2007, 2008 and 2009 identified 43 security weaknesses in information system controls. At the time of the March 16 report, 22 of the associated corrective actions remained unresolved. Authorization proves to be an especially challenging category for the SEC: only one of the five recommendations in that area has been successfully completed. Configuration management, especially in the area of patches and upgrades, also needs attention, with 10 out of 13 corrective actions unresolved for the category.

For more:
- read the GAO report (.pdf)
