BreachExchange mailing list archives

Federal watchdog says SEC security issues put financial data at risk


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 23 Apr 2014 18:47:20 -0600

http://www.scmagazine.com/federal-watchdog-says-sec-security-issues-put-financial-data-at-risk/article/343345/

A congressional watchdog has tasked the U.S. Securities and Exchange
Commission (SEC) with addressing a number of security weaknesses impacting
its system.

On Thursday, the U.S. Government Accountability Office (GAO) released a
report (http://media.scmagazine.com/documents/67/gao_on_sec_security_issues_16737.pdf)
detailing the issues, which included SEC not encrypting sensitive data, not
properly identifying and authenticating users, and not securely configuring a
vital financial system, leaving it vulnerable to attack.

According to the 25-page report, “the information security weaknesses
existed, in part, because SEC did not effectively oversee and manage the
implementation of information security controls during the migration of
this key financial system to a new location.”

The watchdog said that SEC did not adequately oversee a contractor it hired
to migrate its systems to a different data center last June.

As a result of SEC's need to improve security controls, GAO determined that
the agency – which regulates the securities market, including exchanges,
brokers, dealers and investment firms – had a “significant deficiency in
internal control over financial reporting for fiscal year 2013.”

GAO recommended that the SEC assign security staff to monitor contractors
performing security-related tasks, and that it improve its risk management
operations.

In response to the findings, SEC's Chief Information Officer Thomas Bayer
wrote in a letter (page 22 of the report) that the agency would "continue
to optimize our controls and further improve the security of our systems
that support financial processes and our overall risk management process."

GAO's report was based on an audit for the fiscal years 2012 and 2013.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail sales () riskbasedsecurity com
