Do As I Say, Not As I Do
An investigation by the Government Accountability Office ("GAO") recently revealed continued widespread flaws in the SEC's information security controls that have left the agency's financial and sensitive information vulnerable to attacks by computer hackers. The GAO's findings followed an extensive five-month investigation at the SEC's headquarters and nearby computer facility. According to the GAO, the SEC has failed to limit remote access to its servers, establish controls over passwords, securely configure all network devices and establish security-monitoring procedures. The GAO report concluded, "Overall, the SEC has not effectively implemented information security controls to properly protect the confidentiality, integrity, and availability of its financial and sensitive information and information systems."
Information security issues are nothing new for the SEC. As recently as last fall, the GAO released a report detailing no fewer than 51 different weaknesses in the SEC's information security protocol. According to the latest GAO report, only 8 of the 51 previously identified weaknesses were corrected, and an additional 15 new weaknesses were found. SEC Chairman Christopher Cox responded to the GAO's latest report by stating that the SEC is moving to address its information security issues and that it has made "significant strides" in upgrading its computer security in recent months.
The SEC demands tight internal controls from the companies it investigates. Yet the SEC has failed to implement tight internal controls to protect the highly sensitive information that its investigations uncover. The SEC does not have to be perfect, but it has to lead by example. If the SEC is going to demand that companies implement tight controls, then the SEC must implement even tighter controls to govern its own activities. The GAO report demonstrates the SEC's failure to live up to the very high standards the agency has set (and should set) for others. The SEC's failure to effectively protect its information presents a very real and serious risk (see a recent Reuters story detailing the potential fallout if a hacker were able to breach the SEC's lax computer security measures). Hopefully, the SEC can remedy this problem soon, not only to protect the information it houses, but also to set a better example for the companies it investigates.