The Government Accountability Office recently posted a report on the U.S. Securities and Exchange Commission's cybersecurity efforts, which the GAO found to be lacking in several critical areas. What were the main takeaways from the GAO's SEC cybersecurity report? And what does this report mean for the SEC's own authority to regulate cybersecurity for private companies?
The Government Accountability Office (GAO) provides independent, external audits for government agencies. The GAO recently performed an audit of cybersecurity at the Securities and Exchange Commission (SEC) and issued a report finding that there were four key weaknesses that put SEC systems at risk.
The four findings about SEC cybersecurity were typical of those that might be found during an audit of any large organization. They included:
- Inconsistent use of access controls to prevent, limit and detect unauthorized access to computer systems. While there were SEC cybersecurity policies and controls in place, they were not consistently enforced.
- Inconsistent configuration management and baselining of computer systems.
- Inadequate separation of duties in several SEC computing systems.
- Failure to fully review and update disaster recovery and contingency plans for information systems.
The report stated that these problems were a direct result of the SEC not fully implementing an organization-wide information security program. It is important to note that the GAO put these four findings in context by saying "While not constituting material weaknesses or significant deficiencies, they warrant SEC management's attention." These SEC cybersecurity findings are not unlike those that information security managers around the world receive at the end of any comprehensive audit.
The GAO recommended that the SEC take several actions to fully implement its information security program and correct these issues. But there is no reason to believe that this audit will have any impact on the SEC's regulatory authority. That authority comes from Congress; the GAO has no power to remove any of the SEC's regulatory powers, nor did it express any desire to do so in the audit report.
Ask the Expert:
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today. (All questions are anonymous.)