GAO: SEC Needs to Bolster IT Controls

The Securities and Exchange Commission has not implemented effective information system controls to protect sensitive data according to a searing report from the Government Accountability Office. As part of its 2004 audit of the SEC's financials, the GAO assessed the effectiveness of the regulator's controls within its information systems -- the barriers that protect the confidentiality and availability of sensitive financial data. The auditor general found that the commission had not implemented "with any consistency," electronic access controls including user accounts, passwords and network security. Additionally, the GAO unearthed weaknesses in other information system controls including physical security and segregation of computer functions. As a result, sensitive data such as payroll, personal information and financial transactions, were at risk for unauthorized access or disclosure. The office recommended that the SEC chair William Donaldson direct his CIO to bolster its agency-wide security program. The SEC said that "significant progress" was already being made to address the failings.