GAO: SEC must improve information security

04.04.2006
The U.S. Securities and Exchange Commission needs to bolster its information security to protect the confidentiality, integrity and availability of financial and sensitive data as well as its information systems, according to a report released late last week by the Government Accountability Office.

Although the SEC has corrected or mitigated eight of the 51 weaknesses the GAO reported as unresolved in last year's report, it hasn't done enough, the GAO said.

The corrective actions the SEC has taken include replacing a vulnerable, publicly accessible workstation and developing and implementing change-control procedures for a major application. But it has not yet effectively controlled remote access to its servers, established controls over passwords, managed access to its systems and data, securely configured network devices and servers, or implemented auditing and monitoring mechanisms to detect and track security incidents, according to the GAO.

In addition to the 43 vulnerabilities that have not been corrected, the GAO identified 15 new ones, according to the report. Most of the weaknesses have to do with electronic access controls, such as user accounts and passwords, access rights and permissions, and network devices and services, the GAO said. Because of these vulnerabilities, the SEC's sensitive financial information is not adequately protected against unauthorized disclosure, modification or loss, leaving the commission's operations vulnerable to disruption, according to the report.

For example, the GAO said the SEC has not adequately controlled user accounts and passwords to ensure that only authorized individuals can access its systems and data. That leaves an increased risk that unauthorized users could obtain the user IDs and passwords needed to access SEC systems, the GAO said. In addition, the SEC permits users to modify sensitive information or critical system files and directories even though those users don't need such permissions to perform their jobs. As a result, there is increased risk that the SEC's financial and sensitive data and applications could be compromised.

Until the SEC fully develops, implements and documents key elements of an information-security program to ensure that effective controls are in place and are maintained, its information systems will remain at risk, the GAO said.