IG: SEC Tardy in Patching IT SystemSEC Doesn't Sufficiently Maintain Patch Documentation
The IG also said SEC's IT office doesn't sufficiently maintain documentation on what patches are deployed and the date of deployment.
Auditors, in SEC's annual Federal Information Security Management Act report to the Office of Management and Budget, found that the commission's IT office documented and incorporated National Institute of Standards and Technology patch requirements in its policies and procedures but the guidance wasn't always followed.
"We found significant delays in the deployment of patches," the IG said.
Auditors cited, as an example, the following delay: Microsoft issued its Service Pack 3 patch in May 2008, but was only deployed in 2010 to the SEC's systems. NIST Special Publication 800-53 guidance does not require that patching be done within a certain time frame. the auditors pointed out, but it does state that the organization promptly installs security-relevant software updates such as patches, services packs and hot fixes.
In addition, the IG said, SEC's IT office applied multiple patches since November 2009, but couldn't provide the exact dates when it applied the patches so auditors were unable to determine the timeliness and effectiveness of SEC's patch management process when the IG made its preliminary report to OMB last November. Since then, the SEC provided auditors with a list of patches applied. That list suggested patch management at SEC is improving, the auditors said. Still, the IG report said, auditors weren't able to fully determine the effectiveness of the SEC patch management process.