Do as I say...

The U.S. Securities and Exchange Commission (SEC) failed to implement the same controls it monitors in public insurance corporations for Sarbanes-Oxley compliance, according to the IT Compliance Institute, an online information technology compliance site. The SEC isn't subject to SOX, HIPAA, or GLB, but it is accountable to the Federal Information Security Management Act. Under this law, the SEC has annually reported on its information security since 2002.The report, released by the Government Accountability Office, noted the following vulnerabilities: Ineffective electronic access controls of user accounts and passwords, access rights and permissions; network vulnerability to improper access, through both network architecture and direct physical access to unlocked wiring closets; spotty policies and procedures for key control areas and general support systems; and an inability to assess security risks or identify anomalous or suspicious network activities for review.