via Fierce Government IT
It took the Securities and Exchange Commission at least 18 months to install Service Pack 3 on its computers running the Microsoft Windows XP operating system, says an annual review of the SEC under the Federal Information Security Management Act.
The report, dated March 3 and prepared by the SEC inspector general with contracted help from cybersecurity firm c51 of Sterling, Va., finds that the SEC’s patch management is “not fully developed and implemented.”
Microsoft released XP SP3 in May 2008, but the SEC didn’t install it on computers until calendar year 2010, the report notes.
The report also finds that the SEC did not discontinue 14 Active Directory network accounts belonging to separated or terminated employees. Two of those accounts were logged into after the employees in question had left the SEC, creating a risk that a malicious party could have gained access to sensitive SEC data, the report says.