
CFPB Report: 2019-IT-C-015 October 31, 2019

2019 Audit of the Bureau's Information Security Program

The Federal Information Security Modernization Act of 2014 requires us to perform an annual, independent evaluation of the Bureau's information security program. We evaluated the program's maturity level (from a possible low of 1 to a possible high of 5) across several areas.

Since our review last year, the Bureau has matured its information security program. It is now operating at level 4 (managed and measurable), which indicates an effective level of security. Nonetheless, the Bureau has opportunities to further strengthen its information security program—for example, by ensuring that security assessment and authorization processes are performed before deploying agency systems and by determining what governance and security program changes may be needed to effectively manage security for its high-value assets.

We are making recommendations to strengthen the Bureau's information security program in the areas of risk management, identity and access management, data protection and privacy, incident response, and contingency planning.