CFPB Report: 2019-IT-C-015, October 31, 2019
The Federal Information Security Modernization Act of 2014 requires us to perform an annual, independent evaluation of the Bureau's information security program. We evaluated the program's maturity level (from a possible low of 1 to a possible high of 5) across several areas.
Since our review last year, the Bureau has matured its information security program. It is now operating at level 4 (managed and measurable), which indicates an effective level of security. Nonetheless, the Bureau has opportunities to further strengthen its information security program—for example, by ensuring that security assessment and authorization processes are performed before deploying agency systems and by determining what governance and security program changes may be needed to effectively manage security for its high-value assets.
We are making recommendations to strengthen the Bureau's information security program in the areas of risk management, identity and access management, data protection and privacy, incident response, and contingency planning.