CFPB Report: 2018-IT-C-002R January 25, 2018
Mobile devices help CFPB staff carry out their duties, but the portability of these devices heightens the risk of loss or theft of IT equipment and data. We therefore evaluated the CFPB's mobile encryption practices.
The CFPB has an effective process for encrypting the data on its mobile devices. However, the agency has not been able to fully account for all laptops assigned to users since its establishment. While conducting this audit, we notified the CFPB of actions it should take to rectify this issue. Our report also includes a suggestion to help the CFPB better manage risks associated with sensitive data on unaccounted-for laptops by strengthening ongoing efforts to develop and implement an insider threat program and incident containment strategies. The Chief Information Officer concurred with our suggestion, and we will follow up on these matters in our future work.
This report is restricted due to the sensitive nature of this information.