
CFPB Report: 2013-AA-C-005 March 28, 2013

Security Control Review of the Consumer Financial Protection Bureau's Consumer Response System




The Federal Information Security Management Act of 2002 (FISMA) requires the Office of Inspector General to evaluate the effectiveness of the information security controls and techniques for a subset of the agency's information systems, including those provided or managed by another agency, a contractor, or another organization. To meet FISMA requirements, we reviewed the information system security controls for the Consumer Financial Protection Bureau's (CFPB's) Consumer Response System (CRS).

Our audit objective was to evaluate the adequacy of selected security controls for protecting the CRS from unauthorized access, modification, destruction, or disclosure, as well as the system's compliance with FISMA and the information security policies, procedures, standards, and guidelines of the CFPB.


The Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 created the CFPB and directed it to establish a database to facilitate the centralized collection of, monitoring of, and response to complaints regarding consumer financial products or services. To meet this requirement, the CFPB contracted with several vendors to provide the CRS. The CRS is a contractor-operated system, and it is classified as a major application on the CFPB's FISMA inventory.


Overall, we found that a number of steps have been taken to secure the CRS. However, we found that improvements are needed to ensure that the requirements of FISMA are met. Our report includes nine recommendations to CRS management to strengthen security controls for the system. We will follow up on the implementation of each recommendation in this report as part of our future audit activities related to the CFPB's continuing implementation of FISMA.

Given the sensitivity of information security review work, our reports in this area are generally restricted. Such is the case for this audit report.

Management's Response

In comments on a draft of our report, the Acting Chief Information Officer concurred with our recommendations and outlined actions that have been taken, are underway, and are planned to address our recommendations.