CFPB Report: 2013-IT-C-020 December 2, 2013
CONSUMER FINANCIAL PROTECTION BUREAU
1700 G Street NW, Washington, DC 20552
November 26, 2013
Mr. Andrew Patchan, Jr.
Associate Inspector General for Audits and Attestations
Board of Governors of the Federal Reserve System & Consumer Financial Protection Bureau
20th and C Streets, NW
Washington, DC 20551
Dear Mr. Patchan,
Thank you for the opportunity to review and comment on the Office of Inspector General's report entitled 2013 Audit of the Consumer Financial Protection Bureau's Information Security Program.
We are pleased that you closed all three FY12 audit recommendations and found that the Bureau has strengthened its information security program in alignment with FISMA guidelines. This year's report highlighted CFPB's progress in the key areas of risk management, identity and access management, incident response and reporting, contractor systems, and other important functional areas that support an effective information security program. We also appreciate your acknowledgement of the Bureau's progress towards full implementation of FISMA standards and your office's helpful recommendations to further optimize CFPB's continued growth.
We have reviewed and concur with your recommendations regarding opportunities for improvement in the areas of continuous monitoring, configuration management, security training, and incident response and reporting. As noted in the report, the Bureau has implemented an information security program that is consistent with FISMA requirements, and we will continue to build on that foundation to further refine processes and capabilities. These recommendations are consistent with the Bureau's plans to increase the use of automated tools and further centralize enterprise capabilities. As we discussed with your staff, the Bureau has already begun to align existing plans and take action to pursue these opportunities for improvement.
Thank you for the professionalism and courtesy that your office demonstrated throughout this review, as well as your acknowledgement of our efforts to be responsive, communicative, and supportive of the audit team throughout the audit. We have provided comments for each recommendation.
Sincerely,
/signed/
Ashwin Vasan
Chief Information Officer
Enclosure
Response to Opportunities for Improvement Presented in the IG Report Entitled 2013 Audit of the Consumer Financial Protection Bureau's Information Security Program
Recommendation 1: Strengthen the CFPB's information security continuous monitoring program by (a) defining and implementing performance measures to facilitate decision making and improve performance of the agency's continuous monitoring program and (b) identifying additional automated tools to assess security controls and analyze and respond to the results of continuous monitoring activities.
Management Response: The Bureau concurs with this recommendation. As noted in the report, the Bureau's Continuous Monitoring program is consistent with the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-137. Similar to most agencies, the CFPB is working towards optimizing the operational benefits of an effective continuous monitoring strategy that can also satisfy compliance measures that were designed for point-in-time, paper-based information security programs. At the same time that the CFPB continuous monitoring program is being defined and the core capabilities implemented, the Bureau is pursuing the use of additional automated tools and an improved use of performance measures. In recent months, the Bureau has conducted significant market research and engaged with other government agencies to identify and assess the appropriate strategy and suite of automated tools. Personnel and funding have been planned to support the enhancements to the Bureau's continuous monitoring program in FY14.
Recommendation 2: Develop and implement an organization-wide configuration management plan and a consistent process for patch management.
Management Response: The Bureau concurs with this recommendation. The Bureau's technology landscape has been rapidly evolving toward that of a 21st century agency, designed to support the needs of the internal users and those of the consumers that the Bureau exists to serve. While the CFPB is still establishing its underlying IT architecture, further centralizing the implementation and management of processes such as patch management will support successful operations Bureau-wide. Recommendation #2 confirms the Bureau's preexisting determination regarding the importance of configuration management, including a consistent patch management process, to ensure an effective and efficient information technology environment. Centralized management, improved automated capabilities, and performance measures will further improve existing functions. Prior to release of this report, the Bureau's recently appointed CIO had initiated several highly focused efforts to mature core process areas. These efforts will support the Bureau's ongoing transition from start-up IT to efficient and effective enterprise management. Under the CIO's direction, configuration management tops the list of priorities for maturing the Bureau's enterprise architecture in the coming year.
Recommendation 3: Design, develop, and implement a role-based security training program for individuals with significant security responsibilities.
Management Response: The Bureau concurs with this recommendation. The Bureau has made significant accomplishments in establishing internal processes and capabilities in a short timeframe. In terms of security training, the Bureau works diligently not only to satisfy the baseline FISMA standards, but also to augment the effectiveness of security training by identifying with the target audience and providing security awareness content designed to make CFPB employees an extension of the information security program. Your staff noted the breadth and diversity of the Bureau's existing security awareness training for general users, and suggested additional opportunities for improvement in role-based security training. Recommendation #3 supports the Bureau's plan to finalize the current role-based security training strategy and to ensure that individuals with significant security responsibilities receive the appropriate training.
Recommendation 4: Ensure that audit logs and security incident information from all relevant sources are centrally tracked, analyzed, and correlated.
Management Response: The Bureau concurs with this recommendation. The CFPB information technology infrastructure has grown from an indistinguishable component of the Treasury to an increasingly independent enterprise that still benefits from certain core capabilities of the Department. The Bureau's incident monitoring and response functions are closely coupled with those of Treasury, with both shared and independent capabilities and intersecting processes. Similar to the plans noted in the Management Response to Recommendation #2, the Bureau began a concerted effort to centralize and optimize existing processes and capabilities such that additional operational effectiveness and efficiencies may be gained. Recommendation #4 supports the Bureau's existing plans to enhance and further automate the collection, correlation, and reporting of audit logs and security incident information. Prior to release of this report, personnel and funding were aligned to support the planned enhancements to the Bureau's capabilities to centralize and automate the use of audit log and security incident information in FY14.