CFPB Report: 2013-IT-C-020 December 2, 2013
Our specific audit objectives were to evaluate the effectiveness of the CFPB's security controls and techniques, as well as the CFPB's compliance with FISMA and related information security policies, procedures, standards, and guidelines. To accomplish our objectives, we reviewed the effectiveness of the CFPB's information security program across the 11 areas outlined in DHS's 2013 FISMA reporting guidance for IGs. These areas include continuous monitoring, configuration management, identity and access management, incident response and reporting, risk management, security training, plan of action and milestones, remote access management, contingency planning, contractor systems, and security capital planning. To assess the CFPB's information security program in these areas, we interviewed CFPB management, staff, and contractors; analyzed security policies, procedures, and documentation; and observed and tested specific security processes and controls. We also assessed the implementation of select security controls for a contractor-operated system listed on the CFPB's FISMA inventory and performed vulnerability scanning on select system devices.
We utilized the results of our review of the CFPB's information security program and testing of controls for a select system to evaluate the implementation of specific attributes outlined in DHS's 2013 FISMA reporting guidance for IGs. As noted in our report, the CFPB is relying on Treasury for specific information security program services. These services include remote access and identity and access management. To evaluate specific attributes outlined in DHS's FISMA reporting guidance for remote access and identity and access management, we relied on the work performed by the Treasury Office of Inspector General (OIG) as part of its 2013 FISMA review of Treasury's information security program. We performed sufficient, appropriate procedures to meet requirements outlined in generally accepted government auditing standards for relying on the work of other audit organizations, including the following:
We conducted our fieldwork from June 2013 to September 2013. We conducted this audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence we obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.