CFPB Report: 2013-IT-C-020 December 2, 2013
Our specific audit objectives, based on the Federal Information Security Management Act of 2002 (FISMA), were to evaluate the effectiveness of the Consumer Financial Protection Bureau's (CFPB's) security controls and techniques as well as compliance by the CFPB with FISMA and related information security policies, procedures, standards, and guidelines. Our scope and methodology are detailed in appendix B.
FISMA provides a framework for ensuring the effectiveness of information security controls over federal operations and assets and a mechanism for oversight of federal information security programs.[1] FISMA requires agencies to develop, document, and implement an agency-wide information security program for the information and information systems that support the operations and assets of the agency, including those provided by another agency, contractor, or other source. FISMA also requires each agency Inspector General (IG) to perform an annual independent evaluation of the information security program and practices of its respective agency.
In support of FISMA's independent evaluation requirements, the U.S. Department of Homeland Security (DHS) has issued guidance to IGs on FISMA reporting for 2013.[2] This guidance directs IGs to evaluate the performance of agency information security programs across a variety of attributes grouped into 11 areas. These areas are continuous monitoring, configuration management, identity and access management, incident response and reporting, risk management, security training, plan of action and milestones, remote access management, contingency planning, contractor systems, and security capital planning.
As noted in our 2012 FISMA audit report, when the CFPB began operations in July 2011, it relied on the information security program and systems of the U.S. Department of the Treasury (Treasury). The CFPB continues to rely on Treasury for certain information security program services and systems, including in the areas of remote access, security awareness training, and incident reporting. Our 2012 report also included three recommendations to assist the CFPB in developing, documenting, and implementing its own information security program. Specifically, we recommended that the CFPB's Chief Information Officer (CIO) finalize agency-wide information security policies and procedures, develop and implement a comprehensive information security strategy, and strengthen contractor oversight processes for information security controls. Since 2012, the CFPB has made significant progress in developing, documenting, and implementing its information security program; as such, we are closing out our three FISMA audit recommendations from 2012.